private bool ProcessCrlExtensions(MX.X509Crl crl)
{
foreach (MX.X509Extension ext in crl.Extensions)
{
if (ext.Critical)
{
switch (ext.Oid)
{
case "2.5.29.20": // cRLNumber
case "2.5.29.35": // authorityKeyIdentifier
// we processed/know about this extension
break;
default:
return(false);
}
}
}
return(true);
}
private MX.X509Crl FindCrl(X509Certificate2 caCertificate)
{
string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None);
string ski = GetSubjectKeyIdentifier(caCertificate);
// consider that the LocalMachine directories could not exists... and cannot be created by the user
MX.X509Crl result = CheckCrls(subject, ski, LMCAStore.Store);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserCAStore.Store);
if (result != null)
{
return(result);
}
}
// consider that the LocalMachine directories could not exists... and cannot be created by the user
result = CheckCrls(subject, ski, LMRootStore.Store);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserRootStore.Store);
if (result != null)
{
return(result);
}
}
return(null);
}
private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online)
{
// change this if/when we support OCSP
X509KeyUsageExtension kue = (ca_cert.Extensions["2.5.29.15"] as X509KeyUsageExtension);
if (kue != null)
{
// ... verify CrlSign is set
X509KeyUsageFlags success = X509KeyUsageFlags.CrlSign;
if ((kue.KeyUsages & success) != success)
{
// FIXME - we should try to find an alternative CA that has the CrlSign bit
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
}
MX.X509Crl crl = FindCrl(ca_cert);
if ((crl == null) && online)
{
// FIXME - download and install new CRL
// then you get a second chance
// crl = FindCrl (ca_cert, ref valid, ref out_of_date);
// We need to get the subjectAltName and an URI from there (or use OCSP)
// X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension);
}
if (crl != null)
{
// validate the digital signature on the CRL using the CA public key
// note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates
// checks and we loose the "why" of the failure
// note #2: we do this before other tests as an invalid signature could be a hacked CRL
// (so anything within can't be trusted)
if (!crl.VerifySignature(ca_cert.PublicKey.Key))
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
MX.X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate.MonoCertificate);
if (entry != null)
{
// We have an entry for this CRL that includes an unknown CRITICAL extension
// See [X.509 7.3] NOTE 4
if (!ProcessCrlEntryExtensions(entry))
{
return(X509ChainStatusFlags.Revoked);
}
// FIXME - a little more is involved
if (entry.RevocationDate <= ChainPolicy.VerificationTime)
{
return(X509ChainStatusFlags.Revoked);
}
}
// are we overdue for a CRL update ? if so we can't be sure of any certificate status
if (crl.NextUpdate < ChainPolicy.VerificationTime)
{
return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation);
}
// we have a CRL that includes an unknown CRITICAL extension
// we put this check at the end so we do not "hide" any Revoked flags
if (!ProcessCrlExtensions(crl))
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
}
else
{
return(X509ChainStatusFlags.RevocationStatusUnknown);
}
return(X509ChainStatusFlags.NoError);
}
// but anyway System.dll v2 doesn't expose CRL in any way so...
static string GetAuthorityKeyIdentifier(MX.X509Crl crl)
{
return(GetAuthorityKeyIdentifier(crl.Extensions ["2.5.29.35"]));
}