authorPeter Dettman <peter.dettman@bouncycastle.org>2020-02-21 18:05:27 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2020-02-21 18:05:27 +0700
commit949c5f658b9558c5f163a3c523d1efaf73ea1319 (patch)
tree2743ed0822d1a6cdb77a3d0671014339e8ccab03 /crypto/src/pkix
parentUpdate ASN.1 GetInstance methods (diff)
Fix handling of reason codes
Diffstat (limited to 'crypto/src/pkix')
-rw-r--r--crypto/src/pkix/PkixCertPathValidatorUtilities.cs82
1 files changed, 43 insertions, 39 deletions
diff --git a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
index 55f4afb19..57dfcd6ed 100644
--- a/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
+++ b/crypto/src/pkix/PkixCertPathValidatorUtilities.cs
@@ -529,46 +529,50 @@ namespace Org.BouncyCastle.Pkix
 
 			X509Name issuer = GetIssuerPrincipal(cert);
 
-			if (issuer.Equivalent(crl_entry.GetCertificateIssuer(), true)
-				|| issuer.Equivalent(crl.IssuerDN, true))
-			{
-				DerEnumerated reasonCode = null;
-				if (crl_entry.HasExtensions)
-				{
-					try
-					{
-						reasonCode = DerEnumerated.GetInstance(
-							GetExtensionValue(crl_entry, X509Extensions.ReasonCode));
-					}
-					catch (Exception e)
-					{
-						throw new Exception(
-							"Reason code CRL entry extension could not be decoded.",
-							e);
-					}
-				}
+			if (!issuer.Equivalent(crl_entry.GetCertificateIssuer(), true)
+				&& !issuer.Equivalent(crl.IssuerDN, true))
+            {
+                return;
+            }
 
-				// for reason keyCompromise, caCompromise, aACompromise or
-				// unspecified
-				if (!(validDate.Ticks < crl_entry.RevocationDate.Ticks)
-					|| reasonCode == null
-					|| reasonCode.Value.TestBit(0)
-					|| reasonCode.Value.TestBit(1)
-					|| reasonCode.Value.TestBit(2)
-					|| reasonCode.Value.TestBit(8))
-				{
-					if (reasonCode != null) // (i) or (j) (1)
-					{
-						certStatus.Status = reasonCode.Value.SignValue;
-					}
-					else // (i) or (j) (2)
-					{
-						certStatus.Status = CrlReason.Unspecified;
-					}
-					certStatus.RevocationDate = new DateTimeObject(crl_entry.RevocationDate);
-				}
-			}
-		}
+            int reasonCodeValue = CrlReason.Unspecified;
+
+            if (crl_entry.HasExtensions)
+            {
+                try
+                {
+                    Asn1Object extValue = GetExtensionValue(crl_entry, X509Extensions.ReasonCode);
+                    DerEnumerated reasonCode = DerEnumerated.GetInstance(extValue);
+                    if (null != reasonCode)
+                    {
+                        reasonCodeValue = reasonCode.IntValueExact;
+                    }
+                }
+                catch (Exception e)
+                {
+                    throw new Exception("Reason code CRL entry extension could not be decoded.", e);
+                }
+            }
+
+            DateTime revocationDate = crl_entry.RevocationDate;
+            if (validDate.Ticks < revocationDate.Ticks)
+            {
+                switch (reasonCodeValue)
+                {
+                case CrlReason.Unspecified:
+                case CrlReason.KeyCompromise:
+                case CrlReason.CACompromise:
+                case CrlReason.AACompromise:
+                    break;
+                default:
+                    return;
+                }
+            }
+
+            // (i) or (j)
+            certStatus.Status = reasonCodeValue;
+            certStatus.RevocationDate = new DateTimeObject(revocationDate);
+        }
 
 		/**
 		* Return the next working key inheriting DSA parameters if necessary.
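Review bot: The added lines from the `{` under the inverted issuer check down to the method's closing brace are indented with spaces, while the two `if` lines directly above them and the rest of the file use tabs, so the hunk leaves the method with mixed indentation; re-indenting the new block with tabs before merging would keep the file consistent. The switch that lets a revocation dated after validDate through for only four reason codes also lost the explanation the removed code carried, and `// (i) or (j)` alone does not say why those four are special; a one-line comment such as `// a revocation later than validDate still counts for unspecified, keyCompromise, cACompromise and aACompromise` above `switch (reasonCodeValue)` would keep the intent readable. The catch block still rethrows the decode failure as a bare `Exception`, which callers cannot distinguish from any other failure in path validation; a more specific exception type would make the reason-code decode error catchable on its own, though that is inherited from the removed code rather than introduced here. The enclosing method's signature is above the hunk.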