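/// <summary>
/// Looks up the certificate that issued <paramref name="signedToken"/>: among the candidates found by
/// subject name in the trusted list and <paramref name="optionalSource"/>, the first one that is valid at
/// <paramref name="validationDate"/>, whose trusted-list service status (when present) covers that date,
/// and whose key actually verifies the token's signature.
/// </summary>
/// <param name="signedToken">The token whose issuer is wanted; its signer subject name drives the lookup.</param>
/// <param name="optionalSource">Additional certificate source combined with <c>TrustedListCertificatesSource</c>.</param>
/// <param name="validationDate">The point in time at which validity and service status are evaluated.</param>
/// <returns>The matching issuer, or <c>null</c> when the token has no signer subject name or no candidate qualifies.</returns>
internal virtual CertificateAndContext GetIssuerCertificate(ISignedToken signedToken, ICertificateSource optionalSource, DateTime validationDate)
{
    var subjectName = signedToken.GetSignerSubjectName();
    if (subjectName is null)
    {
        return null;
    }

    IList<CertificateAndContext> candidates = new CompositeCertificateSource(TrustedListCertificatesSource, optionalSource).GetCertificateBySubjectName(subjectName);
    if (candidates is null)
    {
        return null;
    }

    foreach (CertificateAndContext cert in candidates)
    {
        logger?.Info(cert.ToString());

        // The certificate's own validity period must cover the validation date.
        // (The former `validationDate != null` guard was dead code: DateTime is a non-nullable struct.)
        try
        {
            cert.Certificate.CheckValidity(validationDate);
        }
        catch (CertificateExpiredException)
        {
            logger?.Info(WasExpiredMessage);
            continue;
        }
        catch (CertificateNotYetValidException)
        {
            logger?.Info(WasNotYetValidMessage);
            continue;
        }

        // Trusted-list entries also carry a service-status window; the validation date must fall inside it.
        // NOTE(review): a TRUSTED_LIST entry whose Context is null bypasses this window check — confirm such entries cannot occur.
        if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST && cert.Context is not null)
        {
            // A hard cast is kept on purpose: an unexpected context type fails loudly instead of silently skipping the check.
            ServiceInfo info = (ServiceInfo)cert.Context;

            // Validation date before the status start → the service was not yet valid.
            if (info.StatusStartingDateAtReferenceTime != null && validationDate.CompareTo(info.StatusStartingDateAtReferenceTime) < 0)
            {
                logger?.Info(WasNotValidTSLMessage);
                continue;
            }

            // Validation date after the status end → the service was no longer valid.
            if (info.StatusEndingDateAtReferenceTime != null && validationDate.CompareTo(info.StatusEndingDateAtReferenceTime) > 0)
            {
                logger?.Info(WasNotValidTSLMessage);
                continue;
            }
        }

        // Name and date checks only narrow the candidates; only a certificate that verifies the signature is the issuer.
        if (signedToken.IsSignedBy(cert.Certificate))
        {
            return cert;
        }
    }

    return null;
}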
/// <summary>
/// Stores the revocation data for a token that was registered earlier (for example by
/// <see cref="AddNotYetVerifiedToken"/>, which inserts the token with a <c>null</c> value).
/// </summary>
/// <param name="signedToken">The token being validated; must already be a key of <c>RevocationInfo</c>.</param>
/// <param name="data">The revocation data to record for the token.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="signedToken"/> is not a key of <c>RevocationInfo</c>.</exception>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="data"/> is <c>null</c>.</exception>
internal virtual void Validate(ISignedToken signedToken, RevocationData data)
{
    bool isRegistered = RevocationInfo.ContainsKey(signedToken);
    if (!isRegistered)
    {
        throw new ArgumentException($"{signedToken} must be a key of revocationInfo");
    }

    if (data is null)
    {
        throw new ArgumentNullException(nameof(data));
    }

    RevocationInfo[signedToken] = data;
}
/// <summary>
/// Registers a token for later validation: it is inserted into <c>RevocationInfo</c> with no revocation
/// data yet, and its underlying CRL, OCSP response or certificate is queued in the matching
/// <c>NeededCRL</c> / <c>NeededOCSPResp</c> / <c>NeededCertificates</c> collection.
/// A token that is already registered is only logged.
/// </summary>
/// <param name="signedToken">The token to register.</param>
internal void AddNotYetVerifiedToken(ISignedToken signedToken)
{
    if (RevocationInfo.ContainsKey(signedToken))
    {
        logger?.Info($"Token was already in list {signedToken}");
        return;
    }

    logger?.Info($"New token to validate {signedToken} hashCode {signedToken.GetHashCode()}");

    // null marks "registered, not yet validated"; Validate(ISignedToken, RevocationData) fills it in later.
    RevocationInfo[signedToken] = null;

    switch (signedToken)
    {
        case CRLToken crlToken:
            NeededCRL.Add(crlToken.GetX509crl());
            break;

        case OCSPRespToken ocspToken:
            NeededOCSPResp.Add(ocspToken.GetOcspResp());
            break;

        case CertificateToken certificateToken:
        {
            CertificateAndContext candidate = certificateToken.GetCertificateAndContext();
            // Deduplicate on the certificate itself, not on the CertificateAndContext wrapper.
            if (!HoldsSameCertificate(candidate))
            {
                NeededCertificates.Add(candidate);
            }
            break;
        }
    }

    // True when NeededCertificates already contains an entry wrapping the same certificate.
    bool HoldsSameCertificate(CertificateAndContext other)
    {
        foreach (CertificateAndContext known in NeededCertificates)
        {
            if (known.Certificate.Equals(other.Certificate))
            {
                return true;
            }
        }
        return false;
    }
}
/// <summary>
/// Build the validation context for the specific date.
/// Each call takes one not-yet-verified token from <c>RevocationInfo</c>, finds its issuer, records its
/// revocation data and registers any new tokens (issuer certificate, CRL, OCSP response) that this turned up.
/// The method then calls itself as long as the previous step changed the size of <c>RevocationInfo</c>
/// or the verified-token count, so the context is complete when it returns.
/// </summary>
/// <param name="validationDate">The point in time at which issuers and certificate status are evaluated.</param>
/// <param name="optionalSource">Extra certificate source, combined with the token's own wrapped certificate source.</param>
/// <param name="optionalCRLSource">Extra CRL source handed to <c>GetCertificateValidity</c>.</param>
/// <param name="optionalOCPSSource">Extra OCSP source handed to <c>GetCertificateValidity</c> (name kept as-is for callers).</param>
/// <param name="usedCerts">When not <c>null</c>, receives every issuer certificate found during the run.</param>
/// <exception cref="Exception">Thrown for a token type other than certificate, CRL, OCSP response or timestamp.</exception>
public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList<CertificateAndContext> usedCerts)
{
    // Snapshot used at the end to decide whether another pass is needed.
    int previousSize = RevocationInfo.Count;
    int previousVerified = VerifiedTokenCount();
    ISignedToken signedToken = GetOneNotYetVerifiedToken();
    if (signedToken != null)
    {
        ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
        CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate);
        RevocationData data = null;
        if (issuer == null)
        {
            // No issuer: the token is still recorded, but with revocation data that carries no status source.
            logger?.Warn("Don't found any issuer for token " + signedToken);
            data = new RevocationData(signedToken);
        }
        else
        {
            usedCerts?.Add(issuer);
            // The issuer itself becomes a token to validate on a later pass.
            AddNotYetVerifiedToken(certificateTokenFactory(issuer));
            // Self-signed issuer (subject equals issuer): it is a chain end, so it is validated right away
            // with empty revocation data, marked as trusted-list sourced only if it came from the trusted list.
            // NOTE(review): this relies on certificateTokenFactory producing tokens that compare equal
            // for the same certificate, since Validate(ISignedToken, RevocationData) requires the key to exist — confirm.
            if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN))
            {
                ISignedToken trustedToken = certificateTokenFactory(issuer);
                RevocationData noNeedToValidate = new RevocationData();
                if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
                {
                    noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                }
                Validate(trustedToken, noNeedToValidate);
            }
            // Non-self-signed issuer taken from the trusted list: likewise settled immediately as trusted-list sourced.
            else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
            {
                ISignedToken trustedToken = certificateTokenFactory(issuer);
                RevocationData noNeedToValidate = new RevocationData();
                noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                Validate(trustedToken, noNeedToValidate);
            }
            if (signedToken is CertificateToken)
            {
                // Certificate tokens get a real status check; the CRL or OCSP response that answered
                // becomes a token of its own so that its signature is verified on a later pass.
                CertificateToken ct = (CertificateToken)signedToken;
                CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
                data = new RevocationData(signedToken);
                if (status != null)
                {
                    data.SetRevocationData(status.StatusSource);
                    if (status.StatusSource is X509Crl)
                    {
                        AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
                    }
                    else
                    {
                        if (status.StatusSource is BasicOcspResp)
                        {
                            AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
                        }
                    }
                }
                else
                {
                    // No CRL/OCSP answer: the data recorded below has no status source.
                    logger?.Warn("No status for " + signedToken);
                }
            }
            else
            {
                // For CRL, OCSP and timestamp tokens the issuer certificate itself is the recorded source.
                if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
                {
                    data = new RevocationData(signedToken);
                    data.SetRevocationData(issuer);
                }
                else
                {
                    // NOTE(review): throws the base Exception type; NotSupportedException would be the specific choice.
                    throw new Exception("Not supported token type " + signedToken.GetType().Name);
                }
            }
        }
        Validate(signedToken, data);
        logger?.Info(ToString());
        // Recurse while progress was made; each level handles one token, so depth grows with the
        // number of tokens in the context — NOTE(review): confirm this is acceptable for long chains.
        int newSize = RevocationInfo.Count;
        int newVerified = VerifiedTokenCount();
        if (newSize != previousSize || newVerified != previousVerified)
        {
            Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
        }
    }
}
/// <summary>
/// Creates revocation data for <paramref name="signedToken"/>; the token is kept as <c>targetToken</c>
/// and no status source is set yet.
/// </summary>
/// <param name="signedToken">The token this revocation data describes.</param>
public RevocationData(ISignedToken signedToken) => targetToken = signedToken;