/**
* Check this response to see if it is a well-formed response for
* the passed-in request. Validation will include checking the time stamp
* token if the response status is GRANTED or GRANTED_WITH_MODS.
* Note that only the token's consistency with the request is checked here;
* the token's signature is not verified by this method.
*
* @param request the request to be checked against
* @throws TspException if this response cannot be matched to the request.
*/
public void Validate(TimeStampRequest request)
{
    // Scope of this method: it checks that the response is consistent with the
    // request (nonce, status, message imprint, policy) and that a signing
    // certificate attribute is present. Nothing in this method verifies the
    // token's signature or the TSA certificate; that has to be done separately
    // before the time stamp is trusted.
    TimeStampToken token = this.TimeStampToken;

    if (token == null)
    {
        // A response without a token is only acceptable when the TSA did not
        // grant the request.
        if (this.Status == (int)PkiStatus.Granted || this.Status == (int)PkiStatus.GrantedWithMods)
        {
            throw new TspValidationException("no time stamp token found and one expected.");
        }

        return;
    }

    TimeStampTokenInfo info = token.TimeStampInfo;

    // If the request carried a nonce, the response must carry the same value;
    // this ties the response to this particular request.
    var requestedNonce = request.Nonce;
    if (requestedNonce != null && !requestedNonce.Equals(info.Nonce))
    {
        throw new TspValidationException("response contains wrong nonce value.");
    }

    // A token must not accompany a response whose status is anything other
    // than Granted / GrantedWithMods.
    if (!(this.Status == (int)PkiStatus.Granted || this.Status == (int)PkiStatus.GrantedWithMods))
    {
        throw new TspValidationException("time stamp token found in failed request.");
    }

    // The token must cover exactly the digest that was submitted. The byte
    // comparison goes through Arrays.ConstantTimeAreEqual.
    byte[] requestedDigest = request.GetMessageImprintDigest();
    byte[] stampedDigest = info.GetMessageImprintDigest();
    if (!Arrays.ConstantTimeAreEqual(requestedDigest, stampedDigest))
    {
        throw new TspValidationException("response for different message imprint digest.");
    }

    // Equal digest bytes are not enough: the digest algorithm must match too.
    if (!info.MessageImprintAlgOid.Equals(request.MessageImprintAlgOid))
    {
        throw new TspValidationException("response for different message imprint algorithm.");
    }

    // At least one of the two signing certificate attributes must be among the
    // signed attributes. Only presence is checked here; the attribute content
    // is not compared against any certificate in this method.
    Asn1.Cms.Attribute signingCertV1 = token.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificate];
    Asn1.Cms.Attribute signingCertV2 = token.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificateV2];
    if (signingCertV1 == null && signingCertV2 == null)
    {
        throw new TspValidationException("no signing certificate attribute present.");
    }

    /*
     * RFC 5035 5.4. If both attributes exist in a single message,
     * they are independently evaluated. No further action is taken
     * here when both are present.
     */

    // A policy named in the request must be the policy the TSA applied.
    var requestedPolicy = request.ReqPolicy;
    if (requestedPolicy != null && !requestedPolicy.Equals(info.Policy))
    {
        throw new TspValidationException("TSA policy wrong for request.");
    }
}