private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer) { bool byKey = false; List <string> ocspServers = new List <string>(); Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(client); Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer); OcspClient ocsp = new OcspClient(); string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { ocspServers.Add(certOcspUrl); } foreach (var ocspUrl in _firma.OCSPServers) { ocspServers.Add(ocspUrl); } foreach (var ocspUrl in ocspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspUrl); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(clientCert, issuerCert, resp); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificado revocado"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, _firma.RefsDigestMethod, ocspRef.CertDigest); Org.BouncyCastle.Asn1.Ocsp.ResponderID rpId = or.ResponderId.ToAsn1Object(); string name = GetResponderName(rpId, ref byKey); if (!byKey) { ocspRef.OCSPIdentifier.ResponderID = RevertIssuerName(name); } else { ocspRef.OCSPIdentifier.ResponderID = name; ocspRef.OCSPIdentifier.ByKey = true; } ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue(); ocspValue.PkiData = rEncoded; ocspValue.Id = "OcspValue" + guidOcsp; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return((from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } throw new Exception("El certificado no ha podido ser validado"); }
public override void PerformTest() { string signDN = "O=Bouncy Castle, C=AU"; AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair(); X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN); string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One); // // basic request generation // OcspReqGenerator gen = new OcspReqGenerator(); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); OcspReq req = gen.Generate(); if (req.IsSigned) { Fail("signed but shouldn't be"); } X509Certificate[] certs = req.GetCerts(); if (certs != null) { Fail("null certs expected, but not found"); } Req[] requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // request generation with signing // X509Certificate[] chain = new X509Certificate[1]; gen = new OcspReqGenerator(); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } certs = req.GetCerts(); if (certs == null) { Fail("null certs found"); } if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.GetEncoded(); OcspReq newReq = new OcspReq(reqEnc); if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); } // // request generation with signing and nonce // chain = new X509Certificate[1]; gen = new OcspReqGenerator(); IList oids = new ArrayList(); IList values = new ArrayList(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.NextBytes(sampleNonce); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); oids.Add(OcspObjectIdentifiers.PkixOcspNonce); values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce)))); gen.SetRequestExtensions(new X509Extensions(oids, values)); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } // // extension check. // ISet extOids = req.GetCriticalExtensionOids(); if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); } extOids = req.GetNonCriticalExtensionOids(); if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); } Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce); Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue); if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); } byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets(); if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); } // // request list check // requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // response parsing - test 1 // OcspResp response = new OcspResp(testResp1); if (response.Status != 0) { Fail("response status not zero."); } BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); } // // test 2 // SingleResp[] singleResp = brep.Responses; response = new OcspResp(testResp2); if (response.Status != 0) { Fail("response status not zero."); } brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); } singleResp = brep.Responses; // // simple response generation // OCSPRespGenerator respGen = new OCSPRespGenerator(); OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject()); if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); } doTestECDsa(); doTestRsa(); doTestIrregularVersionReq(); }
public static bool CertificateIsValid(CertID id, OcspResp ocspResp, IOcesCertificate certificate) { return(CertificateIsValid(id, ocspResp, SerialNumberConverter.FromCertificate(certificate), certificate.IssuingCa)); }
private RevocationResponse ProcessOcspResponse(Org.BouncyCastle.X509.X509Certificate serverX509Certificate, Org.BouncyCastle.X509.X509Certificate rootX509Certificate, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); //CertificateStatus cStatus = CertificateStatus.Unknown; RevocationResponse revocationResponse = new RevocationResponse(); //X509CertificateParser parser = null; //OcspRespStatus.Unauthorized switch (r.Status) { case OcspRespStatus.Successful: { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); // ValidateResponse(or, issuerCert); string certificateSerial = Convert.ToUInt32(serverX509Certificate.SerialNumber.IntValue).ToString(); bool found = false; foreach (SingleResp singleResp in or.Responses) { if (singleResp.GetCertID().SerialNumber.ToString().Equals(certificateSerial)) { found = true; this.ValidateCertificateId(serverX509Certificate, rootX509Certificate, singleResp.GetCertID()); // ValidateThisUpdate(resp); // ValidateNextUpdate(resp); Object certificateStatus = singleResp.GetCertStatus(); if (certificateStatus == null) { // acording to org.openoces.ooapi.utils.ocsp.ResponseParser.cs (DanID test code) // in the TU11, method SerialNumberInResponseIsNotRevoked(..), // when the certificateStatus is empty, all is okay - not revoked // no revocation data exist - the certificate must be valid revocationResponse.IsValid = true; revocationResponse.NextUpdate = singleResp.NextUpdate.Value; revocationResponse.