/// <summary>
/// Shorter implementation of TimestampVerifier.IsValidAfterRevocation method for testing purposes.
/// </summary>
public static bool IsValidAfterRevocationFake(X509Crl crl, X509Certificate cert, DateTime timestampGenTime)
{
if (crl.IsRevoked(cert))
{
X509CrlEntry revokedEntry = crl.GetRevokedCertificate(cert.SerialNumber);
DateTime revocationDate = revokedEntry.RevocationDate;
/* All timestamps created after revocation date are invalid */
if (DateTime.Compare(timestampGenTime, revocationDate) > 0)
{
return(false);
}
DerEnumerated reasonCode = DerEnumerated.GetInstance(GetExtensionValue(revokedEntry, X509Extensions.ReasonCode));
/* If the revocation reason is not present, the timestamp is considered invalid */
if (reasonCode == null)
{
return(false);
}
int reason = reasonCode.Value.IntValue;
/* If the revocation reason is any other value, the timestamp is considered invalid */
if (!(reason == CrlReason.Unspecified ||
reason == CrlReason.AffiliationChanged ||
reason == CrlReason.Superseded ||
reason == CrlReason.CessationOfOperation))
{
return(false);
}
}
return(true);
}
public ValidationError ValidationHandler1(XmlDocument xmlDoc, string xmlFileName)
{
ValidationError validationError = new ValidationError(xmlFileName, null);
X509Certificate signerCert = GetSignerCertificate(xmlDoc);
if (signerCert == null)
{
return(validationError.AppendErrorMessage("Timestamp signer certificate missing."));
}
if (!signerCert.IsValidNow)
{
return(validationError.AppendErrorMessage("Timestamp signer certificate is not valid to current date."));
}
X509CrlEntry crlEntry = CrlHelper.GetRevokedCertificateEntry(signerCert.SerialNumber);
if (crlEntry != null)
{
return(validationError.AppendErrorMessage("Timestamp signer certificate is revoked."));
}
return(validationError);
}
/// <summary>
/// Determines whether timestamp, signed by given certificate, can be considered valid, even after said certificate has been revoked.
/// It follows rules discribed in RFC3161 section 4.1.
/// </summary>
/// <param name="certificate">The certificate.</param>
/// <param name="timestampGenTime">The timestamp time.</param>
/// <returns>
/// <c>true</c> if [is valid after revocation] [the specified certificate]; otherwise, <c>false</c>.
/// </returns>
private static bool IsValidAfterRevocation(X509Certificate2 certificate, DateTime timestampGenTime)
{
try
{
/* Get CRL url from certificate */
Org.BouncyCastle.X509.X509Certificate cert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);
X509Extension revocationExtension = (from X509Extension extension in certificate.Extensions where extension.Oid.Value.Equals("2.5.29.31") select extension).Single();
Regex rx = new Regex("http://.*?\\.crl");
foreach (Match match in rx.Matches(new AsnEncodedData(revocationExtension.Oid, revocationExtension.RawData).Format(false)))
{
string crlUrl = match.Value;
WebClient client = new WebClient();
X509CrlParser crlParser = new X509CrlParser();
X509Crl crl = crlParser.ReadCrl(client.DownloadData(crlUrl));
if (crl.IsRevoked(cert))
{
X509CrlEntry revokedEntry = crl.GetRevokedCertificate(cert.SerialNumber);
DateTime revocationDate = revokedEntry.RevocationDate;
/* All timestamps created after revocation date are invalid */
if (DateTime.Compare(timestampGenTime, revocationDate) > 0)
{
return(false);
}
DerEnumerated reasonCode = DerEnumerated.GetInstance(GetExtensionValue(revokedEntry, Org.BouncyCastle.Asn1.X509.X509Extensions.ReasonCode));
/* If the revocation reason is not present, the timestamp is considered invalid */
if (reasonCode == null)
{
return(false);
}
int reason = reasonCode.Value.IntValue;
/* If the revocation reason is any other value, the timestamp is considered invalid */
if (!(reason == Org.BouncyCastle.Asn1.X509.CrlReason.Unspecified ||
reason == Org.BouncyCastle.Asn1.X509.CrlReason.AffiliationChanged ||
reason == Org.BouncyCastle.Asn1.X509.CrlReason.Superseded ||
