/// <summary>Verifies a certificate against a single CRL.</summary>
/// <param name="crl">the Certificate Revocation List</param>
/// <param name="signCert">a certificate that needs to be verified</param>
/// <param name="issuerCert">its issuer</param>
/// <param name="signDate">the sign date</param>
/// <returns>true if the verification succeeded</returns>
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
public virtual bool Verify(X509Crl crl, X509Certificate signCert, X509Certificate issuerCert, DateTime signDate
)
{
if (crl == null || signDate == SignUtils.UNDEFINED_TIMESTAMP_DATE)
{
return(false);
}
// We only check CRLs valid on the signing date for which the issuer matches
if (crl.IssuerDN.Equals(signCert.IssuerDN) && signDate.After(crl.ThisUpdate) && signDate.Before(crl.NextUpdate
))
{
// the signing certificate may not be revoked
if (IsSignatureValid(crl, issuerCert) && crl.IsRevoked(signCert))
{
throw new VerificationException(signCert, "The certificate has been revoked.");
}
return(true);
}
return(false);
}
/// <summary>
/// Create a reference to a X509Crl
/// </summary>
private static CrlValidatedID MakeCrlValidatedID(X509Crl crl)
{
OtherHash hash = new OtherHash(DigestUtilities.CalculateDigest(X509ObjectIdentifiers.IdSha1, crl.GetEncoded()));
BigInteger crlnumber;
CrlIdentifier crlid;
DerObjectIdentifier crlExt = new DerObjectIdentifier("2.5.29.20");
if (crl.GetExtensionValue(crlExt) != null)
{
crlnumber = new DerInteger(crl.GetExtensionValue(crlExt).GetDerEncoded()).PositiveValue;
crlid = new CrlIdentifier(crl.IssuerDN, crl.ThisUpdate, crlnumber);
}
else
{
crlid = new CrlIdentifier(crl.IssuerDN, crl.ThisUpdate);
}
CrlValidatedID crlvid = new CrlValidatedID(hash, crlid);
return(crlvid);
}
private bool ProcessCrlExtensions(X509Crl crl)
{
foreach (X509Extension ext in crl.Extensions)
{
if (ext.Critical)
{
switch (ext.Oid)
{
case "2.5.29.20": // cRLNumber
case "2.5.29.35": // authorityKeyIdentifier
// we processed/know about this extension
break;
default:
return(false);
}
}
}
return(true);
}
public void basicConstraintsCriticalcAFalseCACRL()
{
X509Crl crl = new X509Crl(basicConstraintsCriticalcAFalseCACRL_crl);
Assert.AreEqual(0, crl.Entries.Count, "Entries.Count");
Assert.AreEqual(2, crl.Extensions.Count, "Extensions.Count");
Assert.IsTrue(crl.IsCurrent, "IsCurrent"); // true till 2011
Assert.AreEqual("C=US, O=Test Certificates, CN=basicConstraints Critical cA False CA", crl.IssuerName, "IssuerName");
Assert.AreEqual(634388218400000000, crl.NextUpdate.ToUniversalTime().Ticks, "NextUpdate");
Assert.AreEqual("32-BC-12-1F-84-D0-B6-3E-72-A0-FB-D9-75-99-CA-E5-2A-05-09-E6-C8-27-74-47-1C-DC-0C-D4-9F-BC-9F-B2-62-25-B4-6D-5B-E5-0B-E8-2A-8E-07-EB-3E-6B-C5-1E-9A-D2-14-FD-89-5B-C3-10-BF-19-77-67-0A-33-45-1B-BC-6C-ED-AF-84-30-59-FB-7C-71-95-63-60-31-9B-9B-0A-EA-77-F1-70-F1-B9-2E-D1-A9-04-42-66-94-B9-54-48-DB-44-56-56-1A-57-5A-01-0E-7C-4D-D7-C0-1F-5C-6F-13-F5-A3-57-88-6A-9A-71-CD-D5-AE-C3-00-B1-28", BitConverter.ToString(crl.Signature), "Signature");
Assert.AreEqual("1.2.840.113549.1.1.5", crl.SignatureAlgorithm, "SignatureAlgorithm");
Assert.AreEqual(631232890400000000, crl.ThisUpdate.ToUniversalTime().Ticks, "ThisUpdate");
Assert.AreEqual(2, crl.Version, "Version");
X509Certificate cert = new X509Certificate(basicConstraintsCriticalcAFalseCACert_crt);
// certificate has CA set to false
Assert.IsFalse(crl.VerifySignature(cert), "VerifySignature(cert)");
Assert.IsTrue(crl.VerifySignature(cert.RSA), "VerifySignature(RSA)");
}
/// <summary>
/// Imports a certificate revocation list.
/// </summary>
/// <remarks>
/// Imports the specified certificate revocation list.
/// </remarks>
/// <param name="crl">The certificate revocation list.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="crl"/> is <c>null</c>.
/// </exception>
public override void Import(X509Crl crl)
{
if (crl == null)
{
throw new ArgumentNullException(nameof(crl));
}
// check for an exact match...
if (dbase.Find(crl, X509CrlRecordFields.Id) != null)
{
return;
}
const X509CrlRecordFields fields = ~X509CrlRecordFields.Crl;
var obsolete = new List <X509CrlRecord> ();
var delta = crl.IsDelta();
// scan over our list of CRLs by the same issuer to check if this CRL obsoletes any
// older CRLs or if there are any newer CRLs that obsolete that obsolete this one.
foreach (var record in dbase.Find(crl.IssuerDN, fields))
{
if (!record.IsDelta && record.ThisUpdate >= crl.ThisUpdate)
{
// we have a complete CRL that obsoletes this CRL
return;
}
if (!delta)
{
obsolete.Add(record);
}
}
// remove any obsoleted CRLs
foreach (var record in obsolete)
{
dbase.Remove(record);
}
dbase.Add(new X509CrlRecord(crl));
}
//Отдает содержимое Crl-файла в виде структуры CrlInfo:
public CrlInfo GetCrlInfoAsStructure(string fileName)
{
try
{
byte[] buf = ReadFile(fileName);
X509CrlParser clrParser = new X509CrlParser();
X509Crl crl = clrParser.ReadCrl(buf);
var issuer = crl.IssuerDN;
var signature = crl.GetSignature();
DateTime nextupdate = crl.NextUpdate.Value;
DateTime thisUpdate = crl.ThisUpdate;
//Console.WriteLine("Issuerdata.tostring = {0}", issuer.ToString());
//Console.WriteLine("Signature.ToString = {0}", signature.ToString());
//Console.WriteLine("NextUpdate = {0}", nextupdate.ToString());
//Console.WriteLine("ThisUpdate = {0}", thisUpdate);
Logger.Write($"Извлечение данных из crl-файла: {fileName}");
Logger.Write($"issuer: {issuer}");
Logger.Write($"signature: {signature}");
Logger.Write($"nextupdate: {nextupdate}");
Logger.Write($"thisupdate: {thisUpdate}");
CrlInfo CrlInfo = new CrlInfo(issuer.ToString(), signature, nextupdate, thisUpdate);
return(CrlInfo);
}
catch (Exception ex)
{
Crlinfo = new CrlInfo();
Logger.Write(ex.Message);
return(Crlinfo);
}
}
public bool Generate()
{
using (var dlg = new SaveFileDialog())
{
dlg.Filter = @"Crl files (*.crl)|*.crl|All files (*.*)|*.*";
dlg.FilterIndex = 0;
dlg.RestoreDirectory = true;
if (dlg.ShowDialog() == DialogResult.OK)
{
string file = dlg.FileName;
var listGenerator = new DefaultCertificateRevocationListGenerator();
DateTime beginDate = View.From;
DateTime nextUpdateDate = beginDate.AddDays(View.NextUpdate);
X509Certificate caFile = IOPEMUtils.LoadPemCertificate(View.CAFile);
AsymmetricCipherKeyPair caPriveKeyFile = IOPEMUtils.LoadPemPrivateKey(View.CAPrivateKeyFile);
X509Crl result = listGenerator.Create(
View.Algoritm,
caFile,
caPriveKeyFile,
beginDate,
nextUpdateDate
);
IOPEMUtils.SavePemCrl(result, file);
MessageBox.Show(String.Format("Lista gravada em '{0}'", file), @"Informação",
MessageBoxButtons.OK,
MessageBoxIcon.Information
);
return(true);
}
return(false);
}
}
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
/// <exception cref="System.IO.IOException"/>
private bool VerifyTest(TestCrlBuilder crlBuilder)
{
String caCertFileName = certsSrc + "rootRsa.p12";
X509Certificate caCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(caCertFileName, password)[0];
ICipherParameters caPrivateKey = Pkcs12FileHelper.ReadFirstKey(caCertFileName, password, password);
String checkCertFileName = certsSrc + "signCertRsa01.p12";
X509Certificate checkCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(checkCertFileName, password)[
0];
TestCrlClient crlClient = new TestCrlClient(crlBuilder, caPrivateKey);
ICollection <byte[]> crlBytesCollection = crlClient.GetEncoded(checkCert, null);
bool verify = false;
foreach (byte[] crlBytes in crlBytesCollection)
{
X509Crl crl = (X509Crl)SignTestPortUtil.ParseCrlFromStream(new MemoryStream(crlBytes));
CRLVerifier verifier = new CRLVerifier(null, null);
verify = verifier.Verify(crl, checkCert, caCert, DateTimeUtil.GetCurrentUtcTime());
break;
}
return(verify);
}
public X509Crl Get(string url)
{
X509Crl crl = this.crlCache.Get(url);
if (crl == null)
{
// Not in cache
crl = this.Download(url);
}
else if (crl.NextUpdate != null && crl.NextUpdate.Value < DateTime.Now)
{
// Outdated
crl = this.Download(url);
}
else if (crl.NextUpdate == null)
{
// No action.
}
return(crl);
}
/// <summary>
/// Finds the specified certificate revocation list.
/// </summary>
/// <remarks>
/// Searches the database for the specified CRL, returning the matching record with
/// the desired fields populated.
/// </remarks>
/// <returns>The matching record if found; otherwise <c>null</c>.</returns>
/// <param name="crl">The certificate revocation list.</param>
/// <param name="fields">The desired fields.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="crl"/> is <c>null</c>.
/// </exception>
public X509CrlRecord Find(X509Crl crl, X509CrlRecordFields fields)
{
if (crl == null)
{
throw new ArgumentNullException(nameof(crl));
}
using (var command = GetSelectCommand(crl, fields)) {
using (var reader = command.ExecuteReader()) {
if (reader.Read())
{
var parser = new X509CrlParser();
var buffer = new byte[4096];
return(LoadCrlRecord(reader, parser, ref buffer));
}
}
}
return(null);
}
static void Download(string url, X509Store store)
{
if (verbose)
{
Console.WriteLine("Downloading: {0}", url);
}
WebClient wc = new WebClient();
string error = "download";
try {
byte [] data = wc.DownloadData(url);
error = "decode";
X509Crl crl = new X509Crl(data);
error = "import";
// warn if CRL is not current - but still allow it to be imported
if (!crl.IsCurrent && verbose)
{
Console.WriteLine("WARNING: CRL is not current: {0}", url);
}
// only import the CRL if its signature is valid and coming from a trusted root
if (VerifyCrl(crl))
{
store.Import(crl);
}
else
{
Console.WriteLine("ERROR: could not validate CRL: {0}", url);
}
}
catch (Exception e) {
Console.WriteLine("ERROR: could not {0}: {1}", error, url);
if (verbose)
{
Console.WriteLine(e);
Console.WriteLine();
}
}
}
/// <summary>
/// Issue a CRL (containing all revoked certificates)
/// </summary>
/// <returns></returns>
public virtual string IssueCRL()
{
X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
// Generate CRL
try
{
createCRL(crlGen);
X509Crl crl = crlGen.Generate(privateKey);
// Write CRL to file
File.WriteAllBytes(crlFileLocation, crl.GetEncoded());
logEvent(LogEvent.EventType.IssueCert, "CRL Published. Serial: " + lastCRL);
}
catch (Exception ex)
{
LogEvent.WriteEvent(eventLog, LogEvent.EventType.Error, "Failed CRL issue: " + ex.Message);
throw new ApplicationException("Failed CRL Issue", ex);
}
return(lastCRL);
}
/// <summary>
/// Publishes the crl
/// </summary>
public void PublishCrl()
{
if (_revoked == null)
{
return;
//TODO: may be show a messagebox or something?
}
Pkcs12Store store = LoadCAPfx(KeyStorePassword);
if (!store.ContainsAlias(CaAlias) || !store.IsEntryOfType(CaAlias, typeof(AsymmetricKeyEntry)))
{
return;
}
AsymmetricKeyParameter key = store.GetKey(CaAlias).Key;
X509Certificate caCert = store.GetCertificate(CaAlias).Certificate;
var crlNumber = new BigInteger(ReadCrlSerialNumber(), SerialNumberRadix);
var crlGen = new X509V2CrlGenerator();
crlGen.SetIssuerDN(caCert.SubjectDN);
//crlGen.SetNextUpdate();
crlGen.SetSignatureAlgorithm(caCert.SigAlgName.Replace("-", ""));
crlGen.SetThisUpdate(DateTime.UtcNow);
crlGen.SetNextUpdate(DateTime.UtcNow.AddHours(CrlFrequency));
crlGen.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(crlNumber));
crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
new AuthorityKeyIdentifierStructure(caCert));
//crlGen.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.KeyAgreement | KeyUsage.CrlSign | KeyUsage.DataEncipherment | KeyUsage.DecipherOnly | KeyUsage.EncipherOnly | KeyUsage.KeyEncipherment | KeyUsage.NonRepudiation));
foreach (RevokedSerial rs in _revoked.RevokedSerialCollection)
{
crlGen.AddCrlEntry(new BigInteger(rs.Serial), rs.RevocationDate, rs.Reason);
}
X509Crl crl = crlGen.Generate(key);
string crlEncoded = PemUtilities.Encode(crl);
File.WriteAllText(CrlFilePath, crlEncoded);
IncrementCrlSerial();
}
private bool ProcessCrlExtensions(X509Crl crl)
{
foreach (object obj in crl.Extensions)
{
X509Extension x509Extension = (X509Extension)obj;
if (x509Extension.Critical)
{
string oid = x509Extension.Oid;
if (oid != null)
{
if (X509Chain.< > f__switch$mapC == null)
{
X509Chain.< > f__switch$mapC = new Dictionary <string, int>(2)
{
{
"2.5.29.20",
0
},
{
"2.5.29.35",
0
}
};
}
int num;
if (X509Chain.< > f__switch$mapC.TryGetValue(oid, out num))
{
if (num == 0)
{
continue;
}
}
}
return(false);
}
}
return(true);
}
private X509Crl FindCrl(BCX509Certificate2 caCertificate)
{
#if !NETCF
string subject = caCertificate.SubjectDN.Decode(X500DistinguishedNameFlags.None);
string ski = GetSubjectKeyIdentifier(caCertificate);
// consider that the LocalMachine directories could not exists... and cannot be created by the user
X509Crl result = CheckCrls(subject, ski, LMCAStore.Store);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserCAStore.Store);
if (result != null)
{
return(result);
}
}
// consider that the LocalMachine directories could not exists... and cannot be created by the user
result = CheckCrls(subject, ski, LMRootStore.Store);
if (result != null)
{
return(result);
}
if (location == StoreLocation.CurrentUser)
{
result = CheckCrls(subject, ski, UserRootStore.Store);
if (result != null)
{
return(result);
}
}
#endif
return(null);
}
public static global::System.Collections.IList GetCrlsFromStore(IX509Store crlStore)
{
try
{
global::System.Collections.IList list = Platform.CreateArrayList();
if (crlStore != null)
{
{
global::System.Collections.IEnumerator enumerator = ((global::System.Collections.IEnumerable)crlStore.GetMatches(null)).GetEnumerator();
try
{
while (enumerator.MoveNext())
{
X509Crl x509Crl = (X509Crl)enumerator.get_Current();
list.Add((object)CertificateList.GetInstance(Asn1Object.FromByteArray(x509Crl.GetEncoded())));
}
}
finally
{
global::System.IDisposable disposable = enumerator as global::System.IDisposable;
if (disposable != null)
{
disposable.Dispose();
}
}
}
}
return(list);
}
catch (CrlException e)
{
throw new CmsException("error encoding crls", e);
}
catch (global::System.Exception e2)
{
throw new CmsException("error processing crls", e2);
}
}
/// <exception cref="Sharpen.CertificateException"></exception>
/// <exception cref="Sharpen.CRLException"></exception>
/// <exception cref="Sharpen.NoSuchProviderException"></exception>
/// <exception cref="Org.BouncyCastle.X509.NoSuchParserException"></exception>
/// <exception cref="Org.BouncyCastle.X509.Util.StreamParsingException"></exception>
private X509Crl GetCrl(string downloadUrl)
{
if (downloadUrl != null)
{
try
{
InputStream input = UrlDataLoader.Get(downloadUrl);
X509CrlParser parser = new X509CrlParser();
X509Crl crl = parser.ReadCrl(input);
LOG.Info("CRL size: " + crl.GetEncoded().Length + " bytes");
return(crl);
}
catch (CannotFetchDataException)
{
return(null);
}
}
else
{
return(null);
}
}
/// <summary>
/// Issue a CRL (containing all revoked certificates)
/// </summary>
/// <returns>CRL number</returns>
public override string IssueCRL()
{
SysCrlGen crlGen = new SysCrlGen();
// Generate CRL
try
{
createCRL(crlGen);
X509Crl crl = crlGen.Generate(cspParam);
// Write CRL to file
File.WriteAllBytes(crlFileLocation, crl.GetEncoded());
logEvent(LogEvent.EventType.IssueCert, "CRL Published. Serial: " + lastCRL);
}
catch (Exception ex)
{
logEvent(LogEvent.EventType.Error, "Failed CRL issue: " + ex.Message);
throw new ApplicationException("Failed CRL Issue", ex);
}
return(lastCRL);
}
private X509Crl FindCrl(X509Certificate2 caCertificate)
{
string b = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None);
string subjectKeyIdentifier = this.GetSubjectKeyIdentifier(caCertificate);
foreach (object obj in this.CertificateAuthorities.Store.Crls)
{
X509Crl x509Crl = (X509Crl)obj;
if (x509Crl.IssuerName == b && (subjectKeyIdentifier.Length == 0 || subjectKeyIdentifier == this.GetAuthorityKeyIdentifier(x509Crl)))
{
return(x509Crl);
}
}
foreach (object obj2 in this.Roots.Store.Crls)
{
X509Crl x509Crl2 = (X509Crl)obj2;
if (x509Crl2.IssuerName == b && (subjectKeyIdentifier.Length == 0 || subjectKeyIdentifier == this.GetAuthorityKeyIdentifier(x509Crl2)))
{
return(x509Crl2);
}
}
return(null);
}
public void AddCrl(X509Crl other)
{
if (other == null)
{
throw new ArgumentNullException("other");
}
ISet revokedCertificates = other.GetRevokedCertificates();
if (revokedCertificates != null)
{
foreach (X509CrlEntry item in revokedCertificates)
{
try
{
tbsGen.AddCrlEntry(Asn1Sequence.GetInstance(Asn1Object.FromByteArray(item.GetEncoded())));
}
catch (IOException e)
{
throw new CrlException("exception processing encoding of CRL", e);
}
}
}
}
/// <summary>Checks if a CRL verifies against the issuer certificate or a trusted anchor.</summary>
/// <param name="crl">the CRL</param>
/// <param name="crlIssuer">the trusted anchor</param>
/// <returns>true if the CRL can be trusted</returns>
public virtual bool IsSignatureValid(X509Crl crl, X509Certificate crlIssuer)
{
// check if the CRL was issued by the issuer
if (crlIssuer != null)
{
try {
crl.Verify(crlIssuer.GetPublicKey());
return(true);
}
catch (GeneralSecurityException) {
LOGGER.Warn("CRL not issued by the same authority as the certificate that is being checked");
}
}
// check the CRL against trusted anchors
if (rootStore == null)
{
return(false);
}
try {
// loop over the certificate in the key store
foreach (X509Certificate anchor in SignUtils.GetCertificates(rootStore))
{
try {
// check if the crl was signed by a trusted party (indirect CRLs)
crl.Verify(anchor.GetPublicKey());
return(true);
}
catch (GeneralSecurityException) {
