/// <param name="cert"></param>
/// <returns></returns>
public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext
cert)
{
if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
{
CertificateStatus status = new CertificateStatus();
status.Validity = CertificateValidity.VALID;
status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST;
status.Certificate = cert.GetCertificate();
return(status);
}
CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);
if (issuer == null)
{
return(null);
}
IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp);
ICrlSource crlSource = new ListCRLSource(neededCRL);
OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
verifier.SetCrlSource(crlSource);
verifier.SetOcspSource(ocspSource);
return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate
()));
}
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext
potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource
optionalOCSPSource)
{
if (optionalCRLSource != null || optionalOCSPSource != null)
{
LOG.Info("Verify with offline services");
OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
verifier.SetCrlSource(optionalCRLSource);
verifier.SetOcspSource(optionalOCSPSource);
CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer.
GetCertificate(), validationDate);
if (status != null)
{
return(status);
}
}
LOG.Info("Verify with online services");
OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier(
);
onlineVerifier.SetCrlSource(crlSource);
onlineVerifier.SetOcspSource(ocspSource);
return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate
(), validationDate));
}
public virtual bool Check(CertificateAndContext cert)
{
//TODO jbonilla - validar.
//byte[] certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies);
Asn1OctetString certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies);
if (certificatePolicies != null)
{
try
{
//Asn1InputStream input = new Asn1InputStream(certificatePolicies);
//DerOctetString s = (DerOctetString)input.ReadObject();
DerOctetString s = (DerOctetString)certificatePolicies;
byte[] content = s.GetOctets();
Asn1InputStream input = new Asn1InputStream(content);
DerSequence seq = (DerSequence)input.ReadObject();
for (int i = 0; i < seq.Count; i++)
{
PolicyInformation policyInfo = PolicyInformation.GetInstance(seq[i]);
if (policyInfo.PolicyIdentifier.Id.Equals(policyOid))
{
return(true);
}
}
}
catch (IOException e)
{
throw new RuntimeException(e);
}
}
return(false);
}
/// <summary>The default constructor for CertificateVerification.</summary>
/// <remarks>The default constructor for CertificateVerification.</remarks>
/// <param name="cert"></param>
/// <param name="ctx"></param>
public CertificateVerification(CertificateAndContext cert, ValidationContext ctx)
{
certificate = cert;
if (cert != null)
{
try
{
cert.GetCertificate().CheckValidity(ctx.GetValidationDate());
validityPeriodVerification = new Result(Result.ResultStatus.VALID, null);
}
catch (CertificateExpiredException)
{
validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.expired"
);
}
catch (CertificateNotYetValidException)
{
validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.not.yet.valid"
);
}
CertificateStatus status = ctx.GetCertificateStatusFromContext(cert);
if (status != null)
{
certificateStatus = new RevocationVerificationResult(status);
}
}
}
/// <summary>Finds the provided certificate's issuer in the context</summary>
/// <param name="cert">The certificate whose issuer to find</param>
/// <returns>the issuer's X509Certificate</returns>
public virtual CertificateAndContext GetIssuerCertificateFromThisContext(CertificateAndContext
cert)
{
if (cert.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN))
{
return(null);
}
foreach (CertificateAndContext c in neededCertificates)
{
if (c.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN))
{
return(c);
}
}
return(null);
}
public virtual bool Check(CertificateAndContext cert)
{
//TODO jbonilla - Validar
//byte[] qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements);
Asn1OctetString qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements);
if (qcStatement != null)
{
try
{
//Asn1InputStream input = new Asn1InputStream(qcStatement);
//DerOctetString s = (DerOctetString)input.ReadObject();
DerOctetString s = (DerOctetString)qcStatement;
byte[] content = s.GetOctets();
Asn1InputStream input = new Asn1InputStream(content);
DerSequence seq = (DerSequence)input.ReadObject();
for (int i = 0; i < seq.Count; i++)
{