reason == Org.BouncyCastle.Asn1.X509.CrlReason.CessationOfOperation))
{
return(false);
}
}
}
}
catch
{
return(false);
}
return(true);
}
public X509CrlEntry GetCrlEntry(BigInteger serial)
{
X509CrlEntry result = null;
_crlLock.EnterReadLock();
try{
result = _crl.GetRevokedCertificate(serial);
}catch (Exception) {
}finally{
_crlLock.ExitReadLock();
}
return(result);
}
internal static void GetCertStatus(global::System.DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
{
X509Crl x509Crl = null;
try
{
x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
}
catch (global::System.Exception ex)
{
throw new global::System.Exception("Bouncy Castle X509Crl could not be created.", ex);
}
X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(GetSerialNumber(cert));
if (revokedCertificate == null)
{
return;
}
X509Name issuerPrincipal = GetIssuerPrincipal(cert);
if (!issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), inOrder: true) && !issuerPrincipal.Equivalent(crl.IssuerDN, inOrder: true))
{
return;
}
DerEnumerated derEnumerated = null;
if (revokedCertificate.HasExtensions)
{
try
{
derEnumerated = DerEnumerated.GetInstance(GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode));
}
catch (global::System.Exception ex2)
{
throw new global::System.Exception("Reason code CRL entry extension could not be decoded.", ex2);
}
}
if (validDate.get_Ticks() >= revokedCertificate.RevocationDate.get_Ticks() || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8))
{
if (derEnumerated != null)
{
certStatus.Status = derEnumerated.Value.SignValue;
}
else
{
certStatus.Status = 0;
}
certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate);
}
}
private ISet LoadCrlEntries()
{
ISet set = new HashSet();
IEnumerable revokedCertificateEnumeration = c.GetRevokedCertificateEnumeration();
X509Name previousCertificateIssuer = IssuerDN;
foreach (CrlEntry item in revokedCertificateEnumeration)
{
X509CrlEntry x509CrlEntry = new X509CrlEntry(item, isIndirect, previousCertificateIssuer);
set.Add(x509CrlEntry);
previousCertificateIssuer = x509CrlEntry.GetCertificateIssuer();
}
return(set);
}
internal static void GetCertStatus(DateTime validDate, X509Crl crl, object cert, CertStatus certStatus)
{
X509Crl x509Crl = null;
try
{
x509Crl = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(crl.GetEncoded())));
}
catch (Exception innerException)
{
throw new Exception("Bouncy Castle X509Crl could not be created.", innerException);
}
X509CrlEntry revokedCertificate = x509Crl.GetRevokedCertificate(PkixCertPathValidatorUtilities.GetSerialNumber(cert));
if (revokedCertificate == null)
{
return;
}
X509Name issuerPrincipal = PkixCertPathValidatorUtilities.GetIssuerPrincipal(cert);
if (issuerPrincipal.Equivalent(revokedCertificate.GetCertificateIssuer(), true) || issuerPrincipal.Equivalent(crl.IssuerDN, true))
{
DerEnumerated derEnumerated = null;
if (revokedCertificate.HasExtensions)
{
try
{
derEnumerated = DerEnumerated.GetInstance(PkixCertPathValidatorUtilities.GetExtensionValue(revokedCertificate, X509Extensions.ReasonCode));
}
catch (Exception innerException2)
{
throw new Exception("Reason code CRL entry extension could not be decoded.", innerException2);
}
}
if (validDate.Ticks >= revokedCertificate.RevocationDate.Ticks || derEnumerated == null || derEnumerated.Value.TestBit(0) || derEnumerated.Value.TestBit(1) || derEnumerated.Value.TestBit(2) || derEnumerated.Value.TestBit(8))
{
if (derEnumerated != null)
{
certStatus.Status = derEnumerated.Value.SignValue;
}
else
{
certStatus.Status = 0;
}
certStatus.RevocationDate = new DateTimeObject(revokedCertificate.RevocationDate);
}
}
}
public X509CrlEntry GetCrlEntry(byte[] serialNumber)
{
if (serialNumber == null)
{
throw new ArgumentNullException("serialNumber");
}
for (int i = 0; i < entries.Count; i++)
{
X509CrlEntry x509CrlEntry = (X509CrlEntry)entries[i];
if (Compare(serialNumber, x509CrlEntry.SerialNumber))
