|
static private AddAdditionalStoresFromCrlDistributionPoint ( |
||
| crldp | ||
| pkixParams | ||
| return | void | |
/**
* Checks if an attribute certificate is revoked.
*
* @param attrCert Attribute certificate to check if it is revoked.
* @param paramsPKIX PKIX parameters.
* @param issuerCert The issuer certificate of the attribute certificate
* <code>attrCert</code>.
* @param validDate The date when the certificate revocation status should
* be checked.
* @param certPathCerts The certificates of the certification path to be
* checked.
*
* @throws CertPathValidatorException if the certificate is revoked or the
* status cannot be checked or some error occurs.
*/
internal static void CheckCrls(
IX509AttributeCertificate attrCert,
PkixParameters paramsPKIX,
X509Certificate issuerCert,
DateTime validDate,
IList certPathCerts)
{
if (!paramsPKIX.IsRevocationEnabled)
{
return;
}
// check if revocation is available
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) != null)
{
if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null ||
attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
{
throw new PkixCertPathValidatorException(
"No rev avail extension is set, but also an AC revocation pointer.");
}
return;
}
CrlDistPoint crldp = null;
try
{
crldp = CrlDistPoint.GetInstance(
PkixCertPathValidatorUtilities.GetExtensionValue(
attrCert, X509Extensions.CrlDistributionPoints));
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"CRL distribution point extension could not be read.", e);
}
try
{
PkixCertPathValidatorUtilities
.AddAdditionalStoresFromCrlDistributionPoint(crldp, paramsPKIX);
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"No additional CRL locations could be decoded from CRL distribution point extension.", e);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
Exception lastException = null;
bool validCrlFound = false;
// for each distribution point
if (crldp != null)
{
DistributionPoint[] dps = null;
try
{
dps = crldp.GetDistributionPoints();
}
catch (Exception e)
{
throw new PkixCertPathValidatorException(
"Distribution points could not be read.", e);
}
try
{
for (int i = 0; i < dps.Length &&
certStatus.Status == CertStatus.Unrevoked &&
!reasonsMask.IsAllReasons; i++)
{
PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX
.Clone();
CheckCrl(dps[i], attrCert, paramsPKIXClone,
validDate, issuerCert, certStatus, reasonsMask,
certPathCerts);
validCrlFound = true;
}
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
/*
* If the revocation status has not been determined, repeat the
* process above with any available CRLs not specified in a
* distribution point but issued by the certificate issuer.
*/
if (certStatus.Status == CertStatus.Unrevoked &&
!reasonsMask.IsAllReasons)
{
try
{
/*
* assume a DP with both the reasons and the cRLIssuer
* fields omitted and a distribution point name of the
* certificate issuer.
*/
X509Name issuer;
try
{
issuer = X509Name.GetInstance(attrCert.Issuer.GetPrincipals()[0].GetEncoded());
}
catch (Exception e)
{
throw new Exception(
"Issuer from certificate for CRL could not be reencoded.",
e);
}
DistributionPoint dp = new DistributionPoint(
new DistributionPointName(0, new GeneralNames(
new GeneralName(GeneralName.DirectoryName, issuer))), null, null);
PkixParameters paramsPKIXClone = (PkixParameters)paramsPKIX.Clone();
CheckCrl(dp, attrCert, paramsPKIXClone, validDate,
issuerCert, certStatus, reasonsMask, certPathCerts);
validCrlFound = true;
}
catch (Exception e)
{
lastException = new Exception(
"No valid CRL for distribution point found.", e);
}
}
if (!validCrlFound)
{
throw new PkixCertPathValidatorException(
"No valid CRL found.", lastException);
}
if (certStatus.Status != CertStatus.Unrevoked)
{
// This format is enforced by the NistCertPath tests
string formattedDate = certStatus.RevocationDate.Value.ToString(
