//5. The time at which the status being indicated is known to be
//correct (thisUpdate) is sufficiently recent.
private void ValidateThisUpdate(SingleResp resp)
{
if (Math.Abs(resp.ThisUpdate.Ticks - DateTime.Now.Ticks) > MaxClockSkew)
{
//NEWthrow new Exception("Max clock skew reached.");
}
}
public FirmaXades.Clients.CertificateStatus ProcessOcspResponse(byte[] binaryResp)
{
if (binaryResp.Length != 0)
{
OcspResp ocspResp = new OcspResp(binaryResp);
FirmaXades.Clients.CertificateStatus result = FirmaXades.Clients.CertificateStatus.Unknown;
if (ocspResp.Status != 0)
{
throw new Exception("Unknow status '" + ocspResp.Status + "'.");
}
BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();
if (basicOcspResp.Responses.Length == 1)
{
SingleResp singleResp = basicOcspResp.Responses[0];
object certStatus = singleResp.GetCertStatus();
if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
result = FirmaXades.Clients.CertificateStatus.Good;
}
else if (certStatus is RevokedStatus)
{
result = FirmaXades.Clients.CertificateStatus.Revoked;
}
else if (certStatus is UnknownStatus)
{
result = FirmaXades.Clients.CertificateStatus.Unknown;
}
}
return(result);
}
return(FirmaXades.Clients.CertificateStatus.Unknown);
}
//6. When available, the time at or before which newer information will
//be available about the status of the certificate (nextUpdate) is
//greater than the current time.
private void ValidateNextUpdate(SingleResp resp)
{
if (resp.NextUpdate != null && resp.NextUpdate.Value != null && resp.NextUpdate.Value.Ticks <= DateTime.Now.Ticks)
{
//NEWthrow new Exception("Invalid next update.");
}
}
/// <summary>Gets an encoded byte array with OCSP validation.</summary>
/// <remarks>Gets an encoded byte array with OCSP validation. The method should not throw an exception.</remarks>
/// <param name="checkCert">to certificate to check</param>
/// <param name="rootCert">the parent certificate</param>
/// <param name="url">
/// to get the verification. It it's null it will be taken
/// from the check cert or from other implementation specific source
/// </param>
/// <returns>a byte array with the validation or null if the validation could not be obtained</returns>
public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try {
BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url);
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else
{
if (status is RevokedStatus)
{
throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_REVOKED);
}
else
{
throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_UNKNOWN);
}
}
}
}
}
catch (Exception ex) {
LOGGER.Error(ex.Message);
}
return(null);
}
public OcspResponse ParseOcspResponse(BasicOcspResp brep)
{
SingleResp singleResp = brep.Responses.Single();
var itstatus = singleResp.GetCertStatus();
var status = new OcspResponse()
{
ProducedAt = brep.ProducedAt,
ThisUpdate = singleResp.ThisUpdate,
NextUpdate = singleResp.NextUpdate.Value
};
if (itstatus == CertificateStatus.Good)
{
status.Status = OcspRevocationStatus.Good;
}
else if (itstatus is RevokedStatus revokedStatus)
{
status.Status = OcspRevocationStatus.Revoked;
status.RevocationTime = revokedStatus.RevocationTime;
try
{
status.RevocationReason = revokedStatus.RevocationReason;
}
catch (InvalidOperationException)
{
status.RevocationReason = -1;
}
}
else
{
status.Status = OcspRevocationStatus.Unknown;
}
return(status);
}
/**
* Gets an encoded byte array with OCSP validation. The method should not throw an exception.
