ExtractValidityDateTime() static private method

static private ExtractValidityDateTime ( IntPtr validityDatePtr ) : System.DateTime
validityDatePtr System.IntPtr
return System.DateTime
Esempio n. 1
        // Tries to load the CRL cached on disk for the given certificate into the X509 store.
        //
        // Returns false when the cache file cannot be opened, cannot be read as a PEM CRL, or
        // carries a NextUpdate that is not strictly later than verificationTime. Returns true once
        // the CRL has been handed to the store, including when the store reports that the entry
        // was already present. Any other failure to add the CRL is thrown as the exception built
        // by Interop.Crypto.CreateOpenSslCryptographicException.
        //
        // NOTE(review): nothing in this method checks the CRL's signature or issuer; presumably
        // that is left to OpenSSL when the store is used for chain verification. Confirm, because
        // otherwise the integrity of the cached file rests on the cache directory's permissions.
        private static bool AddCachedCrl(X509Certificate2 cert, SafeX509StoreHandle store, DateTime verificationTime)
        {
            string cachedCrlPath = GetCachedCrlPath(cert);

            using (SafeBioHandle fileBio = Interop.Crypto.BioNewFile(cachedCrlPath, "rb"))
            {
                if (fileBio.IsInvalid)
                {
                    // The cache file could not be opened; discard the queued OpenSSL error and
                    // report "no usable cached CRL".
                    Interop.Crypto.ErrClearError();
                    return false;
                }

                // Adding the CRL to the store takes an extra reference on it (X509_STORE_add_crl),
                // so this handle is still ours to dispose.
                using (SafeX509CrlHandle cachedCrl = Interop.Crypto.PemReadBioX509Crl(fileBio))
                {
                    if (cachedCrl.IsInvalid)
                    {
                        // The file did not yield a CRL; clear the error queue and give up.
                        Interop.Crypto.ErrClearError();
                        return false;
                    }

                    // Only NextUpdate is examined: a CRL whose NextUpdate has passed is stale and
                    // the caller should try to obtain a newer one. LastUpdate is not read here.
                    IntPtr nextUpdatePtr = Interop.Crypto.GetX509CrlNextUpdate(cachedCrl);
                    DateTime crlNextUpdate = OpenSslX509CertificateReader.ExtractValidityDateTime(nextUpdatePtr);

                    // OpenSSL converts the supplied time to universal, so it must arrive here as
                    // Local or Unspecified (treated as local).
                    // NOTE(review): the comparison below ignores DateTime.Kind, so it is only
                    // correct if ExtractValidityDateTime returns local time - confirm.
                    Debug.Assert(
                        verificationTime.Kind != DateTimeKind.Utc,
                        "UTC verificationTime should have been normalized to Local");

                    // An exact to-the-second match counts as expired, matching how OpenSSL
                    // treats it.
                    bool stillCurrent = crlNextUpdate > verificationTime;

                    if (!stillCurrent)
                    {
                        return false;
                    }

                    bool added = Interop.Crypto.X509StoreAddCrl(store, cachedCrl);

                    if (!added)
                    {
                        // "Already in the store" is benign; every other error is fatal. Per the
                        // original author's note the error queue ends up cleared on both paths
                        // (presumably the exception factory drains it - confirm).
                        if (X509_R_CERT_ALREADY_IN_HASH_TABLE != Interop.Crypto.ErrPeekLastError())
                        {
                            throw Interop.Crypto.CreateOpenSslCryptographicException();
                        }

                        Interop.Crypto.ErrClearError();
                    }

                    return true;
                }
            }
        }
Esempio n. 2
        // Tries to load the CRL cached on disk for the given certificate into the X509 store.
        //
        // Returns false when the cache file cannot be opened, cannot be read as a PEM CRL, or
        // carries a NextUpdate that is not strictly later than verificationTime. Returns true in
        // every other case.
        //
        // NOTE(review): the result of X509_STORE_add_crl is discarded (TODO #3063), so true is
        // returned even if the CRL never made it into the store. A caller that reads true as
        // "a current CRL is loaded" may skip fetching a fresh one; what the later revocation
        // check then does is decided outside this method - confirm it does not treat a missing
        // CRL as "not revoked".
        //
        // NOTE(review): nothing here clears the OpenSSL error queue on the failure paths; verify
        // that the interop wrappers do not leave stale entries for a later caller to read.
        private static bool AddCachedCrl(X509Certificate2 cert, SafeX509StoreHandle store, DateTime verificationTime)
        {
            string cachedCrlPath = GetCachedCrlPath(cert);

            using (SafeBioHandle fileBio = Interop.libcrypto.BIO_new_file(cachedCrlPath, "rb"))
            {
                if (fileBio.IsInvalid)
                {
                    // The cache file could not be opened: no usable cached CRL.
                    return false;
                }

                // X509_STORE_add_crl takes an extra reference on the CRL, so this handle is
                // still ours to dispose.
                using (SafeX509CrlHandle cachedCrl = Interop.libcrypto.PEM_read_bio_X509_CRL(fileBio))
                {
                    if (cachedCrl.IsInvalid)
                    {
                        // The file did not yield a CRL.
                        return false;
                    }

                    // Only NextUpdate is examined: a CRL whose NextUpdate has passed is stale and
                    // the caller should try to obtain a newer one. LastUpdate is not read here.
                    IntPtr nextUpdatePtr = Interop.Crypto.GetX509CrlNextUpdate(cachedCrl);
                    DateTime crlNextUpdate = OpenSslX509CertificateReader.ExtractValidityDateTime(nextUpdatePtr);

                    // OpenSSL converts the supplied time to universal, so it must arrive here as
                    // Local or Unspecified (treated as local).
                    // NOTE(review): the comparison below ignores DateTime.Kind, so it is only
                    // correct if ExtractValidityDateTime returns local time - confirm.
                    Debug.Assert(
                        verificationTime.Kind != DateTimeKind.Utc,
                        "UTC verificationTime should have been normalized to Local");

                    // An exact to-the-second match counts as expired, matching how OpenSSL
                    // treats it.
                    bool stillCurrent = crlNextUpdate > verificationTime;

                    if (!stillCurrent)
                    {
                        return false;
                    }

                    // TODO (#3063): Check the return value of X509_STORE_add_crl, and throw on any
                    // error other than X509_R_CERT_ALREADY_IN_HASH_TABLE. Until then a failed add
                    // is indistinguishable from a successful one.
                    Interop.libcrypto.X509_STORE_add_crl(store, cachedCrl);

                    return true;
                }
            }
        }