diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-21 18:05:27 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-21 18:05:27 +0700 |
commit | 949c5f658b9558c5f163a3c523d1efaf73ea1319 (patch) | |
tree | 2743ed0822d1a6cdb77a3d0671014339e8ccab03 /crypto/src/pkix/PkixCertPathValidatorUtilities.cs | |
parent | Update ASN.1 GetInstance methods (diff) | |
download | BouncyCastle.NET-ed25519-949c5f658b9558c5f163a3c523d1efaf73ea1319.tar.xz |
Fix handling of reason codes
Diffstat (limited to '')
-rw-r--r-- | crypto/src/pkix/PkixCertPathValidatorUtilities.cs | 82 |
1 files changed, 43 insertions, 39 deletions
diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs index 55f4afb19..57dfcd6ed 100644 --- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs +++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs @@ -529,46 +529,50 @@ namespace Org.BouncyCastle.Pkix X509Name issuer = GetIssuerPrincipal(cert); - if (issuer.Equivalent(crl_entry.GetCertificateIssuer(), true) - || issuer.Equivalent(crl.IssuerDN, true)) - { - DerEnumerated reasonCode = null; - if (crl_entry.HasExtensions) - { - try - { - reasonCode = DerEnumerated.GetInstance( - GetExtensionValue(crl_entry, X509Extensions.ReasonCode)); - } - catch (Exception e) - { - throw new Exception( - "Reason code CRL entry extension could not be decoded.", - e); - } - } + if (!issuer.Equivalent(crl_entry.GetCertificateIssuer(), true) + && !issuer.Equivalent(crl.IssuerDN, true)) + { + return; + } - // for reason keyCompromise, caCompromise, aACompromise or - // unspecified - if (!(validDate.Ticks < crl_entry.RevocationDate.Ticks) - || reasonCode == null - || reasonCode.Value.TestBit(0) - || reasonCode.Value.TestBit(1) - || reasonCode.Value.TestBit(2) - || reasonCode.Value.TestBit(8)) - { - if (reasonCode != null) // (i) or (j) (1) - { - certStatus.Status = reasonCode.Value.SignValue; - } - else // (i) or (j) (2) - { - certStatus.Status = CrlReason.Unspecified; - } - certStatus.RevocationDate = new DateTimeObject(crl_entry.RevocationDate); - } - } - } + int reasonCodeValue = CrlReason.Unspecified; + + if (crl_entry.HasExtensions) + { + try + { + Asn1Object extValue = GetExtensionValue(crl_entry, X509Extensions.ReasonCode); + DerEnumerated reasonCode = DerEnumerated.GetInstance(extValue); + if (null != reasonCode) + { + reasonCodeValue = reasonCode.IntValueExact; + } + } + catch (Exception e) + { + throw new Exception("Reason code CRL entry extension could not be decoded.", e); + } + } + + DateTime revocationDate = crl_entry.RevocationDate; + if (validDate.Ticks < revocationDate.Ticks) + { + switch (reasonCodeValue) + { + case CrlReason.Unspecified: + case CrlReason.KeyCompromise: + case CrlReason.CACompromise: + case CrlReason.AACompromise: + break; + default: + return; + } + } + + // (i) or (j) + certStatus.Status = reasonCodeValue; + certStatus.RevocationDate = new DateTimeObject(revocationDate); + } /** * Return the next working key inheriting DSA parameters if necessary. |