/**
* Checks if OCSP revocation refers to the document signing certificate.
* @return true if it checks false otherwise
* @since 2.1.6
*/
public bool IsRevocationValid() {
if (basicResp == null)
return false;
if (signCerts.Count < 2)
return false;
try {
X509Certificate[] cs = SignCertificateChain;
SingleResp sr = basicResp.Responses[0];
CertificateID cid = sr.GetCertID();
X509Certificate sigcer = SigningCertificate;
X509Certificate isscer = cs[1];
CertificateID tis = new CertificateID(CertificateID.HashSha1, isscer, sigcer.SerialNumber);
return tis.Equals(cid);
}
catch {
}
return false;
}
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate
certificate, DateTime validationDate)
{
CertificateStatus status = new CertificateStatus();
status.Certificate = childCertificate;
status.ValidationDate = validationDate;
status.IssuerCertificate = certificate;
if (ocspSource == null)
{
LOG.Warn("OCSPSource null");
return null;
}
try
{
BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate
);
if (null == ocspResp)
{
LOG.Info("OCSP response not found");
return null;
}
BasicOcspResp basicOCSPResp = (BasicOcspResp)ocspResp;
CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate
, childCertificate.SerialNumber);
SingleResp[] singleResps = basicOCSPResp.Responses;
foreach (SingleResp singleResp in singleResps)
{
CertificateID responseCertificateId = singleResp.GetCertID();
if (false == certificateId.Equals(responseCertificateId))
{
continue;
}
DateTime thisUpdate = singleResp.ThisUpdate;
LOG.Info("OCSP thisUpdate: " + thisUpdate);
LOG.Info("OCSP nextUpdate: " + singleResp.NextUpdate);
status.StatusSourceType = ValidatorSourceType.OCSP;
status.StatusSource = ocspResp;
status.RevocationObjectIssuingTime = ocspResp.ProducedAt;
if (null == singleResp.GetCertStatus())
{
LOG.Info("OCSP OK for: " + childCertificate.SubjectDN);
status.Validity = CertificateValidity.VALID;
}
else
{
LOG.Info("OCSP certificate status: " + singleResp.GetCertStatus().GetType().FullName
);
if (singleResp.GetCertStatus() is RevokedStatus)
{
LOG.Info("OCSP status revoked");
if (validationDate.CompareTo(((RevokedStatus)singleResp.GetCertStatus()).RevocationTime) < 0) //jbonilla - Before
{
LOG.Info("OCSP revocation time after the validation date, the certificate was valid at "
+ validationDate);
status.Validity = CertificateValidity.VALID;
}
else
{
status.RevocationDate = ((RevokedStatus)singleResp.GetCertStatus()).RevocationTime;
status.Validity = CertificateValidity.REVOKED;
}
}
else
{
if (singleResp.GetCertStatus() is UnknownStatus)
{
LOG.Info("OCSP status unknown");
status.Validity = CertificateValidity.UNKNOWN;
}
}
}
return status;
}
LOG.Info("no matching OCSP response entry");
return null;
}
catch (IOException ex)
{
LOG.Error("OCSP exception: " + ex.Message);
return null;
}
catch (OcspException ex)
{
LOG.Error("OCSP exception: " + ex.Message);
throw new RuntimeException(ex);
}
}
