Наследование: Org.BouncyCastle.Asn1.Asn1Encodable
		public X509Crl(
			CertificateList c)
		{
			this.c = c;

			try
			{
				this.sigAlgName = X509SignatureUtilities.GetSignatureName(c.SignatureAlgorithm);

				if (c.SignatureAlgorithm.Parameters != null)
				{
					this.sigAlgParams = ((Asn1Encodable)c.SignatureAlgorithm.Parameters).GetDerEncoded();
				}
				else
				{
					this.sigAlgParams = null;
				}

				this.isIndirect = IsIndirectCrl;
			}
			catch (Exception e)
			{
				throw new CrlException("CRL contents invalid: " + e);
			}
		}
Пример #2
0
        /// <summary>
        /// Build a chain for the certificates and verifies the revocation (own implementation)
        /// </summary>
        /// <param name="cert">The certificate to validate</param>
        /// <param name="validationTime">The time upon wich the validate</param>
        /// <param name="extraStore">Extra certs to use when creating the chain</param>
        /// <param name="crls">Already known crl's, newly retrieved CRL's will be added here</param>
        /// <param name="ocsps">Already konwn ocsp's, newly retreived OCSP's will be added here</param>
        /// <returns>The chain with all the information about validity</returns>
        public static Chain BuildChain(this X509Certificate2 cert, DateTime validationTime, X509Certificate2Collection extraStore, IList <BCAX.CertificateList> crls, IList <BCAO.BasicOcspResponse> ocsps)
        {
            Chain chain = cert.BuildChain(validationTime, extraStore);

            if (cert.IsOcspNoCheck())
            {
                return(chain); //nothing to do
            }
            for (int i = 0; i < (chain.ChainElements.Count - 1); i++)
            {
                X509Certificate2 nextCert   = chain.ChainElements[i].Certificate;
                X509Certificate2 nextIssuer = chain.ChainElements[i + 1].Certificate;

                try
                {
                    //try OCSP
                    BCAO.BasicOcspResponse ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
                    if (ocspResponse == null)
                    {
                        //try to fetch a new one
                        BCAO.OcspResponse ocspMsg = nextCert.GetOcspResponse(nextIssuer);
                        if (ocspMsg != null)
                        {
                            //new one fetched, try again
                            ocspResponse = BCAO.BasicOcspResponse.GetInstance(BCA.Asn1Object.FromByteArray(ocspMsg.ResponseBytes.Response.GetOctets()));
                            ocsps.Add(ocspResponse);
                            ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
                        }
                    }

                    //TODO::ignore OCSP retreival errors and try CRL ;-)
                    if (ocspResponse == null)
                    {
                        //try CRL
                        BCAX.CertificateList crl = nextCert.Verify(nextIssuer, validationTime, crls);
                        if (crl == null)
                        {
                            //try to fetch a new one
                            crl = nextCert.GetCertificateList();
                            if (crl != null)
                            {
                                //new one fetched, try again
                                crls.Add(crl);
                                crl = nextCert.Verify(nextIssuer, validationTime, crls);
                            }
                        }
                    }
                }
                catch (RevocationException <BCAO.BasicOcspResponse> )
                {
                    AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.Revoked, "The certificate has been revoked");
                }
                catch
                {
                    AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.RevocationStatusUnknown, "Invalid OCSP/CRL found");
                }
            }
            return(chain);
        }
Пример #3
0
		public virtual CertificateList[] ToCertificateListArray()
		{
			CertificateList[] result = new CertificateList[content.Count];
			for (int i = 0; i != result.Length; ++ i)
			{
				result[i] = CertificateList.GetInstance(content[i]);
			}
			return result;
		}
Пример #4
0
		public virtual CertificateList[] GetCrls()
		{
			if (crls == null)
				return null;

