|
public IsRevoked ( |
||
| certificate | ||
| return | bool | |
public bool IsRevoked(X509Certificate2 certificate)
{
IntPtr pData1 = IntPtr.Zero;
IntPtr pData2 = IntPtr.Zero;
int dwDataSize1 = 0;
try
{
// check that the issuer matches.
if (m_issuer == null || !Utils.CompareDistinguishedName(certificate.Issuer, m_issuer.Subject))
{
throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Certificate was not created by the CRL issuer.");
}
// get the cert info for the target certificate.
Win32.CERT_CONTEXT context = (Win32.CERT_CONTEXT)Marshal.PtrToStructure(certificate.Handle, typeof(Win32.CERT_CONTEXT));
// calculate amount of memory required.
int bResult = Win32.CryptDecodeObjectEx(
Win32.X509_ASN_ENCODING | Win32.PKCS_7_ASN_ENCODING,
(IntPtr)Win32.X509_CERT_CRL_TO_BE_SIGNED,
m_signedCrl.ToBeSigned.pbData,
m_signedCrl.ToBeSigned.cbData,
Win32.CRYPT_DECODE_NOCOPY_FLAG,
IntPtr.Zero,
pData1,
ref dwDataSize1);
if (bResult == 0)
{
throw Win32.GetLastError(StatusCodes.BadDecodingError, "Could not get size for CRL_INFO.");
}
// allocate memory.
pData1 = Marshal.AllocHGlobal(dwDataSize1);
// decode blob.
bResult = Win32.CryptDecodeObjectEx(
Win32.X509_ASN_ENCODING | Win32.PKCS_7_ASN_ENCODING,
(IntPtr)Win32.X509_CERT_CRL_TO_BE_SIGNED,
m_signedCrl.ToBeSigned.pbData,
m_signedCrl.ToBeSigned.cbData,
Win32.CRYPT_DECODE_NOCOPY_FLAG,
IntPtr.Zero,
pData1,
ref dwDataSize1);
if (bResult == 0)
{
throw Win32.GetLastError(StatusCodes.BadDecodingError, "Could not decode CRL_INFO.");
}
IntPtr[] pCRLs = new IntPtr[] { pData1 };
pData2 = Marshal.AllocHGlobal(IntPtr.Size * pCRLs.Length);
Marshal.Copy(pCRLs, 0, pData2, pCRLs.Length);
// check for revocation.
bResult = Win32.CertVerifyCRLRevocation(
Win32.X509_ASN_ENCODING | Win32.PKCS_7_ASN_ENCODING,
context.pCertInfo,
pCRLs.Length,
pData2);
if (bResult == 0)
{
return true;
}
// not revoked.
return false;
}
finally
{
if (pData1 != IntPtr.Zero)
{
Marshal.FreeHGlobal(pData1);
pData1 = IntPtr.Zero;
}
if (pData2 != IntPtr.Zero)
{
Marshal.FreeHGlobal(pData2);
pData2 = IntPtr.Zero;
}
}
}
#endregion /// <summary>
/// Checks if issuer has revoked the certificate.
/// </summary>
public virtual StatusCode IsRevoked(X509Certificate2 issuer, X509Certificate2 certificate)
{
if (issuer == null)
{
throw new ArgumentNullException("issuer");
}
if (certificate == null)
{
throw new ArgumentNullException("certificate");
}
// check for CRL.
DirectoryInfo info = new DirectoryInfo(this.Directory.FullName + Path.DirectorySeparatorChar + "crl");
if (info.Exists)
{
bool crlExpired = true;
foreach (FileInfo file in info.GetFiles("*.crl"))
{
X509CRL crl = null;
try
{
crl = new X509CRL(file.FullName);
}
catch (Exception e)
{
Utils.Trace(e, "Could not parse CRL file.");
continue;
}
if (!Utils.CompareDistinguishedName(crl.Issuer, issuer.Subject))
{
continue;
}
if (!crl.VerifySignature(issuer, false))
{
continue;
}
if (crl.IsRevoked(certificate))
{
return(StatusCodes.BadCertificateRevoked);
}
if (crl.UpdateTime <= DateTime.UtcNow && (crl.NextUpdateTime == DateTime.MinValue || crl.NextUpdateTime >= DateTime.UtcNow))
{
crlExpired = false;
}
}
// certificate is fine.
if (!crlExpired)
{
return(StatusCodes.Good);
}
}
// can't find a valid CRL.
return(StatusCodes.BadCertificateRevocationUnknown);
}
