private MX.X509Crl FindCrl(X509Certificate2 caCertificate)
{
string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None);
string ski = GetSubjectKeyIdentifier(caCertificate);
MX.X509Crl result = CheckCrls(subject, ski, LMCAStore.Store.Crls);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserCAStore.Store.Crls);
if (result != null)
{
return(result);
}
}
result = CheckCrls(subject, ski, LMRootStore.Store.Crls);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserRootStore.Store.Crls);
if (result != null)
{
return(result);
}
}
return(null);
}
public void EmptyCrlWithExtensions ()
{
// bug #75406
// http://bugzilla.ximian.com/show_bug.cgi?id=75406
X509Crl crl = new X509Crl (emptyCrl);
Assert.AreEqual (0, crl.Entries.Count, "Entries.Count");
Assert.AreEqual (3, crl.Extensions.Count, "Extensions.Count");
}
public void EmptyCrl ()
{
// bug #78901
// http://bugzilla.ximian.com/show_bug.cgi?id=78901
X509Crl crl = new X509Crl (bug78901);
Assert.AreEqual (0, crl.Entries.Count, "Entries.Count");
Assert.AreEqual (0, crl.Extensions.Count, "Extensions.Count");
}
static X509Certificate FindCrlIssuer (X509Crl crl)
{
string name = crl.IssuerName;
byte [] aki = GetAuthorityKeyIdentifier (crl.Extensions ["2.5.29.35"]);
X509Certificate cert = FindCrlIssuer (name, aki, X509StoreManager.IntermediateCACertificates);
if (cert != null)
return cert;
return FindCrlIssuer (name, aki, X509StoreManager.TrustedRootCertificates);
}
static bool VerifyCrl (X509Crl crl)
{
X509Certificate issuer = FindCrlIssuer (crl);
if (issuer == null)
return false;
if (!crl.VerifySignature (issuer))
return false;
chain.Reset ();
return chain.Build (issuer);
}
public void basicConstraintsCriticalcAFalseCACRL ()
{
X509Crl crl = new X509Crl (basicConstraintsCriticalcAFalseCACRL_crl);
Assert.AreEqual (0, crl.Entries.Count, "Entries.Count");
Assert.AreEqual (2, crl.Extensions.Count, "Extensions.Count");
Assert.IsTrue (crl.IsCurrent, "IsCurrent"); // true till 2011
Assert.AreEqual ("C=US, O=Test Certificates, CN=basicConstraints Critical cA False CA", crl.IssuerName, "IssuerName");
Assert.AreEqual (634388218400000000, crl.NextUpdate.ToUniversalTime ().Ticks, "NextUpdate");
Assert.AreEqual ("32-BC-12-1F-84-D0-B6-3E-72-A0-FB-D9-75-99-CA-E5-2A-05-09-E6-C8-27-74-47-1C-DC-0C-D4-9F-BC-9F-B2-62-25-B4-6D-5B-E5-0B-E8-2A-8E-07-EB-3E-6B-C5-1E-9A-D2-14-FD-89-5B-C3-10-BF-19-77-67-0A-33-45-1B-BC-6C-ED-AF-84-30-59-FB-7C-71-95-63-60-31-9B-9B-0A-EA-77-F1-70-F1-B9-2E-D1-A9-04-42-66-94-B9-54-48-DB-44-56-56-1A-57-5A-01-0E-7C-4D-D7-C0-1F-5C-6F-13-F5-A3-57-88-6A-9A-71-CD-D5-AE-C3-00-B1-28", BitConverter.ToString (crl.Signature), "Signature");
Assert.AreEqual ("1.2.840.113549.1.1.5", crl.SignatureAlgorithm, "SignatureAlgorithm");
Assert.AreEqual (631232890400000000, crl.ThisUpdate.ToUniversalTime ().Ticks, "ThisUpdate");
Assert.AreEqual (2, crl.Version, "Version");
X509Certificate cert = new X509Certificate (basicConstraintsCriticalcAFalseCACert_crt);
// certificate has CA set to false
Assert.IsFalse (crl.VerifySignature (cert), "VerifySignature(cert)");
Assert.IsTrue (crl.VerifySignature (cert.RSA), "VerifySignature(RSA)");
}
public void Import(X509Crl crl)
{
CheckStore(_storePath, true);
if (_newFormat)
{
throw new NotSupportedException();
}
string filename = Path.Combine(_storePath, GetUniqueName(crl));
if (!File.Exists(filename))
{
using (FileStream fs = File.Create(filename)) {
byte[] data = crl.RawData;
fs.Write(data, 0, data.Length);
}
ClearCrls(); // We have modified the store on disk. So forget the old state.
