private bool ProcessCrlExtensions(MX.X509Crl crl) { foreach (MX.X509Extension ext in crl.Extensions) { if (ext.Critical) { switch (ext.Oid) { case "2.5.29.20": // cRLNumber case "2.5.29.35": // authorityKeyIdentifier // we processed/know about this extension break; default: return(false); } } } return(true); }
private MX.X509Crl FindCrl(X509Certificate2 caCertificate) { string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None); string ski = GetSubjectKeyIdentifier(caCertificate); // consider that the LocalMachine directories could not exists... and cannot be created by the user MX.X509Crl result = CheckCrls(subject, ski, LMCAStore.Store); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserCAStore.Store); if (result != null) { return(result); } } // consider that the LocalMachine directories could not exists... and cannot be created by the user result = CheckCrls(subject, ski, LMRootStore.Store); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserRootStore.Store); if (result != null) { return(result); } } return(null); }
private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online) { // change this if/when we support OCSP X509KeyUsageExtension kue = (ca_cert.Extensions["2.5.29.15"] as X509KeyUsageExtension); if (kue != null) { // ... verify CrlSign is set X509KeyUsageFlags success = X509KeyUsageFlags.CrlSign; if ((kue.KeyUsages & success) != success) { // FIXME - we should try to find an alternative CA that has the CrlSign bit return(X509ChainStatusFlags.RevocationStatusUnknown); } } MX.X509Crl crl = FindCrl(ca_cert); if ((crl == null) && online) { // FIXME - download and install new CRL // then you get a second chance // crl = FindCrl (ca_cert, ref valid, ref out_of_date); // We need to get the subjectAltName and an URI from there (or use OCSP) // X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension); } if (crl != null) { // validate the digital signature on the CRL using the CA public key // note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates // checks and we loose the "why" of the failure // note #2: we do this before other tests as an invalid signature could be a hacked CRL // (so anything within can't be trusted) if (!crl.VerifySignature(ca_cert.PublicKey.Key)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } MX.X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate.MonoCertificate); if (entry != null) { // We have an entry for this CRL that includes an unknown CRITICAL extension // See [X.509 7.3] NOTE 4 if (!ProcessCrlEntryExtensions(entry)) { return(X509ChainStatusFlags.Revoked); } // FIXME - a little more is involved if (entry.RevocationDate <= ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.Revoked); } } // are we overdue for a CRL update ? if so we can't be sure of any certificate status if (crl.NextUpdate < ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation); } // we have a CRL that includes an unknown CRITICAL extension // we put this check at the end so we do not "hide" any Revoked flags if (!ProcessCrlExtensions(crl)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } } else { return(X509ChainStatusFlags.RevocationStatusUnknown); } return(X509ChainStatusFlags.NoError); }
// but anyway System.dll v2 doesn't expose CRL in any way so... static string GetAuthorityKeyIdentifier(MX.X509Crl crl) { return(GetAuthorityKeyIdentifier(crl.Extensions ["2.5.29.35"])); }