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed; } else if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { // this is the expected certificateStatus for valid certificates // however if the status is good the certificateStatus is null revocationResponse.IsValid = true; revocationResponse.NextUpdate = singleResp.NextUpdate.Value; revocationResponse.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { revocationResponse.IsValid = false; revocationResponse.NextUpdate = singleResp.NextUpdate.Value; revocationResponse.RevocationCheckStatus = RevocationCheckStatus.CertificateRevoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { throw new CheckCertificateOcspUnexpectedException("CertificateStatus is Unknown"); } else { throw new CheckCertificateOcspUnexpectedException("CertificateStatus is unknown '" + certificateStatus.ToString() + "'."); } // break foreach loop break; } } if (!found) { // the returned result did not contain the desired certificate throw new CheckCertificateOcspUnexpectedException("Revokation result did not contain the desired certificate serial number."); } break; } default: { throw new CheckCertificateOcspUnexpectedException("Unknow status '" + r.Status + "'."); } } return(revocationResponse); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, bool useNonce) { bool byKey = false; List <OcspServer> finalOcspServers = new List <OcspServer>(); Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate(); OcspClient ocsp = new OcspClient(); if (addCertificateOcspUrl) { string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { finalOcspServers.Add(new OcspServer(certOcspUrl)); } } foreach (var ocspServer in ocspServers) { finalOcspServers.Add(ocspServer); } foreach (var ocspServer in finalOcspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspServer.Url, useNonce, ocspServer.RequestorName, ocspServer.SignCertificate); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp, useNonce); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificate revoked"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, digestMethod, ocspRef.CertDigest); ResponderID rpId = or.ResponderId.ToAsn1Object(); ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey); ocspRef.OCSPIdentifier.ByKey = byKey; ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue { PkiData = rEncoded, Id = "OcspValue" + guidOcsp }; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return((from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } throw new Exception("The certificate could not be validated"); }
/** * Gets an encoded byte array with OCSP validation. The method should not throw an exception. * @param checkCert to certificate to check * @param rootCert the parent certificate * @param the url to get the verification. It it's null it will be taken * from the check cert or from other implementation specific source * @return a byte array with the validation or null if the validation could not be obtained */ public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { if (checkCert == null || rootCert == null) { return(null); } if (url == null) { url = PdfPKCS7.GetOCSPURL(checkCert); } if (url == null) { return(null); } OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } } catch (Exception ex) { if (LOGGER.IsLogging(Level.ERROR)) { LOGGER.Error("OcspClientBouncyCastle", ex); } } return(null); }
/// <summary> /// Validate a certificate against its AIA OCSP. /// </summary> /// <param name="cert"></param> /// <param name="aia"></param> /// <returns></returns> CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, AIA aia) { string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer)); string filePath = IssuerCachedFolder + hash; //Check if aki is cached if (!IsIssuerCached(aia.Issuer)) { Download(aia.Issuer, filePath); if (!IsIssuerCached(aia.Issuer)) { return(CertStatus.Unknown(CertStatus.BadIssuer)); } } var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath); var certParser = new Org.BouncyCastle.X509.X509CertificateParser(); var issuer = certParser.ReadCertificate(issuerTemp.RawData); var cert2Validate = certParser.ReadCertificate(cert.RawData); var id = new Org.BouncyCastle.Ocsp.CertificateID( Org.BouncyCastle.Ocsp.CertificateID.HashSha1, issuer, cert2Validate.SerialNumber); byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate); byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc); //Extract the response OcspResp ocspResponse = new OcspResp(resp); BasicOcspResp basicOCSPResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); SingleResp singResp = basicOCSPResponse.Responses[0]; //Validate ID var expectedId = singResp.GetCertID(); if (!expectedId.SerialNumber.Equals(id.SerialNumber)) { return(CertStatus.Unknown(CertStatus.BadSerial)); } if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash())) { return(CertStatus.Unknown(CertStatus.IssuerNotMatch)); } //Extract Status var certificateStatus = singResp.GetCertStatus(); if (certificateStatus == null) { return(CertStatus.Good); } if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason; var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime; return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason)); } if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { return(CertStatus.Unknown()); } return(CertStatus.Unknown()); }
