/// <param name="cert"></param> /// <returns></returns> public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert) { if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST) { CertificateStatus status = new CertificateStatus(); status.Validity = CertificateValidity.VALID; status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST; status.Certificate = cert.GetCertificate(); return(status); } CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert); if (issuer == null) { return(null); } IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp); ICrlSource crlSource = new ListCRLSource(neededCRL); OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier(); verifier.SetCrlSource(crlSource); verifier.SetOcspSource(ocspSource); return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate ())); }
/// <summary>The default constructor for CertificateVerification.</summary> /// <remarks>The default constructor for CertificateVerification.</remarks> /// <param name="cert"></param> /// <param name="ctx"></param> public CertificateVerification(CertificateAndContext cert, ValidationContext ctx) { certificate = cert; if (cert != null) { try { cert.GetCertificate().CheckValidity(ctx.GetValidationDate()); validityPeriodVerification = new Result(Result.ResultStatus.VALID, null); } catch (CertificateExpiredException) { validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.expired" ); } catch (CertificateNotYetValidException) { validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.not.yet.valid" ); } CertificateStatus status = ctx.GetCertificateStatusFromContext(cert); if (status != null) { certificateStatus = new RevocationVerificationResult(status); } } }
private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext cert) { CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert ); if (issuerCertificate == null) { return(false); } else { try { CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate .GetCertificate(), cert.GetCertificate().SerialNumber); foreach (SingleResp resp in basicOcspResp.Responses) { if (resp.GetCertID().Equals(matchingCertID)) { return(true); } } return(false); } catch (OcspException ex) { throw new RuntimeException(ex); } } }
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource) { if (optionalCRLSource != null || optionalOCSPSource != null) { LOG.Info("Verify with offline services"); OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier(); verifier.SetCrlSource(optionalCRLSource); verifier.SetOcspSource(optionalOCSPSource); CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer. GetCertificate(), validationDate); if (status != null) { return(status); } } LOG.Info("Verify with online services"); OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier( ); onlineVerifier.SetCrlSource(crlSource); onlineVerifier.SetOcspSource(ocspSource); return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate (), validationDate)); }
public virtual bool Check(CertificateAndContext cert) { //TODO jbonilla - validar. //byte[] certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies); Asn1OctetString certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies); if (certificatePolicies != null) { try { //Asn1InputStream input = new Asn1InputStream(certificatePolicies); //DerOctetString s = (DerOctetString)input.ReadObject(); DerOctetString s = (DerOctetString)certificatePolicies; byte[] content = s.GetOctets(); Asn1InputStream input = new Asn1InputStream(content); DerSequence seq = (DerSequence)input.ReadObject(); for (int i = 0; i < seq.Count; i++) { PolicyInformation policyInfo = PolicyInformation.GetInstance(seq[i]); if (policyInfo.PolicyIdentifier.Id.Equals(policyOid)) { return(true); } } } catch (IOException e) { throw new RuntimeException(e); } } return(false); }
public virtual bool Check(CertificateAndContext cert) { //TODO jbonilla - Validar //byte[] qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements); Asn1OctetString qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements); if (qcStatement != null) { try { //Asn1InputStream input = new Asn1InputStream(qcStatement); //DerOctetString s = (DerOctetString)input.ReadObject(); DerOctetString s = (DerOctetString)qcStatement; byte[] content = s.GetOctets(); Asn1InputStream input = new Asn1InputStream(content); DerSequence seq = (DerSequence)input.ReadObject(); for (int i = 0; i < seq.Count; i++) { QCStatement statement = QCStatement.GetInstance(seq[i]); if (statement.StatementId.Id.Equals(qcStatementId)) { return(true); } } return(false); } catch (IOException e) { throw new RuntimeException(e); } } return(false); }
/// <summary>Returns the CRLs in the context which concern the provided certificate.</summary> /// <remarks> /// Returns the CRLs in the context which concern the provided certificate. It can happen there are more than one, /// even though this is unlikely. /// </remarks> /// <param name="cert">the X509 certificate</param> /// <returns>the list of CRLs related to the certificate</returns> public virtual IList <X509Crl> GetRelatedCRLs(CertificateAndContext cert) { IList <X509Crl> crls = new AList <X509Crl>(); foreach (X509Crl crl in this.neededCRL) { if (ConcernsCertificate(crl, cert)) { crls.AddItem(crl); } } return(crls); }
/// <summary>Retrieve all the qualifiers for which the corresponding condition evaluate to true. /// </summary> /// <remarks>Retrieve all the qualifiers for which the corresponding condition evaluate to true. /// </remarks> /// <param name="cert"></param> /// <returns></returns> public virtual IList <string> GetQualifiers(CertificateAndContext cert) { IList <string> list = new List <string>(); foreach (KeyValuePair <string, Condition> e in qualifiersAndConditions) { if (e.Value.Check(cert)) { list.Add(e.Key); } } return(list); }
