private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext
cert)
{
CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert);
if (issuerCertificate == null)
{
return(false);
}
else
{
//try
//{
CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate
.Certificate, cert.Certificate.SerialNumber);
foreach (SingleResp resp in basicOcspResp.Responses)
{
if (resp.GetCertID().Equals(matchingCertID))
{
return(true);
}
}
return(false);
//}
//catch (OcspException ex)
//{
// throw new RuntimeException(ex);
//}
}
}
public virtual bool Check(CertificateAndContext cert)
{
if (cert is null)
{
throw new System.ArgumentNullException(nameof(cert));
}
Asn1OctetString certificatePolicies = cert.Certificate.GetExtensionValue(X509Extensions.CertificatePolicies);
if (certificatePolicies != null)
{
DerOctetString s = (DerOctetString)certificatePolicies;
byte[] content = s.GetOctets();
using (Asn1InputStream input = new Asn1InputStream(content))
{
DerSequence seq = (DerSequence)input.ReadObject();
for (int i = 0; i < seq.Count; i++)
{
PolicyInformation policyInfo = PolicyInformation.GetInstance(seq[i]);
if (policyInfo.PolicyIdentifier.Id.Equals(policyOid, System.StringComparison.OrdinalIgnoreCase))
{
return(true);
}
}
}
}
return(false);
}
public override bool Equals(object obj)
{
if (this == obj)
{
return(true);
}
if (obj == null)
{
return(false);
}
if (GetType() != obj.GetType())
{
return(false);
}
CertificateAndContext other = (CertificateAndContext)obj;
if (Certificate == null)
{
if (other.Certificate != null)
{
return(false);
}
}
else
{
if (!Certificate.Equals(other.Certificate))
{
return(false);
}
}
return(true);
}
public virtual bool Check(CertificateAndContext cert)
{
if (cert is null)
{
throw new System.ArgumentNullException(nameof(cert));
}
Asn1OctetString qcStatement = cert.Certificate.GetExtensionValue(X509Extensions.QCStatements);
if (qcStatement != null)
{
DerOctetString s = (DerOctetString)qcStatement;
byte[] content = s.GetOctets();
using (Asn1InputStream input = new Asn1InputStream(content))
{
DerSequence seq = (DerSequence)input.ReadObject();
for (int i = 0; i < seq.Count; i++)
{
QCStatement statement = QCStatement.GetInstance(seq[i]);
if (statement.StatementId.Id.Equals(qcStatementId, System.StringComparison.OrdinalIgnoreCase))
{
return(true);
}
}
return(false);
}
}
return(false);
}
public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
CertificateStatus status = new CertificateStatus
{
Validity = CertificateValidity.VALID,
StatusSourceType = ValidatorSourceType.TRUSTED_LIST,
Certificate = cert.Certificate
};
return(status);
}
CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);
if (issuer == null)
{
return(null);
}
IOcspSource ocspSource = new ListOCSPSource(NeededOCSPResp);
ICrlSource crlSource = new ListCRLSource(NeededCRL);
var verifier = certificateVerifierFactory(ocspSource, crlSource);
return(verifier.Check(cert.Certificate, issuer.Certificate, ValidationDate));
}
public CertificateVerification(CertificateAndContext cert, IValidationContext ctx)
{
if (ctx is null)
{
throw new System.ArgumentNullException(nameof(ctx));
}
CertificateAndContext = cert;
if (cert != null)
{
try
{
cert.Certificate.CheckValidity(ctx.ValidationDate);
validityPeriodVerification = new Result(ResultStatus.VALID, null);
}
catch (CertificateExpiredException)
{
validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateExpired");
}
catch (CertificateNotYetValidException)
{
validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateNotYetValid");
}
CertificateStatus status = ctx.GetCertificateStatusFromContext(cert);
if (status != null)
{
certificateStatus = new RevocationVerificationResult(status);
}
Summary.SetStatus(ResultStatus.VALID, null);
if (ValidityPeriodVerification.IsInvalid)
{
Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateIsNotValid");
}
if (CertificateStatus != null)
{
if (CertificateStatus.Status == CertificateValidity.REVOKED)
{
Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateRevoked");
}
else
{
if (CertificateStatus.Status == CertificateValidity.UNKNOWN)
{
Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_RevocationUnknown");
}
}
}
else if (!ValidityPeriodVerification.IsInvalid)
{
Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_NoRevocationData");
}
}
}
/// <summary>
/// Retrieve all the qualifiers for which the corresponding condition evaluate to true.