{
return(x509CrlEntry);
}
}
return(null);
}
public virtual X509CrlEntry GetRevokedCertificate(BigInteger serialNumber)
{
IEnumerable revokedCertificateEnumeration = c.GetRevokedCertificateEnumeration();
X509Name previousCertificateIssuer = IssuerDN;
foreach (CrlEntry item in revokedCertificateEnumeration)
{
X509CrlEntry x509CrlEntry = new X509CrlEntry(item, isIndirect, previousCertificateIssuer);
if (serialNumber.Equals(item.UserCertificate.Value))
{
return(x509CrlEntry);
}
previousCertificateIssuer = x509CrlEntry.GetCertificateIssuer();
}
return(null);
}
public ValidationError ValidationHandler1(XmlDocument xmlDoc, string xmlFileName)
{
ValidationError validationError = new ValidationError(xmlFileName, null);
TimeStampToken token = XmlNodeHelper.GetTimeStampToken(xmlDoc);
Org.BouncyCastle.X509.X509Certificate certificate = XmlNodeHelper.GetX509Certificate(xmlDoc);
if (certificate == null)
{
return(validationError.AppendErrorMessage("Nepodarilo sa nájsť certifikát"));
}
if (token == null)
{
return(validationError.AppendErrorMessage("Nepodarilo sa nájsť token"));
}
// Check certificate validity against timestamp token time
try
{
certificate.CheckValidity(token.TimeStampInfo.GenTime);
}
catch (Exception ex)
{
return(validationError.AppendErrorMessage("Platnosť podpisového certifikátu neodpovedá času z časovej pečiatky. ErrorMessage ->" + ex.Message));
}
// Check certificate validity against crl
X509CrlEntry entry = CrlHelper.GetRevokedCertificateEntry(certificate.SerialNumber);
if (entry == null)
{
return(validationError);
}
if (entry.RevocationDate < token.TimeStampInfo.GenTime)
{
return(validationError.AppendErrorMessage("Platnosť certifikátu vypršala"));
}
return(validationError);
}
public void AddRevokedResponse(CertificateID cert_id, X509CrlEntry crl_entry)
{
int reason;
var crl_reason_oid = X509Extensions.ReasonCode;
var ext_reason = crl_entry.GetExtensionValue(crl_reason_oid);
if (ext_reason != null)
{
var asn1_reason = new DerEnumerated(ext_reason.GetEncoded());
reason = asn1_reason.Value.IntValue;
}
else
{
reason = (int)CrlReason.unspecified;
}
CertificateStatus status = new RevokedStatus(crl_entry.RevocationDate, reason);
_builder.AddResponse(cert_id, status, DateTime.UtcNow.AddMinutes(_nextupdate), null);
}
public ValidationResponse ValidateCertificate(X509Certificate2 certificate, String urlCRL)
{
try
{
byte[] crl = transferHttpDataService.GetFile(urlCRL);
X509Crl x509crl = new X509CrlParser().ReadCrl(crl);
Org.BouncyCastle.X509.X509Certificate certificateBC = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(certificate);
X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(certificateBC.SerialNumber);
if (crlEntry != null)
{
return(new ValidationResponse(CertificateStatus.REVOKED, crlEntry.RevocationDate));
}
return(new ValidationResponse(CertificateStatus.VALID));
}
catch (CommunicationException)
{
return(new ValidationResponse(CertificateStatus.UNKNOWN));
}
}
public bool IsRevoked(CertificateID id, ref DerGeneralizedTime dt, ref CrlReason reason)
{
if (Crl == null)
{
return(false);
}
else
{
X509CrlEntry ent = Crl.GetRevokedCertificate(id.SerialNumber);
if (ent == null)
{
return(false);
}
else
{
dt = new DerGeneralizedTime(ent.RevocationDate);
reason = new CrlReason(CrlReason.CessationOfOperation);
return(true);
}
}
}
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate
certificate, DateTime validationDate)
{
try
{
CertificateStatus report = new CertificateStatus();
report.Certificate = childCertificate;
report.ValidationDate = validationDate;
report.IssuerCertificate = certificate;
if (crlSource == null)
{
LOG.Warn("CRLSource null");
return(null);
}
X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate);
if (x509crl == null)
{
LOG.Info("No CRL found for certificate " + childCertificate.SubjectDN);
return(null);
}
if (!IsCRLValid(x509crl, certificate, validationDate))
{
