Razširitvene metode za preverjanje preklica certifikatov.

namespace WvdS.System.Security.Cryptography.X509Certificates;
 
public static class RevocationExtensions

Z obstoječim CRL:

using System.Security.Cryptography.X509Certificates;
using WvdS.System.Security.Cryptography.X509Certificates;
 
var certificate = new X509Certificate2("user.cer");
byte[] crlData = File.ReadAllBytes("ca.crl");
var caCert = new X509Certificate2("ca.cer");
 
// Preverjanje s preverjanjem podpisa
RevocationResult result = certificate.IsRevoked(crlData, caCert, CryptoMode.Hybrid);
 
if (result.Success)
{
    if (result.IsRevoked)
    {
        Console.WriteLine($"Certifikat preklican dne: {result.RevocationDate}");
        Console.WriteLine($"Razlog: {result.Reason}");
    }
    else
    {
        Console.WriteLine("Certifikat je veljaven");
    }
}
else
{
    Console.WriteLine($"Napaka: {result.ErrorMessage}");
}

Samodejno nalaganje CRL:

// Naloži CRL z URL-ja iz CDP-razširitve certifikata
RevocationResult result = await certificate.CheckRevocationAsync(
    caCert,
    mode: CryptoMode.Hybrid);

// Samo nalaganje CRL, brez preverjanja
byte[]? crlData = await certificate.FetchCrlAsync();
 
if (crlData != null)
{
    File.WriteAllBytes("downloaded.crl", crlData);
}

Z lastnim HttpClient:

using var httpClient = new HttpClient();
httpClient.Timeout = TimeSpan.FromSeconds(10);
 
byte[]? crlData = await certificate.FetchCrlAsync(httpClient);

IReadOnlyList<string> crlUrls = certificate.GetCrlDistributionPoints();
 
foreach (var url in crlUrls)
{
    Console.WriteLine($"CRL URL: {url}");
}
 
// Hitro preverjanje
bool hasCdp = certificate.HasCrlDistributionPoints();

IReadOnlyList<string> ocspUrls = certificate.GetOcspUrls();
 
foreach (var url in ocspUrls)
{
    Console.WriteLine($"OCSP Responder: {url}");
}
 
// Hitro preverjanje
bool hasOcsp = certificate.HasOcspUrls();

Za pogoste preverjanja s samodejnim predpomnenjem:

using var cache = new CrlCache(defaultCacheDuration: TimeSpan.FromHours(1));
 
// Preverjanje s samodejnim CRL-predpomnenjem
RevocationResult result1 = await cache.CheckRevocationAsync(cert1, caCert);
RevocationResult result2 = await cache.CheckRevocationAsync(cert2, caCert); // CRL iz predpomnilnika
 
// Čiščenje predpomnilnika
cache.Clear();

Z lastnim HttpClient:

using var httpClient = new HttpClient();
using var cache = new CrlCache(httpClient, TimeSpan.FromMinutes(30));
 
// Preverjanje več certifikatov
foreach (var cert in certificates)
{
    var result = await cache.CheckRevocationAsync(cert, caCert, CryptoMode.Hybrid);
    // ...
}

Za popolno validacijo verige s CRL-preverjanjem:

using var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
 
bool valid = chain.Build(certificate, CryptoMode.Hybrid);
 
if (!valid)
{
    foreach (var status in chain.ChainStatus)
    {
        if (status.Status == X509ChainStatusFlags.Revoked)
        {
            Console.WriteLine("Certifikat v verigi preklican");
        }
    }
}

Za air-gapped sisteme brez omrežnega dostopa:

// CRL-ji predhodno naloženi in shranjeni
var crlFiles = new Dictionary<string, byte[]>
{
    ["CN=Root CA"] = File.ReadAllBytes("root.crl"),
    ["CN=Issuing CA"] = File.ReadAllBytes("issuing.crl")
};
 
// Offline-preverjanje
RevocationResult result = certificate.IsRevoked(crlFiles["CN=Issuing CA"], caCert);

• Aktivirajte CRL-predpomnjenje: Uporabljajte CrlCache za ponavljajoča preverjanja
• Nastavite časovne omejitve: Konfigurirajte HttpClient-časovne omejitve za omrežne operacije
• Implementirajte nadomestno rešitev: Preverite OCSP če CRL ni na voljo
• Offline-kopije: Hranite lokalne CRL-kopije za kritične sisteme

• CertificateRevocationListExtensions - Ustvarjanje CRL
• X509ChainExtensions - Validacija verige
• Koncept preklica

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional