public FirmaXades.Clients.CertificateStatus ProcessOcspResponse(byte[] binaryResp) { if (binaryResp.Length != 0) { OcspResp ocspResp = new OcspResp(binaryResp); FirmaXades.Clients.CertificateStatus result = FirmaXades.Clients.CertificateStatus.Unknown; if (ocspResp.Status != 0) { throw new Exception("Unknow status '" + ocspResp.Status + "'."); } BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); if (basicOcspResp.Responses.Length == 1) { SingleResp singleResp = basicOcspResp.Responses[0]; object certStatus = singleResp.GetCertStatus(); if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { result = FirmaXades.Clients.CertificateStatus.Good; } else if (certStatus is RevokedStatus) { result = FirmaXades.Clients.CertificateStatus.Revoked; } else if (certStatus is UnknownStatus) { result = FirmaXades.Clients.CertificateStatus.Unknown; } } return(result); } return(FirmaXades.Clients.CertificateStatus.Unknown); }
public BasicOcspResp GetOcspStatus(OcspReq ocspRequest) { byte[] reqArray = ocspRequest.GetEncoded(); var uris = GetOcspUris(); OcspResp resp; try { HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uris[0]); request.Method = "POST"; var requestStream = request.GetRequestStream(); request.ContentLength = reqArray.Length; request.ContentType = "application/ocsp-request"; request.Accept = "application/ocsp-response"; requestStream.Write(reqArray, 0, reqArray.Length); using (HttpWebResponse response = (HttpWebResponse)request.GetResponse()) using (Stream stream = response.GetResponseStream()) { resp = new OcspResp(stream); } return((BasicOcspResp)resp.GetResponseObject()); } catch { return(null); } }
/// <summary>Gets OCSP response.</summary> /// <remarks> /// Gets OCSP response. If /// <see cref="OCSPVerifier"/> /// was set, the response will be checked. /// </remarks> /// <param name="checkCert">to certificate to check</param> /// <param name="rootCert">the parent certificate</param> /// <param name="url">to get the verification</param> public virtual BasicOcspResp GetBasicOCSPResp(X509Certificate checkCert, X509Certificate rootCert, String url) { try { OcspResp ocspResponse = GetOcspResponse(checkCert, rootCert, url); if (ocspResponse == null) { return(null); } if (ocspResponse.Status != Org.BouncyCastle.Asn1.Ocsp.OcspResponseStatus.Successful) { return(null); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (verifier != null) { verifier.IsValidResponse(basicResponse, rootCert); } return(basicResponse); } catch (Exception ex) { LOGGER.Error(ex.Message); } return(null); }
/// <summary>Gets OCSP responses from the Document Security Store.</summary> /// <returns>a list of BasicOCSPResp objects</returns> /// <exception cref="System.IO.IOException"/> /// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/> public virtual IList <BasicOcspResp> GetOCSPResponsesFromDSS() { IList <BasicOcspResp> ocsps = new List <BasicOcspResp>(); if (dss == null) { return(ocsps); } PdfArray ocsparray = dss.GetAsArray(PdfName.OCSPs); if (ocsparray == null) { return(ocsps); } for (int i = 0; i < ocsparray.Size(); i++) { PdfStream stream = ocsparray.GetAsStream(i); OcspResp ocspResponse = new OcspResp(stream.GetBytes()); if (ocspResponse.Status == 0) { try { ocsps.Add((BasicOcspResp)ocspResponse.GetResponseObject()); } catch (OcspException e) { throw new GeneralSecurityException(e.ToString()); } } } return(ocsps); }
public static BasicOcspResp GetInvalidOcspResp() { var bytes = File.ReadAllBytes(@"Data\InvalidOCSP.txt"); var ocspResp = new OcspResp(bytes); return((BasicOcspResp)ocspResp.GetResponseObject()); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod) { bool byKey = false; List <string> list = new List <string>(); Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate(); OcspClient ocspClient = new OcspClient(); string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate); if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl)) { list.Add(authorityInformationAccessOcspUrl); } foreach (string ocspServer in ocspServers) { list.Add(ocspServer); } foreach (string item in list) { byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item); switch (ocspClient.ProcessOcspResponse(array)) { case FirmaXades.Clients.CertificateStatus.Revoked: throw new Exception("Certificado revocado"); case FirmaXades.Clients.CertificateStatus.Good: { OcspResp ocspResp = new OcspResp(array); byte[] encoded = ocspResp.GetEncoded(); BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); string str = Guid.NewGuid().ToString(); OCSPRef