* @param checkCert to certificate to check
* @param rootCert the parent certificate
* @param the url to get the verification. It it's null it will be taken
* from the check cert or from other implementation specific source
* @return a byte array with the validation or null if the validation could not be obtained
*/
public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try {
BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url);
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
}
catch (Exception ex) {
if (LOGGER.IsLogging(Level.ERROR))
{
LOGGER.Error(ex.Message);
}
}
return(null);
}
/**
* @return a byte array
* @see com.lowagie.text.pdf.OcspClient#getEncoded()
*/
public byte[] GetEncoded()
{
OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
con.ContentLength = array.Length;
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStream();
outp.Write(array, 0, array.Length);
outp.Close();
HttpWebResponse response = (HttpWebResponse)con.GetResponse();
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Close();
response.Close();
if (ocspResponse.Status != 0)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status));
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
return(null);
}
/// <summary>
/// @see com.lowagie.text.pdf.OcspClient#getEncoded()
/// </summary>
/// <returns> a byte array</returns>
public byte[] GetEncoded()
{
OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url);
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStreamAsync().Result;
outp.Write(array, 0, array.Length);
outp.Dispose();
HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result;
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}");
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Dispose();
response.Dispose();
if (ocspResponse.Status != 0)
{
throw new IOException("Invalid status: " + ocspResponse.Status);
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is RevokedStatus)
{
throw new IOException("OCSP Status is revoked!");
}
else
{
throw new IOException("OCSP Status is unknown!");
}
}
}
return(null);
}
private static bool IsCurrent(SingleResp resp)
{
if (Math.Abs(resp.ThisUpdate.Ticks - DateTime.Now.Ticks) > MaxClockSkew)
{
return(false);
}
else
{
return(true);
}
}
public SingleResp[] GetResponses()
{
Asn1Sequence responses = data.Responses;
SingleResp[] array = new SingleResp[responses.Count];
for (int i = 0; i != array.Length; i++)
{
array[i] = new SingleResp(SingleResponse.GetInstance(responses[i]));
}
return(array);
}
private OcspStatus VerifyResponse(byte[] response)
{
OcspResp r = new OcspResp(response);
OcspStatus cStatusEnum = OcspStatus.Unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
var or = (BasicOcspResp)r.GetResponseObject();
Debug.WriteLine(or.Responses.Length);
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
var certificateStatus = resp.GetCertStatus();
if (certificateStatus == null || certificateStatus == CertificateStatus.Good)
{
cStatusEnum = OcspStatus.Good;
}
else if (certificateStatus is RevokedStatus)
{
cStatusEnum = OcspStatus.Revoked;
}
else if (certificateStatus is UnknownStatus)
{
cStatusEnum = OcspStatus.Unknown;
}
}
break;
case OcspResponseStatus.InternalError:
case OcspResponseStatus.TryLater:
cStatusEnum = OcspStatus.ServerError;
break;
case OcspResponseStatus.MalformedRequest:
case OcspResponseStatus.SignatureRequired:
case OcspResponseStatus.Unauthorized:
cStatusEnum = OcspStatus.ClientError;
break;
default:
Debug.WriteLine($"Unknow status '{r.Status}'.");
cStatusEnum = OcspStatus.Unknown;
break;
}
return(cStatusEnum);
}
/// <summary>
/// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado
/// </summary>
/// <param name="binaryResp"></param>
/// <returns></returns>
public CertificateStatus ProcessOcspResponse(byte[] binaryResp, bool checkNonce)
{
if (binaryResp.Length == 0)
{
return(CertificateStatus.Unknown);
}
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.Unknown;
if (r.Status == OcspRespStatus.Successful)
{
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
if (checkNonce)
{
if (or.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).ToString() !=
_nonceAsn1OctetString.ToString())
{
throw new Exception("Bad nonce value");
}
}
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
cStatus = CertificateStatus.Revoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
cStatus = CertificateStatus.Unknown;
}
}
}
else
{
throw new Exception("Unknow status '" + r.Status + "'.");
}
return(cStatus);
}
private CertificateStatus processOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp, out string respMsg)
{
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
validateResponse(or, issuerCert);
respMsg = string.Empty;
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