continue;
}
}
}
catch (GeneralSecurityException) {
return(false);
}
return(false);
}
/// <summary>
/// For level -XL, every X509Crl values contained in the ValidationContext must be in the RevocationValues of the
/// signature
/// </summary>
/// <param name="ctx"></param>
/// <param name="refs"></param>
/// <param name="signingCert"></param>
/// <returns></returns>
protected internal virtual bool EveryCRLValueOrRefAreThere <_T0>(ValidationContext
ctx, IList <_T0> crlValuesOrRef)
{
foreach (X509Crl crl in ctx.GetNeededCRL())
{
LOG.Info("Looking for CRL ref issued by " + crl.IssuerDN);
bool found = false;
foreach (object valueOrRef in crlValuesOrRef)
{
if (valueOrRef is X509Crl)
{
X509Crl sigCRL = (X509Crl)valueOrRef;
if (sigCRL.Equals(crl))
{
found = true;
break;
}
}
if (valueOrRef is CRLRef)
{
CRLRef @ref = (CRLRef)valueOrRef;
if (@ref.Match(crl))
{
found = true;
break;
}
}
}
LOG.Info("Ref " + (found ? " found" : " not found"));
if (!found)
{
return(false);
}
}
return(true);
}
private BigInteger GetCrlNumber(X509Crl crl)
{
//byte[] crlNumberExtensionValue = crl.GetExtensionValue(X509Extensions.CrlNumber);
Asn1OctetString crlNumberExtensionValue = crl.GetExtensionValue(X509Extensions.CrlNumber);
if (null == crlNumberExtensionValue)
{
return(null);
}
try
{
//DerOctetString octetString = (DerOctetString)(new ASN1InputStream(new ByteArrayInputStream
// (crlNumberExtensionValue)).ReadObject());
DerOctetString octetString = (DerOctetString)crlNumberExtensionValue;
byte[] octets = octetString.GetOctets();
DerInteger integer = (DerInteger) new Asn1InputStream(octets).ReadObject();
BigInteger crlNumber = integer.PositiveValue;
return(crlNumber);
}
catch (IOException e)
{
throw new RuntimeException("IO error: " + e.Message, e);
}
}
/**
* Gets a list of X509CRL objects from a Document Security Store.
* @return a list of CRLs
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public List <X509Crl> GetCRLsFromDSS()
{
List <X509Crl> crls = new List <X509Crl>();
if (dss == null)
{
return(crls);
}
PdfArray crlarray = dss.GetAsArray(PdfName.CRLS);
if (crlarray == null)
{
return(crls);
}
X509CrlParser crlParser = new X509CrlParser();
for (int i = 0; i < crlarray.Size; ++i)
{
PRStream stream = (PRStream)crlarray.GetAsStream(i);
X509Crl crl = crlParser.ReadCrl(new MemoryStream(PdfReader.GetStreamBytes(stream)));
crls.Add(crl);
}
return(crls);
}
/// <summary>
/// Generate CRL.
/// </summary>
/// <returns>Result.</returns>
public X509Crl Generate()
{
var signer = DotNetUtilities.FromX509Certificate(signerCertificate.Certificate);
ISignatureFactory signatureFactory =
new Asn1SignatureFactory(SignatureAlgorithm, signerCertificate.KeyPair.Private, random);
crlGenerator.SetIssuerDN(signer.IssuerDN);
crlGenerator.SetThisUpdate(DateTime.Now);
crlGenerator.SetNextUpdate(DateTime.Now.AddYears(1));
crlGenerator.AddCrlEntry(BigInteger.One, DateTime.Now, CrlReason.PrivilegeWithdrawn);
crlGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier,
false,
new AuthorityKeyIdentifierStructure(signer));
var crlNumber = new BigInteger(DateTime.UtcNow.ToString("yyyyMMddHHmm"));
crlGenerator.AddExtension(X509Extensions.CrlNumber, false, new CrlNumber(crlNumber));
X509Crl crlTemp = crlGenerator.Generate(signatureFactory);
return(crlTemp);
}
static void UpdateStore(X509Store store)
{
// for each certificate
foreach (X509Certificate cert in store.Certificates)
{
// do we already have a matching CRL ? (or are we forced to download?)
