public SingleResponse(
Asn1Sequence seq)
{
this.certID = CertID.GetInstance(seq[0]);
this.certStatus = CertStatus.GetInstance(seq[1]);
this.thisUpdate = (DerGeneralizedTime)seq[2];
if (seq.Count > 4)
{
this.nextUpdate = DerGeneralizedTime.GetInstance(
(Asn1TaggedObject) seq[3], true);
this.singleExtensions = X509Extensions.GetInstance(
(Asn1TaggedObject) seq[4], true);
}
else if (seq.Count > 3)
{
Asn1TaggedObject o = (Asn1TaggedObject) seq[3];
if (o.TagNo == 0)
{
this.nextUpdate = DerGeneralizedTime.GetInstance(o, true);
}
else
{
this.singleExtensions = X509Extensions.GetInstance(o, true);
}
}
}
public SingleResponse(
Asn1Sequence seq)
{
this.certID = CertID.GetInstance(seq[0]);
this.certStatus = CertStatus.GetInstance(seq[1]);
this.thisUpdate = (DerGeneralizedTime)seq[2];
if (seq.Count > 4)
{
this.nextUpdate = DerGeneralizedTime.GetInstance(
(Asn1TaggedObject)seq[3], true);
this.singleExtensions = X509Extensions.GetInstance(
(Asn1TaggedObject)seq[4], true);
}
else if (seq.Count > 3)
{
Asn1TaggedObject o = (Asn1TaggedObject)seq[3];
if (o.TagNo == 0)
{
this.nextUpdate = DerGeneralizedTime.GetInstance(o, true);
}
else
{
this.singleExtensions = X509Extensions.GetInstance(o, true);
}
}
}
private Request(Asn1Sequence seq)
{
this.reqCert = CertID.GetInstance(seq[0]);
if (seq.Count == 2)
{
this.singleRequestExtensions = X509Extensions.GetInstance((Asn1TaggedObject)seq[1], true);
}
}
public CertificateID(
CertID id)
{
if (id == null)
throw new ArgumentNullException("id");
this.id = id;
}
public SingleResponse(CertID certID, CertStatus certStatus, DerGeneralizedTime thisUpdate, DerGeneralizedTime nextUpdate, X509Extensions singleExtensions)
{
this.certID = certID;
this.certStatus = certStatus;
this.thisUpdate = thisUpdate;
this.nextUpdate = nextUpdate;
this.singleExtensions = singleExtensions;
}
static bool CertificateIsValid(CertID id, OcspResp ocspResp, string serialNumber, Ca ca)
{
CheckOcspResp(ocspResp);
BasicOcspResp response = GetResponseObject(ocspResp);
CheckValidityOfResponse(id, response, ca);
return SerialNumberInResponseIsNotRevoked(response, serialNumber);
}
public Request(CertID reqCert, X509Extensions singleRequestExtensions)
{
if (reqCert == null)
{
throw new ArgumentNullException("reqCert");
}
this.reqCert = reqCert;
this.singleRequestExtensions = singleRequestExtensions;
}
public Request(
CertID reqCert,
X509Extensions singleRequestExtensions)
{
if (reqCert == null)
throw new ArgumentNullException("reqCert");
this.reqCert = reqCert;
this.singleRequestExtensions = singleRequestExtensions;
}
public Request(CertID reqCert, X509Extensions singleRequestExtensions)
{
//IL_000e: Unknown result type (might be due to invalid IL or missing references)
if (reqCert == null)
{
throw new ArgumentNullException("reqCert");
}
this.reqCert = reqCert;
this.singleRequestExtensions = singleRequestExtensions;
}
/**
* create from an issuer certificate and the serial number of the
* certificate it signed.
* @exception OcspException if any problems occur creating the id fields.
*/
public CertificateID(
string hashAlgorithm,
X509Certificate issuerCert,
BigInteger serialNumber)
{
AlgorithmIdentifier hashAlg = new AlgorithmIdentifier(
new DerObjectIdentifier(hashAlgorithm), DerNull.Instance);
this.id = CreateCertID(hashAlg, issuerCert, new DerInteger(serialNumber));
}
private Request(
Asn1Sequence seq)
{
reqCert = CertID.GetInstance(seq[0]);
if (seq.Count == 2)
{
singleRequestExtensions = X509Extensions.GetInstance(
(Asn1TaggedObject)seq[1], true);
}
}
public SingleResponse(
CertID certID,
CertStatus certStatus,
DerGeneralizedTime thisUpdate,
DerGeneralizedTime nextUpdate,
X509Extensions singleExtensions)
{
this.certID = certID;
this.certStatus = certStatus;
this.thisUpdate = thisUpdate;
this.nextUpdate = nextUpdate;
this.singleExtensions = singleExtensions;
}
/**
* create from an issuer certificate and the serial number of the
* certificate it signed.
* @exception OcspException if any problems occur creating the id fields.