oCSPRef = new OCSPRef(); oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str; DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest); ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object(); string responderName = GetResponderName(responderId, ref byKey); if (!byKey) { oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName); } else { oCSPRef.OCSPIdentifier.ResponderID = responderName; oCSPRef.OCSPIdentifier.ByKey = true; } oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef); OCSPValue oCSPValue = new OCSPValue(); oCSPValue.PkiData = encoded; oCSPValue.Id = "OcspValue" + str; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue); return((from cert in basicOcspResp.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } } throw new Exception("El certificado no ha podido ser validado"); }
/** * @return a byte array * @see com.lowagie.text.pdf.OcspClient#getEncoded() */ public byte[] GetEncoded() { OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } return(null); }
static BasicOcspResp GetResponseObject(OcspResp ocspResp) { var response = (BasicOcspResp)ocspResp.GetResponseObject(); if (response == null) { throw new OcspException("Did not return basic response"); } return(response); }
/// <summary> /// @see com.lowagie.text.pdf.OcspClient#getEncoded() /// </summary> /// <returns> a byte array</returns> public byte[] GetEncoded() { OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url); con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStreamAsync().Result; outp.Write(array, 0, array.Length); outp.Dispose(); HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result; if (response.StatusCode != HttpStatusCode.OK) { throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}"); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Dispose(); response.Dispose(); if (ocspResponse.Status != 0) { throw new IOException("Invalid status: " + ocspResponse.Status); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is RevokedStatus) { throw new IOException("OCSP Status is revoked!"); } else { throw new IOException("OCSP Status is unknown!"); } } } return(null); }
/// <summary>Convert a OcspResp in a BasicOcspResp</summary> /// <param name="ocspResp"></param> /// <returns></returns> public static BasicOcspResp FromRespToBasic(OcspResp ocspResp) { try { return((BasicOcspResp)ocspResp.GetResponseObject()); } catch (OcspException e) { throw new RuntimeException(e); } }
public virtual async Task <OcspResponse> SendOcspRequest(HttpWebRequest request) { OcspResp resp; using (WebResponse response = await request.GetResponseAsync()) using (Stream stream = response.GetResponseStream()) { resp = new OcspResp(stream); return(ParseOcspResponse((BasicOcspResp)resp.GetResponseObject())); } }
private OcspStatus VerifyResponse(byte[] response) { OcspResp r = new OcspResp(response); OcspStatus cStatusEnum = OcspStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: var or = (BasicOcspResp)r.GetResponseObject(); Debug.WriteLine(or.Responses.Length); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; var certificateStatus = resp.GetCertStatus(); if (certificateStatus == null || certificateStatus == CertificateStatus.Good) { cStatusEnum = OcspStatus.Good; } else if (certificateStatus is RevokedStatus) { cStatusEnum = OcspStatus.Revoked; } else if (certificateStatus is UnknownStatus) { cStatusEnum = OcspStatus.Unknown; } } break; case OcspResponseStatus.InternalError: case OcspResponseStatus.TryLater: cStatusEnum = OcspStatus.ServerError; break; case OcspResponseStatus.MalformedRequest: case OcspResponseStatus.SignatureRequired: case OcspResponseStatus.Unauthorized: cStatusEnum = OcspStatus.ClientError; break; default: Debug.WriteLine($"Unknow status '{r.Status}'."); cStatusEnum = OcspStatus.Unknown; break; } return(cStatusEnum); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(byte[] binaryResp, bool checkNonce) { if (binaryResp.Length == 0) { return(CertificateStatus.Unknown); } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (checkNonce) { if (or.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).ToString() != _nonceAsn1OctetString.ToString()) { throw new Exception("Bad nonce value"); } } if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return(cStatus); }
