Наследование: Org.BouncyCastle.Asn1.Asn1Encodable
        /// <summary>
        /// Builds the certificate chain and then checks revocation for every non-root element
        /// (own implementation): OCSP is tried first, CRL as fallback.
        /// </summary>
        /// <param name="cert">The certificate to validate.</param>
        /// <param name="validationTime">The point in time at which to validate.</param>
        /// <param name="extraStore">Extra certificates to use when building the chain.</param>
        /// <param name="crls">Already known CRLs; newly retrieved CRLs are appended to this list.</param>
        /// <param name="ocsps">Already known OCSP responses; newly retrieved responses are appended to this list.</param>
        /// <returns>The chain, with chain and element status updated for any revocation findings.</returns>
        public static Chain BuildChain(this X509Certificate2 cert, DateTime validationTime, X509Certificate2Collection extraStore, IList <BCAX.CertificateList> crls, IList <BCAO.BasicOcspResponse> ocsps)
        {
            Chain result = cert.BuildChain(validationTime, extraStore);

            // Presumably id-pkix-ocsp-nocheck: the certificate itself says revocation must not be checked.
            if (cert.IsOcspNoCheck())
            {
                return(result);
            }

            for (int idx = 0; idx < result.ChainElements.Count - 1; idx++)
            {
                // Each element is checked against the next one up in the chain; the last element
                // has no issuer above it in the chain and is therefore not checked here.
                X509Certificate2 subject = result.ChainElements[idx].Certificate;
                X509Certificate2 issuer  = result.ChainElements[idx + 1].Certificate;

                try
                {
                    // 1) OCSP, first with the responses we already have ...
                    BCAO.BasicOcspResponse basicResponse = subject.Verify(issuer, validationTime, ocsps);
                    if (basicResponse == null)
                    {
                        // ... then with a freshly fetched one, which is kept for later callers.
                        BCAO.OcspResponse fetched = subject.GetOcspResponse(issuer);
                        if (fetched != null)
                        {
                            // NOTE(review): a null ResponseBytes here would end up in the catch-all below as
                            // "unknown" — confirm GetOcspResponse never returns a response without it.
                            basicResponse = BCAO.BasicOcspResponse.GetInstance(BCA.Asn1Object.FromByteArray(fetched.ResponseBytes.Response.GetOctets()));
                            ocsps.Add(basicResponse);
                            basicResponse = subject.Verify(issuer, validationTime, ocsps);
                        }
                    }

