public static int CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date) { List<BasicOcspResp> ocsps = new List<BasicOcspResp>(); if (pkcs7.Ocsp != null) ocsps.Add(pkcs7.Ocsp); OcspVerifier ocspVerifier = new OcspVerifier(null, ocsps); List<VerificationOK> verification = ocspVerifier.Verify(signCert, issuerCert, date); if (verification.Count == 0) { List<X509Crl> crls = new List<X509Crl>(); if (pkcs7.CRLs != null) foreach (X509Crl crl in pkcs7.CRLs) crls.Add(crl); CrlVerifier crlVerifier = new CrlVerifier(null, crls); verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date)); } if (verification.Count == 0) { Console.WriteLine("No se pudo verificar estado de revocación del certificado por CRL ni OCSP"); return CER_STATUS_NOT_VERIFIED; } else { foreach (VerificationOK v in verification) Console.WriteLine(v); return 0; } }
/** * Verifies certificates against a list of CRLs and OCSP responses. * @param signingCert * @param issuerCert * @return a list of <code>VerificationOK</code> objects. * The list will be empty if the certificate couldn't be verified. * @throws GeneralSecurityException * @throws IOException * @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate) */ override public List <VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime sigDate) { // we'll verify agains the rootstore (if present) RootStoreVerifier rootStoreVerifier = new RootStoreVerifier(verifier); rootStoreVerifier.Certificates = certificates; // We'll verify against a list of CRLs CrlVerifier crlVerifier = new CrlVerifier(rootStoreVerifier, GetCRLsFromDSS()); crlVerifier.Certificates = certificates; crlVerifier.OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed; // We'll verify against a list of OCSPs OcspVerifier ocspVerifier = new OcspVerifier(crlVerifier, GetOCSPResponsesFromDSS()); ocspVerifier.Certificates = certificates; ocspVerifier.OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed; // We verify the chain return(ocspVerifier.Verify(signCert, issuerCert, sigDate)); }
public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date) { List<BasicOcspResp> ocsps = new List<BasicOcspResp>(); if (pkcs7.Ocsp != null) ocsps.Add(pkcs7.Ocsp); OcspVerifier ocspVerifier = new OcspVerifier(null, ocsps); List<VerificationOK> verification = ocspVerifier.Verify(signCert, issuerCert, date); if (verification.Count == 0) { List<X509Crl> crls = new List<X509Crl>(); if (pkcs7.CRLs != null) foreach (X509Crl crl in pkcs7.CRLs) crls.Add(crl); CrlVerifier crlVerifier = new CrlVerifier(null, crls); verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date)); } if (verification.Count == 0) Console.WriteLine("The signing certificate couldn't be verified"); else foreach (VerificationOK v in verification) Console.WriteLine(v); }
/** * Verifies if an OCSP response is genuine * If it doesn't verify against the issuer certificate and response's certificates, it may verify * using a trusted anchor or cert. * @param ocspResp the OCSP response * @param issuerCert the issuer certificate * @throws GeneralSecurityException * @throws IOException */ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) { //OCSP response might be signed by the issuer certificate or //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension X509Certificate responderCert = null; //first check if the issuer certificate signed the response //since it is expected to be the most common case if (IsSignatureValid(ocspResp, issuerCert)) { responderCert = issuerCert; } //if the issuer certificate didn't sign the ocsp response, look for authorized ocsp responses // from properties or from certificate chain received with response if (responderCert == null) { if (ocspResp.GetCerts() != null) { //look for existence of Authorized OCSP responder inside the cert chain in ocsp response X509Certificate[] certs = ocspResp.GetCerts(); foreach (X509Certificate cert in certs) { X509Certificate tempCert; try { tempCert = cert; } catch (Exception ex) { continue; } IList keyPurposes = null; try { keyPurposes = tempCert.GetExtendedKeyUsage(); if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, tempCert)) { responderCert = tempCert; break; } } catch (CertificateParsingException ignored) { } } // Certificate signing the ocsp response is not found in ocsp response's certificate chain received // and is not signed by the issuer certificate. if (responderCert == null) { throw new VerificationException(issuerCert, "OCSP response could not be verified"); } } else { //certificate chain is not present in response received //try to verify using rootStore if (certificates != null) { foreach (X509Certificate anchor in certificates) { try { if (IsSignatureValid(ocspResp, anchor)) { responderCert = anchor; break; } } catch (GeneralSecurityException ignored) { } } } // OCSP Response does not contain certificate chain, and response is not signed by any // of the rootStore or the issuer certificate. if (responderCert == null) { throw new VerificationException(issuerCert, "OCSP response could not be verified"); } } } //check "This certificate MUST be issued directly by the CA that issued the certificate in question". responderCert.Verify(issuerCert.GetPublicKey()); // validating ocsp signers certificate // Check if responders certificate has id-pkix-ocsp-nocheck extension, // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null) { X509Crl crl; try { X509CrlParser crlParser = new X509CrlParser(); // Creates the CRL Stream url = WebRequest.Create(CertificateUtil.GetCRLURL(responderCert)).GetResponse().GetResponseStream(); crl = crlParser.ReadCrl(url); } catch (Exception ignored) { crl = null; } if (crl != null) { CrlVerifier crlVerifier = new CrlVerifier(null, null); crlVerifier.Certificates = certificates; crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed; crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow); return; } } //check if lifetime of certificate is ok responderCert.CheckValidity(); }
/** * Verifies certificates against a list of CRLs and OCSP responses. * @param signingCert * @param issuerCert * @return a list of <code>VerificationOK</code> objects. * The list will be empty if the certificate couldn't be verified. * @throws GeneralSecurityException * @throws IOException * @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate) */ override public List<VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime sigDate) { // we'll verify agains the rootstore (if present) RootStoreVerifier rootStoreVerifier = new RootStoreVerifier(verifier); rootStoreVerifier.Certificates = certificates; // We'll verify against a list of CRLs CrlVerifier crlVerifier = new CrlVerifier(rootStoreVerifier, GetCRLsFromDSS()); crlVerifier.Certificates = certificates; crlVerifier.OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed; // We'll verify against a list of OCSPs OcspVerifier ocspVerifier = new OcspVerifier(crlVerifier, GetOCSPResponsesFromDSS()); ocspVerifier.Certificates = certificates; ocspVerifier.OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed; // We verify the chain return ocspVerifier.Verify(signCert, issuerCert, sigDate); }
private static bool CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date) { List<BasicOcspResp> ocsps = new List<BasicOcspResp>(); if (pkcs7.Ocsp != null) ocsps.Add(pkcs7.Ocsp); OcspVerifier ocspVerifier = new OcspVerifier(null, ocsps); List<VerificationOK> verification = ocspVerifier.Verify(signCert, issuerCert, date); if (verification.Count == 0) { List<X509Crl> crls = new List<X509Crl>(); if (pkcs7.CRLs != null) foreach (X509Crl crl in pkcs7.CRLs) crls.Add(crl); if (crls.Count > 0) { CrlVerifier crlVerifier = new CrlVerifier(null, crls); verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date)); } } if (verification.Count == 0) return false; else foreach (VerificationOK v in verification) Console.WriteLine(v); return (verification.Count > 0); }