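/// <summary>
/// Builds a chain for the certificate and verifies the revocation status of every
/// non-root element (own implementation: OCSP first, CRL as fallback).
/// </summary>
/// <param name="cert">The certificate to validate.</param>
/// <param name="validationTime">The time at which to validate.</param>
/// <param name="extraStore">Extra certificates to use when building the chain.</param>
/// <param name="crls">Already known CRLs; newly retrieved CRLs are added here.</param>
/// <param name="ocsps">Already known OCSP responses; newly retrieved ones are added here.</param>
/// <returns>The chain with all the information about validity.</returns>
/// <remarks>
/// Every element except the last (the root, which has no issuer to check it against)
/// is revocation-checked. A revoked element is flagged with
/// <see cref="X509ChainStatusFlags.Revoked"/>; any other failure of the OCSP/CRL handling
/// (network error, malformed or unverifiable response) is flagged with
/// <see cref="X509ChainStatusFlags.RevocationStatusUnknown"/> rather than silently accepted.
/// NOTE(review): when neither an OCSP response nor a CRL can be obtained at all, no status
/// flag is recorded for that element — callers that need fail-closed behaviour must
/// treat an element without revocation information as unknown themselves.
/// </remarks>
public static Chain BuildChain(this X509Certificate2 cert, DateTime validationTime, X509Certificate2Collection extraStore, IList<BCAX.CertificateList> crls, IList<BCAO.BasicOcspResponse> ocsps)
{
    Chain chain = cert.BuildChain(validationTime, extraStore);
    if (cert.IsOcspNoCheck())
    {
        return chain; // nothing to do
    }

    // Stop before the last element: the root is self-signed and cannot be checked against itself.
    for (int i = 0; i < (chain.ChainElements.Count - 1); i++)
    {
        X509Certificate2 nextCert = chain.ChainElements[i].Certificate;
        X509Certificate2 nextIssuer = chain.ChainElements[i + 1].Certificate;
        try
        {
            // 1. OCSP, first against the already known responses.
            BCAO.BasicOcspResponse ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
            if (ocspResponse == null)
            {
                // No usable known response: fetch a fresh one and verify again.
                BCAO.OcspResponse ocspMsg = nextCert.GetOcspResponse(nextIssuer);
                // ResponseBytes is absent on a non-successful OCSP status; such an answer
                // carries no revocation information, so fall through to the CRL instead.
                if (ocspMsg != null && ocspMsg.ResponseBytes != null)
                {
                    ocspResponse = BCAO.BasicOcspResponse.GetInstance(BCA.Asn1Object.FromByteArray(ocspMsg.ResponseBytes.Response.GetOctets()));
                    // Cached before verification, as documented on the parameter: the caller's
                    // list may therefore contain a response that did not verify.
                    ocsps.Add(ocspResponse);
                    ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
                }
            }
            // TODO: ignore OCSP retrieval errors (exceptions) and still try the CRL.
            if (ocspResponse == null)
            {
                // 2. CRL, first against the already known lists.
                BCAX.CertificateList crl = nextCert.Verify(nextIssuer, validationTime, crls);
                if (crl == null)
                {
                    // No usable known CRL: fetch a fresh one and verify again.
                    crl = nextCert.GetCertificateList();
                    if (crl != null)
                    {
                        crls.Add(crl);
                        crl = nextCert.Verify(nextIssuer, validationTime, crls);
                    }
                }
            }
        }
        catch (RevocationException<BCAO.BasicOcspResponse>)
        {
            AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.Revoked, "The certificate has been revoked");
        }
        catch (RevocationException<BCAX.CertificateList>)
        {
            // NOTE(review): assumes the CRL Verify overload reports revocation with this
            // exception type, as the OCSP overload does — confirm. Without this catch a
            // CRL-detected revocation would land in the generic handler below and be
            // reported only as "status unknown" instead of "revoked".
            AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.Revoked, "The certificate has been revoked");
        }
        catch (Exception)
        {
            // Anything else (retrieval failure, malformed or unverifiable OCSP/CRL) is
            // reported as unknown revocation status, never as valid.
            AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.RevocationStatusUnknown, "Invalid OCSP/CRL found");
        }
    }
    return chain;
}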
/// <summary>
/// Wraps a DER-encoded BasicOCSPResponse in a full OCSPResponse whose status is
/// <see cref="OcspResponseStatus.Successful"/>.
/// </summary>
/// <param name="basicOCSPResp">The DER encoding of the BasicOCSPResponse to wrap.</param>
/// <returns>An <see cref="OcspResp"/> with successful status carrying the given bytes as id-pkix-ocsp-basic response bytes.</returns>
public static OcspResp FromBasicToResp(byte[] basicOCSPResp)
{
    ResponseBytes basicBytes = new ResponseBytes(OcspObjectIdentifiers.PkixOcspBasic, new DerOctetString(basicOCSPResp));
    OcspResponseStatus successful = new OcspResponseStatus(OcspResponseStatus.Successful);
    OcspResponse wrapped = new OcspResponse(successful, basicBytes);
    return new OcspResp(wrapped);
}
/// <summary>
/// Decodes a DER-encoded OCSPResponse and ensures the responder answered successfully.
/// </summary>
/// <param name="ocspRspBytes">The raw OCSP response as received from the responder.</param>
/// <returns>The decoded response; its status is guaranteed to be successful.</returns>
/// <exception cref="RevocationUnknownException">
/// When the response status is anything but successful — the responder gave no usable
/// answer, so the revocation status cannot be determined from it.
/// </exception>
private static BCAO.OcspResponse ParseOCSPResponse(byte[] ocspRspBytes)
{
    BCAO.OcspResponse parsed = BCAO.OcspResponse.GetInstance(BCA.Asn1Sequence.FromByteArray(ocspRspBytes));
    int status = parsed.ResponseStatus.IntValueExact;
    if (status == BCAO.OcspResponseStatus.Successful)
    {
        return parsed;
    }
    throw new RevocationUnknownException("OCSP Response with invalid status: " + status);
}
/// <summary>
/// Reads one ASN.1 object from <paramref name="aIn"/> and interprets it as an OCSPResponse.
/// </summary>
/// <param name="aIn">Stream positioned at the DER-encoded OCSPResponse.</param>
/// <exception cref="IOException">
/// When the stream does not hold a well-formed OCSPResponse; the decoding exception is
/// preserved as the inner exception.
/// </exception>
private OcspResp(Asn1InputStream aIn)
{
    try
    {
        var raw = aIn.ReadObject();
        resp = OcspResponse.GetInstance(raw);
    }
    catch (Exception e)
    {
        throw new IOException("malformed response: " + e.Message, e);
    }
}
/// <summary>
/// Builds an <see cref="OcspResponse"/> from a tagged object.
/// </summary>
/// <param name="obj">The tagged object wrapping the OCSPResponse sequence.</param>
/// <param name="explicitly">Whether the tagging is explicit.</param>
/// <returns>The decoded OCSPResponse.</returns>
public static OcspResponse GetInstance(Asn1TaggedObject obj, bool explicitly)
    => GetInstance(Asn1Sequence.GetInstance(obj, explicitly));
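/// <summary>
/// Wraps an already decoded OCSPResponse structure.
/// </summary>
/// <param name="resp">The decoded response; must not be null.</param>
/// <exception cref="ArgumentNullException">When <paramref name="resp"/> is null, so the
/// failure surfaces here instead of as a NullReferenceException on first use.</exception>
public OcspResp(OcspResponse resp)
{
    if (resp == null)
    {
        throw new ArgumentNullException(nameof(resp));
    }
    this.resp = resp;
}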
/// <summary>
/// Decodes the sample OCSPResponse, re-encodes its embedded BasicOCSPResponse and
/// checks that the round trip reproduces the original bytes exactly.
/// </summary>
/// <returns>
/// A passing result when the re-encoded response equals <c>_response</c>; a failing
/// result otherwise. Decoding exceptions are reported in the result, not thrown.
/// </returns>
private ITestResult Response()
{
    try
    {
        OcspResponse decoded = OcspResponse.GetInstance(Asn1Object.FromByteArray(_response));
        ResponseBytes responseBytes = ResponseBytes.GetInstance(decoded.ResponseBytes);
        BasicOcspResponse basic = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(responseBytes.Response.GetOctets()));

        // Rebuild the outer structure from the re-encoded inner response.
        ResponseBytes rebuiltBytes = new ResponseBytes(responseBytes.ResponseType, new DerOctetString(basic.GetEncoded()));
        OcspResponse reencoded = new OcspResponse(decoded.ResponseStatus, rebuiltBytes);

        bool roundTrips = Arrays.AreEqual(reencoded.GetEncoded(), _response);
        return roundTrips
            ? new SimpleTestResult(true, Name + ": Okay")
            : new SimpleTestResult(false, Name + ": Ocsp response failed to re-encode");
    }
    catch (Exception e)
    {
        return new SimpleTestResult(false, Name + ": failed response exception - " + e.ToString(), e);
    }
}