Esempio n. 1
0
        private bool ProcessCrlEntryExtensions(MX.X509Crl.X509CrlEntry entry)
        {
            foreach (MX.X509Extension ext in entry.Extensions)
            {
                if (ext.Critical)
                {
                    switch (ext.Oid)
                    {
                    case "2.5.29.21":                     // cRLReason
                        // we processed/know about this extension
                        break;

                    default:
                        return(false);
                    }
                }
            }
            return(true);
        }
Esempio n. 2
0
        private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online)
        {
            // change this if/when we support OCSP
            X509KeyUsageExtension kue = (ca_cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);

            if (kue != null)
            {
                // ... verify CrlSign is set
                X509KeyUsageFlags success = X509KeyUsageFlags.CrlSign;
                if ((kue.KeyUsages & success) != success)
                {
                    // FIXME - we should try to find an alternative CA that has the CrlSign bit
                    return(X509ChainStatusFlags.RevocationStatusUnknown);
                }
            }

            MX.X509Crl crl = FindCrl(ca_cert);

            if ((crl == null) && online)
            {
                // FIXME - download and install new CRL
                // then you get a second chance
                // crl = FindCrl (ca_cert, ref valid, ref out_of_date);

                // We need to get the subjectAltName and an URI from there (or use OCSP)
                // X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension);
            }

            if (crl != null)
            {
                // validate the digital signature on the CRL using the CA public key
                // note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates
                // checks and we loose the "why" of the failure
                // note #2: we do this before other tests as an invalid signature could be a hacked CRL
                // (so anything within can't be trusted)
                if (!crl.VerifySignature(ca_cert.PublicKey.Key))
                {
                    return(X509ChainStatusFlags.RevocationStatusUnknown);
                }

                MX.X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate.MonoCertificate);
                if (entry != null)
                {
                    // We have an entry for this CRL that includes an unknown CRITICAL extension
                    // See [X.509 7.3] NOTE 4
                    if (!ProcessCrlEntryExtensions(entry))
                    {
                        return(X509ChainStatusFlags.Revoked);
                    }

                    // FIXME - a little more is involved
                    if (entry.RevocationDate <= ChainPolicy.VerificationTime)
                    {
                        return(X509ChainStatusFlags.Revoked);
                    }
                }

                // are we overdue for a CRL update ? if so we can't be sure of any certificate status
                if (crl.NextUpdate < ChainPolicy.VerificationTime)
                {
                    return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation);
                }

                // we have a CRL that includes an unknown CRITICAL extension
                // we put this check at the end so we do not "hide" any Revoked flags
                if (!ProcessCrlExtensions(crl))
                {
                    return(X509ChainStatusFlags.RevocationStatusUnknown);
                }
            }
            else
            {
                return(X509ChainStatusFlags.RevocationStatusUnknown);
            }

            return(X509ChainStatusFlags.NoError);
        }