X509Crl crl = force ? null : FindCrl(cert, store);
// without a CRL (or with a CRL in need of updating)
if ((crl == null) || !crl.IsCurrent)
{
X509Extension ext = cert.Extensions ["2.5.29.31"];
if (ext == null)
{
if (verbose)
{
Console.WriteLine("WARNING: No cRL distribution point found for '{0}'", cert.SubjectName);
}
continue;
}
CRLDistributionPointsExtension crlDP = new CRLDistributionPointsExtension(ext);
foreach (var dp in crlDP.DistributionPoints)
{
string name = dp.Name.Trim();
if (name.StartsWith("URL="))
{
Download(name.Substring(4), store);
}
else if (verbose)
{
Console.WriteLine("WARNING: Unsupported distribution point: '{0}'", name);
}
}
}
}
}
private X509Crl GetCrlFromFS(string downloadUrl)
{
if (downloadUrl != null)
{
try
{
using (var input = File.OpenRead(downloadUrl))
{
X509CrlParser parser = new X509CrlParser();
X509Crl crl = parser.ReadCrl(input);
logger.Info("CRL size: " + crl.GetEncoded().Length + " bytes");
return(crl);
}
}
catch (CannotFetchDataException)
{
return(null);
}
}
else
{
return(null);
}
}
/// <summary> /// Imports the specified certificate revocation list. /// </summary> /// <remarks> /// Imports the specified certificate revocation list. /// </remarks> /// <param name="crl">The certificate revocation list.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="crl"/> is <c>null</c>. /// </exception> public abstract void Import(X509Crl crl);
/// <summary> /// Gets the database command to select the record for the specified CRL. /// </summary> /// <remarks> /// Gets the database command to select the record for the specified CRL. /// </remarks> /// <returns>The database command.</returns> /// <param name="crl">The X.509 CRL.</param> /// <param name="fields">The fields to return.</param> protected abstract DbCommand GetSelectCommand(X509Crl crl, X509CrlRecordFields fields);
public virtual bool Match(
object obj)
{
X509Crl c = obj as X509Crl;
if (c == null)
{
return(false);
}
if (dateAndTime != null)
{
DateTime dt = dateAndTime.Value;
DateTime tu = c.ThisUpdate;
DateTimeObject nu = c.NextUpdate;
if (dt.CompareTo(tu) < 0 || nu == null || dt.CompareTo(nu.Value) >= 0)
{
return(false);
}
}
if (issuers != null)
{
X509Name i = c.IssuerDN;
bool found = false;
foreach (X509Name issuer in issuers)
{
if (issuer.Equivalent(i, true))
{
found = true;
break;
}
}
if (!found)
{
return(false);
}
}
if (maxCrlNumber != null || minCrlNumber != null)
{
Asn1OctetString extVal = c.GetExtensionValue(X509Extensions.CrlNumber);
if (extVal == null)
{
return(false);
}
BigInteger cn = CrlNumber.GetInstance(
X509ExtensionUtilities.FromExtensionValue(extVal)).PositiveValue;
if (maxCrlNumber != null && cn.CompareTo(maxCrlNumber) > 0)
{
return(false);
}
if (minCrlNumber != null && cn.CompareTo(minCrlNumber) < 0)
{
return(false);
}
}
DerInteger dci = null;
try
{
Asn1OctetString bytes = c.GetExtensionValue(X509Extensions.DeltaCrlIndicator);
if (bytes != null)
{
dci = DerInteger.GetInstance(X509ExtensionUtilities.FromExtensionValue(bytes));
}
}
catch (Exception)
{
return(false);
}
if (dci == null)
{
if (DeltaCrlIndicatorEnabled)
{
return(false);
}
}
else
{
if (CompleteCrlEnabled)
{
return(false);
}
if (maxBaseCrlNumber != null && dci.PositiveValue.CompareTo(maxBaseCrlNumber) > 0)
{
return(false);
}
}
if (issuingDistributionPointEnabled)
{
Asn1OctetString idp = c.GetExtensionValue(X509Extensions.IssuingDistributionPoint);
if (issuingDistributionPoint == null)
{
if (idp != null)
{
return(false);
}
}
else
{
if (!Arrays.AreEqual(idp.GetOctets(), issuingDistributionPoint))
{
return(false);
}
}
}
return(true);
}