			CertificateList[] results = new CertificateList[crls.Count];
			for (int i = 0; i != results.Length; ++i)
			{
				results[i] = CertificateList.GetInstance(crls[i]);
			}
			return results;
		}
Пример #5
0
        /// <summary>
        /// Validates the cert with the provided crl responses.
        /// </summary>
        /// <param name="certificate">The cert to validate</param>
        /// <param name="issuer">The issuer of the cert to validate</param>
        /// <param name="validationTime">The time on which the cert was needed to validated</param>
        /// <param name="certLists">The list of crls  to use</param>
        /// <returns>The crl response that was used, <c>null</c> if none used</returns>
        /// <exception cref="RevocationException{T}">When the certificate was revoked on the provided time</exception>
        /// <exception cref="RevocationUnknownException">When the certificate (or the crl) can't be validated</exception>
        public static BCAX.CertificateList Verify(this X509Certificate2 certificate, X509Certificate2 issuer, DateTime validationTime, IList <BCAX.CertificateList> certLists)
        {
            DateTime minTime = validationTime - ClockSkewness;
            DateTime maxTime = validationTime + ClockSkewness;

            BCX.X509Certificate certificateBC = DotNetUtilities.FromX509Certificate(certificate);
            BCX.X509Certificate issuerBC      = DotNetUtilities.FromX509Certificate(issuer);

            ValueWithRef <BCX.X509Crl, BCAX.CertificateList> crlWithOrg = certLists
                                                                          .Select((c) => new ValueWithRef <BCX.X509Crl, BCAX.CertificateList>(new BCX.X509Crl(c), c)) //convert, keep orginal
                                                                          .Where((c) => c.Value.IssuerDN.Equals(certificateBC.IssuerDN))
                                                                          .Where((c) => c.Value.ThisUpdate >= minTime || (c.Value.NextUpdate != null && c.Value.NextUpdate.Value >= minTime))
                                                                          .OrderByDescending((c) => c.Value.ThisUpdate)
                                                                          .FirstOrDefault();

            if (crlWithOrg == null)
            {
                return(null);
            }

            BCX.X509Crl          crl      = crlWithOrg.Value;
            BCAX.CertificateList certList = crlWithOrg.Reference;

            //check the signature (no need the check the issuer here)
            try
            {
                crl.Verify(issuerBC.GetPublicKey());
            }
            catch (Exception e)
            {
                throw new RevocationUnknownException("The CRL has an invalid signature", e);
            }

            //check the signer (only the part relevant for CRL)
            if (!issuerBC.GetKeyUsage()[6])
            {
                throw new RevocationUnknownException("The CRL was signed with a certificate that isn't allowed to sign CRLs");
            }

            //check if the certificate is revoked
            BCX.X509CrlEntry crlEntry = crl.GetRevokedCertificate(certificateBC.SerialNumber);
            if (crlEntry != null)
            {
                trace.TraceEvent(TraceEventType.Verbose, 0, "CRL indicates that {0} is revoked on {1}", certificate.Subject, crlEntry.RevocationDate);
                if (maxTime >= crlEntry.RevocationDate)
                {
                    throw new RevocationException <BCAX.CertificateList>(certList, "The certificate was revoked on " + crlEntry.RevocationDate.ToString("o"));
                }
            }

            return(certList);
        }
Пример #6
0
		public RevocationValues(
			CertificateList[]	crlVals,
			BasicOcspResponse[]	ocspVals,
			OtherRevVals		otherRevVals)
		{
			if (crlVals != null)
			{
				this.crlVals = new DerSequence(crlVals);
			}

			if (ocspVals != null)
			{
				this.ocspVals = new DerSequence(ocspVals);
			}

			this.otherRevVals = otherRevVals;
		}
Пример #7
0
        public RevocationValues(
            CertificateList[]	crlVals,
            BasicOcspResponse[]	ocspVals,
            OtherRevVals		otherRevVals)
        {
            //if (otherRevVals == null)
            //	throw new ArgumentNullException("otherRevVals");

            if (crlVals != null)
            {
                this.crlVals = new DerSequence(crlVals);
            }

            if (ocspVals != null)
            {
                this.ocspVals = new DerSequence(ocspVals);
            }