}
}
private bool ProcessCrlExtensions(MX.X509Crl crl)
{
foreach (MX.X509Extension ext in crl.Extensions)
{
if (ext.Critical)
{
switch (ext.Oid)
{
case "2.5.29.20": // cRLNumber
case "2.5.29.35": // authorityKeyIdentifier
// we processed/know about this extension
break;
default:
return(false);
}
}
}
return(true);
}
static void Download (string url, X509Store store)
{
if (verbose)
Console.WriteLine ("Downloading: {0}", url);
WebClient wc = new WebClient ();
string error = "download";
try {
byte [] data = wc.DownloadData (url);
error = "decode";
X509Crl crl = new X509Crl (data);
error = "import";
store.Import (crl);
}
catch (Exception e) {
Console.WriteLine ("ERROR: could not {0}: {1}", error, url);
if (verbose) {
Console.WriteLine (e);
Console.WriteLine ();
}
}
}
private MX.X509Crl FindCrl(X509Certificate2 caCertificate)
{
string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None);
string ski = GetSubjectKeyIdentifier(caCertificate);
// consider that the LocalMachine directories could not exists... and cannot be created by the user
MX.X509Crl result = (LMCAStore.Store == null) ? null : CheckCrls(subject, ski, LMCAStore.Store.Crls);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserCAStore.Store.Crls);
if (result != null)
{
return(result);
}
}
// consider that the LocalMachine directories could not exists... and cannot be created by the user
result = (LMRootStore.Store == null) ? null : CheckCrls(subject, ski, LMRootStore.Store.Crls);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserRootStore.Store.Crls);
if (result != null)
{
return(result);
}
}
return(null);
}
private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online)
{
// change this if/when we support OCSP
X509KeyUsageExtension kue = (ca_cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);
if (kue != null)
{
// ... verify CrlSign is set
X509KeyUsageFlags success = X509KeyUsageFlags.CrlSign;
if ((kue.KeyUsages & success) != success)
{
// FIXME - we should try to find an alternative CA that has the CrlSign bit
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
}
MX.X509Crl crl = FindCrl(ca_cert);
if ((crl == null) && online)
{
// FIXME - download and install new CRL
// then you get a second chance
// crl = FindCrl (ca_cert, ref valid, ref out_of_date);
// We need to get the subjectAltName and an URI from there (or use OCSP)
// X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension);
}
if (crl != null)
{
// validate the digital signature on the CRL using the CA public key
// note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates
// checks and we loose the "why" of the failure
// note #2: we do this before other tests as an invalid signature could be a hacked CRL
// (so anything within can't be trusted)
if (!crl.VerifySignature(ca_cert.PublicKey.Key))
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
MX.X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate.MonoCertificate);
if (entry != null)
{
// We have an entry for this CRL that includes an unknown CRITICAL extension
// See [X.509 7.3] NOTE 4
if (!ProcessCrlEntryExtensions(entry))
{
return(X509ChainStatusFlags.Revoked);
}
// FIXME - a little more is involved
if (entry.RevocationDate <= ChainPolicy.VerificationTime)
{
return(X509ChainStatusFlags.Revoked);
}
}
// are we overdue for a CRL update ? if so we can't be sure of any certificate status
if (crl.NextUpdate < ChainPolicy.VerificationTime)
{
return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation);
}
// we have a CRL that includes an unknown CRITICAL extension
// we put this check at the end so we do not "hide" any Revoked flags
if (!ProcessCrlExtensions(crl))
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
}
else
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
return(X509ChainStatusFlags.NoError);
}
// but anyway System.dll v2 doesn't expose CRL in any way so...
static string GetAuthorityKeyIdentifier(MX.X509Crl crl)
{
return(GetAuthorityKeyIdentifier(crl.Extensions ["2.5.29.35"]));
}
private X509Crl LoadCrl (string filename)
{
byte[] data = Load (filename);
X509Crl crl = new X509Crl (data);
return crl;
}
private string GetUniqueName (X509Crl crl)
{
string method;
byte[] name = GetUniqueName (crl.Extensions);
if (name == null) {
method = "tbp"; // thumbprint
name = crl.Hash;
} else {
method = "ski";
}
return GetUniqueName (method, name, ".crl");
}
public void Remove (X509Crl crl)
{
string filename = Path.Combine (_storePath, GetUniqueName (crl));
if (File.Exists (filename)) {
File.Delete (filename);
ClearCrls (); // We have modified the store on disk. So forget the old state.
