// SignatureValidationStackCheck is deliberately left out of this binding element: the
// original note records that, used as designed, it would stop the endpoint whenever the
// interceptor throws. The field is kept here, disabled, so the decision stays visible.
// private SignatureValidationStackCheck stackCheck;

/// <summary>
/// Builds the server-side signature validation binding element from its validation
/// configuration and prepares the revocation lookup client used by the certificate checks.
/// </summary>
/// <param name="configuration">Server validation configuration, passed straight on to the base binding element.</param>
public ServerSignatureValidationProofBindingElement(dk.gov.oiosi.extension.wcf.Interceptor.Validation.ValidationServerConfiguration configuration)
    : base(configuration)
{
    logger = LoggerFactory.Create(this);

    // One lookup client per binding element; it is reused for every validation this element performs.
    var lookupFactory = new RevocationLookupFactory();
    revocationLookup = lookupFactory.CreateRevocationLookupClient();
}
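/// <summary>
/// Asks the revocation lookup (OCSP/CRL) for the status of <paramref name="certificate"/>,
/// prints the answer to the console and fails closed when the certificate is not reported valid.
/// </summary>
/// <param name="certificate">Certificate whose revocation status is checked; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The lookup returned no response, or a response whose <c>IsValid</c> is false.
/// </exception>
private void Revocation(X509Certificate2 certificate)
{
    if (certificate == null)
    {
        throw new ArgumentNullException("certificate");
    }

    // Create the OCSP client
    RevocationLookupFactory revocationLookupFactory = new RevocationLookupFactory();
    IRevocationLookup revocationClient = revocationLookupFactory.CreateRevocationLookupClient();

    // Check the validity status of the certificate using OCSP
    RevocationResponse revocationResponse = revocationClient.CheckCertificate(certificate);

    // Fail closed: a missing response is treated exactly like an explicit "not valid" answer.
    bool isValid = revocationResponse != null && revocationResponse.IsValid;

    // Print out info
    Console.Write(" 3. Certificate status returned by RevocationLookup.\n Is valid: ");
    Console.ForegroundColor = ConsoleColor.Yellow;
    Console.WriteLine(isValid.ToString());
    Console.ForegroundColor = ConsoleColor.White;

    // Make sure the cert was valid; a specific exception type replaces the bare Exception
    // (still caught by any existing catch (Exception) handler).
    if (!isValid)
    {
        throw new InvalidOperationException("The certificate returned by RevocationLookup was not valid");
    }
}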
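/// <summary>
/// Checks the revocation status of the endpoint's OCES certificate and throws unless the
/// check explicitly passed. Every other outcome (revoked, not checked, unknown issue, an
/// unexpected status value, or no response at all) is rejected, so the method fails closed.
/// </summary>
/// <param name="endpointOcesCertificate">Endpoint certificate to check; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="endpointOcesCertificate"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The revocation check did not return <c>RevocationCheckStatus.AllChecksPassed</c>.
/// </exception>
protected void ValidateEndpointCertificate(OcesX509Certificate endpointOcesCertificate)
{
    if (endpointOcesCertificate == null)
    {
        throw new ArgumentNullException("endpointOcesCertificate");
    }

    RevocationLookupFactory ocspLookupFactory = new RevocationLookupFactory();
    IRevocationLookup ocspClient = ocspLookupFactory.CreateRevocationLookupClient();
    RevocationResponse ocspStatus = endpointOcesCertificate.CheckRevocationStatus(ocspClient);

    // Fail closed: a missing response must not be mistaken for a pass.
    if (ocspStatus == null)
    {
        throw new InvalidOperationException("Certificate validation error - no revocation response");
    }

    // Specific exception type instead of bare Exception; existing catch (Exception) handlers still apply.
    switch (ocspStatus.RevocationCheckStatus)
    {
        case RevocationCheckStatus.AllChecksPassed:
            // all okay
            return;
        case RevocationCheckStatus.CertificateRevoked:
            throw new InvalidOperationException("Certificate validation error - CertificateRevoked");
        case RevocationCheckStatus.NotChecked:
            throw new InvalidOperationException("Certificate validation error - NotChecked");
        case RevocationCheckStatus.UnknownIssue:
            throw new InvalidOperationException("Certificate validation error - UnknownIssue");
        default:
            // A status value added later must never pass silently.
            throw new InvalidOperationException("Certificate validation error");
    }
}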
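/// <summary>
/// Instantiates CertificateChecker with the root certificate to fall back on and the
/// revocation lookup client that performs the actual OCSP lookups.
/// </summary>
/// <param name="defaultRootCertificate">default OCES root certificate</param>
/// <remarks>
/// Exceptions thrown while creating the lookup client propagate to the caller unchanged.
/// The original wrapped the body in catch-and-rethrow handlers for UriFormatException,
/// ArgumentNullException, OverflowException, FormatException,
/// CryptographicUnexpectedOperationException, CryptographicException and Exception; each
/// handler only did <c>throw;</c>, which is what the absence of a handler does anyway,
/// so they were removed without changing which exceptions reach the caller.
/// </remarks>
public CertificateChecker(X509Certificate2 defaultRootCertificate)
{
    // NOTE(review): no null check on defaultRootCertificate — confirm whether callers may
    // legitimately pass null before adding one.
    _defaultOCESrootCertificate = defaultRootCertificate;

    // Initializes the component that will do the actual OCSP lookup.
    RevocationLookupFactory lookupFactory = new RevocationLookupFactory();
    _lookup = lookupFactory.CreateRevocationLookupClient();
}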
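/// <summary>
/// Subject used by the parameterless <see cref="TextCertificate()"/>: the mySupply NemHandel
/// FOCES2 function certificate the original hard-coded. Earlier revisions swapped in other
/// production and test subjects here by editing the literal; pass a subject to
/// <see cref="TextCertificate(string)"/> instead.
/// </summary>
private const string DefaultTestCertificateSubject =
    "CN = mySupply NemHandel - Foces2 (funktionscertifikat) + SERIALNUMBER = CVR:32433030-FID:27705483, O = mySupply NemHandel // CVR:32433030, C = DK";

/// <summary>
/// Looks up the default test certificate in LDAP and reports its LDAP and OCSP/CRL status
/// on the console. Blocks on <see cref="Console.ReadLine"/> before returning.
/// </summary>
private void TextCertificate()
{
    TextCertificate(DefaultTestCertificateSubject);
}

/// <summary>
/// Looks up the certificate with the given subject in LDAP, asks the revocation lookup
/// (OCSP/CRL) whether it is valid, and reports both answers on the console.
/// Blocks on <see cref="Console.ReadLine"/> before returning.
/// </summary>
/// <param name="subject">
/// Subject of the certificate to find, in the form used by the OCES function certificates, e.g.
/// "CN = ... (funktionscertifikat) + SERIALNUMBER = CVR:...-FID:..., O = ... // CVR:..., C = DK".
/// Must not be null or empty.
/// </param>
/// <exception cref="ArgumentException"><paramref name="subject"/> is null or empty.</exception>
private void TextCertificate(string subject)
{
    if (string.IsNullOrEmpty(subject))
    {
        throw new ArgumentException("A certificate subject is required.", "subject");
    }

    // Retrieve the certificate from LDAP, if it is present there.
    CertificateSubject certificateSubject = new CertificateSubject(subject);
    LdapLookupFactory ldapClientFactory = new LdapLookupFactory();
    ICertificateLookup ldapClient = ldapClientFactory.CreateLdapLookupClient();
    X509Certificate2 certificate = ldapClient.GetCertificate(certificateSubject);

    if (certificate != null)
    {
        WriteSubjectLine(subject, ConsoleColor.Yellow, " found in LDAP.");

        // Validate that the certificate is valid in OCSP/CRL
        RevocationLookupFactory revocationLookupFactory = new RevocationLookupFactory();
        IRevocationLookup revocationClient = revocationLookupFactory.CreateRevocationLookupClient();
        RevocationResponse revocationResponse = revocationClient.CheckCertificate(certificate);

        // Fail closed: a missing response is reported as "not valid".
        if (revocationResponse != null && revocationResponse.IsValid)
        {
            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write("Certificate valid in OCSP/CRL");
        }
        else
        {
            Console.ForegroundColor = ConsoleColor.Red;
            Console.Write("Certificate not valid in OCSP/CRL");
        }
    }
    else
    {
        WriteSubjectLine(subject, ConsoleColor.Red, " NOT found in LDAP.");
    }

    Console.ForegroundColor = ConsoleColor.White;
    Console.WriteLine();
    Console.WriteLine("Press any key to exit.");
    Console.ReadLine();
}

// Prints "Certificate with subject <subject><suffix>", showing the subject in the given
// colour and leaving the foreground reset to white.
private static void WriteSubjectLine(string subject, ConsoleColor subjectColor, string suffix)
{
    Console.Write("Certificate with subject ");
    Console.ForegroundColor = subjectColor;
    Console.Write(subject);
    Console.ForegroundColor = ConsoleColor.White;
    Console.WriteLine(suffix);
}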