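/// <summary>
/// Queries every OCSP responder advertised in the certificate's Authority Information Access
/// (AIA) extension, stopping at the first responder that gives a definitive answer.
/// </summary>
/// <param name="certificate">The certificate whose revocation status is being checked.</param>
/// <param name="issuer">The issuer certificate, forwarded to the URL-based overload.</param>
/// <returns>
/// The first VALID or REVOKED <see cref="ValidationResponse"/>; otherwise UNKNOWN, which also
/// covers a certificate with no AIA extension or with no OCSP entry in it.
/// </returns>
public ValidationResponse ValidateCertificate(X509Certificate2 certificate, X509Certificate2 issuer)
{
    Org.BouncyCastle.X509.X509Certificate certificateBC =
        Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);

    // A missing AIA extension is an expected case, not an error. The previous version detected
    // it by catching NullReferenceException, which also hid genuine null bugs in the loop below.
    Asn1OctetString aiaValue = certificateBC.GetExtensionValue(X509Extensions.AuthorityInfoAccess);
    if (aiaValue == null)
    {
        return new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN);
    }

    // The extension value is an OCTET STRING wrapping the DER-encoded AIA SEQUENCE.
    Asn1Sequence aiaSequence = Asn1Sequence.GetInstance(Asn1Object.FromByteArray(aiaValue.GetOctets()));

    foreach (Asn1Encodable entry in aiaSequence)
    {
        AccessDescription aiaEntry = AccessDescription.GetInstance(entry.ToAsn1Object());
        if (!AccessDescription.IdADOcsp.Equals(aiaEntry.AccessMethod))
        {
            continue;
        }

        // Only a URI access location names a responder endpoint; other name forms are skipped.
        GeneralName location = aiaEntry.AccessLocation;
        if (location.TagNo != GeneralName.UniformResourceIdentifier)
        {
            continue;
        }

        // NOTE(review): the responder URL comes from the certificate under test, i.e. from data
        // whose author is not yet trusted. This method does not verify responses itself; confirm
        // the URL-based overload checks the OCSP response signature against the issuer (or an
        // issuer-delegated responder) before its VALID/REVOKED answer is accepted here.
        string responderUrl = location.Name.ToString();
        ValidationResponse validationResponse = ValidateCertificate(certificate, issuer, responderUrl);
        if (validationResponse.status == ValidationExtensions.Enums.CertificateStatus.VALID
            || validationResponse.status == ValidationExtensions.Enums.CertificateStatus.REVOKED)
        {
            return validationResponse;
        }
    }

    return new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN);
}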
/// <summary>
/// Adds an Authority Information Access extension that advertises the CA-issuers and/or OCSP
/// endpoints. Both entries are packed into one extension (the original note: it has to be added
/// all at once). Blank URIs are skipped; when neither is given no extension is added.
/// </summary>
/// <param name="certificateGenerator">Generator receiving the extension.</param>
/// <param name="uriCA">id-ad-caIssuers URI, or blank to omit.</param>
/// <param name="uriOcsp">id-ad-ocsp URI, or blank to omit.</param>
protected void AddAuthorityDistributionEndPoint(X509V3CertificateGenerator certificateGenerator, string uriCA, string uriOcsp)
{
    var entries = new Asn1EncodableVector();

    if (!String.IsNullOrWhiteSpace(uriCA))
    {
        entries.Add(new AccessDescription(
            AccessDescription.IdADCAIssuers,
            new GeneralName(GeneralName.UniformResourceIdentifier, uriCA)));
    }

    if (!String.IsNullOrWhiteSpace(uriOcsp))
    {
        entries.Add(new AccessDescription(
            AccessDescription.IdADOcsp,
            new GeneralName(GeneralName.UniformResourceIdentifier, uriOcsp)));
    }

    if (entries.Count == 0)
    {
        return;
    }

    certificateGenerator.AddExtension(
        X509Extensions.AuthorityInfoAccess,
        false,
        new DerSequence(entries));
}
/// <summary>
/// Builds an AuthorityInformationAccess holding exactly one access description.
/// </summary>
/// <param name="description">The single access description to wrap.</param>
public AuthorityInformationAccess(AccessDescription description)
{
    descriptions = new[] { description };
}
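/// <summary>
/// Issues a leaf signing certificate under <see cref="IntermediateCa"/>, bundles it with its
/// private key into a PKCS#12 store and returns the store together with the issuer chain.
/// </summary>
/// <param name="dnName">Subject distinguished name of the new certificate.</param>
/// <param name="keySize">RSA modulus size in bits.</param>
/// <returns>A <see cref="CertContainer"/> wrapping the PKCS#12 store and the issuer chain.</returns>
internal static CertContainer IssueSignerCertificate(X509Name dnName, int keySize = DefaultKeySize)
{
    CertContainer issuerCert = IntermediateCa;

    RsaKeyPairGenerator keyPairGen = new RsaKeyPairGenerator();
    keyPairGen.Init(new KeyGenerationParameters(_secureRandom, keySize));
    AsymmetricCipherKeyPair keyPair = keyPairGen.GenerateKeyPair();

    // Serial numbers must be unique per issuer. Every certificate from this helper used to get
    // serial 1, so two signer certificates were indistinguishable to the CRL and OCSP endpoints
    // configured below. Draw a random 64-bit serial instead (zero is replaced, as 0 is not valid).
    BigInteger serialNumber = new BigInteger(64, _secureRandom);
    if (serialNumber.SignValue == 0)
    {
        serialNumber = BigInteger.One;
    }

    // Validity is encoded in UTC; local time would shift both bounds by the host's UTC offset.
    DateTime notBefore = DateTime.UtcNow;

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    certGen.SetSerialNumber(serialNumber);
    certGen.SetIssuerDN(issuerCert.Certificate.SubjectDN);
    certGen.SetNotBefore(notBefore);
    certGen.SetNotAfter(notBefore.AddYears(1));
    certGen.SetSubjectDN(dnName);
    certGen.SetPublicKey(keyPair.Public);
    certGen.SetSignatureAlgorithm("SHA256withRSA");

    certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
        new AuthorityKeyIdentifierStructure(issuerCert.Certificate.GetPublicKey()));
    // Leaf certificate: cA=false, marked critical.
    certGen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.AddExtension(X509Extensions.KeyUsage, true,
        new KeyUsage(X509KeyUsage.NonRepudiation | X509KeyUsage.DigitalSignature));
    certGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
        new SubjectKeyIdentifierStructure(keyPair.Public));
    certGen.AddExtension(X509Extensions.ExtendedKeyUsage, false,
        new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth));

    // Revocation endpoints, both resolved against the fixed local base URI.
    Uri currentBaseUri = new Uri("https://localhost/");

    // CRL distribution point.
    Uri crlUri = new Uri(currentBaseUri, IntermediateCrlPath);
    GeneralName crlName = new GeneralName(GeneralName.UniformResourceIdentifier, crlUri.ToString());
    DistributionPointName distPointName = new DistributionPointName(new GeneralNames(crlName));
    DistributionPoint distPoint = new DistributionPoint(distPointName, null, null);
    certGen.AddExtension(X509Extensions.CrlDistributionPoints, false,
        new CrlDistPoint(new DistributionPoint[] { distPoint }));

    // OCSP responder, advertised through Authority Information Access.
    Uri ocspUri = new Uri(currentBaseUri, OcspPath);
    AccessDescription ocsp = new AccessDescription(AccessDescription.IdADOcsp,
        new GeneralName(GeneralName.UniformResourceIdentifier, ocspUri.ToString()));
    Asn1EncodableVector aiaEntries = new Asn1EncodableVector();
    aiaEntries.Add(ocsp);
    certGen.AddExtension(X509Extensions.AuthorityInfoAccess, false, new DerSequence(aiaEntries));

    X509Certificate generatedCert = certGen.Generate(issuerCert.PrivateKey);

    // Bundle certificate and private key into a PKCS#12 store; aliases derive from the subject DN.
    Pkcs12Store pfxStore = new Pkcs12StoreBuilder().Build();
    X509CertificateEntry certEntry = new X509CertificateEntry(generatedCert);
    string alias = generatedCert.SubjectDN.ToString();
    pfxStore.SetCertificateEntry(alias, certEntry);
    pfxStore.SetKeyEntry(alias + "_key", new AsymmetricKeyEntry(keyPair.Private),
        new X509CertificateEntry[] { certEntry });

    return new CertContainer(pfxStore, issuerCert.GetIssuerChain(true));
}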
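/// <summary>
/// Builds the DER SEQUENCE for an Authority Information Access extension from the given
/// CA-issuers and OCSP responder URIs. Blank entries are omitted.
/// </summary>
/// <param name="caissuer">URI of the issuer certificate (id-ad-caIssuers), or blank to omit.</param>
/// <param name="ocsp">URI of the OCSP responder (id-ad-ocsp), or blank to omit.</param>
/// <returns>A <see cref="DerSequence"/> of <see cref="AccessDescription"/> entries.</returns>
/// <exception cref="System.ArgumentException">Both URIs are blank, so the extension would be empty.</exception>
static DerSequence CreateAuthorityAccessInformationSequence(string caissuer, string ocsp)
{
    // The previous version ignored both parameters and always emitted one fixed caIssuers URL.
    Asn1EncodableVector entries = new Asn1EncodableVector();

    if (!string.IsNullOrWhiteSpace(caissuer))
    {
        entries.Add(new AccessDescription(AccessDescription.IdADCAIssuers,
            new GeneralName(GeneralName.UniformResourceIdentifier, caissuer)));
    }

    if (!string.IsNullOrWhiteSpace(ocsp))
    {
        entries.Add(new AccessDescription(AccessDescription.IdADOcsp,
            new GeneralName(GeneralName.UniformResourceIdentifier, ocsp)));
    }

    if (entries.Count == 0)
    {
        // An AIA extension must carry at least one AccessDescription.
        throw new System.ArgumentException("at least one of caissuer or ocsp must be supplied");
    }

    return new DerSequence(entries);
}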
/// <summary>
/// Produces the DER SEQUENCE for the Authority Information Access extension, advertising
/// <see cref="AuthorityInformationAccessUri"/> as the id-ad-caIssuers location.
/// </summary>
/// <returns>
/// The encoded sequence, or <c>null</c> when no absolute URI has been configured.
/// </returns>
protected DerSequence GetAuthorityInfoAccessEncoded()
{
    var uri = AuthorityInformationAccessUri;
    if (uri == null)
    {
        return null;
    }
    if (!uri.IsAbsoluteUri)
    {
        return null;
    }

    var caIssuers = new AccessDescription(
        AccessDescription.IdADCAIssuers,
        new GeneralName(GeneralName.UniformResourceIdentifier, new DerIA5String(uri.AbsoluteUri)));
    return new DerSequence(caIssuers);
}
/// <summary>
/// Parses an AuthorityInformationAccess from its ASN.1 SEQUENCE form; each element is
/// converted with <see cref="AccessDescription.GetInstance"/>.
/// </summary>
/// <param name="seq">The decoded extension SEQUENCE; must hold at least one element.</param>
/// <exception cref="ArgumentException"><paramref name="seq"/> is empty.</exception>
private AuthorityInformationAccess(Asn1Sequence seq)
{
    int count = seq.Count;
    if (count == 0)
    {
        throw new ArgumentException("sequence may not be empty");
    }

    AccessDescription[] parsed = new AccessDescription[count];
    int index = 0;
    foreach (Asn1Encodable element in seq)
    {
        parsed[index++] = AccessDescription.GetInstance(element);
    }
    descriptions = parsed;
}
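/// <summary>
/// Encodes the configured access descriptions as the DER SEQUENCE used by the extension.
/// </summary>
/// <returns>A <see cref="DerSequence"/> with one <see cref="AccessDescription"/> per entry.</returns>
protected Asn1Sequence encode()
{
    // accessDesc exposes a Count property (the loop bound already used it); the LINQ Count()
    // call in the array allocation is dropped so both read the same value.
    int count = accessDesc.Count;
    AccessDescription[] encoded = new AccessDescription[count];
    for (int i = 0; i < count; i++)
    {
        // Location.Type/Name are turned into a BouncyCastle GeneralName by the sibling helper;
        // Method is mapped to its access-method OID by toOID.
        GeneralName gn = generalNames.createGeneralName(
            accessDesc[i].Location.Type.ToString(),
            accessDesc[i].Location.Name);
        encoded[i] = new AccessDescription(toOID(accessDesc[i].Method), gn);
    }
    return new DerSequence(encoded);
}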
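/// <summary>
/// Adds an Authority Information Access extension listing every entry of
/// <see cref="OcspEndpoints"/> as an id-ad-ocsp URI. When there are no endpoints the extension
/// is left out entirely instead of being emitted as an empty (malformed) SEQUENCE.
/// </summary>
public void AddOcspPoints()
{
    var accessDescriptions = new List<Asn1Encodable>();
    foreach (var endpoint in OcspEndpoints)
    {
        var location = new GeneralName(GeneralName.UniformResourceIdentifier, new DerIA5String(endpoint));
        accessDescriptions.Add(new AccessDescription(X509ObjectIdentifiers.OcspAccessMethod, location));
    }

    // An AIA extension must contain at least one AccessDescription.
    if (accessDescriptions.Count == 0)
    {
        return;
    }

    certificateGenerator.AddExtension(
        X509Extensions.AuthorityInfoAccess,
        false,
        new DerSequence(accessDescriptions.ToArray()));
}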
/// <summary>
/// Creates a <see cref="SubjectInformationAccess"/> that carries a single access description.
/// </summary>
/// <param name="description">The access description to expose.</param>
public SubjectInformationAccess(AccessDescription description)
{
    AccessDescription[] single = { description };
    this.descriptions = single;
}