private CertificateStatus processOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp, out string respMsg) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); validateResponse(or, issuerCert); respMsg = string.Empty; if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; validateCertificateId(issuerCert, clientCert, resp.GetCertID()); validateThisUpdate(resp); validateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.good; respMsg = "Certificado Válido"; } else if (certificateStatus is RevokedStatus) { cStatus = CertificateStatus.revoked; respMsg = "Certificado Revocado"; } else if (certificateStatus is UnknownStatus) { cStatus = CertificateStatus.unknown; respMsg = "Certificado Desconocido"; } } break; default: respMsg = "No se ha podido procesar la respuesta OCSP"; //throw new Exception("Status Desconocido '" + r.Status + "'."); return(cStatus); } return(cStatus); }
private static CertificateStatusType ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { var r = new OcspResp(binaryResp); var cStatus = CertificateStatusType.Unknown; switch (r.Status) { case OcspRespStatus.Successful: var or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { var resp = or.Responses[0]; IsValidCertificateId(issuerCert, eeCert, resp.GetCertID()); var certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatusType.Active; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatusType.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatusType.Unknown; } } break; case OcspRespStatus.Unauthorized: cStatus = CertificateStatusType.Unknown; break; case OcspRespStatus.TryLater: cStatus = CertificateStatusType.Unknown; break; default: cStatus = CertificateStatusType.Unknown; break; } return(cStatus); }
public ValidationResponse ValidateCertificate(string serialNumber, X509Certificate2 issuer, String urlOCSP) { try { OcspReqGenerator ocspReqGenerator = new OcspReqGenerator(); ocspReqGenerator.AddRequest(new CertificateID(CertificateID.HashSha1, Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuer), new BigInteger(serialNumber, 16))); // Extensions IList oidList = new ArrayList(); IList valueList = new ArrayList(); // nonce byte[] nonce = new byte[16]; Random rand = new Random(); rand.NextBytes(nonce); oidList.Add(OcspObjectIdentifiers.PkixOcspNonce); valueList.Add(new Org.BouncyCastle.Asn1.X509.X509Extension(false, new DerOctetString(nonce))); ocspReqGenerator.SetRequestExtensions(new X509Extensions(oidList, valueList)); // requestor name ocspReqGenerator.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name(issuer.Subject))); OcspReq ocspReq = ocspReqGenerator.Generate(); OcspResp ocspResponse = new OcspResp(transferHttpDataService.SendOcspRequest(urlOCSP, ocspReq.GetEncoded())); if (ocspResponse.Status == OcspResponseStatus.Successful) { BasicOcspResp ocspBasicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (ocspBasicResponse.Responses[0].GetCertStatus() == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.VALID)); } else if (ocspBasicResponse.Responses[0].GetCertStatus().GetType() == typeof(RevokedStatus)) { return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.REVOKED)); } // Default case //else if (ocspBasicResponse.Responses[0].GetCertStatus().GetType() == typeof(UnknownStatus)) //{ } } } catch (System.Exception) { } return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN)); }
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); ValidateResponse(or, issuerCert); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidateCertificateId(issuerCert, eeCert, resp.GetCertID()); ValidateThisUpdate(resp); ValidateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } break; default: throw new OCSPExpection("Unknown status '" + r.Status + "'."); } return(cStatus); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="eeCert"></param> /// <param name="issuerCert"></param> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { if (binaryResp.Length == 0) { return(CertificateStatus.Unknown); } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return(cStatus); }
private CertificateStatus ProcesarRespuestaOcsp(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor, byte[] in_BytesRespuesta) { OcspResp r = new OcspResp(in_BytesRespuesta); CertificateStatus estado = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidarCertificateId(in_CertificadoEmisor, in_Certificado, resp.GetCertID()); Object estadoCertificado = resp.GetCertStatus(); if (estadoCertificado == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { estado = CertificateStatus.Good; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.RevokedStatus) { estado = CertificateStatus.Revoked; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.UnknownStatus) { estado = CertificateStatus.Unknown; } } break; default: throw new Exception("Status desconocido'" + r.Status + "'."); } return(estado); }
