private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext cert) { CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert); if (issuerCertificate == null) { return(false); } else { //try //{ CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate .Certificate, cert.Certificate.SerialNumber); foreach (SingleResp resp in basicOcspResp.Responses) { if (resp.GetCertID().Equals(matchingCertID)) { return(true); } } return(false); //} //catch (OcspException ex) //{ // throw new RuntimeException(ex); //} } }
public virtual bool Check(CertificateAndContext cert) { if (cert is null) { throw new System.ArgumentNullException(nameof(cert)); } Asn1OctetString certificatePolicies = cert.Certificate.GetExtensionValue(X509Extensions.CertificatePolicies); if (certificatePolicies != null) { DerOctetString s = (DerOctetString)certificatePolicies; byte[] content = s.GetOctets(); using (Asn1InputStream input = new Asn1InputStream(content)) { DerSequence seq = (DerSequence)input.ReadObject(); for (int i = 0; i < seq.Count; i++) { PolicyInformation policyInfo = PolicyInformation.GetInstance(seq[i]); if (policyInfo.PolicyIdentifier.Id.Equals(policyOid, System.StringComparison.OrdinalIgnoreCase)) { return(true); } } } } return(false); }
public override bool Equals(object obj) { if (this == obj) { return(true); } if (obj == null) { return(false); } if (GetType() != obj.GetType()) { return(false); } CertificateAndContext other = (CertificateAndContext)obj; if (Certificate == null) { if (other.Certificate != null) { return(false); } } else { if (!Certificate.Equals(other.Certificate)) { return(false); } } return(true); }
public virtual bool Check(CertificateAndContext cert) { if (cert is null) { throw new System.ArgumentNullException(nameof(cert)); } Asn1OctetString qcStatement = cert.Certificate.GetExtensionValue(X509Extensions.QCStatements); if (qcStatement != null) { DerOctetString s = (DerOctetString)qcStatement; byte[] content = s.GetOctets(); using (Asn1InputStream input = new Asn1InputStream(content)) { DerSequence seq = (DerSequence)input.ReadObject(); for (int i = 0; i < seq.Count; i++) { QCStatement statement = QCStatement.GetInstance(seq[i]); if (statement.StatementId.Id.Equals(qcStatementId, System.StringComparison.OrdinalIgnoreCase)) { return(true); } } return(false); } } return(false); }
public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST) { CertificateStatus status = new CertificateStatus { Validity = CertificateValidity.VALID, StatusSourceType = ValidatorSourceType.TRUSTED_LIST, Certificate = cert.Certificate }; return(status); } CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert); if (issuer == null) { return(null); } IOcspSource ocspSource = new ListOCSPSource(NeededOCSPResp); ICrlSource crlSource = new ListCRLSource(NeededCRL); var verifier = certificateVerifierFactory(ocspSource, crlSource); return(verifier.Check(cert.Certificate, issuer.Certificate, ValidationDate)); }
public CertificateVerification(CertificateAndContext cert, IValidationContext ctx) { if (ctx is null) { throw new System.ArgumentNullException(nameof(ctx)); } CertificateAndContext = cert; if (cert != null) { try { cert.Certificate.CheckValidity(ctx.ValidationDate); validityPeriodVerification = new Result(ResultStatus.VALID, null); } catch (CertificateExpiredException) { validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateExpired"); } catch (CertificateNotYetValidException) { validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateNotYetValid"); } CertificateStatus status = ctx.GetCertificateStatusFromContext(cert); if (status != null) { certificateStatus = new RevocationVerificationResult(status); } Summary.SetStatus(ResultStatus.VALID, null); if (ValidityPeriodVerification.IsInvalid) { Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateIsNotValid"); } if (CertificateStatus != null) { if (CertificateStatus.Status == CertificateValidity.REVOKED) { Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateRevoked"); } else { if (CertificateStatus.Status == CertificateValidity.UNKNOWN) { Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_RevocationUnknown"); } } } else if (!ValidityPeriodVerification.IsInvalid) { Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_NoRevocationData"); } } }
/// <summary> /// Retrieve all the qualifiers for which the corresponding condition evaluate to true. /// </summary> public virtual IList <string> GetQualifiers(CertificateAndContext cert) { IList <string> list = new List <string>(); foreach (KeyValuePair <string, Condition> e in qualifiersAndConditions) { if (e.Value.Check(cert)) { list.Add(e.Key); } } return(list); }
/// <summary> /// Return the ServiceInfo of the parent (in the Trusted List) of the certificate /// </summary> public virtual ServiceInfo GetRelevantServiceInfo() { CertificateAndContext cert = new CertificateAndContext(Certificate); CertificateAndContext parent = GetParentFromTrustedList(cert); if (parent == null) { return(null); } else { ServiceInfo info = (ServiceInfo)parent.Context; return(info); } }
/// <summary> /// Retrieve the parent from the trusted list /// </summary> public virtual CertificateAndContext GetParentFromTrustedList(CertificateAndContext ctx) { CertificateAndContext parent = ctx; while ((parent = GetIssuerCertificateFromThisContext(parent)) != null) { if (parent.CertificateSource == CertificateSourceType.TRUSTED_LIST) { logger?.Info("Parent from TrustedList found " + parent); return(parent); } } logger?.Warn("No issuer in the TrustedList for this certificate. The parent found is " + parent); return(null); }