validateCertificateId(issuerCert, clientCert, resp.GetCertID());
validateThisUpdate(resp);
validateNextUpdate(resp);
Object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.good;
respMsg = "Certificado Válido";
}
else if (certificateStatus is RevokedStatus)
{
cStatus = CertificateStatus.revoked;
respMsg = "Certificado Revocado";
}
else if (certificateStatus is UnknownStatus)
{
cStatus = CertificateStatus.unknown;
respMsg = "Certificado Desconocido";
}
}
break;
default:
respMsg = "No se ha podido procesar la respuesta OCSP";
//throw new Exception("Status Desconocido '" + r.Status + "'.");
return(cStatus);
}
return(cStatus);
}
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp)
{
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.Unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
ValidateResponse(or, issuerCert);
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
ValidateCertificateId(issuerCert, eeCert, resp.GetCertID());
ValidateThisUpdate(resp);
ValidateNextUpdate(resp);
Object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
cStatus = CertificateStatus.Revoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
cStatus = CertificateStatus.Unknown;
}
}
break;
default:
throw new OCSPExpection("Unknown status '" + r.Status + "'.");
}
return(cStatus);
}
/// <summary>
/// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado
/// </summary>
/// <param name="eeCert"></param>
/// <param name="issuerCert"></param>
/// <param name="binaryResp"></param>
/// <returns></returns>
public CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp)
{
if (binaryResp.Length == 0)
{
return(CertificateStatus.Unknown);
}
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.Unknown;
if (r.Status == OcspRespStatus.Successful)
{
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
cStatus = CertificateStatus.Revoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
cStatus = CertificateStatus.Unknown;
}
}
}
else
{
throw new Exception("Unknow status '" + r.Status + "'.");
}
return(cStatus);
}
private CertificateStatus ProcesarRespuestaOcsp(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor, byte[] in_BytesRespuesta)
{
OcspResp r = new OcspResp(in_BytesRespuesta);
CertificateStatus estado = CertificateStatus.Unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
ValidarCertificateId(in_CertificadoEmisor, in_Certificado, resp.GetCertID());
Object estadoCertificado = resp.GetCertStatus();
if (estadoCertificado == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
estado = CertificateStatus.Good;
}
else if (estadoCertificado is Org.BouncyCastle.Ocsp.RevokedStatus)
{
estado = CertificateStatus.Revoked;
}
else if (estadoCertificado is Org.BouncyCastle.Ocsp.UnknownStatus)
{
estado = CertificateStatus.Unknown;
}
}
break;
default:
throw new Exception("Status desconocido'" + r.Status + "'.");
}
return(estado);
}
/**
* Checks if OCSP revocation refers to the document signing certificate.
* @return true if it checks, false otherwise
* @since 2.1.6
*/
public bool IsRevocationValid()
{
if (basicResp == null)
{
return(false);
}
if (signCerts.Count < 2)
{
return(false);
}
try {
X509Certificate[] cs = SignCertificateChain;
SingleResp sr = basicResp.Responses[0];
CertificateID cid = sr.GetCertID();
X509Certificate sigcer = SigningCertificate;
X509Certificate isscer = cs[1];
CertificateID tis = new CertificateID(CertificateID.HashSha1, isscer, sigcer.SerialNumber);
return(tis.Equals(cid));
}
catch {
}
return(false);
}
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp)
{
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = null;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
ValidateCertificateId(issuerCert, eeCert, resp.GetCertID());
Object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new Exception(Resource.ErrorOscpRevocado);
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
throw new Exception(Resource.ErrorOscpDesconocido);
}
}
break;
default:
throw new Exception(Resource.ErrorOscpDesconocido);
}
return(cStatus);
}
private OcspCheckStatus ParseOcspResponse(byte[] raw)
{
OcspResp response = new OcspResp(raw);
if (response.Status == OcspRespStatus.Unauthorized)
{
return(OcspCheckStatus.Unauthorized);
}
else if (response.Status != OcspResponseStatus.Successful)
{
return(OcspCheckStatus.Error);
}
var brep = (BasicOcspResp)response.GetResponseObject();
SingleResp[] singleResps = brep.Responses;
SingleResp singleResp = singleResps[0];
Object status = singleResp.GetCertStatus();
if (status == null)
{
return(OcspCheckStatus.Good);
}
if (status is RevokedStatus)
{
return(OcspCheckStatus.Revoked);
}
if (status is UnknownStatus)
{
return(OcspCheckStatus.Unknown);
}
return(OcspCheckStatus.Error);
}
/// <summary>
/// Validate a certificate against its AIA OCSP.