*/
public CertificateID(
string hashAlgorithm,
X509Certificate issuerCert,
BigInteger number)
{
try
{
IDigest digest = DigestUtilities.GetDigest(hashAlgorithm);
AlgorithmIdentifier hashAlg = new AlgorithmIdentifier(
new DerObjectIdentifier(hashAlgorithm), DerNull.Instance);
X509Name issuerName = PrincipalUtilities.GetSubjectX509Principal(issuerCert);
byte[] encodedIssuerName = issuerName.GetEncoded();
digest.BlockUpdate(encodedIssuerName, 0, encodedIssuerName.Length);
byte[] hash = DigestUtilities.DoFinal(digest);
Asn1OctetString issuerNameHash = new DerOctetString(hash);
AsymmetricKeyParameter issuerKey = issuerCert.GetPublicKey();
SubjectPublicKeyInfo info = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(issuerKey);
byte[] encodedPublicKey = info.PublicKeyData.GetBytes();
digest.BlockUpdate(encodedPublicKey, 0, encodedPublicKey.Length);
hash = DigestUtilities.DoFinal(digest);
Asn1OctetString issuerKeyHash = new DerOctetString(hash);
DerInteger serialNumber = new DerInteger(number);
this.id = new CertID(hashAlg, issuerNameHash, issuerKeyHash, serialNumber);
}
catch (Exception e)
{
throw new OcspException("problem creating ID: " + e, e);
}
}
public SingleResponse(Asn1Sequence seq)
{
certID = CertID.GetInstance(seq[0]);
certStatus = CertStatus.GetInstance(seq[1]);
thisUpdate = (DerGeneralizedTime)seq[2];
if (seq.Count > 4)
{
nextUpdate = DerGeneralizedTime.GetInstance((Asn1TaggedObject)seq[3], isExplicit: true);
singleExtensions = X509Extensions.GetInstance((Asn1TaggedObject)seq[4], explicitly: true);
}
else if (seq.Count > 3)
{
Asn1TaggedObject asn1TaggedObject = (Asn1TaggedObject)seq[3];
if (asn1TaggedObject.TagNo == 0)
{
nextUpdate = DerGeneralizedTime.GetInstance(asn1TaggedObject, isExplicit: true);
}
else
{
singleExtensions = X509Extensions.GetInstance(asn1TaggedObject, explicitly: true);
}
}
}
public static bool CertificateIsValid(CertID id, OcspResp ocspResp, IOcesCertificate certificate)
{
return CertificateIsValid(id, ocspResp, SerialNumberConverter.FromCertificate(certificate), certificate.IssuingCa);
}
static void CheckValidityOfResponse(CertID id, BasicOcspResp responseObject, Ca ca)
{
var inputStream = new MemoryStream(responseObject.GetEncoded());
var asn1Sequence = (Asn1Sequence)new Asn1InputStream(inputStream).ReadObject();
var response = BasicOcspResponse.GetInstance(asn1Sequence);
var ocspChain = CreateOcspCertificateChain(ca);
if(ocspChain.Length == 0)
{
throw new OcspException("OCSP certificate chain is invalid");
}
var ocesOcspCertificate = OcesCertificateFactory.Instance.Generate(CompleteOcspChain(response, ocspChain));
CheckBasicOcspResp(id, responseObject, ocesOcspCertificate, ca);
var signingCertificate = new X509CertificateParser().ReadCertificate(response.Certs[0].GetEncoded());
var issuingCertificate = new X509CertificateParser().ReadCertificate(ocspChain[0].GetRawCertData());
signingCertificate.Verify(issuingCertificate.GetPublicKey());
if (!responseObject.Verify(signingCertificate.GetPublicKey()))
{
throw new OcspException("Signature is invalid");
}
}
public static CertID GetInstance(Asn1TaggedObject obj, bool explicitly)
{
return(CertID.GetInstance(Asn1Sequence.GetInstance(obj, explicitly)));
}
static OcspReqAndId CreateOcspRequest(Asn1OctetString issuerNameHash,
Asn1OctetString issuerKeyHash, string serialNumber)
{
var hashAlgorithm = new AlgorithmIdentifier(X509ObjectIdentifiers.IdSha1, DerNull.Instance);
var derSerialNumber = new DerInteger(new BigInteger(serialNumber));
var id = new CertID(hashAlgorithm, issuerNameHash, issuerKeyHash, derSerialNumber);
var generator = new OcspReqGenerator();
generator.AddRequest(new CertificateID(id));
return new OcspReqAndId(generator.Generate(), id);
}
private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca)
{
DateTime nowInGmt = DateTime.Now.ToUniversalTime();
/* check condition:
The certificate identified in a received response corresponds to
that which was identified in the corresponding request;
*/
SingleResp[] responses = basicResp.Responses;
if (responses.Length != 1)
{
throw new OcspException("unexpected number of responses received");
}
if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber))
{
throw new OcspException("Serial number mismatch problem");
}
/* check condition
The signature on the response is valid;
*/
try
{
ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca);
}
catch(ChainVerificationException e)
{
throw new OcspException("OCSP response certificate chain is invalid", e);
}
/* check the signature on the ocsp response */
var ocspBcCertificate =
new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData);
if (!basicResp.Verify(ocspBcCertificate.GetPublicKey()))
{
throw new OcspException("signature validation failed for ocsp response");
}
if (!CanSignOcspResponses(ocspBcCertificate))
{
throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing");
}
/* check expiry of the signing certificate */
if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid)
{
throw new OcspException("OCSP certificate expired or not yet valid");
}
/* check condition
The time at which the status being indicated is known to be
correct (thisUpdate) is sufficiently recent.
*/
SingleResp response = responses[0];
var diff = response.ThisUpdate - nowInGmt;
if (diff > new TimeSpan(0, 1, 0))
{
throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: "
+ response.ThisUpdate);
}
if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt)
{
throw new OcspException("OCSP response is no longer valid");
}
}
public OcspReqAndId(OcspReq request, CertID id)
{
Request = request;
Id = id;
}
public CertificateID(
CertID id)
{
this.id = id;
}
