public X509Crl(
CertificateList c)
{
this.c = c;
try
{
this.sigAlgName = X509SignatureUtilities.GetSignatureName(c.SignatureAlgorithm);
if (c.SignatureAlgorithm.Parameters != null)
{
this.sigAlgParams = ((Asn1Encodable)c.SignatureAlgorithm.Parameters).GetDerEncoded();
}
else
{
this.sigAlgParams = null;
}
this.isIndirect = IsIndirectCrl;
}
catch (Exception e)
{
throw new CrlException("CRL contents invalid: " + e);
}
}
/// <summary>
/// Build a chain for the certificates and verifies the revocation (own implementation)
/// </summary>
/// <param name="cert">The certificate to validate</param>
/// <param name="validationTime">The time upon wich the validate</param>
/// <param name="extraStore">Extra certs to use when creating the chain</param>
/// <param name="crls">Already known crl's, newly retrieved CRL's will be added here</param>
/// <param name="ocsps">Already konwn ocsp's, newly retreived OCSP's will be added here</param>
/// <returns>The chain with all the information about validity</returns>
public static Chain BuildChain(this X509Certificate2 cert, DateTime validationTime, X509Certificate2Collection extraStore, IList <BCAX.CertificateList> crls, IList <BCAO.BasicOcspResponse> ocsps)
{
Chain chain = cert.BuildChain(validationTime, extraStore);
if (cert.IsOcspNoCheck())
{
return(chain); //nothing to do
}
for (int i = 0; i < (chain.ChainElements.Count - 1); i++)
{
X509Certificate2 nextCert = chain.ChainElements[i].Certificate;
X509Certificate2 nextIssuer = chain.ChainElements[i + 1].Certificate;
try
{
//try OCSP
BCAO.BasicOcspResponse ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
if (ocspResponse == null)
{
//try to fetch a new one
BCAO.OcspResponse ocspMsg = nextCert.GetOcspResponse(nextIssuer);
if (ocspMsg != null)
{
//new one fetched, try again
ocspResponse = BCAO.BasicOcspResponse.GetInstance(BCA.Asn1Object.FromByteArray(ocspMsg.ResponseBytes.Response.GetOctets()));
ocsps.Add(ocspResponse);
ocspResponse = nextCert.Verify(nextIssuer, validationTime, ocsps);
}
}
//TODO::ignore OCSP retreival errors and try CRL ;-)
if (ocspResponse == null)
{
//try CRL
BCAX.CertificateList crl = nextCert.Verify(nextIssuer, validationTime, crls);
if (crl == null)
{
//try to fetch a new one
crl = nextCert.GetCertificateList();
if (crl != null)
{
//new one fetched, try again
crls.Add(crl);
crl = nextCert.Verify(nextIssuer, validationTime, crls);
}
}
}
}
catch (RevocationException <BCAO.BasicOcspResponse> )
{
AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.Revoked, "The certificate has been revoked");
}
catch
{
AddErrorStatus(chain.ChainStatus, chain.ChainElements[i].ChainElementStatus, X509ChainStatusFlags.RevocationStatusUnknown, "Invalid OCSP/CRL found");
}
}
return(chain);
}
public virtual CertificateList[] ToCertificateListArray()
{
CertificateList[] result = new CertificateList[content.Count];
for (int i = 0; i != result.Length; ++ i)
{
result[i] = CertificateList.GetInstance(content[i]);
}
return result;
}
public virtual CertificateList[] GetCrls()
{
if (crls == null)
return null;
CertificateList[] results = new CertificateList[crls.Count];
for (int i = 0; i != results.Length; ++i)
{
results[i] = CertificateList.GetInstance(crls[i]);
}
return results;
}
/// <summary>
/// Validates the cert with the provided crl responses.
/// </summary>
/// <param name="certificate">The cert to validate</param>
/// <param name="issuer">The issuer of the cert to validate</param>
/// <param name="validationTime">The time on which the cert was needed to validated</param>
/// <param name="certLists">The list of crls to use</param>
/// <returns>The crl response that was used, <c>null</c> if none used</returns>
/// <exception cref="RevocationException{T}">When the certificate was revoked on the provided time</exception>
/// <exception cref="RevocationUnknownException">When the certificate (or the crl) can't be validated</exception>
public static BCAX.CertificateList Verify(this X509Certificate2 certificate, X509Certificate2 issuer, DateTime validationTime, IList <BCAX.CertificateList> certLists)
{
DateTime minTime = validationTime - ClockSkewness;
DateTime maxTime = validationTime + ClockSkewness;
BCX.X509Certificate certificateBC = DotNetUtilities.FromX509Certificate(certificate);
BCX.X509Certificate issuerBC = DotNetUtilities.FromX509Certificate(issuer);
ValueWithRef <BCX.X509Crl, BCAX.CertificateList> crlWithOrg = certLists
.Select((c) => new ValueWithRef <BCX.X509Crl, BCAX.CertificateList>(new BCX.X509Crl(c), c)) //convert, keep orginal
.Where((c) => c.Value.IssuerDN.Equals(certificateBC.IssuerDN))
.Where((c) => c.Value.ThisUpdate >= minTime || (c.Value.NextUpdate != null && c.Value.NextUpdate.Value >= minTime))
.OrderByDescending((c) => c.Value.ThisUpdate)
.FirstOrDefault();
if (crlWithOrg == null)
{
return(null);
}
BCX.X509Crl crl = crlWithOrg.Value;
BCAX.CertificateList certList = crlWithOrg.Reference;
//check the signature (no need the check the issuer here)
try
{
crl.Verify(issuerBC.GetPublicKey());
}
catch (Exception e)
{
throw new RevocationUnknownException("The CRL has an invalid signature", e);
}