}
}
public void Import (X509Crl crl)
{
CheckStore (_storePath, true);
string filename = Path.Combine (_storePath, GetUniqueName (crl));
if (!File.Exists (filename)) {
using (FileStream fs = File.Create (filename)) {
byte[] data = crl.RawData;
fs.Write (data, 0, data.Length);
}
ClearCrls (); // We have modified the store on disk. So forget the old state.
}
}
static void Download (string url, X509Store store)
{
if (verbose)
Console.WriteLine ("Downloading: {0}", url);
WebClient wc = new WebClient ();
string error = "download";
try {
byte [] data = wc.DownloadData (url);
error = "decode";
X509Crl crl = new X509Crl (data);
error = "import";
// warn if CRL is not current - but still allow it to be imported
if (!crl.IsCurrent && verbose)
Console.WriteLine ("WARNING: CRL is not current: {0}", url);
// only import the CRL if its signature is valid and coming from a trusted root
if (VerifyCrl (crl))
store.Import (crl);
else
Console.WriteLine ("ERROR: could not validate CRL: {0}", url);
}
catch (Exception e) {
Console.WriteLine ("ERROR: could not {0}: {1}", error, url);
if (verbose) {
Console.WriteLine (e);
Console.WriteLine ();
}
}
}
public void Remove(X509Crl crl)
{
throw new NotImplementedException("Mono.Security.X509.X509Store.Remove(X509Crl)");
}
static void DisplayCrl (X509Crl crl, bool machine, bool verbose)
{
Console.WriteLine ("X.509 v{0} CRL", crl.Version);
Console.WriteLine (" Issuer Name: {0}", crl.IssuerName);
Console.WriteLine (" This Update: {0}", crl.ThisUpdate);
Console.WriteLine (" Next Update: {0} {1}", crl.NextUpdate, crl.IsCurrent ? String.Empty : "update overdue!");
Console.WriteLine (" Unique Hash: {0}", CryptoConvert.ToHex (crl.Hash));
if (verbose) {
Console.WriteLine (" Signature Algorithm: {0}", crl.SignatureAlgorithm);
Console.WriteLine (" Signature: {0}", CryptoConvert.ToHex (crl.Signature));
int n = 0;
foreach (X509Crl.X509CrlEntry entry in crl.Entries) {
Console.WriteLine (" #{0}: Serial: {1} revoked on {2}",
++n, CryptoConvert.ToHex (entry.SerialNumber), entry.RevocationDate);
}
}
}
public void Remove (X509Crl crl)
{
if (_newFormat)
throw new NotSupportedException ();
string filename = Path.Combine (_storePath, GetUniqueName (crl));
if (File.Exists (filename)) {
File.Delete (filename);
ClearCrls (); // We have modified the store on disk. So forget the old state.
}
}
static ArrayList LoadCRLs (string filename)
{
X509Crl crl = null;
ArrayList list = new ArrayList ();
switch (Path.GetExtension (filename).ToUpper ()) {
case ".P7B":
case ".SPC":
SoftwarePublisherCertificate spc = SoftwarePublisherCertificate.CreateFromFile (filename);
list.AddRange (spc.Crls);
spc = null;
break;
case ".CRL":
using (FileStream fs = File.OpenRead (filename)) {
byte[] data = new byte [fs.Length];
fs.Read (data, 0, data.Length);
crl = new X509Crl (data);
}
list.Add (crl);
break;
default:
Console.WriteLine ("Unknown file extension: {0}",
Path.GetExtension (filename));
break;
}
return list;
}
public void Remove (X509Crl crl)
{
string filename = Path.Combine (_storePath, GetUniqueName (crl));
if (File.Exists (filename)) {
File.Delete (filename);
}
}
public void Import (X509Crl crl)
{
CheckStore (_storePath, true);
string filename = Path.Combine (_storePath, GetUniqueName (crl));
if (!File.Exists (filename)) {
using (FileStream fs = File.Create (filename)) {
byte[] data = crl.RawData;
fs.Write (data, 0, data.Length);
}
}
}