                    //TODO::ignore OCSP retreival errors and try CRL ;-)
                    // 2) CRL fallback, same pattern: known list first, then fetch, keep and retry.
                    if (basicResponse == null)
                    {
                        BCAX.CertificateList list = subject.Verify(issuer, validationTime, crls);
                        if (list == null)
                        {
                            list = subject.GetCertificateList();
                            if (list != null)
                            {
                                crls.Add(list);
                                list = subject.Verify(issuer, validationTime, crls);
                            }
                        }
                    }
                }
                catch (RevocationException <BCAO.BasicOcspResponse> )
                {
                    AddErrorStatus(result.ChainStatus, result.ChainElements[idx].ChainElementStatus, X509ChainStatusFlags.Revoked, "The certificate has been revoked");
                }
                catch
                {
                    // NOTE(review): only the OCSP flavour of RevocationException maps to Revoked; anything else
                    // (including a revocation signalled by the CRL path, if that throws a different type) is
                    // reported as RevocationStatusUnknown — confirm this is intended.
                    AddErrorStatus(result.ChainStatus, result.ChainElements[idx].ChainElementStatus, X509ChainStatusFlags.RevocationStatusUnknown, "Invalid OCSP/CRL found");
                }
            }
            return(result);
        }
		/// <summary>Wraps a DER-encoded BasicOcspResponse in an OcspResp whose status is SUCCESSFUL.</summary>
		/// <remarks>The bytes are placed verbatim into the ResponseBytes (type id-pkix-ocsp-basic); they are not parsed or validated here.</remarks>
		/// <param name="basicOCSPResp">DER encoding of the BasicOcspResponse.</param>
		/// <returns>An OcspResp carrying the given bytes with status Successful.</returns>
		public static OcspResp FromBasicToResp(byte[] basicOCSPResp)
		{
			var status = new OcspResponseStatus(OcspResponseStatus.Successful);
			var responseBytes = new ResponseBytes(OcspObjectIdentifiers.PkixOcspBasic, new DerOctetString(basicOCSPResp));
			return new OcspResp(new OcspResponse(status, responseBytes));
		}
 /// <summary>
 /// Decodes a DER-encoded OCSPResponse and accepts it only when its responseStatus is successful.
 /// </summary>
 /// <param name="ocspRspBytes">DER encoding of the OCSPResponse.</param>
 /// <returns>The decoded response.</returns>
 /// <exception cref="RevocationUnknownException">When the responseStatus is anything other than successful.</exception>
 private static BCAO.OcspResponse ParseOCSPResponse(byte[] ocspRspBytes)
 {
     BCAO.OcspResponse parsed = BCAO.OcspResponse.GetInstance(BCA.Asn1Sequence.FromByteArray(ocspRspBytes));
     int status = parsed.ResponseStatus.IntValueExact;
     // Anything but Successful carries no usable revocation data, so it is surfaced as
     // "revocation status unknown" rather than silently treated as good. Decoding errors
     // are not caught here and propagate as thrown by the ASN.1 parser.
     if (status == BCAO.OcspResponseStatus.Successful)
     {
         return(parsed);
     }
     throw new RevocationUnknownException("OCSP Response with invalid status: " + status);
 }
		/// <summary>
		/// Reads one OCSPResponse structure from the stream.
		/// </summary>
		/// <param name="aIn">Stream positioned at the DER-encoded response.</param>
		/// <exception cref="IOException">Any failure while reading or decoding; the original exception is kept as the inner exception.</exception>
		private OcspResp(Asn1InputStream aIn)
		{
			try
			{
				var decoded = aIn.ReadObject();
				this.resp = OcspResponse.GetInstance(decoded);
			}
			catch (Exception e)
			{
				// Normalised to IOException so callers only need to handle one failure type for malformed input.
				throw new IOException("malformed response: " + e.Message, e);
			}
		}
 /// <summary>
 /// Extracts an OcspResponse from a tagged object.
 /// </summary>
 /// <param name="obj">The tagged object holding the response sequence.</param>
 /// <param name="explicitly">Whether the object is explicitly tagged.</param>
 /// <returns>The decoded OcspResponse.</returns>
 public static OcspResponse GetInstance(Asn1TaggedObject obj, bool explicitly)
 {
     Asn1Sequence sequence = Asn1Sequence.GetInstance(obj, explicitly);
     return OcspResponse.GetInstance(sequence);
 }
		/// <summary>
		/// Wraps an already decoded OCSPResponse structure.
		/// </summary>
		/// <param name="resp">The ASN.1 response to wrap; stored as-is, no validation is performed here.</param>
		public OcspResp(OcspResponse resp)
		{
			this.resp = resp;
		}
		/// <summary>
		/// Round-trip check: decodes the stored OCSPResponse, re-encodes the embedded
		/// BasicOcspResponse and verifies the result is byte-identical to the input.
		/// </summary>
		/// <returns>A passing result on an exact round trip, otherwise a failing result (any exception thrown on the way is attached to it).</returns>
		private ITestResult Response()
		{
			try
			{
				OcspResponse original = OcspResponse.GetInstance(Asn1Object.FromByteArray(_response));
				ResponseBytes originalBytes = ResponseBytes.GetInstance(original.ResponseBytes);
				BasicOcspResponse basic = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(originalBytes.Response.GetOctets()));

				// Rebuild the outer structure around the re-encoded inner response.
				ResponseBytes rebuiltBytes = new ResponseBytes(originalBytes.ResponseType, new DerOctetString(basic.GetEncoded()));
				OcspResponse rebuilt = new OcspResponse(original.ResponseStatus, rebuiltBytes);

				bool identical = Arrays.AreEqual(rebuilt.GetEncoded(), _response);
				return identical
					? new SimpleTestResult(true, Name + ": Okay")
					: new SimpleTestResult(false, Name + ": Ocsp response failed to re-encode");
			}
			catch (Exception e)
			{
				return new SimpleTestResult(false, Name + ": failed response exception - " + e.ToString(), e);
			}
		}