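/**
 * Verifies that an OCSP response is genuine: it must be signed either by the issuer
 * certificate itself or by a responder certificate that is acceptable as an OCSP signer.
 * <p>
 * When the response carries its own certificate(s), the first one is taken as the
 * responder certificate. If that certificate was issued by <code>issuerCert</code>
 * it is accepted only when it also carries the id-kp-OCSPSigning extended key usage
 * (RFC 6960, section 4.2.2.2); without that requirement any end-entity certificate
 * issued by the same CA could sign OCSP responses on the CA's behalf. A responder
 * certificate that was not issued by <code>issuerCert</code> must instead be accepted
 * by the chain verification of the base class.
 * <p>
 * Despite its name the method returns nothing; failure is reported by throwing.
 * @param ocspResp the OCSP response
 * @param issuerCert the issuer certificate of the certificate whose status was queried
 * @throws VerificationException if the responder certificate or the response signature cannot be verified
 * @throws GeneralSecurityException if a certificate or one of its extensions cannot be processed
 * @throws IOException
 */
public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) {
    // by default the OCSP responder certificate is the issuer certificate
    X509Certificate responderCert = issuerCert;
    // check if there's a responder certificate embedded in the response
    X509Certificate[] certs = ocspResp.GetCerts();
    if (certs != null && certs.Length > 0) {
        // NOTE(review): the first certificate is assumed to be the signer; the response's
        // ResponderID is not matched against it here. Only VerifyResponse below ties the
        // signature to responderCert — confirm it does so.
        responderCert = certs[0];
        bool issuedByIssuer;
        try {
            responderCert.Verify(issuerCert.GetPublicKey());
            issuedByIssuer = true;
        }
        catch (GeneralSecurityException) {
            issuedByIssuer = false;
        }
        if (issuedByIssuer) {
            // A delegated responder issued by the CA must be explicitly authorized for OCSP
            // signing; the issuer certificate itself (self-signed case) needs no such marker.
            if (!responderCert.Equals(issuerCert) && !HasOcspSigningKeyPurpose(responderCert))
                throw new VerificationException(responderCert, String.Format("{0} Responder certificate couldn't be verified", responderCert));
        }
        else if (base.Verify(responderCert, issuerCert, DateTime.MaxValue).Count == 0) {
            // Not issued by the issuer: fall back to the base-class chain verification.
            // NOTE(review): DateTime.MaxValue is passed as the signing date, which presumably
            // disables the validity-period check on the responder certificate — confirm
            // against the base class.
            throw new VerificationException(responderCert, String.Format("{0} Responder certificate couldn't be verified", responderCert));
        }
    }
    // verify if the signature of the response is valid
    if (!VerifyResponse(ocspResp, responderCert))
        throw new VerificationException(responderCert, String.Format("{0} OCSP response could not be verified", responderCert));
}

/**
 * Checks whether a certificate carries the id-kp-OCSPSigning extended key usage.
 * @param cert the certificate to inspect
 * @return true if the extended key usage extension is present and lists id-kp-OCSPSigning
 * @throws GeneralSecurityException if the extension cannot be parsed
 */
private static bool HasOcspSigningKeyPurpose(X509Certificate cert) {
    // OID 1.3.6.1.5.5.7.3.9 = id-kp-OCSPSigning (RFC 6960)
    const string IdKpOcspSigning = "1.3.6.1.5.5.7.3.9";
    // The key purposes are compared by their string form so that both OID strings and
    // OID objects (ToString() yields the dotted OID) are handled.
    System.Collections.IEnumerable keyPurposes = cert.GetExtendedKeyUsage();
    if (keyPurposes == null)
        return false;
    foreach (object keyPurpose in keyPurposes) {
        if (keyPurpose != null && keyPurpose.ToString() == IdKpOcspSigning)
            return true;
    }
    return false;
}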