/// <summary>
/// Checks the certificate ID of the response is valid.
/// </summary>
/// <param name="issuerCert">Issuer Certificate if the client</param>
/// <param name="clientCert">Client Certificate</param>
/// <param name="certificateId">Id of certificate found in OCSP response</param>
private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate clientCert, BouncyCastleOCSP.CertificateID certificateId)
{
BouncyCastleOCSP.CertificateID expectedId = new BouncyCastleOCSP.CertificateID(BouncyCastleOCSP.CertificateID.HashSha1, issuerCert, clientCert.SerialNumber);
if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
{
throw new HttpException(401, "Invalid certificate ID in response");
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
{
throw new HttpException(401, "Invalid certificate Issuer in response");
}
}
//1. The certificate identified in a received response corresponds to
//that which was identified in the corresponding request;
private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
{
CertificateID expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);
if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
{
throw new Exception("Invalid certificate ID in response");
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
{
throw new Exception("Invalid certificate Issuer in response");
}
}
/// <summary>
/// Validate a certificate against its AIA OCSP.
/// </summary>
/// <param name="cert"></param>
/// <param name="aia"></param>
/// <returns></returns>
CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert,
AIA aia)
{
string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer));
string filePath = IssuerCachedFolder + hash;
//Check if aki is cached
if (!IsIssuerCached(aia.Issuer))
{
Download(aia.Issuer, filePath);
if (!IsIssuerCached(aia.Issuer))
{
return(CertStatus.Unknown(CertStatus.BadIssuer));
}
}
var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath);
var certParser = new Org.BouncyCastle.X509.X509CertificateParser();
var issuer = certParser.ReadCertificate(issuerTemp.RawData);
var cert2Validate = certParser.ReadCertificate(cert.RawData);
var id = new Org.BouncyCastle.Ocsp.CertificateID(
Org.BouncyCastle.Ocsp.CertificateID.HashSha1,
issuer,
cert2Validate.SerialNumber);
byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate);
byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc);
//Extract the response
OcspResp ocspResponse = new OcspResp(resp);
BasicOcspResp basicOCSPResponse =
(BasicOcspResp)ocspResponse.GetResponseObject();
SingleResp singResp = basicOCSPResponse.Responses[0];
//Validate ID
var expectedId = singResp.GetCertID();
if (!expectedId.SerialNumber.Equals(id.SerialNumber))
{
return(CertStatus.Unknown(CertStatus.BadSerial));
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash()))
{
return(CertStatus.Unknown(CertStatus.IssuerNotMatch));
}
//Extract Status
var certificateStatus = singResp.GetCertStatus();
if (certificateStatus == null)
{
return(CertStatus.Good);
}
if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason;
var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime;
return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason));
}
if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
return(CertStatus.Unknown());
}
return(CertStatus.Unknown());
}
private void ValidarCertificateId(X509Certificate in_CertificadoEmisor, X509Certificate in_Certificado, CertificateID in_IDCertificado)
{
CertificateID idEsperado = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_Certificado.SerialNumber);
if (!idEsperado.SerialNumber.Equals(in_IDCertificado.SerialNumber))
{
throw new Exception("ID de Certificado invalido");
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerNameHash(), in_IDCertificado.GetIssuerNameHash()))
{
throw new Exception("Certificado Emisor invalido");
}
}