QCStatement statement = QCStatement.GetInstance(seq[i]);
if (statement.StatementId.Id.Equals(qcStatementId))
{
return(true);
}
}
return(false);
}
catch (IOException e)
{
throw new RuntimeException(e);
}
}
return(false);
}
internal virtual void AddNotYetVerifiedToken(SignedToken signedToken)
{
if (!revocationInfo.ContainsKey(signedToken))
{
LOG.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode
());
revocationInfo.Put(signedToken, null);
if (signedToken is CRLToken)
{
neededCRL.AddItem(((CRLToken)signedToken).GetX509crl());
}
else
{
if (signedToken is OCSPRespToken)
{
neededOCSPResp.AddItem(((OCSPRespToken)signedToken).GetOcspResp());
}
else
{
if (signedToken is CertificateToken)
{
bool found = false;
CertificateAndContext newCert = ((CertificateToken)signedToken).GetCertificateAndContext
();
foreach (CertificateAndContext c in neededCertificates)
{
if (c.GetCertificate().Equals(newCert.GetCertificate()))
{
found = true;
break;
}
}
if (!found)
{
neededCertificates.AddItem(newCert);
}
}
}
}
}
else
{
LOG.Info("Token was already in list " + signedToken);
}
}
public virtual bool Check(CertificateAndContext cert)
{
return(cert.GetCertificate().GetKeyUsage()[(int)bit]);
}
public virtual X509Name GetSignerSubjectName()
{
return(cert.GetCertificate().IssuerDN);
}
/// <returns>the certificate</returns>
public virtual X509Certificate GetCertificate()
{
return(certificate.GetCertificate());
}
private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext
cert)
{
CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert
);
if (issuerCertificate == null)
{
return(false);
}
else
{
try
{
CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate
.GetCertificate(), cert.GetCertificate().SerialNumber);
foreach (SingleResp resp in basicOcspResp.Responses)
{
if (resp.GetCertID().Equals(matchingCertID))
{
return(true);
}
}
return(false);
}
catch (OcspException ex)
{
throw new RuntimeException(ex);
}
}
}
private bool ConcernsCertificate(X509Crl x509crl, CertificateAndContext cert)
{
return(x509crl.IssuerDN.Equals(cert.GetCertificate().IssuerDN));
}
/// <summary>Build the validation context for the specific date</summary>
/// <param name="validationDate"></param>
/// <param name="optionalSource"></param>
/// <exception cref="System.IO.IOException"></exception>
public virtual void Validate(DateTime validationDate, CertificateSource optionalSource
, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
{
int previousSize = revocationInfo.Count;
int previousVerified = VerifiedTokenCount();
SignedToken signedToken = GetOneNotYetVerifiedToken();
if (signedToken != null)
{
CertificateSource otherSource = optionalSource;
if (signedToken != null)
{
otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource
(), optionalSource);
}
CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate
);
RevocationData data = null;
if (issuer == null)
{
LOG.Warn("Don't found any issuer for token " + signedToken);
data = new RevocationData(signedToken);
}
else
{
AddNotYetVerifiedToken(new CertificateToken(issuer));
if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate
().IssuerDN))
{
SignedToken trustedToken = new CertificateToken(issuer);
RevocationData noNeedToValidate = new RevocationData();
// noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
{
SignedToken trustedToken = new CertificateToken(issuer);
RevocationData noNeedToValidate = new RevocationData();
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (signedToken is CertificateToken)
{
CertificateToken ct = (CertificateToken)signedToken;
CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(),
issuer, validationDate, optionalCRLSource, optionalOCPSSource);
data = new RevocationData(signedToken);
if (status != null)
{
data.SetRevocationData(status.StatusSource);
if (status.StatusSource is X509Crl)
{
AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
}
else
{
if (status.StatusSource is BasicOcspResp)
{
AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
}
}
}
else
{
LOG.Warn("No status for " + signedToken);
}
}
else
{
if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
{
data = new RevocationData(signedToken);
data.SetRevocationData(issuer);
}
else
{
throw new RuntimeException("Not supported token type " + signedToken.GetType().Name
);
}
}
}
Validate(signedToken, data);
LOG.Info(this.ToString());
int newSize = revocationInfo.Count;
int newVerified = VerifiedTokenCount();
if (newSize != previousSize || newVerified != previousVerified)
{
Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource);
}
}
}