LOG.Warn("The CRL is not valid !");
return(null);
}
report.StatusSource = x509crl;
report.Validity = CertificateValidity.UNKNOWN;
report.Certificate = childCertificate;
report.StatusSourceType = ValidatorSourceType.CRL;
report.ValidationDate = validationDate;
X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber);
if (null == crlEntry)
{
LOG.Info("CRL OK for: " + childCertificate.SubjectDN);
report.Validity = CertificateValidity.VALID;
}
else
{
if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After
{
LOG.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate
);
report.Validity = CertificateValidity.VALID;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
}
else
{
LOG.Info("CRL reports certificate: " + childCertificate.SubjectDN
+ " as revoked since " + crlEntry.RevocationDate);
report.Validity = CertificateValidity.REVOKED;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
report.RevocationDate = crlEntry.RevocationDate;
}
}
return(report);
}
catch (IOException e)
{
LOG.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message);
return(null);
}
}
internal static void GetCertStatus(
DateTime validDate,
X509Crl crl,
Object cert,
CertStatus certStatus)
{
X509Crl bcCRL = null;
try
{
bcCRL = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Sequence.FromByteArray(crl.GetEncoded())));
}
catch (Exception exception)
{
throw new Exception("Bouncy Castle X509Crl could not be created.", exception);
}
X509CrlEntry crl_entry = (X509CrlEntry)bcCRL.GetRevokedCertificate(GetSerialNumber(cert));
if (crl_entry == null)
{
return;
}
X509Name issuer = GetIssuerPrincipal(cert);
if (issuer.Equivalent(crl_entry.GetCertificateIssuer(), true) ||
issuer.Equivalent(crl.IssuerDN, true))
{
DerEnumerated reasonCode = null;
if (crl_entry.HasExtensions)
{
try
{
reasonCode = DerEnumerated.GetInstance(
GetExtensionValue(crl_entry, X509Extensions.ReasonCode));
}
catch (Exception e)
{
throw new Exception(
"Reason code CRL entry extension could not be decoded.",
e);
}
}
// for reason keyCompromise, caCompromise, aACompromise or
// unspecified
if (!(validDate.Ticks < crl_entry.RevocationDate.Ticks) ||
reasonCode == null ||
reasonCode.Value.TestBit(0) ||
reasonCode.Value.TestBit(1) ||
reasonCode.Value.TestBit(2) ||
reasonCode.Value.TestBit(8))
{
if (reasonCode != null) // (i) or (j) (1)
{
certStatus.Status = reasonCode.Value.SignValue;
}
else // (i) or (j) (2)
{
certStatus.Status = CrlReason.Unspecified;
}
certStatus.RevocationDate = new DateTimeObject(crl_entry.RevocationDate);
}
}
}
private async Task <RevocationResult> GetCrlResponse(string url, string host, BcX509Certificate peerCertificate)
{
int maxAttemptCount = 2;
int attemptCount = 0;
string error = null;
while (maxAttemptCount > attemptCount)
{
try
{
_log.LogInformation("Attempt {Attempt}: Getting crl info for host {Host} certificate {Certificate} from url {Url}",
attemptCount, host, peerCertificate.SubjectDN, url);
HttpResponseMessage httpResponseMessage = await url
.WithTimeout(TimeSpan.FromSeconds(20))
.GetAsync();
if (httpResponseMessage.IsSuccessStatusCode)
{
X509Crl x509Crl = _x509CrlParser.ReadCrl(await httpResponseMessage.Content.ReadAsStreamAsync());
bool revoked = x509Crl.IsRevoked(peerCertificate);
List <RevocationInfo> revocationInfos = new List <RevocationInfo>();
if (revoked)
{
X509CrlEntry crlEntry = x509Crl.GetRevokedCertificate(peerCertificate.SerialNumber);
string revocationReason = "unknown";
if (crlEntry.HasExtensions)
{
revocationReason = crlEntry.GetExtensionValue(X509Extensions.ReasonCode)?.ToString() ?? "unknown";
}
revocationInfos.Add(new RevocationInfo(crlEntry.RevocationDate, revocationReason));
_log.LogInformation("Certificate {Certificate} for host {Host} is was revoked on {RevocationDate} with reason {RevocationReason}.",
peerCertificate.SubjectDN, host, crlEntry.RevocationDate, revocationReason);
}
else
{
_log.LogInformation("Certificate {Certificate} for host {Host} is not revoked.",
