public async Task&lt;VerifySignatureResult&gt; CheckCertificateRevocationStatusAsync(X509Certificate targetCert, X509Certificate issuerCert)

in net/JetBrains.SignatureVerifier/src/Crypt/OcspVerifier.cs [29:104]


    /// <summary>
    /// Queries the OCSP responder named in <paramref name="targetCert"/> and reports whether that
    /// responder currently considers the certificate "good".
    /// </summary>
    /// <param name="targetCert">Certificate whose revocation status is being checked.</param>
    /// <param name="issuerCert">Issuer of <paramref name="targetCert"/>; needed to build the OCSP CertID.</param>
    /// <returns>
    /// <see cref="VerifySignatureResult.Valid"/> only when every single response matching our CertID
    /// passes <c>validateSingleOcspResponse</c> and reports "good". Every other outcome — no OCSP URL in
    /// the certificate, a non-successful responder status, an unexpected response type, a response that
    /// fails <c>validateOcspResponse</c>, no single response for our CertID, an "unknown" or "revoked"
    /// status — yields an <c>InvalidChain</c> result. The method fails closed; it never defaults to "good".
    /// </returns>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    /// <remarks>
    /// Responder signature, trust and time-window checks are delegated to <c>validateOcspResponse</c> /
    /// <c>validateSingleOcspResponse</c>, which are not shown here. NOTE(review): the request is built
    /// without a nonce extension, so protection against replayed (old but once-valid) responses rests
    /// entirely on those validators checking thisUpdate/nextUpdate — confirm before relying on freshness.
    /// Exceptions raised by the network exchange (including timeouts) propagate to the caller.
    /// </remarks>
    public async Task<VerifySignatureResult> CheckCertificateRevocationStatusAsync([NotNull] X509Certificate targetCert,
      [NotNull] X509Certificate issuerCert)
    {
      if (targetCert is null) throw new ArgumentNullException(nameof(targetCert));
      if (issuerCert is null) throw new ArgumentNullException(nameof(issuerCert));

      var responderUrl = targetCert.GetOcspUrl();
      if (responderUrl is null)
      {
        // Fail closed: with no AIA/OCSP URL there is no way to learn the status.
        _logger.Warning($"The OCSP access data is empty in certificate {targetCert.FormatId()}");
        _logger.Error(Messages.unable_determin_certificate_revocation_status);
        return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status);
      }

      // SHA-1 here only hashes the issuer name/key so the responder can identify the certificate
      // (the CertID profile most responders accept); it plays no part in any trust decision.
      var requestedCertId = new CertificateID(OiwObjectIdentifiers.IdSha1.Id, issuerCert, targetCert.SerialNumber);
      var requestBuilder = new Org.BouncyCastle.Ocsp.OcspReqGenerator();
      requestBuilder.AddRequest(requestedCertId);

      var response = await getOcspResponceAsync(responderUrl, requestBuilder.Generate(), _ocspResponseTimeout);
      if (response.Status != OcspRespStatus.Successful)
      {
        _logger.Error($"OCSP response status: {response.Status}");
        return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status);
      }

      if (!(response.GetResponseObject() is BasicOcspResp basicResponse))
      {
        _logger.Error($"Unknown OCSP response type");
        return VerifySignatureResult.InvalidChain(Messages.unable_determin_certificate_revocation_status);
      }

      // Whole-response checks (signature / trust / validity window) live in the helper.
      if (!validateOcspResponse(basicResponse))
        return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response);

      // Only single responses for the CertID we asked about are considered; a response that
      // answers for some other certificate must not be mistaken for an answer to ours.
      var matchingResponses = basicResponse.Responses
        .Where(single => single.GetCertID().Equals(requestedCertId))
        .ToList();

      if (matchingResponses.Count == 0)
      {
        _logger.Error("OCSP response not correspond to request");
        return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response);
      }

      foreach (var single in matchingResponses)
      {
        if (!validateSingleOcspResponse(single))
          return VerifySignatureResult.InvalidChain(Messages.invalid_ocsp_response);

        // BouncyCastle reports "good" as a null status object; "unknown" and "revoked"
        // are both rejected. Any other status type is ignored, as in the original logic.
        switch (single.GetCertStatus())
        {
          case null:
            break;

          case UnknownStatus _:
            _logger.Warning(Messages.unknown_certificate_revocation_status);
            return VerifySignatureResult.InvalidChain(Messages.unknown_certificate_revocation_status);

          case RevokedStatus revoked:
          {
            var revokedMessage = formatRevokedStatus(revoked);
            _logger.Warning(revokedMessage);
            return VerifySignatureResult.InvalidChain(revokedMessage);
          }
        }
      }

      return VerifySignatureResult.Valid;
    }