/// </summary>
/// <param name="cert"></param>
/// <param name="aia"></param>
/// <returns></returns>
CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert,
AIA aia)
{
string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer));
string filePath = IssuerCachedFolder + hash;
//Check if aki is cached
if (!IsIssuerCached(aia.Issuer))
{
Download(aia.Issuer, filePath);
if (!IsIssuerCached(aia.Issuer))
{
return(CertStatus.Unknown(CertStatus.BadIssuer));
}
}
var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath);
var certParser = new Org.BouncyCastle.X509.X509CertificateParser();
var issuer = certParser.ReadCertificate(issuerTemp.RawData);
var cert2Validate = certParser.ReadCertificate(cert.RawData);
var id = new Org.BouncyCastle.Ocsp.CertificateID(
Org.BouncyCastle.Ocsp.CertificateID.HashSha1,
issuer,
cert2Validate.SerialNumber);
byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate);
byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc);
//Extract the response
OcspResp ocspResponse = new OcspResp(resp);
BasicOcspResp basicOCSPResponse =
(BasicOcspResp)ocspResponse.GetResponseObject();
SingleResp singResp = basicOCSPResponse.Responses[0];
//Validate ID
var expectedId = singResp.GetCertID();
if (!expectedId.SerialNumber.Equals(id.SerialNumber))
{
return(CertStatus.Unknown(CertStatus.BadSerial));
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash()))
{
return(CertStatus.Unknown(CertStatus.IssuerNotMatch));
}
//Extract Status
var certificateStatus = singResp.GetCertStatus();
if (certificateStatus == null)
{
return(CertStatus.Good);
}
if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason;
var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime;
return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason));
}
if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
return(CertStatus.Unknown());
}
return(CertStatus.Unknown());
}
private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca)
{
DateTime nowInGmt = DateTime.Now.ToUniversalTime();
/* check condition:
* The certificate identified in a received response corresponds to
* that which was identified in the corresponding request;
*/
SingleResp[] responses = basicResp.Responses;
if (responses.Length != 1)
{
throw new OcspException("unexpected number of responses received");
}
if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber))
{
throw new OcspException("Serial number mismatch problem");
}
/* check condition
* The signature on the response is valid;
*/
try
{
ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca);
}
catch (ChainVerificationException e)
{
throw new OcspException("OCSP response certificate chain is invalid", e);
}
/* check the signature on the ocsp response */
var ocspBcCertificate =
new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData);
if (!basicResp.Verify(ocspBcCertificate.GetPublicKey()))
{
throw new OcspException("signature validation failed for ocsp response");
}
if (!CanSignOcspResponses(ocspBcCertificate))
{
throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing");
}
/* check expiry of the signing certificate */
if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid)
{
throw new OcspException("OCSP certificate expired or not yet valid");
}
/* check condition
* The time at which the status being indicated is known to be
* correct (thisUpdate) is sufficiently recent.