//check the signer (only the part relevant for CRL)
if (!issuerBC.GetKeyUsage()[6])
{
throw new RevocationUnknownException("The CRL was signed with a certificate that isn't allowed to sign CRLs");
}
//check if the certificate is revoked
BCX.X509CrlEntry crlEntry = crl.GetRevokedCertificate(certificateBC.SerialNumber);
if (crlEntry != null)
{
trace.TraceEvent(TraceEventType.Verbose, 0, "CRL indicates that {0} is revoked on {1}", certificate.Subject, crlEntry.RevocationDate);
if (maxTime >= crlEntry.RevocationDate)
{
throw new RevocationException <BCAX.CertificateList>(certList, "The certificate was revoked on " + crlEntry.RevocationDate.ToString("o"));
}
}
return(certList);
}
public RevocationValues(
CertificateList[] crlVals,
BasicOcspResponse[] ocspVals,
OtherRevVals otherRevVals)
{
if (crlVals != null)
{
this.crlVals = new DerSequence(crlVals);
}
if (ocspVals != null)
{
this.ocspVals = new DerSequence(ocspVals);
}
this.otherRevVals = otherRevVals;
}
public RevocationValues(
CertificateList[] crlVals,
BasicOcspResponse[] ocspVals,
OtherRevVals otherRevVals)
{
//if (otherRevVals == null)
// throw new ArgumentNullException("otherRevVals");
if (crlVals != null)
{
this.crlVals = new DerSequence(crlVals);
}
if (ocspVals != null)
{
this.ocspVals = new DerSequence(ocspVals);
}
this.otherRevVals = otherRevVals;
}
public CertificateList[] GetCrlVals()
{
CertificateList[] result = new CertificateList[crlVals.Count];
for (int i = 0; i < crlVals.Count; ++i)
{
result[i] = CertificateList.GetInstance(crlVals[i].ToAsn1Object());
}
return result;
}
protected virtual X509Crl CreateX509Crl(
CertificateList c)
{
return new X509Crl(c);
}
public virtual RevRepContentBuilder AddCrl(CertificateList crl)
{
this.crls.Add(crl);
return this;
}
/// <exception cref="System.IO.IOException"></exception>
//private IDictionary<DerObjectIdentifier, Asn1Encodable> ExtendUnsignedAttributes(IDictionary
// <DerObjectIdentifier, Asn1Encodable> unsignedAttrs, X509Certificate signingCertificate
// , DateTime signingDate, CertificateSource optionalCertificateSource)
private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs
, X509Certificate signingCertificate, DateTime signingDate
, CertificateSource optionalCertificateSource)
{
ValidationContext validationContext = certificateVerifier.ValidateCertificate(signingCertificate
, signingDate, optionalCertificateSource, null, null);
try
{
IList<X509CertificateStructure> certificateValues = new AList<X509CertificateStructure
>();
AList<CertificateList> crlValues = new AList<CertificateList>();
AList<BasicOcspResponse> ocspValues = new AList<BasicOcspResponse>();
foreach (CertificateAndContext c in validationContext.GetNeededCertificates())
{
if (!c.Equals(signingCertificate))
{
certificateValues.AddItem(X509CertificateStructure.GetInstance(((Asn1Sequence)Asn1Object.FromByteArray
(c.GetCertificate().GetEncoded()))));
}
}
foreach (X509Crl relatedcrl in validationContext.GetNeededCRL())
{
crlValues.AddItem(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(((X509Crl
)relatedcrl).GetEncoded())));
}
foreach (BasicOcspResp relatedocspresp in validationContext.GetNeededOCSPResp())
{
ocspValues.AddItem((BasicOcspResponse.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(
relatedocspresp.GetEncoded()))));
}
CertificateList[] crlValuesArray = new CertificateList[crlValues.Count];
BasicOcspResponse[] ocspValuesArray = new BasicOcspResponse[ocspValues.Count];
RevocationValues revocationValues = new RevocationValues(Sharpen.Collections.ToArray
(crlValues, crlValuesArray), Sharpen.Collections.ToArray(ocspValues, ocspValuesArray
), null);
//unsignedAttrs.Put(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new Attribute
unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new BcCms.Attribute
(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues))
);
X509CertificateStructure[] certValuesArray = new X509CertificateStructure[certificateValues
.Count];
//unsignedAttrs.Put(PkcsObjectIdentifiers.IdAAEtsCertValues, new Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(Sharpen.Collections.ToArray(certificateValues
unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(Sharpen.Collections.ToArray(certificateValues
, certValuesArray)))));
}
catch (CertificateEncodingException e)
{
throw new RuntimeException(e);
}
catch (CrlException e)
{
throw new RuntimeException(e);
}
return unsignedAttrs;
}
public static CertificateList GetInstance(Asn1TaggedObject obj, bool explicitly)
{
return(CertificateList.GetInstance(Asn1Sequence.GetInstance(obj, explicitly)));
}
public void Setup()
{
leafCert = new X509Certificate2("files/eid79021802145.crt");
intCaCert = new X509Certificate2("files/Citizen201204.crt");
intCaCrl = CertificateList.GetInstance(File.ReadAllBytes("files/Citizen201204.crl"));
rootCaCrl = CertificateList.GetInstance(File.ReadAllBytes("files/rootca2.crl"));
leafOcsp = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(File.ReadAllBytes("files/eid79021802145.ocsp")));
leafOcsp2 = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(File.ReadAllBytes("files/eid79021802145-2.ocsp")));
}