/// <summary>Returns the OCSP responses in the context which concern the provided certificate. /// </summary> /// <remarks> /// Returns the OCSP responses in the context which concern the provided certificate. It can happen there are more /// than one, even though this is unlikely. /// </remarks> /// <param name="cert">the X509 certificate</param> /// <returns>the list of OCSP responses related to the certificate</returns> /// <exception cref="Org.Bouncycastle.Ocsp.OcspException">Org.Bouncycastle.Ocsp.OcspException /// </exception> public virtual IList <BasicOcspResp> GetRelatedOCSPResp(CertificateAndContext cert ) { IList <BasicOcspResp> ocspresps = new AList <BasicOcspResp>(); foreach (BasicOcspResp ocspresp in this.neededOCSPResp) { if (this.ConcernsCertificate(ocspresp, cert)) { ocspresps.AddItem(ocspresp); } } return(ocspresps); }
/// <summary>Return the ServiceInfo of the parent (in the Trusted List) of the certificate /// </summary> /// <returns></returns> public virtual ServiceInfo GetRelevantServiceInfo() { CertificateAndContext cert = new CertificateAndContext(GetCertificate()); CertificateAndContext parent = GetParentFromTrustedList(cert); if (parent == null) { return(null); } else { ServiceInfo info = (ServiceInfo)parent.GetContext(); return(info); } }
/// <summary>Finds the provided certificate's issuer in the context</summary> /// <param name="cert">The certificate whose issuer to find</param> /// <returns>the issuer's X509Certificate</returns> public virtual CertificateAndContext GetIssuerCertificateFromThisContext(CertificateAndContext cert) { if (cert.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN)) { return(null); } foreach (CertificateAndContext c in neededCertificates) { if (c.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN)) { return(c); } } return(null); }
internal virtual void AddNotYetVerifiedToken(SignedToken signedToken) { if (!revocationInfo.ContainsKey(signedToken)) { LOG.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode ()); revocationInfo.Put(signedToken, null); if (signedToken is CRLToken) { neededCRL.AddItem(((CRLToken)signedToken).GetX509crl()); } else { if (signedToken is OCSPRespToken) { neededOCSPResp.AddItem(((OCSPRespToken)signedToken).GetOcspResp()); } else { if (signedToken is CertificateToken) { bool found = false; CertificateAndContext newCert = ((CertificateToken)signedToken).GetCertificateAndContext (); foreach (CertificateAndContext c in neededCertificates) { if (c.GetCertificate().Equals(newCert.GetCertificate())) { found = true; break; } } if (!found) { neededCertificates.AddItem(newCert); } } } } } else { LOG.Info("Token was already in list " + signedToken); } }
/// <summary>Retrieve the parent from the trusted list</summary> /// <param name="ctx"></param> /// <returns></returns> public virtual CertificateAndContext GetParentFromTrustedList(CertificateAndContext ctx) { CertificateAndContext parent = ctx; while (GetIssuerCertificateFromThisContext(parent) != null) { parent = GetIssuerCertificateFromThisContext(parent); if (parent.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST) { LOG.Info("Parent from TrustedList found " + parent); return(parent); } } LOG.Warn("No issuer in the TrustedList for this certificate. The parent found is " + parent); return(null); }
public virtual bool Check(CertificateAndContext cert) { switch (composition) { case CompositeCriteriaList.Composition.all: { foreach (Condition c in conditions) { if (!c.Check(cert)) { return(false); } } return(true); } case CompositeCriteriaList.Composition.atLeastOne: { foreach (Condition c_1 in conditions) { if (c_1.Check(cert)) { return(true); } } return(false); } case CompositeCriteriaList.Composition.none: { foreach (Condition c_2 in conditions) { if (c_2.Check(cert)) { return(false); } } return(true); } } throw new InvalidOperationException("Unsupported Composition " + composition); }
public virtual bool Check(CertificateAndContext cert) { return(cert.GetCertificate().GetKeyUsage()[(int)bit]); }
/// <summary>Build the validation context for the specific date</summary> /// <param name="validationDate"></param> /// <param name="optionalSource"></param> /// <exception cref="System.IO.IOException"></exception> public virtual void Validate(DateTime validationDate, CertificateSource optionalSource , ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource) { int previousSize = revocationInfo.Count; int previousVerified = VerifiedTokenCount(); SignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { CertificateSource otherSource = optionalSource; if (signedToken != null) { otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource (), optionalSource); } CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate ); RevocationData data = null; if (issuer == null) { LOG.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { AddNotYetVerifiedToken(new CertificateToken(issuer)); if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate ().IssuerDN)) { SignedToken trustedToken = new CertificateToken(issuer); RevocationData noNeedToValidate = new RevocationData(); // noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST) { SignedToken trustedToken = new CertificateToken(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { LOG.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new RuntimeException("Not supported token type " + signedToken.GetType().Name ); } } } Validate(signedToken, data); LOG.Info(this.ToString()); int newSize = revocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource); } } }
/// <summary>Create a CertificateToken</summary> /// <param name="cert"></param> /// <param name="sourceFactory"></param> public CertificateToken(CertificateAndContext cert, CertificateSourceFactory sourceFactory ) { this.cert = cert; this.sourceFactory = sourceFactory; }
/// <summary>Create a CertificateToken</summary> /// <param name="cert"></param> public CertificateToken(CertificateAndContext cert) : this(cert, null) { }
private bool ConcernsCertificate(X509Crl x509crl, CertificateAndContext cert) { return(x509crl.IssuerDN.Equals(cert.GetCertificate().IssuerDN)); }
/// <param name="certificate">the certificate to set</param> public virtual void SetCertificate(CertificateAndContext certificate) { this.certificate = certificate; }