private async Task <RevocationResult> GetOcspResponse(string url, string host, BcX509Certificate peerCertificate, BcX509Certificate issuerCertificate) { int maxAttemptCount = 2; int attemptCount = 0; string error = null; while (maxAttemptCount > attemptCount) { try { OcspReq request = GenerateOcspRequest(issuerCertificate, peerCertificate.SerialNumber); _log.LogInformation("Attempt {Attempt}: Getting OCSP repsonse for host {Host} certificate {Certificate} from url {Url}", attemptCount, host, peerCertificate.SubjectDN, url); HttpResponseMessage httpResponseMessage = await url .WithTimeout(TimeSpan.FromSeconds(20)) .WithHeaders(new { Content_Type = "application/ocsp-request", Accept = "application/ocsp-response" }) .PostAsync(new ByteArrayContent(request.GetEncoded())); if (httpResponseMessage.IsSuccessStatusCode) { OcspResp ocspResp = new OcspResp(await httpResponseMessage.Content.ReadAsStreamAsync()); if (ocspResp.Status == 0) { BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); List <RevocationInfo> revocationInfos = GetRevocationInfos(basicOcspResp); bool revoked = basicOcspResp.Responses[0].GetCertStatus() != null; if (revocationInfos.Any()) { _log.LogInformation("Certificate {Certificate} for host {Host} is {RevocationStatus} with reasons {RevocationReasons}.", peerCertificate.SubjectDN, host, revoked ? "revoked" : "not revoked", string.Join(", ", revocationInfos)); } else { _log.LogInformation("Certificate {Certificate} for host {Host} is {RevocationStatus}.", peerCertificate.SubjectDN, host, revoked ? "revoked" : "not revoked"); } return(new RevocationResult(revoked, revocationInfos)); } error = $"OCSP response had status: {GetOcspErrorCode(ocspResp.Status)}."; _log.LogWarning("Got failed OCSP revocation response for host {Host} certificate {Certificate} with ocsp error {OCSPError}", host, peerCertificate.SubjectDN.ToString(), ocspResp.Status); } else { _log.LogWarning("Failed to get OCSP revocation response for host {Host} certificate {Certificate} from url {Url} with http status code {StatusCode}", host, peerCertificate.SubjectDN.ToString(), url, httpResponseMessage.StatusCode); error = $"OCSP validator failed call to {url} with http status code: {httpResponseMessage.StatusCode}."; } } catch (Exception e) { _log.LogError("Failed to get OCSP revocation response for host {Host} certificate {Certificate} from url {Url} with exception {ExceptionMessage}{StackTrace}", host, peerCertificate.SubjectDN.ToString(), url, e.Message, e.StackTrace); error = e.Message; } attemptCount++; } return(new RevocationResult(error)); }
public override void PerformTest() { string signDN = "O=Bouncy Castle, C=AU"; IAsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair(); X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN); string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One); // // basic request generation // OcspReqGenerator gen = new OcspReqGenerator(); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); OcspReq req = gen.Generate(); if (req.IsSigned) { Fail("signed but shouldn't be"); } X509Certificate[] certs = req.GetCerts(); if (certs != null) { Fail("null certs expected, but not found"); } Req[] requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // request generation with signing // X509Certificate[] chain = new X509Certificate[1]; gen = new OcspReqGenerator(); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } certs = req.GetCerts(); if (certs == null) { Fail("null certs found"); } if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.GetEncoded(); OcspReq newReq = new OcspReq(reqEnc); if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); } // // request generation with signing and nonce // chain = new X509Certificate[1]; gen = new OcspReqGenerator(); IList oids = new ArrayList(); IList values = new ArrayList(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.NextBytes(sampleNonce); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); oids.Add(OcspObjectIdentifiers.PkixOcspNonce); values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce)))); gen.SetRequestExtensions(new X509Extensions(oids, values)); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } // // extension check. // ISet extOids = req.GetCriticalExtensionOids(); if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); } extOids = req.GetNonCriticalExtensionOids(); if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); } Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce); Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue); if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); } byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets(); if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); } // // request list check // requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // response parsing - test 1 // OcspResp response = new OcspResp(testResp1); if (response.Status != 0) { Fail("response status not zero."); } BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); } // // test 2 // SingleResp[] singleResp = brep.Responses; response = new OcspResp(testResp2); if (response.Status != 0) { Fail("response status not zero."); } brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); } singleResp = brep.Responses; // // simple response generation // OCSPRespGenerator respGen = new OCSPRespGenerator(); OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject()); if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); } doTestECDsa(); doTestRsa(); doTestIrregularVersionReq(); }