public BasicOcspResp GetBasicOCSPResp(X509Certificate checkCert, X509Certificate rootCert, String url) { try { OcspResp ocspResponse = GetOcspResponse(checkCert, rootCert, url); if (ocspResponse == null) { return(null); } if (ocspResponse.Status != 0) { return(null); } return((BasicOcspResp)ocspResponse.GetResponseObject()); } catch (Exception ex) { if (LOGGER.IsLogging(Level.ERROR)) { LOGGER.Error(ex.Message); } } return(null); }
/// <exception cref="System.IO.IOException"></exception> public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate) { try { this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod); LOG.Info("OCSP URI: " + this.OcspUri); if (this.OcspUri == null) { return(null); } OcspReqGenerator ocspReqGenerator = new OcspReqGenerator(); CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate , certificate.SerialNumber); ocspReqGenerator.AddRequest(certId); OcspReq ocspReq = ocspReqGenerator.Generate(); byte[] ocspReqData = ocspReq.GetEncoded(); OcspResp ocspResp = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream (ocspReqData))); try { return((BasicOcspResp)ocspResp.GetResponseObject()); } catch (ArgumentNullException) { // Encountered a case when the OCSPResp is initialized with a null OCSP response... // (and there are no nullity checks in the OCSPResp implementation) return(null); } } catch (CannotFetchDataException) { return(null); } catch (OcspException e) { LOG.Error("OCSP error: " + e.Message); return(null); } }
public byte[] Sign(Stream data) { BasicOcspResp basicResp = (BasicOcspResp)ocspResp.GetResponseObject(); byte[] oc = basicResp.GetEncoded(); Collection <byte[]> ocspCollection = new Collection <byte[]>(); ocspCollection.Add(oc); String hashAlgorithm = "SHA256"; PdfPKCS7 sgn = new PdfPKCS7(null, chain, hashAlgorithm, false); byte[] hash = DigestAlgorithms.Digest(data, DigestAlgorithms.GetMessageDigest(hashAlgorithm)); byte[] sh = sgn.GetAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CADES, ocspCollection, null); //create sha256 message digest using (SHA256 sha256 = SHA256.Create()) { sh = sha256.ComputeHash(sh); } //create hex encoded sha256 message digest String hexencodedDigest = new BigInteger(1, sh).ToString(16).ToUpper(); JObject signed = PDFSigningService.Sign(baseURL, id, hexencodedDigest, access); String sig = (String)signed.GetValue("signature"); //decode hex signature byte[] dsg = Hex.Decode(sig); //include signature on PDF sgn.SetExternalDigest(dsg, null, "RSA"); //create TimeStamp Client ITSAClient tsc = new DSSTSAClient(access); return(sgn.GetEncodedPKCS7(hash, PdfSigner.CryptoStandard.CADES, tsc, ocspCollection, null)); }
public byte[] GetEncoded() { ocspRequest = GenerateOCSPRequest(signerCert, checkerCert, issuerCert, checkerKey); byte[] array = ocspRequest.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { this.lastError = "Invalid HTTP response: " + (int)response.StatusCode; return(null); } Stream inp = response.GetResponseStream(); ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); int verify = VerifyOCSPResponse(); if (verify != (int)CertStatus.GOOD) { return(null); } return(((BasicOcspResp)ocspResponse.GetResponseObject()).GetEncoded()); }
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = null; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidateCertificateId(issuerCert, eeCert, resp.GetCertID()); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new Exception(Resource.ErrorOscpRevocado); } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { throw new Exception(Resource.ErrorOscpDesconocido); } } break; default: throw new Exception(Resource.ErrorOscpDesconocido); } return(cStatus); }
private OcspCheckStatus ParseOcspResponse(byte[] raw) { OcspResp response = new OcspResp(raw); if (response.Status == OcspRespStatus.Unauthorized) { return(OcspCheckStatus.Unauthorized); } else if (response.Status != OcspResponseStatus.Successful) { return(OcspCheckStatus.Error); } var brep = (BasicOcspResp)response.GetResponseObject(); SingleResp[] singleResps = brep.Responses; SingleResp singleResp = singleResps[0]; Object status = singleResp.GetCertStatus(); if (status == null) { return(OcspCheckStatus.Good); } if (status is RevokedStatus) { return(OcspCheckStatus.Revoked); } if (status is UnknownStatus) { return(OcspCheckStatus.Unknown); } return(OcspCheckStatus.Error); }
