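8. Sertifikāta ķēdes un aktivitātes pārbaude
Statuss CRL sarakstos netiks pārbaudīts – tiks veidota tikai sertifikātu ķēde
/// <summary>
/// Builds the certificate chain for <paramref name="subjectCertificate"/> (signature validation only,
/// no revocation checking) and confirms the certificate is inside its validity period right now.
/// </summary>
/// <param name="subjectCertificate">Certificate to check.</param>
/// <returns>
/// <c>true</c> when the chain builds and the current time lies between
/// <see cref="X509Certificate2.NotBefore"/> and <see cref="X509Certificate2.NotAfter"/>; otherwise <c>false</c>.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="subjectCertificate"/> is <c>null</c>.</exception>
/// <remarks>
/// Revocation is deliberately not consulted here (RevocationMode = NoCheck), so a revoked but otherwise
/// valid certificate still yields <c>true</c>; a CRL or OCSP check must be done separately.
/// DateTime.Now is used on purpose: NotBefore/NotAfter are documented to be reported in local time.
/// The reference time is "now"; when validating a signed document the signing time is usually the
/// correct reference instead.
/// </remarks>
private bool IsTrustedAndActive(X509Certificate2 subjectCertificate)
{
    if (subjectCertificate == null)
    {
        throw new ArgumentNullException(nameof(subjectCertificate));
    }

    // Build the chain to validate every signature in it; statuses are not checked in this step.
    // X509Chain holds native resources, so it is disposed as soon as the build result is known.
    using (X509Chain chain = new X509Chain())
    {
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(subjectCertificate))
        {
            return false;
        }
    }

    // Check that the certificate is active at this moment (not before its activation date
    // and not after its expiry date).
    DateTime validationDateAndTime = DateTime.Now;
    return subjectCertificate.NotBefore <= validationDateAndTime
        && subjectCertificate.NotAfter >= validationDateAndTime;
}
Pārbaudi veicam pēc pašreizējā datuma. Dokumentu pārbaudē, iespējams, jāveic pēc dokumenta parakstīšanas datuma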
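12. Sertifikāta statusa pārbaude CRL
Statuss CRL sarakstos tiek pārbaudīts, izmantojot kešotos CRL sarakstus klienta datorā (ja tādi ir)
// Offline revocation mode consults only CRLs already cached on the client; nothing is downloaded.
bool chainBuiltAndStatusesOK;
using (X509Chain chain = new X509Chain())
{
    chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
    chainBuiltAndStatusesOK = chain.Build(subjectCertificate);

    // A false result does not necessarily mean "revoked": with no cached CRL the status is merely
    // unknown. Inspect chain.ChainStatus (e.g. X509ChainStatusFlags.RevocationStatusUnknown or
    // X509ChainStatusFlags.OfflineRevocation) to tell the two cases apart before deciding what to do.
}
Ja mainīgā vērtība True, tad pārbaude veiksmīga un statusi visas ķēdes sertifikātiem ir OK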
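13. Sertifikāta statusa pārbaude OCSP
Cert ir X509Certificate2 klases instance, kas satur pārbaudāmo sertifikātu
// validate certificate using OCSP
// NOTE(review): the responder URL is hard-coded; in production it should come from the certificate's
// Authority Information Access (AIA) extension. Verify = true is presumably the response-signature
// check — confirm in the OCSP library's documentation, since an unverified response must not be trusted.
OcspClient ocspClient = new OcspClient(new Uri("https://ocsp.eme.lv/responder.eme"));
ocspClient.Verify = true;
OcspRequest ocspRequest = new OcspRequest();
ocspRequest.Certs.Add(MakeCertID(cert));
OcspResponse ocspResponse = ocspClient.QueryOcspServer(ocspRequest);
// Only one certificate was queried, so only the first answer is inspected; both the overall
// response status and the per-certificate revocation status have to be "good".
certificateOk = ocspResponse.Status == OcspResponseType.Good
    && ocspResponse.Certs[0].RevocationStatus.Status == CertificateStatusType.Good;
Prasījām statusu tikai par vienu sertifikātu – tāpēc varam pārbaudīt tikai pirmo atbildi
/// <summary>
/// Builds the OCSP CertID for <paramref name="subjectCertificate"/> by locating its issuer
/// certificate in a locally built chain.
/// </summary>
/// <param name="subjectCertificate">Certificate whose status is going to be queried.</param>
/// <returns>A CertID made from the issuer certificate and the subject's serial number, hashed with SHA-1.</returns>
/// <exception cref="ArgumentNullException"><paramref name="subjectCertificate"/> is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">No chain element's subject name matches the certificate's issuer name.</exception>
private CertID MakeCertID(X509Certificate2 subjectCertificate)
{
    if (subjectCertificate == null)
    {
        throw new ArgumentNullException(nameof(subjectCertificate));
    }

    X509Certificate2 issuerCertificate = null;
    using (X509Chain chain = new X509Chain())
    {
        // Only the chain structure is needed here; revocation is what the OCSP query itself answers.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.Build(subjectCertificate);

        // The issuer is the chain element whose subject name equals this certificate's issuer name.
        // Matching is done on the DN strings (ordinal), last match wins, as in the original code.
        foreach (X509ChainElement chainElement in chain.ChainElements)
        {
            if (string.Equals(chainElement.Certificate.Subject, subjectCertificate.Issuer, StringComparison.Ordinal))
            {
                issuerCertificate = chainElement.Certificate;
            }
        }
    }

    if (issuerCertificate == null)
    {
        // Without the issuer the CertID would be built from a null certificate; fail explicitly instead.
        throw new InvalidOperationException("Issuer certificate not found in the certificate chain.");
    }

    // SerialNumber is a hex string; separators (if any) are stripped before wrapping it.
    return new CertID(
        issuerCertificate,
        new CertificateSerialNumber(subjectCertificate.SerialNumber.Replace("-", "")),
        ObjectId.Sha1);
}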
14. Laika zīmogu serviss 3. Pārbauda TSA atbildes parakstu un TSA sertifikāta derīgumu (AIA, CRL/OCSP, paraksta pārbaude) 2. Saņem TSA atbildi 1. Autentificējas, pieprasa laika zīmogu Parakstītājs Atbildes statuss TSA paraksts {TSA sertifikāts} Dokumenta hash Dokumenta hash Datums un laiks TSP (over HTTPS) Laika zīmogu serviss
17. Sertifikātu meklēšana direktorijā 3. Nolasa nepieciešamos atribūtus (sertifikātu) un šifrē nosūtāmo ziņojumu 2. Saņem LDAP atbildi 1. Nosūta meklēšanas pieprasījumu Šifrētājs Saraksts ar atrastajiem elementiem Base: c=lv Query: (&(givenName=Aldis) (sn=Viļums)) Attributes: Nolasāmo atribūtu saraksts LDAP v3 Sertifikātu direktorijs
18. Sertifikātu direktorija struktūra C = LV O = E-ME OU = Sertifikācijas pakalpojumu daļa CN = E-ME PSI (PCA) LDAP objektu klase inetOrgPerson CN = E-ME SI (CA1) UID=<sertifikāta seriālais #> UID=<sertifikāta seriālais #> CN = E-ME SSI (RCA)
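21. Informācijas meklēšana LDAP
// Directory host. No TLS is requested on this connection (no SecureSocketLayer / StartTLS); that is
// tolerable only because the bind is anonymous and the query reads public certificates.
LdapDirectoryIdentifier ldapId = new LdapDirectoryIdentifier("eme.lv", false, false);

// The filter is a literal here. If the name or surname ever come from user input they must be
// escaped per RFC 4515 before being placed into the filter, otherwise the filter can be rewritten.
SearchRequest searchRequest = new SearchRequest(
    "c=lv",                                                  // base path to search from
    "(&(givenName=Janis)(sn=Berzins))",                      // filter: entries having name Janis and surname Berzins
    System.DirectoryServices.Protocols.SearchScope.Subtree,  // search in the whole subtree under c=lv
    "cn", "givenName", "sn", "serialNumber", "uid", "mail", "o", "ou", "userCertificate"); // attributes to return

// LdapConnection owns a network socket; dispose it when the search is done.
using (LdapConnection ldapConn = new LdapConnection(ldapId, null, AuthType.Anonymous)) // anonymous connection
{
    ldapConn.SessionOptions.ProtocolVersion = 3;
    SearchResponse response = (SearchResponse)ldapConn.SendRequest(searchRequest);

    foreach (SearchResultEntry resultEntry in response.Entries)
    {
        Console.WriteLine(" {0}", resultEntry.DistinguishedName); // print out basic information
        foreach (string attributeName in resultEntry.Attributes.AttributeNames)
        {
            DirectoryAttribute attribute = resultEntry.Attributes[attributeName];
            if (attribute.Count == 0)
            {
                continue;
            }

            // The certificate is binary and is printed separately below, so skip it here;
            // attribute names are compared case-insensitively, as LDAP attribute names are.
            if (!string.Equals(attributeName, "userCertificate", StringComparison.OrdinalIgnoreCase))
            {
                string attributeValue = (string)attribute.GetValues(typeof(string))[0];
                Console.WriteLine(" {0}: {1}", attributeName, attributeValue);
            }
        }

        // code below shows how to get a certificate; the attribute may be absent for an entry,
        // so guard against a null collection and an empty value list.
        DirectoryAttribute certificateAttribute = resultEntry.Attributes["userCertificate"];
        if (certificateAttribute != null && certificateAttribute.Count > 0)
        {
            byte[] fileContents = (byte[])certificateAttribute.GetValues(typeof(byte[]))[0];
            Console.WriteLine(Convert.ToBase64String(fileContents));
        }
    }
}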