|
public GetRevokedCertificate ( |
||
| serialNumber | ||
| return | ||
/// <summary>
/// Validates the cert with the provided crl responses.
/// </summary>
/// <param name="certificate">The cert to validate</param>
/// <param name="issuer">The issuer of the cert to validate</param>
/// <param name="validationTime">The time on which the cert was needed to validated</param>
/// <param name="certLists">The list of crls to use</param>
/// <returns>The crl response that was used, <c>null</c> if none used</returns>
/// <exception cref="RevocationException{T}">When the certificate was revoked on the provided time</exception>
/// <exception cref="RevocationUnknownException">When the certificate (or the crl) can't be validated</exception>
public static BCAX.CertificateList Verify(this X509Certificate2 certificate, X509Certificate2 issuer, DateTime validationTime, IList <BCAX.CertificateList> certLists)
{
DateTime minTime = validationTime - ClockSkewness;
DateTime maxTime = validationTime + ClockSkewness;
BCX.X509Certificate certificateBC = DotNetUtilities.FromX509Certificate(certificate);
BCX.X509Certificate issuerBC = DotNetUtilities.FromX509Certificate(issuer);
ValueWithRef <BCX.X509Crl, BCAX.CertificateList> crlWithOrg = certLists
.Select((c) => new ValueWithRef <BCX.X509Crl, BCAX.CertificateList>(new BCX.X509Crl(c), c)) //convert, keep orginal
.Where((c) => c.Value.IssuerDN.Equals(certificateBC.IssuerDN))
.Where((c) => c.Value.ThisUpdate >= minTime || (c.Value.NextUpdate != null && c.Value.NextUpdate.Value >= minTime))
.OrderByDescending((c) => c.Value.ThisUpdate)
.FirstOrDefault();
if (crlWithOrg == null)
{
return(null);
}
BCX.X509Crl crl = crlWithOrg.Value;
BCAX.CertificateList certList = crlWithOrg.Reference;
//check the signature (no need the check the issuer here)
try
{
crl.Verify(issuerBC.GetPublicKey());
}
catch (Exception e)
{
throw new RevocationUnknownException("The CRL has an invalid signature", e);
}
//check the signer (only the part relevant for CRL)
if (!issuerBC.GetKeyUsage()[6])
{
throw new RevocationUnknownException("The CRL was signed with a certificate that isn't allowed to sign CRLs");
}
//check if the certificate is revoked
BCX.X509CrlEntry crlEntry = crl.GetRevokedCertificate(certificateBC.SerialNumber);
if (crlEntry != null)
{
trace.TraceEvent(TraceEventType.Verbose, 0, "CRL indicates that {0} is revoked on {1}", certificate.Subject, crlEntry.RevocationDate);
if (maxTime >= crlEntry.RevocationDate)
{
throw new RevocationException <BCAX.CertificateList>(certList, "The certificate was revoked on " + crlEntry.RevocationDate.ToString("o"));
}
}
return(certList);
}
internal static void GetCertStatus(
DateTime validDate,
X509Crl crl,
Object cert,
CertStatus certStatus)
{
X509Crl bcCRL = null;
try
{
bcCRL = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Sequence.FromByteArray(crl.GetEncoded())));
}
catch (Exception exception)
{
throw new Exception("Bouncy Castle X509Crl could not be created.", exception);
}
X509CrlEntry crl_entry = (X509CrlEntry)bcCRL.GetRevokedCertificate(GetSerialNumber(cert));
if (crl_entry == null)
return;
X509Name issuer = GetIssuerPrincipal(cert);
if (issuer.Equivalent(crl_entry.GetCertificateIssuer(), true)
|| issuer.Equivalent(crl.IssuerDN, true))
{
DerEnumerated reasonCode = null;
if (crl_entry.HasExtensions)
{
try
{
reasonCode = DerEnumerated.GetInstance(
GetExtensionValue(crl_entry, X509Extensions.ReasonCode));
}
catch (Exception e)
{
throw new Exception(
"Reason code CRL entry extension could not be decoded.",
e);
}
}
// for reason keyCompromise, caCompromise, aACompromise or
// unspecified
if (!(validDate.Ticks < crl_entry.RevocationDate.Ticks)
|| reasonCode == null
|| reasonCode.Value.TestBit(0)
|| reasonCode.Value.TestBit(1)
|| reasonCode.Value.TestBit(2)
|| reasonCode.Value.TestBit(8))
{
if (reasonCode != null) // (i) or (j) (1)
{
certStatus.Status = reasonCode.Value.SignValue;
}
else // (i) or (j) (2)
{
certStatus.Status = CrlReason.Unspecified;
}
certStatus.RevocationDate = new DateTimeObject(crl_entry.RevocationDate);
}
}
}