/// <summary> /// Convert a OcspResp in a BasicOcspResp /// </summary> public static BasicOcspResp FromRespToBasic(OcspResp ocspResp) { return((BasicOcspResp)ocspResp.GetResponseObject()); }
public override void PerformTest() { string signDN = "O=Bouncy Castle, C=AU"; AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair(); X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN); string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One); // // basic request generation // OcspReqGenerator gen = new OcspReqGenerator(); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); OcspReq req = gen.Generate(); if (req.IsSigned) { Fail("signed but shouldn't be"); } X509Certificate[] certs = req.GetCerts(); if (certs != null) { Fail("null certs expected, but not found"); } Req[] requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // request generation with signing // X509Certificate[] chain = new X509Certificate[1]; gen = new OcspReqGenerator(); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } certs = req.GetCerts(); if (certs == null) { Fail("null certs found"); } if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.GetEncoded(); OcspReq newReq = new OcspReq(reqEnc); if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); } // // request generation with signing and nonce // chain = new X509Certificate[1]; gen = new OcspReqGenerator(); IList oids = new ArrayList(); IList values = new ArrayList(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.NextBytes(sampleNonce); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); oids.Add(OcspObjectIdentifiers.PkixOcspNonce); values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce)))); gen.SetRequestExtensions(new X509Extensions(oids, values)); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } // // extension check. // ISet extOids = req.GetCriticalExtensionOids(); if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); } extOids = req.GetNonCriticalExtensionOids(); if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); } Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce); Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue); if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); } byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets(); if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); } // // request list check // requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // response parsing - test 1 // OcspResp response = new OcspResp(testResp1); if (response.Status != 0) { Fail("response status not zero."); } BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); } // // test 2 // SingleResp[] singleResp = brep.Responses; response = new OcspResp(testResp2); if (response.Status != 0) { Fail("response status not zero."); } brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); } singleResp = brep.Responses; // // simple response generation // OCSPRespGenerator respGen = new OCSPRespGenerator(); OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject()); if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); } doTestECDsa(); doTestRsa(); doTestIrregularVersionReq(); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl) { bool byKey = false; List <OcspServer> finalOcspServers = new List <OcspServer>(); Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate(); OcspClient ocsp = new OcspClient(); if (addCertificateOcspUrl) { string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { finalOcspServers.Add(new OcspServer(certOcspUrl)); } } foreach (var ocspServer in ocspServers) { finalOcspServers.Add(ocspServer); } foreach (var ocspServer in finalOcspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspServer.Url, ocspServer.RequestorName, ocspServer.SignCertificate); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificado revocado"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, digestMethod, ocspRef.CertDigest); ResponderID rpId = or.ResponderId.ToAsn1Object(); ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey); ocspRef.OCSPIdentifier.ByKey = byKey; ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue(); ocspValue.PkiData = rEncoded; ocspValue.Id = "OcspValue" + guidOcsp; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return((from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } throw new Exception("El certificado no ha podido ser validado"); }
