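/// <summary>
/// Revoke a certificate.
/// </summary>
/// <param name="Certificate">Certificate to revoke.</param>
/// <param name="Reason">Revocation reason.</param>
/// <returns>
/// The literal status string "revoked". Failures are reported by exception, never through the
/// return value.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="Certificate"/> is null.</exception>
/// <exception cref="ApplicationException">Certificate not found.</exception>
/// <exception cref="ApplicationException">Duplicate serial number.</exception>
/// <exception cref="ApplicationException">Certificate is already revoked.</exception>
public string RevokeCertificate(X509Certificate Certificate, CRLReason Reason)
{
    // Reject a null certificate up front so the failure is an argument error rather than a
    // NullReferenceException raised from inside the database layer.
    if (Certificate == null)
    {
        throw new ArgumentNullException(nameof(Certificate));
    }

    // The database call persists (and re-signs) the change; the audit log entry is written only
    // after it has returned without throwing, so the log never claims a revocation that did not happen.
    Database.RevokeCertificate(Certificate, Reason, dbFileLocation, caCertificate, cspParam);
    logEvent(LogEvent.EventType.RevokeCert, "Certificate revoked: " + Certificate.SerialNumber.ToString());
    return "revoked";
}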
/// <summary>
/// Get the display string associated with a revocation reason code.
/// </summary>
/// <param name="ReasonCode">CRLReason enum value.</param>
/// <returns>
/// Human-readable name of the reason, or the empty string for any value outside the mapped set.
/// Unmapped codes are not treated as an error.
/// </returns>
public static string GetReason(CRLReason ReasonCode)
{
    string label = "";
    switch (ReasonCode)
    {
        case CRLReason.unused:
            label = "Unknown";
            break;
        case CRLReason.keyCompromise:
            label = "Key Compromise";
            break;
        case CRLReason.cACompromise:
            label = "CA Compromise";
            break;
        case CRLReason.affiliationChanged:
            label = "Affiliation Changed";
            break;
        case CRLReason.supersede:
            label = "Superseded";
            break;
        case CRLReason.cessationOfOperation:
            label = "Cessation of Operation";
            break;
        case CRLReason.certificateHold:
            label = "Certificate Hold";
            break;
    }
    return label;
}
/// <summary>
/// Create a RevokedInfo from an already-decoded revocation time and reason.
/// </summary>
/// <param name="revocationTime">Time at which the certificate was revoked.</param>
/// <param name="revocationReason">Reason for the revocation; stored as given, not validated here.</param>
public RevokedInfo(DERGeneralizedTime revocationTime, CRLReason revocationReason)
{
    // Plain field capture in either order; neither argument is checked for null.
    this.revocationReason = revocationReason;
    this.revocationTime = revocationTime;
}
/// <summary>
/// Construct a revoked certificate entry from a raw serial number and a CRL reason.
/// The chained constructor is expected to set the revocation time — confirm against it.
/// </summary>
/// <param name="serialNumber">The serial number.</param>
/// <param name="crlReason">
/// The reason for revocation. <see cref="CRLReason.Unspecified"/> attaches no reasonCode entry extension.
/// </param>
public RevokedCertificate(byte[] serialNumber, CRLReason crlReason) : this(serialNumber)
{
    // An unspecified reason is left implicit: the entry carries no reasonCode extension at all.
    if (crlReason == CRLReason.Unspecified)
    {
        return;
    }

    CrlEntryExtensions.Add(X509Extensions.BuildX509CRLReason(crlReason));
}
/// <summary>
/// Add a revoked certificate to the CRL under construction.
/// </summary>
/// <param name="certificate">The certificate to revoke.</param>
/// <param name="crlReason">The revocation reason; defaults to <see cref="CRLReason.Unspecified"/>.</param>
/// <returns>This builder, for call chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
public CrlBuilder AddRevokedCertificate(X509Certificate2 certificate, CRLReason crlReason = CRLReason.Unspecified)
{
    if (certificate == null)
    {
        throw new ArgumentNullException(nameof(certificate));
    }

    // Only the serial number is carried into the CRL entry; the certificate object itself is not retained.
    // No duplicate check happens here — presumably m_revokedCertificates is a plain list, so adding the
    // same serial twice yields two entries.
    var entry = new RevokedCertificate(certificate.SerialNumber, crlReason);
    m_revokedCertificates.Add(entry);
    return this;
}
/// <summary>
/// Add an array of serial numbers of revoked certificates.
/// </summary>
/// <param name="serialNumbers">The array of serial numbers to revoke.</param>
/// <param name="crlReason">The revocation reason applied to every entry; defaults to <see cref="CRLReason.Unspecified"/>.</param>
/// <returns>This builder, for call chaining.</returns>
/// <exception cref="ArgumentNullException"><paramref name="serialNumbers"/> is null.</exception>
public CrlBuilder AddRevokedSerialNumbers(string[] serialNumbers, CRLReason crlReason = CRLReason.Unspecified)
{
    if (serialNumbers == null)
    {
        throw new ArgumentNullException(nameof(serialNumbers));
    }

    // Materialize every entry before touching the builder's list: if the RevokedCertificate
    // constructor throws on one element, m_revokedCertificates is left unchanged rather than
    // partially extended. Individual null elements are not filtered here.
    var entries = serialNumbers.Select(s => new RevokedCertificate(s, crlReason)).ToList();
    m_revokedCertificates.AddRange(entries);
    return this;
}
/// <summary>
/// Build the CRL entry reasonCode extension as a DER-encoded ENUMERATED value.
/// </summary>
/// <param name="reason">The revocation reason to encode.</param>
/// <returns>
/// A non-critical <see cref="X509Extension"/> carrying the encoded reason under
/// <see cref="Oids.CrlReasonCode"/>.
/// </returns>
public static X509Extension BuildX509CRLReason(CRLReason reason)
{
    var writer = new AsnWriter(AsnEncodingRules.DER);
    writer.WriteEnumeratedValue(reason);
    byte[] encoded = writer.Encode();

    // reasonCode is defined as a non-critical CRL entry extension (RFC 5280 §5.3.1).
    return new X509Extension(Oids.CrlReasonCode, encoded, false);
}
/// <summary>
/// Decode a RevokedInfo from its ASN.1 SEQUENCE form: a revocationTime followed by an
/// optional tagged revocationReason.
/// </summary>
/// <param name="seq">
/// Sequence to decode. Element 0 must be a DERGeneralizedTime; element 1, when present, a
/// tagged object wrapping an ENUMERATED reason.
/// </param>
public RevokedInfo(ASN1Sequence seq)
{
    // Malformed input is not rejected explicitly: a wrong element type surfaces as a cast
    // failure, and an empty sequence presumably as an error from getObjectAt. Either way the
    // constructor raises rather than producing a partially-initialized object.
    this.revocationTime = (DERGeneralizedTime)seq.getObjectAt(0);

    bool hasReason = seq.size() > 1;
    if (!hasReason)
    {
        return;
    }

    // The reason is explicitly tagged, hence the 'true' passed to getInstance.
    ASN1TaggedObject taggedReason = (ASN1TaggedObject)seq.getObjectAt(1);
    this.revocationReason = new CRLReason(DEREnumerated.getInstance(taggedReason, true));
}
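/// <summary>
/// Constructs a CertificateRevokedException with the specified revocation date, reason code,
/// authority name, and map of extensions.
/// </summary>
/// <param name="revocationDate">
/// The date on which the certificate was revoked. <see cref="DateTime"/> is a value type, so
/// the stored value is already an independent copy.
/// </param>
/// <param name="reason">The revocation reason.</param>
/// <param name="authority">
/// The X500Principal that represents the name of the authority that signed the certificate's
/// revocation status information.
/// </param>
/// <param name="extensions">
/// A map of X.509 Extensions. Each key is an OID string that maps to the corresponding
/// Extension. The map is copied to prevent subsequent modification.
/// </param>
/// <exception cref="NullPointerException">
/// If <paramref name="reason"/>, <paramref name="authority"/>, or <paramref name="extensions"/> is null.
/// </exception>
public CertificateRevokedException(DateTime revocationDate, CRLReason reason, X500Principal authority, IDictionary<String, Extension> extensions)
{
    // revocationDate is a non-nullable struct and needs no null check (the Java original had one).
    // NOTE(review): if CRLReason is an enum in this port, 'reason == null' is always false and can be dropped — confirm.
    if (reason == null || authority == null || extensions == null)
    {
        throw new NullPointerException();
    }

    // Assign the struct directly: this preserves DateTimeKind, which new DateTime(Ticks) would silently drop.
    this.RevocationDate_Renamed = revocationDate;
    this.Reason = reason;
    this.Authority = authority;

    // Defensive copy of the caller's map. Static generic typing already guarantees the key/value
    // types that the Java checkedMap enforced at runtime, so no runtime type check is needed.
    this.Extensions_Renamed = new Dictionary<String, Extension>(extensions);
}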
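/// <summary>
/// Mark a certificate as revoked in the signed XML CA database.
/// </summary>
/// <param name="cert">Certificate to revoke.</param>
/// <param name="reason">Revocation reason; stored as its integer code.</param>
/// <param name="dbFileLocation">Location of CA DB file.</param>
/// <param name="caCert">The CA certificate used to re-sign the database.</param>
/// <param name="cspParam">The CSP parameter for the signing key.</param>
/// <exception cref="ArgumentNullException"><paramref name="cert"/> or <paramref name="dbFileLocation"/> is null.</exception>
/// <exception cref="GeneralSecurityException">The database file's signature does not verify.</exception>
/// <exception cref="ApplicationException">Certificate not found, record malformed, or certificate already revoked or expired.</exception>
internal static void RevokeCertificate(X509Certificate cert, CRLReason reason, string dbFileLocation, X509Certificate caCert, CspParameters cspParam)
{
    if (cert == null)
    {
        throw new ArgumentNullException(nameof(cert));
    }
    if (dbFileLocation == null)
    {
        throw new ArgumentNullException(nameof(dbFileLocation));
    }

    // Refuse to operate on a database whose signature does not verify: an unsigned or tampered
    // file must never be modified and re-signed with the CA key.
    // NOTE(review): the file is verified and then re-read by Load, so a write between the two
    // calls would go unnoticed; verifying the loaded document instead would close that gap
    // (depends on what XmlSigning offers).
    if (!XmlSigning.VerifyXmlFile(dbFileLocation))
    {
        throw new GeneralSecurityException("Signature failure on database file");
    }
    XDocument db = XDocument.Load(dbFileLocation);

    // Find the cert
    string serialNumber = cert.SerialNumber.ToString();
    XElement record = findCertBySerialNumber(serialNumber, db);
    if (record == null)
    {
        throw new ApplicationException("Certificate not found: " + serialNumber);
    }

    // A record without a revocation element is malformed; report it instead of dereferencing null.
    XElement current = record.Element("revocation");
    if (current == null)
    {
        throw new ApplicationException("Certificate record has no revocation element: " + serialNumber);
    }

    // Check that certificate is current. The explicit XAttribute-to-string conversion yields null
    // for a missing attribute, which then fails the comparison like any other non-current status.
    string status = (string)current.Attribute("status");
    if (status != "current")
    {
        throw new ApplicationException("Certificate already revoked or expired: " + serialNumber);
    }

    // Create new revocation element. DateTime.Now should serialize in the XML round-trip format,
    // carrying its UTC offset, so the recorded instant stays unambiguous; readers of "date" may
    // rely on that format, which is why it is kept rather than switched to UtcNow here.
    XElement revoked = new XElement("revocation",
        new XAttribute("status", "revoked"),
        new XElement("date", DateTime.Now),
        new XElement("reason", (int)reason));

    // Replace the revocation record in the database
    current.ReplaceWith(revoked);

    // Sign and save the database
    XmlSigning.SignXml(db, dbFileLocation, caCert, cspParam);
}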
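/// <summary>
/// Construct a revoked certificate entry from a serial number string and a CRL reason.
/// The chained constructor is expected to set the revocation time — confirm against it.
/// </summary>
/// <param name="serialNumber">The serial number.</param>
/// <param name="crlReason">
/// The reason for revocation. <see cref="CRLReason.Unspecified"/> attaches no reasonCode entry extension.
/// </param>
public RevokedCertificate(string serialNumber, CRLReason crlReason) : this(serialNumber)
{
    // Mirror the byte[] overload: RFC 5280 §5.3.1 says the reasonCode entry extension SHOULD be
    // absent rather than carry unspecified(0), so an unspecified reason adds no extension.
    if (crlReason != CRLReason.Unspecified)
    {
        CrlEntryExtensions.Add(X509Extensions.BuildX509CRLReason(crlReason));
    }
}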