peerCertificate.SubjectDN, host);
}
return(new RevocationResult(revoked, revocationInfos));
}
_log.LogWarning("Failed to get crl info for host {Host} certificate {Certificate} from url {Url} with http status code {StatusCode}",
host, peerCertificate.SubjectDN.ToString(), url, httpResponseMessage.StatusCode);
error = $"Failed call to {url} with http status code {httpResponseMessage.StatusCode}.";
}
catch (Exception e)
{
_log.LogError("Failed to get crl revocation info for host {Host} certificate {Certificate} from url {Url} with exception {ExceptionMessage}{StackTrace}",
host, peerCertificate.SubjectDN.ToString(), url, e.Message, e.StackTrace);
error = e.Message;
}
attemptCount++;
}
return(new RevocationResult(error));
}
EsitoVerifica controllaCrlCert(X509Certificate cert, string cachePath, bool force = false)
{
//usiamo l'ev solo per i dati di revoca
EsitoVerifica ev = new EsitoVerifica();
string CN = cert.SubjectDN.GetValues(X509Name.CN).Cast <string>().FirstOrDefault();
string SN = cert.SubjectDN.GetValues(X509Name.SerialNumber).Cast <string>().FirstOrDefault();
X509Extensions ex = X509Extensions.GetInstance(cert.CertificateStructure.TbsCertificate.Extensions);
X509Extension e = ex.GetExtension(X509Extensions.CrlDistributionPoints);
if (e == null)
{
string msg = "CRL distribution points NOT PRESENT in certificate structure";
logger.Debug(msg);
ev.status = EsitoVerificaStatus.ErroreGenerico;
ev.errorCode = "1411";//nonposso scaricare la CRL
ev.message = msg;
return(ev);
}
var crldp = CrlDistPoint.GetInstance(e.GetParsedValue());
List <String> certDpUrlLst = GetCrlDistribtionPoints(crldp);
ev.status = EsitoVerificaStatus.Valid;
ev.SubjectCN = CN;
ev.SubjectDN = SN;
int downloadsTrials = 0;
List <String> errorLst = new List <string>();
foreach (string url in certDpUrlLst)
{
try
{
Uri tryUri = new Uri(url);
}
catch
{
logger.ErrorFormat("Unable to download/process CRL URL : {0}", url);
continue;
}
try
{
X509Crl rootCrl = retreiveCrlUrl(url, cachePath, force);
downloadsTrials++;
if (rootCrl.IsRevoked(cert))
{
X509CrlEntry entry = rootCrl.GetRevokedCertificate(cert.CertificateStructure.SerialNumber.Value);
ev.dataRevocaCertificato = entry.RevocationDate;
logger.DebugFormat("Certificate {0} : {1} with serial {2} is Revoked on {3}", CN, SN, BitConverter.ToString(entry.SerialNumber.ToByteArray()), ev.dataRevocaCertificato);
ev.content = entry.SerialNumber.ToByteArray();
ev.errorCode = "1408";
ev.status = EsitoVerificaStatus.Revoked;
break;
}
}
catch (Exception exc)
{
logger.ErrorFormat("Unable to download/process CRL message {0} stack {1} on Download Trial {2}", exc.Message, exc.StackTrace, downloadsTrials);
errorLst.Add(exc.Message);
}
}
string ErrorMessage = string.Empty;
if ((errorLst.Count > 0) && downloadsTrials == 0)
{
foreach (string s in errorLst)
{
ErrorMessage += s + " | ";
}
}
if (!string.IsNullOrEmpty(ErrorMessage))
{
ev.status = EsitoVerificaStatus.ErroreGenerico;
ev.errorCode = "1411";//nonposso scaricare la CRL
ev.message = "Unable to download/process CRL message:" + ErrorMessage;
}
return(ev);
}
/*
* private void verifyTimestamp(TimeStampToken token, X509CRL crl) throws SignVerificationException, XPathExpressionException {
* // Read timestamp signature certificate
* X509CertificateHolder signCert = getTimestampSignatureCertificate(token);
* if (signCert == null) {
* throw new SignVerificationException("Cannot retrieve timestamp signature certificate (Rule 26).");
* }
*
* // Rule 26 - Validity
* // Check current certificate validity
* if (!signCert.isValidOn(new Date())) {
* throw new SignVerificationException("Timestamp signature certificate is not valid now (Rule 26).");
* }
*
* // Check against CRL
* X509CRLEntry entry = crl.getRevokedCertificate(signCert.getSerialNumber());
* if (entry != null) {
* throw new SignVerificationException("Timestamp signature certificate is revoked (Rule 26).");