*/
SingleResp response = responses[0];
var diff = response.ThisUpdate - nowInGmt;
if (diff > new TimeSpan(0, 1, 0))
{
throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: "
+ response.ThisUpdate);
}
if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt)
{
throw new OcspException("OCSP response is no longer valid");
}
}
/**
* @return a byte array
* @see com.lowagie.text.pdf.OcspClient#getEncoded()
*/
public Boolean runAuth()
{
OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
// Debug.WriteLine(checkCert.SerialNumber.ToString(16));
Debug.WriteLine("..running OCSP check with : " + url);
byte[] array = request.GetEncoded();
// foreach (var i in array) { Debug.WriteLine(Convert.ToBase64String(i)); }
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
con.ContentLength = array.Length;
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp;
try
{
outp = con.GetRequestStream();
}
catch (Exception e)
{
Debug.WriteLine("Exception : " + e.Message);
return(false);
}
outp.Write(array, 0, array.Length);
outp.Close();
HttpWebResponse response = (HttpWebResponse)con.GetResponse();
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException("invalid.http.response.1" + response.StatusCode);
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
string responseText;
using (var reader = new System.IO.StreamReader(inp, ASCIIEncoding.ASCII))
{
responseText = reader.ReadToEnd();
}
inp.Close();
response.Close();
if (ocspResponse.Status != 0)
{
throw new IOException("invalid.status.1" + ocspResponse.Status);
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
var resp_certs = basicResponse.GetCerts();
//basicResponse.GetCertificates("Collection");
X509Store store = new X509Store(StoreName.CertificateAuthority);
store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadOnly);
int num_matches = 0;
foreach (var c in resp_certs)
{
// Debug.WriteLine("...");
// cehck subject or issuer to see if in store
// Debug.WriteLine(c.SubjectDN);
// Debug.WriteLine(c.IssuerDN);
string issuer_cn = c.IssuerDN.ToString().Split(new string[] { "CN=" }, StringSplitOptions.None)[1].Split(',')[0];
var fndCA = store.Certificates.Find(X509FindType.FindBySubjectName, issuer_cn, true);
if (fndCA.Count > 0)
{
num_matches++;
}
}
if (num_matches != resp_certs.Length)
{
throw new IOException("Response certificate validation failed!");
}
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
// Debug.WriteLine(status+"=?"+CertificateStatus.Good);
if (status == CertificateStatus.Good)
{
//Debug.WriteLine("CERT IS GOOD!! VALID!!");
//return basicResponse.GetEncoded();
return(true);
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
//throw new IOException("ocsp.status.is.revoked");
Debug.WriteLine("Cert is revoked!");
return(false);
}
else
{
//Debug.WriteLine(responseText);
//throw new IOException("ocsp.status.is.unknown ");
Debug.WriteLine("Unknown status!");
return(false);
}
}
else
{
Debug.WriteLine("DID NOT GET UNIQUE RESPONSE! (" + responses.Length + ")");
/*
* foreach (SingleResp r in responses)
* {
* Debug.WriteLine("..." + r.GetCertID()+" :: "+r.GetCertStatus());
* }*/
}
}
else
{
Debug.WriteLine("BASIC RESPONSE WAS NULL!");
}
return(false);
}
private int VerifyOCSPResponse()
{
if (ocspResponse.Status != 0)
{
this.lastError = Resources.INVALID_OCSP_STATUS + ocspResponse.Status;
return((int)CertStatus.ERROR);
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
if (responderCert != null)
{
bool verifyResult = basicResponse.Verify(responderCert.GetPublicKey());
if (verifyResult != true)
{
this.lastError = Resources.OCSP_VERIFY_FAILED;
return((int)CertStatus.ERROR);
}
}
SingleResp[] responses = basicResponse.Responses;
byte[] reqNonce = ocspRequest.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).GetEncoded();
byte[] respNonce = basicResponse.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).GetEncoded();
if (reqNonce == null || Arrays.AreEqual(reqNonce, respNonce))
{
// will handle single response only
if (responses.Length != 1)
{
this.lastError = Resources.INVALID_OCSP_RESPONSE_COUNT + responses.Length;
return((int)CertStatus.ERROR);
}
SingleResp resp = responses[0];
// Check that response creation time is in valid time slot.
DateTime thisUpdate = resp.ThisUpdate;
DateTimeObject nextUpdate = resp.NextUpdate;
DateTime now = DateTime.UtcNow;
// Check whether response creation ramained in valid slot
bool valid = CheckTimeValidity(thisUpdate, nextUpdate, 5000, 100000);
if (valid == false)
{
this.lastError = Resources.INVALID_OCSP_TIMESLOT;
return((int)CertStatus.ERROR);
}
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
// Ok
return((int)CertStatus.GOOD);
}
else if (status is RevokedStatus)
{
this.lastError = string.Format(Resources.OCSP_ERROR,
resp.GetCertID().SerialNumber,
"revoked");
return((int)CertStatus.REVOKED);
}
else
{
this.lastError = string.Format(Resources.OCSP_ERROR,
resp.GetCertID().SerialNumber,
"unknown");
return((int)CertStatus.UNKNOWN);
}
}
}
else
{
this.lastError = Resources.INVALID_OCSP_RESPONSE;
}
// failed
return((int)CertStatus.ERROR);
}