/// <summary> /// Verifies the certificate chain via OCSP /// </summary> /// <returns> /// <c>true</c>, if certificate is revoked, <c>false</c> otherwise. /// </returns> /// <param name='chain'> /// The certificate chain. /// </param> private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain) { List <X509Certificate> certsList = new List <X509Certificate> (); List <Uri> certsUrls = new List <Uri> (); bool bCertificateIsRevoked = false; try { //Get the OCSP URLS to be validated for each certificate. foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) { X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(cert.Certificate); if (BCCert.CertificateStructure.TbsCertificate.Extensions != null) { X509Extension ext = BCCert.CertificateStructure.TbsCertificate.Extensions.GetExtension(X509Extensions.AuthorityInfoAccess); if (ext != null) { AccessDescription[] certUrls = AuthorityInformationAccess.GetInstance(ext).GetAccessDescriptions(); Uri url = (certUrls != null && certUrls.Length > 0 && certUrls [0].AccessLocation.Name.ToString().StartsWith("http://")) ? new Uri(certUrls [0].AccessLocation.Name.ToString()) : null; certsList.Add(BCCert); if (!certsUrls.Contains(url)) { certsUrls.Add(url); } } } } if (certsUrls.Count > 0) { //create requests for each cert List <OcspReq> RequestList = new List <OcspReq>(); OcspReqGenerator OCSPRequestGenerator; for (int i = 0; i < (certsList.Count - 1); i++) { OCSPRequestGenerator = new OcspReqGenerator(); BigInteger nonce = BigInteger.ValueOf(DateTime.Now.Ticks); List <DerObjectIdentifier> oids = new List <DerObjectIdentifier> (); oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce); List <X509Extension> values = new List <X509Extension> (); values.Add(new X509Extension(false, new DerOctetString(nonce.ToByteArray()))); OCSPRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values)); CertificateID ID = new CertificateID(CertificateID.HashSha1, certsList [i + 1], certsList [i].SerialNumber); OCSPRequestGenerator.AddRequest(ID); RequestList.Add(OCSPRequestGenerator.Generate()); } //send requests to the OCSP server and read the response for (int i = 0; i < certsUrls.Count && !bCertificateIsRevoked; i++) { for (int j = 0; j < RequestList.Count && !bCertificateIsRevoked; j++) { HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create(certsUrls [i]); requestToOCSPServer.Method = "POST"; requestToOCSPServer.ContentType = "application/ocsp-request"; requestToOCSPServer.Accept = "application/ocsp-response"; requestToOCSPServer.ReadWriteTimeout = 15000; // 15 seconds waiting to stablish connection requestToOCSPServer.Timeout = 100000; // 100 seconds timeout reading response byte[] bRequestBytes = RequestList[j].GetEncoded(); using (Stream requestStream = requestToOCSPServer.GetRequestStream()) { requestStream.Write(bRequestBytes, 0, bRequestBytes.Length); requestStream.Flush(); } HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse(); OcspResp OCSPResponse = new OcspResp(serverResponse.GetResponseStream()); BasicOcspResp basicOCSPResponse = (BasicOcspResp)OCSPResponse.GetResponseObject(); //get the status from the response if (basicOCSPResponse != null) { foreach (SingleResp singleResponse in basicOCSPResponse.Responses) { object certStatus = singleResponse.GetCertStatus(); if (certStatus is RevokedStatus) { bCertificateIsRevoked = true; } } } } } } else { SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation."); } } catch (Exception e) { SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message); bCertificateIsRevoked = true; } if (bCertificateIsRevoked) { SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked"); } return(bCertificateIsRevoked); }
public override void PerformTest() { string signDN = "O=Bouncy Castle, C=AU"; AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair(); X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN); string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU"; GeneralName origName = new GeneralName(new X509Name(origDN)); // // general id value for our test issuer cert and a serial number. // CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One); // // basic request generation // OcspReqGenerator gen = new OcspReqGenerator(); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); OcspReq req = gen.Generate(); if (req.IsSigned) { Fail("signed but shouldn't be"); } X509Certificate[] certs = req.GetCerts(); if (certs != null) { Fail("null certs expected, but not found"); } Req[] requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // request generation with signing // X509Certificate[] chain = new X509Certificate[1]; gen = new OcspReqGenerator(); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } certs = req.GetCerts(); if (certs == null) { Fail("null certs found"); } if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); } // // encoding test // byte[] reqEnc = req.GetEncoded(); OcspReq newReq = new OcspReq(reqEnc); if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); } // // request generation with signing and nonce // chain = new X509Certificate[1]; gen = new OcspReqGenerator(); IList oids = new ArrayList(); IList values = new ArrayList(); byte[] sampleNonce = new byte[16]; Random rand = new Random(); rand.NextBytes(sampleNonce); gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred"))); oids.Add(OcspObjectIdentifiers.PkixOcspNonce); values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce)))); gen.SetRequestExtensions(new X509Extensions(oids, values)); gen.AddRequest( new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One)); chain[0] = testCert; req = gen.Generate("SHA1withRSA", signKP.Private, chain); if (!req.IsSigned) { Fail("not signed but should be"); } if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); } // // extension check. // ISet extOids = req.GetCriticalExtensionOids(); if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); } extOids = req.GetNonCriticalExtensionOids(); if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); } Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce); Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue); if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); } byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets(); if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); } // // request list check // requests = req.GetRequestList(); if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); } // // response parsing - test 1 // OcspResp response = new OcspResp(testResp1); if (response.Status != 0) { Fail("response status not zero."); } BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); } // // test 2 // SingleResp[] singleResp = brep.Responses; response = new OcspResp(testResp2); if (response.Status != 0) { Fail("response status not zero."); } brep = (BasicOcspResp)response.GetResponseObject(); chain = brep.GetCerts(); if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); } singleResp = brep.Responses; // // simple response generation // OCSPRespGenerator respGen = new OCSPRespGenerator(); OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject()); if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); } doTestECDsa(); doTestRsa(); doTestIrregularVersionReq(); }
/// <summary> /// Validate a certificate against its AIA OCSP. /// </summary> /// <param name="cert"></param> /// <param name="aia"></param> /// <returns></returns> CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, AIA aia) { string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer)); string filePath = IssuerCachedFolder + hash; //Check if aki is cached if (!IsIssuerCached(aia.Issuer)) { Download(aia.Issuer, filePath); if (!IsIssuerCached(aia.Issuer)) { return(CertStatus.Unknown(CertStatus.BadIssuer)); } } var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath); var certParser = new Org.BouncyCastle.X509.X509CertificateParser(); var issuer = certParser.ReadCertificate(issuerTemp.RawData); var cert2Validate = certParser.ReadCertificate(cert.RawData); var id = new Org.BouncyCastle.Ocsp.CertificateID( Org.BouncyCastle.Ocsp.CertificateID.HashSha1, issuer, cert2Validate.SerialNumber); byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate); byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc); //Extract the response OcspResp ocspResponse = new OcspResp(resp); BasicOcspResp basicOCSPResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); SingleResp singResp = basicOCSPResponse.Responses[0]; //Validate ID var expectedId = singResp.GetCertID(); if (!expectedId.SerialNumber.Equals(id.SerialNumber)) { return(CertStatus.Unknown(CertStatus.BadSerial)); } if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash())) { return(CertStatus.Unknown(CertStatus.IssuerNotMatch)); } //Extract Status var certificateStatus = singResp.GetCertStatus(); if (certificateStatus == null) { return(CertStatus.Good); } if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason; var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime; return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason)); } if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { return(CertStatus.Unknown()); } return(CertStatus.Unknown()); }