SetRequestExtensions() публичный Метод

public SetRequestExtensions ( X509Extensions requestExtensions ) : void
requestExtensions Org.BouncyCastle.Asn1.X509.X509Extensions
Результат void
Пример #1
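        /// <summary>
        /// Builds an OCSP request for one certificate, carrying an id-pkix-ocsp-nonce extension with
        /// fresh random bytes so that the response can be tied to this particular request.
        /// </summary>
        /// <param name="id">Identifies the certificate (issuer hash + serial number) whose status is requested.</param>
        /// <returns>The generated, unsigned OCSP request.</returns>
        private OcspReq GenerateOcspRequest(CertificateID id)
        {
            OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();
            ocspRequestGenerator.AddRequest(id);

            // A nonce has to be unpredictable. The previous value, new DateTime().Ticks, is always 0
            // (DateTime.MinValue) and was never put into the request anyway; draw 16 bytes from the
            // platform CSPRNG instead.
            byte[] nonce = new byte[16];
            using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonce);
            }

            ArrayList oids = new ArrayList();
            Hashtable values = new Hashtable();

            // extnValue of id-pkix-ocsp-nonce is the DER encoding of an OCTET STRING holding the nonce,
            // hence the double wrapping (outer octet string = extnValue, inner = the nonce itself).
            oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
            values.Add(OcspObjectIdentifiers.PkixOcspNonce,
                new X509Extension(false, new DerOctetString(new DerOctetString(nonce).GetEncoded())));

            // Kept from the original request: an extension under id-pkix-ocsp whose value is the raw byte
            // sequence 1,3,6,1,5,5,7,48,1,1 (the arcs of id-pkix-ocsp-basic written out as bytes).
            // NOTE(review): id-pkix-ocsp is not a defined request extension; confirm a responder needs it.
            Asn1OctetString asn1 = new DerOctetString(new DerOctetString(new byte[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1 }));
            oids.Add(OcspObjectIdentifiers.PkixOcsp);
            values.Add(OcspObjectIdentifiers.PkixOcsp, new X509Extension(false, asn1));

            ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));

            return ocspRequestGenerator.Generate();
        }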
Пример #2
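        /// <summary>
        /// Checks the certificates of <paramref name="chain"/> (all but the root) for revocation by
        /// asking the OCSP responder named in each certificate's Authority Information Access extension.
        /// The check is fail-closed: a transport error, a non-successful responder status or a wrong
        /// nonce in the response is reported as revoked.
        /// </summary>
        /// <returns>
        /// <c>true</c>, if any certificate is reported revoked or its status could not be obtained;
        /// <c>false</c> otherwise. Certificates that name no OCSP responder are not checked, and a
        /// responder answering "unknown" does not make the result <c>true</c>.
        /// </returns>
        /// <param name='chain'>
        /// The certificate chain, leaf first, as <c>X509Chain.ChainElements</c> delivers it; element i+1
        /// is taken to be the issuer of element i.
        /// </param>
        /// <remarks>
        /// NOTE(review): the responder's signature on the response is not verified here, so the answer
        /// is only as trustworthy as the transport; call <c>BasicOcspResp.Verify</c> with the responder
        /// certificate before relying on it.
        /// </remarks>
        private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
        {
            bool bCertificateIsRevoked = false;
            try {
                // Convert the chain once, preserving its order, and record the responder URL of each
                // element (null when the certificate names none).
                List<X509Certificate> chainCerts = new List<X509Certificate> ();
                List<Uri> responderUrls = new List<Uri> ();
                foreach (System.Security.Cryptography.X509Certificates.X509ChainElement element in chain.ChainElements) {
                    X509Certificate bcCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (element.Certificate);
                    chainCerts.Add (bcCert);
                    responderUrls.Add (GetOcspResponderUrl (bcCert));
                }

                // One request per certificate that names a responder, each with its own nonce and sent
                // only to that certificate's responder (a request sent to another CA's responder yields
                // "unknown" or an error, not a usable answer). The root has no issuer here and is skipped.
                List<OcspReq> requests = new List<OcspReq> ();
                List<Uri> requestUrls = new List<Uri> ();
                List<byte[]> expectedNonces = new List<byte[]> ();
                for (int i = 0; i < chainCerts.Count - 1; i++) {
                    if (responderUrls [i] == null) {
                        continue;
                    }
                    byte[] nonceValue = NewNonceValue ();
                    List<DerObjectIdentifier> oids = new List<DerObjectIdentifier> ();
                    oids.Add (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
                    List<X509Extension> values = new List<X509Extension> ();
                    values.Add (new X509Extension (false, new DerOctetString (nonceValue)));

                    OcspReqGenerator generator = new OcspReqGenerator ();
                    generator.SetRequestExtensions (new X509Extensions (oids, values));
                    generator.AddRequest (new CertificateID (CertificateID.HashSha1, chainCerts [i + 1], chainCerts [i].SerialNumber));

                    requests.Add (generator.Generate ());
                    requestUrls.Add (responderUrls [i]);
                    expectedNonces.Add (nonceValue);
                }

                if (requests.Count == 0) {
                    SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");
                }

                // Send each request to its responder and read the answer; stop at the first revocation.
                for (int i = 0; i < requests.Count && !bCertificateIsRevoked; i++) {
                    HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create (requestUrls [i]);
                    requestToOCSPServer.Method = "POST";
                    requestToOCSPServer.ContentType = "application/ocsp-request";
                    requestToOCSPServer.Accept = "application/ocsp-response";
                    requestToOCSPServer.ReadWriteTimeout = 15000; // 15 seconds for each read/write on the request and response streams
                    requestToOCSPServer.Timeout = 100000; // 100 seconds to obtain the request stream / the response headers

                    byte[] bRequestBytes = requests [i].GetEncoded ();
                    using (Stream requestStream = requestToOCSPServer.GetRequestStream ()) {
                        requestStream.Write (bRequestBytes, 0, bRequestBytes.Length);
                        requestStream.Flush ();
                    }

                    // Both the response and its stream are disposable; leaving them open kept the
                    // connection from being released.
                    using (HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse ())
                    using (Stream responseStream = serverResponse.GetResponseStream ()) {
                        OcspResp ocspResponse = new OcspResp (responseStream);
                        if (ocspResponse.Status != OcspRespStatus.Successful) {
                            // tryLater / unauthorized / malformedRequest carry no status: fail closed.
                            SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP responder returned status " + ocspResponse.Status + ". Cannot verify revocation.");
                            bCertificateIsRevoked = true;
                            break;
                        }

                        BasicOcspResp basicOCSPResponse = (BasicOcspResp)ocspResponse.GetResponseObject ();
                        if (basicOCSPResponse == null) {
                            continue;
                        }

                        // A responder that echoes a nonce must echo ours; anything else is a replayed or
                        // mismatched response. Responders that omit the nonce are still accepted.
                        Asn1OctetString echoedNonce = basicOCSPResponse.GetExtensionValue (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
                        if (echoedNonce != null && !BytesEqual (echoedNonce.GetOctets (), expectedNonces [i])) {
                            SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP response nonce does not match the request. Cannot verify revocation.");
                            bCertificateIsRevoked = true;
                            break;
                        }

                        // get the status from the response
                        foreach (SingleResp singleResponse in basicOCSPResponse.Responses) {
                            if (singleResponse.GetCertStatus () is RevokedStatus) {
                                bCertificateIsRevoked = true;
                                break;
                            }
                        }
                    }
                }
            } catch (Exception e) {
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
                bCertificateIsRevoked = true;
            }
            if (bCertificateIsRevoked)
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
            return bCertificateIsRevoked;
        }

        // Returns the first id-ad-ocsp HTTP URL from the certificate's Authority Information Access
        // extension, or null when the certificate names no usable responder.
        private static Uri GetOcspResponderUrl(X509Certificate cert)
        {
            if (cert.CertificateStructure.TbsCertificate.Extensions == null) {
                return null;
            }
            X509Extension ext = cert.CertificateStructure.TbsCertificate.Extensions.GetExtension (X509Extensions.AuthorityInfoAccess);
            if (ext == null) {
                return null;
            }
            AccessDescription[] descriptions = AuthorityInformationAccess.GetInstance (ext).GetAccessDescriptions ();
            if (descriptions == null) {
                return null;
            }
            foreach (AccessDescription description in descriptions) {
                // caIssuers entries also carry HTTP URLs, but they point at CA certificates, not a responder.
                if (!AccessDescription.IdADOcsp.Equals (description.AccessMethod)) {
                    continue;
                }
                string location = description.AccessLocation.Name.ToString ();
                if (location.StartsWith ("http://", StringComparison.OrdinalIgnoreCase)) {
                    return new Uri (location);
                }
            }
            return null;
        }

        // Returns the DER encoding of an OCTET STRING holding 16 bytes from the platform CSPRNG. This is
        // the extnValue of id-pkix-ocsp-nonce and exactly what a responder echoes back, so it doubles as
        // the value to compare the response against.
        private static byte[] NewNonceValue()
        {
            byte[] nonce = new byte[16];
            using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create ()) {
                rng.GetBytes (nonce);
            }
            return new DerOctetString (nonce).GetEncoded ();
        }

        // Element-wise comparison of two byte arrays; null or a length mismatch is "not equal".
        private static bool BytesEqual(byte[] a, byte[] b)
        {
            if (a == null || b == null || a.Length != b.Length) {
                return false;
            }
            for (int i = 0; i < a.Length; i++) {
                if (a [i] != b [i]) {
                    return false;
                }
            }
            return true;
        }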
Пример #3
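        /// <summary>
        /// Generates a DER-encoded OCSP request for the certificate identified by <paramref name="id"/>,
        /// naming <paramref name="cert"/>'s subject as requestor and carrying a random
        /// id-pkix-ocsp-nonce extension so the response can be tied to this request.
        /// </summary>
        /// <param name="id">Identifies the certificate (issuer hash + serial number) whose status is requested.</param>
        /// <param name="cert">The certificate whose subject DN becomes the request's requestorName.</param>
        /// <returns>The DER encoding of the generated, unsigned OCSP request.</returns>
        byte[] GenerateOCSPRequest(Org.BouncyCastle.Ocsp.CertificateID id,
                                   Org.BouncyCastle.X509.X509Certificate cert)
        {
            // System.Random is seeded from the clock and is predictable; a nonce that is meant to
            // defeat replayed responses has to come from the platform CSPRNG.
            byte[] nonce = new byte[16];
            using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonce);
            }

            // Kept from the original request: an extension under id-pkix-ocsp whose value is the raw byte
            // sequence 1,3,6,1,5,5,7,48,1,1 (the arcs of id-pkix-ocsp-basic written out as bytes).
            // NOTE(review): id-pkix-ocsp is not a defined request extension; confirm a responder needs it.
            var asn1 = new DerOctetString(new DerOctetString(new byte[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1 }));

            //Create OCSP Request
            var gen = new Org.BouncyCastle.Ocsp.OcspReqGenerator();

            gen.AddRequest(id);
            gen.SetRequestorName(new Org.BouncyCastle.Asn1.X509.GeneralName(
                                     Org.BouncyCastle.Asn1.X509.GeneralName.DirectoryName, cert.SubjectDN));

            IList oids   = new ArrayList();
            IList values = new ArrayList();

            // extnValue of id-pkix-ocsp-nonce is the DER encoding of an OCTET STRING holding the nonce,
            // hence the double wrapping.
            oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            values.Add(new X509Extension(false,
                                         new Org.BouncyCastle.Asn1.DerOctetString(
                                             new Org.BouncyCastle.Asn1.DerOctetString(nonce))));

            oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcsp);
            values.Add(new X509Extension(false, asn1));
            gen.SetRequestExtensions(new X509Extensions(oids, values));

            var req = gen.Generate();

            return(req.GetEncoded());
        }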
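 /// <summary>
 /// Generates an OCSP request for one certificate using BouncyCastle, carrying a random
 /// id-pkix-ocsp-nonce extension so the response can be matched to this request.
 /// </summary>
 /// <param name="issuerCert">certificate of the issuer of the certificate to check</param>
 /// <param name="serialNumber">serial number of the certificate to check</param>
 /// <returns>an OCSP request</returns>
 /// <remarks>
 /// BouncyCastle may raise <c>OcspException</c> while building the certificate id and
 /// <c>IOException</c> while encoding; neither is caught here.
 /// </remarks>
 private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) {
     // Generate the id for the certificate we are looking for
     CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
     
     // basic request generation with nonce
     OcspReqGenerator gen = new OcspReqGenerator();
     gen.AddRequest(id);
     
     // NOTE(review): the nonce used to be derived from PdfEncryption.CreateDocumentId(), a helper not
     // shown here whose output is not documented as unpredictable or fresh per request. A nonce needs
     // both, so it is drawn from the platform CSPRNG instead.
     byte[] nonce = new byte[16];
     using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create()) {
         rng.GetBytes(nonce);
     }
     
     // extnValue of id-pkix-ocsp-nonce is the DER encoding of an OCTET STRING holding the nonce
     IDictionary extensions = new Hashtable();
     extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(nonce).GetEncoded()));
     
     gen.SetRequestExtensions(new X509Extensions(extensions));
     return gen.Generate();
 }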