            this.otherRevVals = otherRevVals;
        }
Пример #8
0
		public CertificateList[] GetCrlVals()
		{
			CertificateList[] result = new CertificateList[crlVals.Count];
			for (int i = 0; i < crlVals.Count; ++i)
			{
				result[i] = CertificateList.GetInstance(crlVals[i].ToAsn1Object());
			}
			return result;
		}
        protected virtual X509Crl CreateX509Crl(
			CertificateList c)
        {
            return new X509Crl(c);
        }
		public virtual RevRepContentBuilder AddCrl(CertificateList crl)
		{
			this.crls.Add(crl);
			return this;
		}
Пример #11
0
		/// <exception cref="System.IO.IOException"></exception>
        //private IDictionary<DerObjectIdentifier, Asn1Encodable> ExtendUnsignedAttributes(IDictionary
        //    <DerObjectIdentifier, Asn1Encodable> unsignedAttrs, X509Certificate signingCertificate
        //    , DateTime signingDate, CertificateSource optionalCertificateSource)
        private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs
            , X509Certificate signingCertificate, DateTime signingDate
            , CertificateSource optionalCertificateSource)
		{
			ValidationContext validationContext = certificateVerifier.ValidateCertificate(signingCertificate
				, signingDate, optionalCertificateSource, null, null);
			try
			{
				IList<X509CertificateStructure> certificateValues = new AList<X509CertificateStructure
					>();
				AList<CertificateList> crlValues = new AList<CertificateList>();
				AList<BasicOcspResponse> ocspValues = new AList<BasicOcspResponse>();
				foreach (CertificateAndContext c in validationContext.GetNeededCertificates())
				{
					if (!c.Equals(signingCertificate))
					{
                        certificateValues.AddItem(X509CertificateStructure.GetInstance(((Asn1Sequence)Asn1Object.FromByteArray
                            (c.GetCertificate().GetEncoded()))));
					}
				}
				foreach (X509Crl relatedcrl in validationContext.GetNeededCRL())
				{                    
					crlValues.AddItem(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(((X509Crl
						)relatedcrl).GetEncoded())));
				}
				foreach (BasicOcspResp relatedocspresp in validationContext.GetNeededOCSPResp())
				{                    
					ocspValues.AddItem((BasicOcspResponse.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(
						relatedocspresp.GetEncoded()))));
				}
				CertificateList[] crlValuesArray = new CertificateList[crlValues.Count];
				BasicOcspResponse[] ocspValuesArray = new BasicOcspResponse[ocspValues.Count];
				RevocationValues revocationValues = new RevocationValues(Sharpen.Collections.ToArray
					(crlValues, crlValuesArray), Sharpen.Collections.ToArray(ocspValues, ocspValuesArray
					), null);
				//unsignedAttrs.Put(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new Attribute
                unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new BcCms.Attribute
					(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues))
					);
				X509CertificateStructure[] certValuesArray = new X509CertificateStructure[certificateValues
					.Count];
				//unsignedAttrs.Put(PkcsObjectIdentifiers.IdAAEtsCertValues, new Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(Sharpen.Collections.ToArray(certificateValues
                unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(Sharpen.Collections.ToArray(certificateValues
					, certValuesArray)))));
			}
			catch (CertificateEncodingException e)
			{
				throw new RuntimeException(e);
			}
			catch (CrlException e)
			{
				throw new RuntimeException(e);
			}
			return unsignedAttrs;
		}
Пример #12
0
 public static CertificateList GetInstance(Asn1TaggedObject obj, bool explicitly)
 {
     return(CertificateList.GetInstance(Asn1Sequence.GetInstance(obj, explicitly)));
 }
Пример #13
0
        public void Setup()
        {
            leafCert = new X509Certificate2("files/eid79021802145.crt");
            intCaCert = new X509Certificate2("files/Citizen201204.crt");

            intCaCrl = CertificateList.GetInstance(File.ReadAllBytes("files/Citizen201204.crl"));
            rootCaCrl = CertificateList.GetInstance(File.ReadAllBytes("files/rootca2.crl"));
            leafOcsp = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(File.ReadAllBytes("files/eid79021802145.ocsp")));
            leafOcsp2 = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(File.ReadAllBytes("files/eid79021802145-2.ocsp")));
        }