public TrustCouldNotBeVerifiedException(OcesCertificate ocesCertificate,
     IEnumerable<OcesEnvironment> environments)
     : base("Could not verify trust")
 {
     OcesCertificate = ocesCertificate;
     TrustedEnvironments = environments;
 }
Exemplo n.º 2
0
        /// <summary>
        ///  Generates an <code>OcesCertificate</code>. The returned <code>OcesCertificate</code> is the end user certificate, which has a parent relation
        ///  to the certificate of its issuing CA which again can have a parent relation to the certificate of the root CA.
        ///  The root CA has no parent relation.
        ///
        /// The factory verifies that each certificate in the certificate chain has been signed by its issuing CA.
        /// </summary>
        /// <param name="certificates">List of certificates to create OcesCertificate chain from.</param>
        /// <returns><code>OcesCertificate</code> with parent relation to (chain of) issuing CAs. Depending on the Subject DN in the
        /// certificate a <code>PocesCertificate</code>, <code>MocesCertificate</code>, <code>VocesCertificate</code>, or <code>FocesCertificate</code> will be created.</returns>
        ///  <exception cref="org.openoces.ooapi.exceptions.TrustCouldNotBeVerifiedException">when a OcesCertificate in the chain cannot be trusted, i.e. has not been signed by its issuing CA.</exception>
        public OcesCertificate Generate(List <X509Certificate2> certificates)
        {
            certificates = SortCertificatesIssuerLast(certificates);
            AddIssuerCertificateIfNeeded(certificates);
            ValidateExactlyOneChainInList(certificates);
            AppendRootIfMissing(certificates);
            X509Certificate2 endUserCertificate = certificates[0];
            Ca              signingCa           = CreateCaChain(certificates);
            string          subjectSerialNumber = ExtractSubjectSerialNumber(endUserCertificate);
            OcesCertificate certificate         = SelectCertificateSubclass(subjectSerialNumber, signingCa, endUserCertificate);

            if (ChainVerifier.VerifyTrust(certificate))
            {
                return(certificate);
            }
            throw new TrustCouldNotBeVerifiedException(certificate, Environments.TrustedEnvironments);
        }
Exemplo n.º 3
0
 public CertificateIsRevokedException(OcesCertificate certificate)
     : base("Certificate " + certificate.SubjectDistinguishedName + "is revoked")
 {
 }
 /// <summary>
 /// This method verifies a certificate by calling the OCSP used in current Environment 
 /// </summary>
 /// <param name="certificate">certificate to verify</param>
 /// <returns>true if certificate is revoked else false</returns>
 public static bool VerifyCertificateWithOcsp(OcesCertificate certificate)
 {
     var engine = new OcspCertificateRevocationChecker();
     return engine.IsRevoked(certificate);
 }
Exemplo n.º 5
0
 /// <summary>
 /// Checks that a full CRL can be retrieved and is valid. Expects that an environment has been set up.
 /// </summary>
 /// <returns><code>true</code> if the CRL is retrieved or else false</returns>
 public static bool VerifyFullCrl(OcesCertificate ocesCertificate)
 {
     Crl crl = CertificateRevocationHandler.RetrieveFullCrl(ocesCertificate);
     return crl != null && crl.IsValid;
 }
 /// <summary>
 /// Retrieves the full CRL for the given certificate
 /// </summary>
 /// <param name="certificate">to retrieve full CRL for</param>
 /// <returns>full CRL for the given certificate</returns>
 public static Crl RetrieveFullCrl(OcesCertificate certificate)
 {
     return FullCrlRevocationChecker.Instance.DownloadCrl(certificate);
 }
Exemplo n.º 7
0
 private void SetAttributesForMocesOrPoces(OcesCertificate certificate)
 {
     if (certificate is PocesCertificate)
     {
         Session.Add(KeyType, "POCES");
         Session.Add(KeyPid, ((PocesCertificate)certificate).Pid);
     }
     else
     {
         Session.Add(KeyType, "MOCES");
         Session.Add(KeyRid, ((MocesCertificate)certificate).Rid);
         Session.Add(KeyCvr, ((MocesCertificate)certificate).Cvr);
     }
 }
 public CertificateAndStatus(OcesCertificate certificate,
     CertificateStatus certificateStatus)
 {
     Certificate = certificate;
     CertificateStatus = certificateStatus;
 }
        private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca)
        {
            DateTime nowInGmt = DateTime.Now.ToUniversalTime();

            /* check condition:
                 The certificate identified in a received response corresponds to
                 that which was identified in the corresponding request;
             */
            SingleResp[] responses = basicResp.Responses;
            if (responses.Length != 1)
            {
                throw new OcspException("unexpected number of responses received");
            }

            if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber))
            {
                throw new OcspException("Serial number mismatch problem");
            }

            /* check condition
               The signature on the response is valid;
            */
            try
            {
                ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca);
            }
            catch(ChainVerificationException e)
            {
                throw new OcspException("OCSP response certificate chain is invalid", e);
            }

            /* check the signature on the ocsp response */
            var ocspBcCertificate =
                new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData);
            if (!basicResp.Verify(ocspBcCertificate.GetPublicKey()))
            {
                throw new OcspException("signature validation failed for ocsp response");
            }

            if (!CanSignOcspResponses(ocspBcCertificate))
            {
                throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing");
            }

            /* check expiry of the signing certificate */
            if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid)
            {
                throw new OcspException("OCSP certificate expired or not yet valid");
            }

            /* check condition
               The time at which the status being indicated is known to be
               correct (thisUpdate) is sufficiently recent.
            */
            SingleResp response = responses[0];

            var diff = response.ThisUpdate - nowInGmt;
            if (diff > new TimeSpan(0, 1, 0))
            {
                throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: "
                                        + response.ThisUpdate);
            }

            if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt)
            {
                throw new OcspException("OCSP response is no longer valid");
            }
        }
Exemplo n.º 10
0
 public static bool VerifyTrust(OcesCertificate certificate)
 {
     return VerifyTrust(certificate.ExportCertificate(), certificate.IssuingCa);
 }
Exemplo n.º 11
0
 public static bool VerifyTrust(OcesCertificate certificate)
 {
     return(VerifyTrust(certificate.ExportCertificate(), certificate.IssuingCa));
 }