public IList <CertificateAndContext> GetCertificateBySubjectName(X509Name subjectName) { IList <CertificateAndContext> list = new List <CertificateAndContext>(); foreach (X509Certificate cert in GetCertificates()) { if (subjectName.Equals(cert.SubjectDN)) { CertificateAndContext cc = new CertificateAndContext(cert) { CertificateSource = sourceType }; list.Add(cc); } } return(list); }
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource) { if (optionalCRLSource != null || optionalOCSPSource != null) { logger?.Info(VerifyWithOfflineServiceMessage); var verifier = certificateVerifierFactory(optionalOCSPSource, optionalCRLSource); var status = verifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate); if (status != null) { return(status); } } logger?.Info(VerifyWithOnlineServiceMessage); var onlineVerifier = certificateVerifierFactory(OcspSource, CrlSource); return(onlineVerifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate)); }
/// <summary> /// Returns the OCSP responses in the context which concern the provided certificate. /// </summary> /// <remarks> /// Returns the OCSP responses in the context which concern the provided certificate. It can happen there are more /// than one, even though this is unlikely. /// </remarks> /// <param> /// the X509 certificate /// </param> /// <returns> /// the list of OCSP responses related to the certificate /// </returns> public virtual IList <BasicOcspResp> GetRelatedOCSPResp(CertificateAndContext cert) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } IList <BasicOcspResp> ocspresps = new List <BasicOcspResp>(); foreach (BasicOcspResp ocspresp in NeededOCSPResp) { if (ConcernsCertificate(ocspresp, cert)) { ocspresps.Add(ocspresp); } } return(ocspresps); }
/// <summary> /// Returns the CRLs in the context which concern the provided certificate. /// </summary> /// <remarks> /// Returns the CRLs in the context which concern the provided certificate. It can happen there are more than one, /// even though this is unlikely. /// </remarks> /// <param> /// the X509 certificate /// </param> /// <returns> /// the list of CRLs related to the certificate /// </returns> public virtual IList <X509Crl> GetRelatedCRLs(CertificateAndContext cert) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } IList <X509Crl> crls = new List <X509Crl>(); foreach (X509Crl crl in NeededCRL) { if (ConcernsCertificate(crl, cert)) { crls.Add(crl); } } return(crls); }
internal void AddNotYetVerifiedToken(ISignedToken signedToken) { if (!RevocationInfo.ContainsKey(signedToken)) { logger?.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode()); RevocationInfo[signedToken] = null; if (signedToken is CRLToken) { NeededCRL.Add(((CRLToken)signedToken).GetX509crl()); } else { if (signedToken is OCSPRespToken) { NeededOCSPResp.Add(((OCSPRespToken)signedToken).GetOcspResp()); } else { if (signedToken is CertificateToken) { bool found = false; CertificateAndContext newCert = ((CertificateToken)signedToken).GetCertificateAndContext(); foreach (CertificateAndContext c in NeededCertificates) { if (c.Certificate.Equals(newCert.Certificate)) { found = true; break; } } if (!found) { NeededCertificates.Add(newCert); } } } } } else { logger?.Info("Token was already in list " + signedToken); } }
/// <summary> /// Finds the provided certificate's issuer in the context /// </summary> /// <param> /// The certificate whose issuer to find /// </param> /// <returns> /// the issuer's X509Certificate /// </returns> public virtual CertificateAndContext GetIssuerCertificateFromThisContext(CertificateAndContext cert) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } if (cert.Certificate.SubjectDN.Equals(cert.Certificate.IssuerDN)) { return(null); } foreach (CertificateAndContext c in NeededCertificates) { if (c.Certificate.SubjectDN.Equals(cert.Certificate.IssuerDN)) { return(c); } } return(null); }
/// <summary> /// Create a CertificateToken /// </summary> public CertificateToken(CertificateAndContext cert, ICertificateSourceFactory sourceFactory) { this.cert = cert; this.sourceFactory = sourceFactory; }
private bool ConcernsCertificate(X509Crl x509crl, CertificateAndContext cert) { return(x509crl.IssuerDN.Equals(cert.Certificate.IssuerDN)); }
/// <summary> /// Build the validation context for the specific date /// </summary> public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { int previousSize = RevocationInfo.Count; int previousVerified = VerifiedTokenCount(); ISignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource); CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate); RevocationData data = null; if (issuer == null) { logger?.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { usedCerts?.Add(issuer); AddNotYetVerifiedToken(certificateTokenFactory(issuer)); if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN)) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); } Validate(trustedToken, noNeedToValidate); } else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { logger?.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new Exception("Not supported token type " + signedToken.GetType().Name); } } } Validate(signedToken, data); logger?.Info(ToString()); int newSize = RevocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts); } } }