"ddd MMM dd HH:mm:ss K yyyy");
string message = "Attribute certificate revocation after "
+ formattedDate;
message += ", reason: "
+ Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
throw new PkixCertPathValidatorException(message);
}
if (!reasonsMask.IsAllReasons &&
certStatus.Status == CertStatus.Unrevoked)
{
certStatus.Status = CertStatus.Undetermined;
}
if (certStatus.Status == CertStatus.Undetermined)
{
throw new PkixCertPathValidatorException(
"Attribute certificate status could not be determined.");
}
}
internal static void CheckCrls(IX509AttributeCertificate attrCert, PkixParameters paramsPKIX, X509Certificate issuerCert, DateTime validDate, IList certPathCerts)
{
if (paramsPKIX.IsRevocationEnabled)
{
if (attrCert.GetExtensionValue(X509Extensions.NoRevAvail) == null)
{
CrlDistPoint crlDistPoint = null;
try
{
crlDistPoint = CrlDistPoint.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(attrCert, X509Extensions.CrlDistributionPoints));
}
catch (Exception cause)
{
throw new PkixCertPathValidatorException("CRL distribution point extension could not be read.", cause);
}
try
{
PkixCertPathValidatorUtilities.AddAdditionalStoresFromCrlDistributionPoint(crlDistPoint, paramsPKIX);
}
catch (Exception cause2)
{
throw new PkixCertPathValidatorException("No additional CRL locations could be decoded from CRL distribution point extension.", cause2);
}
CertStatus certStatus = new CertStatus();
ReasonsMask reasonsMask = new ReasonsMask();
Exception cause3 = null;
bool flag = false;
if (crlDistPoint != null)
{
DistributionPoint[] array = null;
try
{
array = crlDistPoint.GetDistributionPoints();
}
catch (Exception cause4)
{
throw new PkixCertPathValidatorException("Distribution points could not be read.", cause4);
}
try
{
int num = 0;
while (num < array.Length && certStatus.Status == 11 && !reasonsMask.IsAllReasons)
{
PkixParameters paramsPKIX2 = (PkixParameters)paramsPKIX.Clone();
Rfc3281CertPathUtilities.CheckCrl(array[num], attrCert, paramsPKIX2, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
flag = true;
num++;
}
}
catch (Exception innerException)
{
cause3 = new Exception("No valid CRL for distribution point found.", innerException);
}
}
if (certStatus.Status == 11 && !reasonsMask.IsAllReasons)
{
try
{
Asn1Object name = null;
try
{
name = new Asn1InputStream(attrCert.Issuer.GetPrincipals()[0].GetEncoded()).ReadObject();
}
catch (Exception innerException2)
{
throw new Exception("Issuer from certificate for CRL could not be reencoded.", innerException2);
}
DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(new GeneralName(4, name))), null, null);
PkixParameters paramsPKIX3 = (PkixParameters)paramsPKIX.Clone();
Rfc3281CertPathUtilities.CheckCrl(dp, attrCert, paramsPKIX3, validDate, issuerCert, certStatus, reasonsMask, certPathCerts);
flag = true;
}
catch (Exception innerException3)
{
cause3 = new Exception("No valid CRL for distribution point found.", innerException3);
}
}
if (!flag)
{
throw new PkixCertPathValidatorException("No valid CRL found.", cause3);
}
if (certStatus.Status != 11)
{
string str = certStatus.RevocationDate.Value.ToString("ddd MMM dd HH:mm:ss K yyyy");
string text = "Attribute certificate revocation after " + str;
text = text + ", reason: " + Rfc3280CertPathUtilities.CrlReasons[certStatus.Status];
throw new PkixCertPathValidatorException(text);
}
if (!reasonsMask.IsAllReasons && certStatus.Status == 11)
{
certStatus.Status = 12;
}
if (certStatus.Status == 12)
{
throw new PkixCertPathValidatorException("Attribute certificate status could not be determined.");
}
}
else if (attrCert.GetExtensionValue(X509Extensions.CrlDistributionPoints) != null || attrCert.GetExtensionValue(X509Extensions.AuthorityInfoAccess) != null)
{
throw new PkixCertPathValidatorException("No rev avail extension is set, but also an AC revocation pointer.");
}
}
}