* }
*
* // Rule 27 - Message imprint
* byte[] timestampDigest = token.getTimeStampInfo().getMessageImprintDigest();
* String hashAlgorithm = token.getTimeStampInfo().getHashAlgorithm().getAlgorithm().getId();
*
* Element signature = querySelector("//ds:Signature/ds:SignatureValue", "Cannot find element 'ds:SignatureValue' (Rule 27).");
* byte[] signatureValue = Base64.decode(signature.getTextContent().getBytes());
*
* MessageDigest messageDigest = null;
* try {
* messageDigest = MessageDigest.getInstance(hashAlgorithm, "BC");
* } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
* throw new SignVerificationException("Unsupported digest type (Rule 27).");
* }
*
* byte[] signatureDigest = messageDigest.digest(signatureValue);
* if (!Arrays.equals(timestampDigest, signatureDigest)) {
* throw new SignVerificationException("Timestamp MessageImprint check failure (Rule 27).");
* }
* }*/
private bool validateTimestamp()
{
TimeStampToken token = null;
X509Crl ss = null;
XmlNamespaceManager mn = new XmlNamespaceManager(doc.NameTable);
X509CrlParser xx = new X509CrlParser();
mn.AddNamespace("xades", "http://uri.etsi.org/01903/v1.3.2#");
string crlUrl = "http://test.ditec.sk/DTCCACrl/DTCCACrl.crl";
Org.BouncyCastle.X509.X509Certificate signerCert = null;
try
{
var timestamp = this.doc.SelectSingleNode($"//xades:EncapsulatedTimeStamp", mn);
var webClient = new WebClient();
byte[] crlBytes = webClient.DownloadData(crlUrl);
token = new TimeStampToken(new CmsSignedData(Convert.FromBase64String(timestamp.InnerText)));
ss = xx.ReadCrl(crlBytes);
if (timestamp == null || crlBytes == null || token == null || ss == null)
{
generalException(new Exception());
return(false);
}
var store = token.GetCertificates("Collection");
var certs = new ArrayList(store.GetMatches(null));
foreach (Org.BouncyCastle.X509.X509Certificate cert in certs)
{
string cerIssuer = cert.IssuerDN.ToString(true, new Hashtable());
string signIssuer = token.SignerID.Issuer.ToString(true, new Hashtable());
if (cerIssuer == signIssuer && cert.SerialNumber.Equals(token.SignerID.SerialNumber))
{
signerCert = cert;
if (signerCert == null)
{
generalException(new Exception());
return(false);
}
break;
}
}
if (!signerCert.IsValidNow)
{
return(false);
}
X509CrlEntry revokeCheck = ss.GetRevokedCertificate(signerCert.SerialNumber);
if (revokeCheck == null)
{
generalException(new Exception());
return(false);
}
}
catch (Exception e)
{
generalException(e);
}
return(false);
}
internal static void GetCertStatus(
DateTime validDate,
X509Crl crl,
Object cert,
CertStatus certStatus)
{
X509Crl bcCRL = null;
try
{
bcCRL = new X509Crl(CertificateList.GetInstance((Asn1Sequence)Asn1Sequence.FromByteArray(crl.GetEncoded())));
}
catch (Exception exception)
{
throw new Exception("Bouncy Castle X509Crl could not be created.", exception);
}
X509CrlEntry crl_entry = (X509CrlEntry)bcCRL.GetRevokedCertificate(GetSerialNumber(cert));
if (crl_entry == null)
{
return;
}
X509Name issuer = GetIssuerPrincipal(cert);
if (!issuer.Equivalent(crl_entry.GetCertificateIssuer(), true) &&
!issuer.Equivalent(crl.IssuerDN, true))
{
return;
}
int reasonCodeValue = CrlReason.Unspecified;
if (crl_entry.HasExtensions)
{
try
{
Asn1Object extValue = GetExtensionValue(crl_entry, X509Extensions.ReasonCode);
DerEnumerated reasonCode = DerEnumerated.GetInstance(extValue);
if (null != reasonCode)
{
reasonCodeValue = reasonCode.IntValueExact;
}
}
catch (Exception e)
{
throw new Exception("Reason code CRL entry extension could not be decoded.", e);
}
}
DateTime revocationDate = crl_entry.RevocationDate;
if (validDate.Ticks < revocationDate.Ticks)
{
switch (reasonCodeValue)
{
case CrlReason.Unspecified:
case CrlReason.KeyCompromise:
case CrlReason.CACompromise:
case CrlReason.AACompromise:
break;
default:
return;
}
}
// (i) or (j)
certStatus.Status = reasonCodeValue;
certStatus.RevocationDate = new DateTimeObject(revocationDate);
}