/// </summary>
public virtual IList <string> GetQualifiers(CertificateAndContext cert)
{
IList <string> list = new List <string>();
foreach (KeyValuePair <string, Condition> e in qualifiersAndConditions)
{
if (e.Value.Check(cert))
{
list.Add(e.Key);
}
}
return(list);
}
/// <summary>
/// Return the ServiceInfo of the parent (in the Trusted List) of the certificate
/// </summary>
public virtual ServiceInfo GetRelevantServiceInfo()
{
CertificateAndContext cert = new CertificateAndContext(Certificate);
CertificateAndContext parent = GetParentFromTrustedList(cert);
if (parent == null)
{
return(null);
}
else
{
ServiceInfo info = (ServiceInfo)parent.Context;
return(info);
}
}
/// <summary>
/// Retrieve the parent from the trusted list
/// </summary>
public virtual CertificateAndContext GetParentFromTrustedList(CertificateAndContext ctx)
{
CertificateAndContext parent = ctx;
while ((parent = GetIssuerCertificateFromThisContext(parent)) != null)
{
if (parent.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
logger?.Info("Parent from TrustedList found " + parent);
return(parent);
}
}
logger?.Warn("No issuer in the TrustedList for this certificate. The parent found is " + parent);
return(null);
}
public IList <CertificateAndContext> GetCertificateBySubjectName(X509Name subjectName)
{
IList <CertificateAndContext> list = new List <CertificateAndContext>();
foreach (X509Certificate cert in GetCertificates())
{
if (subjectName.Equals(cert.SubjectDN))
{
CertificateAndContext cc = new CertificateAndContext(cert)
{
CertificateSource = sourceType
};
list.Add(cc);
}
}
return(list);
}
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource)
{
if (optionalCRLSource != null || optionalOCSPSource != null)
{
logger?.Info(VerifyWithOfflineServiceMessage);
var verifier = certificateVerifierFactory(optionalOCSPSource, optionalCRLSource);
var status = verifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate);
if (status != null)
{
return(status);
}
}
logger?.Info(VerifyWithOnlineServiceMessage);
var onlineVerifier = certificateVerifierFactory(OcspSource, CrlSource);
return(onlineVerifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate));
}
/// <summary>
/// Returns the OCSP responses in the context which concern the provided certificate.
/// </summary>
/// <remarks>
/// Returns the OCSP responses in the context which concern the provided certificate. It can happen there are more
/// than one, even though this is unlikely.
/// </remarks>
/// <param>
/// the X509 certificate
/// </param>
/// <returns>
/// the list of OCSP responses related to the certificate
/// </returns>
public virtual IList <BasicOcspResp> GetRelatedOCSPResp(CertificateAndContext cert)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
IList <BasicOcspResp> ocspresps = new List <BasicOcspResp>();
foreach (BasicOcspResp ocspresp in NeededOCSPResp)
{
if (ConcernsCertificate(ocspresp, cert))
{
ocspresps.Add(ocspresp);
}
}
return(ocspresps);
}
/// <summary>
/// Returns the CRLs in the context which concern the provided certificate.
/// </summary>
/// <remarks>
/// Returns the CRLs in the context which concern the provided certificate. It can happen there are more than one,
/// even though this is unlikely.
