private bool ProcessCrlEntryExtensions(X509Crl.X509CrlEntry entry) { foreach (object obj in entry.Extensions) { X509Extension x509Extension = (X509Extension)obj; if (x509Extension.Critical) { string oid = x509Extension.Oid; if (oid != null) { if (X509Chain.< > f__switch$mapD == null) { X509Chain.< > f__switch$mapD = new Dictionary <string, int>(1) { { "2.5.29.21", 0 } }; } int num; if (X509Chain.< > f__switch$mapD.TryGetValue(oid, out num)) { if (num == 0) { continue; } } } return(false); } } return(true); }
private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online) { X509KeyUsageExtension x509KeyUsageExtension = (X509KeyUsageExtension)ca_cert.Extensions["2.5.29.15"]; if (x509KeyUsageExtension != null) { X509KeyUsageFlags x509KeyUsageFlags = X509KeyUsageFlags.CrlSign; if ((x509KeyUsageExtension.KeyUsages & x509KeyUsageFlags) != x509KeyUsageFlags) { return(X509ChainStatusFlags.RevocationStatusUnknown); } } X509Crl x509Crl = this.FindCrl(ca_cert); if (x509Crl != null || online) { } if (x509Crl == null) { return(X509ChainStatusFlags.RevocationStatusUnknown); } if (!x509Crl.VerifySignature(ca_cert.PublicKey.Key)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } X509Crl.X509CrlEntry crlEntry = x509Crl.GetCrlEntry(certificate.MonoCertificate); if (crlEntry != null) { if (!this.ProcessCrlEntryExtensions(crlEntry)) { return(X509ChainStatusFlags.Revoked); } if (crlEntry.RevocationDate <= this.ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.Revoked); } } if (x509Crl.NextUpdate < this.ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation); } if (!this.ProcessCrlExtensions(x509Crl)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } return(X509ChainStatusFlags.NoError); }
private bool ProcessCrlEntryExtensions(X509Crl.X509CrlEntry entry) { foreach (Mono.Security.X509.X509Extension extension in entry.Extensions) { if (extension.Critical) { switch (extension.Oid) { default: return(false); case "2.5.29.21": break; } } } return(true); }
private bool ProcessCrlEntryExtensions(X509Crl.X509CrlEntry entry) { foreach (X509Extension ext in entry.Extensions) { if (ext.Critical) { switch (ext.Oid) { case "2.5.29.21": // cRLReason // we processed/know about this extension break; default: return(false); } } } return(true); }
private X509ChainStatusFlags CheckRevocation(BCX509Certificate2 certificate, BCX509Certificate2 ca_cert, bool online) { // change this if/when we support OCSP KeyUsage kue = KeyUsage.GetInstance(ca_cert.CertificateStructure.TbsCertificate.Extensions.GetExtension(X509Extensions.KeyUsage)); if (kue != null) { // ... verify CrlSign is set //KeyUsage success = new KeyUsage(KeyUsage.CrlSign); if ((kue.IntValue & KeyUsage.CrlSign) != KeyUsage.CrlSign) { // FIXME - we should try to find an alternative CA that has the CrlSign bit return(X509ChainStatusFlags.RevocationStatusUnknown); } } X509Crl crl = FindCrl(ca_cert); if ((crl == null) && online) { // FIXME - download and install new CRL // then you get a second chance // crl = FindCrl (ca_cert, ref valid, ref out_of_date); // We need to get the subjectAltName and an URI from there (or use OCSP) // X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension); } #if !NETCF if (crl != null) { // validate the digital signature on the CRL using the CA public key // note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates // checks and we loose the "why" of the failure // note #2: we do this before other tests as an invalid signature could be a hacked CRL // (so anything within can't be trusted) if (!crl.VerifySignature(ca_cert.GetPublicKey())) { return(X509ChainStatusFlags.RevocationStatusUnknown); } X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate); if (entry != null) { // We have an entry for this CRL that includes an unknown CRITICAL extension // See [X.509 7.3] NOTE 4 if (!ProcessCrlEntryExtensions(entry)) { return(X509ChainStatusFlags.Revoked); } // FIXME - a little more is involved if (entry.RevocationDate <= ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.Revoked); } } // are we overdue for a CRL update ? if so we can't be sure of any certificate status if (crl.NextUpdate.Value < ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation); } // we have a CRL that includes an unknown CRITICAL extension // we put this check at the end so we do not "hide" any Revoked flags if (!ProcessCrlExtensions(crl)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } } else #endif return(X509ChainStatusFlags.RevocationStatusUnknown); #if !NETCF return(X509ChainStatusFlags.NoError); #endif }