/// </remarks>
/// <param>
/// the X509 certificate
/// </param>
/// <returns>
/// the list of CRLs related to the certificate
/// </returns>
public virtual IList <X509Crl> GetRelatedCRLs(CertificateAndContext cert)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
IList <X509Crl> crls = new List <X509Crl>();
foreach (X509Crl crl in NeededCRL)
{
if (ConcernsCertificate(crl, cert))
{
crls.Add(crl);
}
}
return(crls);
}
internal void AddNotYetVerifiedToken(ISignedToken signedToken)
{
if (!RevocationInfo.ContainsKey(signedToken))
{
logger?.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode());
RevocationInfo[signedToken] = null;
if (signedToken is CRLToken)
{
NeededCRL.Add(((CRLToken)signedToken).GetX509crl());
}
else
{
if (signedToken is OCSPRespToken)
{
NeededOCSPResp.Add(((OCSPRespToken)signedToken).GetOcspResp());
}
else
{
if (signedToken is CertificateToken)
{
bool found = false;
CertificateAndContext newCert = ((CertificateToken)signedToken).GetCertificateAndContext();
foreach (CertificateAndContext c in NeededCertificates)
{
if (c.Certificate.Equals(newCert.Certificate))
{
found = true;
break;
}
}
if (!found)
{
NeededCertificates.Add(newCert);
}
}
}
}
}
else
{
logger?.Info("Token was already in list " + signedToken);
}
}
/// <summary>
/// Finds the provided certificate's issuer in the context
/// </summary>
/// <param>
/// The certificate whose issuer to find
/// </param>
/// <returns>
/// the issuer's X509Certificate
/// </returns>
public virtual CertificateAndContext GetIssuerCertificateFromThisContext(CertificateAndContext cert)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
if (cert.Certificate.SubjectDN.Equals(cert.Certificate.IssuerDN))
{
return(null);
}
foreach (CertificateAndContext c in NeededCertificates)
{
if (c.Certificate.SubjectDN.Equals(cert.Certificate.IssuerDN))
{
return(c);
}
}
return(null);
}
/// <summary>
/// Create a CertificateToken
/// </summary>
public CertificateToken(CertificateAndContext cert, ICertificateSourceFactory sourceFactory)
{
this.cert = cert;
this.sourceFactory = sourceFactory;
}
private bool ConcernsCertificate(X509Crl x509crl, CertificateAndContext cert)
{
return(x509crl.IssuerDN.Equals(cert.Certificate.IssuerDN));
}
/// <summary>
/// Build the validation context for the specific date
/// </summary>
public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
{
int previousSize = RevocationInfo.Count;
int previousVerified = VerifiedTokenCount();
ISignedToken signedToken = GetOneNotYetVerifiedToken();
if (signedToken != null)
{
ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate);
RevocationData data = null;
if (issuer == null)
{
logger?.Warn("Don't found any issuer for token " + signedToken);
data = new RevocationData(signedToken);
}
else
{
usedCerts?.Add(issuer);
AddNotYetVerifiedToken(certificateTokenFactory(issuer));
if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN))
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
}
Validate(trustedToken, noNeedToValidate);
}
else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (signedToken is CertificateToken)
{
CertificateToken ct = (CertificateToken)signedToken;
CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
data = new RevocationData(signedToken);
if (status != null)
{
data.SetRevocationData(status.StatusSource);
if (status.StatusSource is X509Crl)
{
AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
}
else
{
if (status.StatusSource is BasicOcspResp)
{
AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
}
}
}
else
{
logger?.Warn("No status for " + signedToken);
}
}
else
{
if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
{
data = new RevocationData(signedToken);
data.SetRevocationData(issuer);
}
else
{
throw new Exception("Not supported token type " + signedToken.GetType().Name);
}
}
}
Validate(signedToken, data);
logger?.Info(ToString());
int newSize = RevocationInfo.Count;
int newVerified = VerifiedTokenCount();
if (newSize != previousSize || newVerified != previousVerified)
{
Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
}
}
}
