Show CRL and OCSP URLs in verify output (#7343)

Author: zivkan

src/NuGet.Core/NuGet.Packaging/Signing/Utility/CertificateUtility.cs

@@ -54,6 +54,16 @@ internal static IReadOnlyList<SignatureLog> X509Certificate2ToLogMessages(X509Ce
             issues.Add(SignatureLog.InformationLog($"{indentation}{string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateIssuer, cert.IssuerName.Name)}"));
             issues.Add(SignatureLog.MinimalLog($"{indentation}{string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateValidity, cert.NotBefore, cert.NotAfter)}"));
 
+            foreach (string url in GetCrlDistributionPointUrls(cert))
+            {
+                issues.Add(SignatureLog.InformationLog($"{indentation}{string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateCrlUrl, url)}"));
+            }
+
+            foreach (string url in GetOcspUrls(cert))
+            {
+                issues.Add(SignatureLog.InformationLog($"{indentation}{string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateOcspUrl, url)}"));
+            }
+
             return issues;
         }
 
@@ -66,6 +76,16 @@ private static void X509Certificate2ToString(X509Certificate2 cert, StringBuilde
             certStringBuilder.AppendLine(indentation + string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateHash, fingerprintAlgorithm.ToString(), certificateFingerprint));
             certStringBuilder.AppendLine(indentation + string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateIssuer, cert.IssuerName.Name));
             certStringBuilder.AppendLine(indentation + string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateValidity, cert.NotBefore, cert.NotAfter));
+
+            foreach (string url in GetCrlDistributionPointUrls(cert))
+            {
+                certStringBuilder.AppendLine(indentation + string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateCrlUrl, url));
+            }
+
+            foreach (string url in GetOcspUrls(cert))
+            {
+                certStringBuilder.AppendLine(indentation + string.Format(CultureInfo.CurrentCulture, Strings.CertUtilityCertificateOcspUrl, url));
+            }
         }
 
         /// <summary>
@@ -445,5 +465,119 @@ private static bool IsHex(string certificateFingerprint)
 
             return true;
         }
+
+        /// <summary>
+        /// Extracts CRL Distribution Point URLs from the certificate's CRL Distribution Points extension (OID 2.5.29.31).
+        /// </summary>
+        internal static IReadOnlyList<string> GetCrlDistributionPointUrls(X509Certificate2 cert)
+        {
+            const string CrlDistributionPointsOid = "2.5.29.31";
+            // context-specific primitive tag [6] for uniformResourceIdentifier in GeneralName
+            const byte GeneralNameUriTag = 0x86;
+
+            var urls = new List<string>();
+            var extension = cert.Extensions[CrlDistributionPointsOid];
+
+            if (extension == null)
+            {
+                return urls;
+            }
+
+            try
+            {
+                // CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
+                var reader = new DerEncoding.DerSequenceReader(extension.RawData);
+
+                while (reader.HasData)
+                {
+                    // DistributionPoint ::= SEQUENCE { distributionPoint [0] ... }
+                    var dpReader = reader.ReadSequence();
+
+                    if (dpReader.HasData && dpReader.HasTag(DerEncoding.DerSequenceReader.ContextSpecificConstructedTag0))
+                    {
+                        // distributionPoint [0] CONSTRUCTED
+                        byte[] dpNameData = dpReader.ReadValue((DerEncoding.DerSequenceReader.DerTag)DerEncoding.DerSequenceReader.ContextSpecificConstructedTag0);
+                        var dpNameReader = DerEncoding.DerSequenceReader.CreateForPayload(dpNameData);
+
+                        if (dpNameReader.HasData && dpNameReader.HasTag(DerEncoding.DerSequenceReader.ContextSpecificConstructedTag0))
+                        {
+                            // fullName [0] CONSTRUCTED = GeneralNames
+                            byte[] fullNameData = dpNameReader.ReadValue((DerEncoding.DerSequenceReader.DerTag)DerEncoding.DerSequenceReader.ContextSpecificConstructedTag0);
+                            var gnReader = DerEncoding.DerSequenceReader.CreateForPayload(fullNameData);
+
+                            while (gnReader.HasData)
+                            {
+                                byte tag = gnReader.PeekTag();
+
+                                if (tag == GeneralNameUriTag)
+                                {
+                                    byte[] uriBytes = gnReader.ReadValue((DerEncoding.DerSequenceReader.DerTag)GeneralNameUriTag);
+                                    urls.Add(Encoding.ASCII.GetString(uriBytes));
+                                }
+                                else
+                                {
+                                    gnReader.SkipValue();
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            catch (System.Security.Cryptography.CryptographicException exception)
+            {
+                return [exception.Message];
+            }
+
+            return urls;
+        }
+
+        /// <summary>
+        /// Extracts OCSP responder URLs from the certificate's Authority Information Access extension (OID 1.3.6.1.5.5.7.1.1).
+        /// </summary>
+        internal static IReadOnlyList<string> GetOcspUrls(X509Certificate2 cert)
+        {
+            const string AuthorityInfoAccessOid = "1.3.6.1.5.5.7.1.1";
+            const string OcspAccessMethodOid = "1.3.6.1.5.5.7.48.1";
+            // context-specific primitive tag [6] for uniformResourceIdentifier in GeneralName
+            const byte GeneralNameUriTag = 0x86;
+
+            var urls = new List<string>();
+            var extension = cert.Extensions[AuthorityInfoAccessOid];
+
+            if (extension == null)
+            {
+                return urls;
+            }
+
+            try
+            {
+                // AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
+                var reader = new DerEncoding.DerSequenceReader(extension.RawData);
+
+                while (reader.HasData)
+                {
+                    // AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
+                    var adReader = reader.ReadSequence();
+                    string oid = adReader.ReadOidAsString();
+
+                    if (string.Equals(oid, OcspAccessMethodOid, StringComparison.Ordinal) && adReader.HasData)
+                    {
+                        byte tag = adReader.PeekTag();
+
+                        if (tag == GeneralNameUriTag)
+                        {
+                            byte[] uriBytes = adReader.ReadValue((DerEncoding.DerSequenceReader.DerTag)GeneralNameUriTag);
+                            urls.Add(Encoding.ASCII.GetString(uriBytes));
+                        }
+                    }
+                }
+            }
+            catch (System.Security.Cryptography.CryptographicException exception)
+            {
+                return [exception.Message];
+            }
+
+            return urls;
+        }
     }
 }

src/NuGet.Core/NuGet.Packaging/Strings.Designer.cs

@@ -271,6 +271,14 @@
     <comment>0 -  start date
 1 - end date</comment>
   </data>
+  <data name="CertUtilityCertificateCrlUrl" xml:space="preserve">
+    <value>CRL URL: {0}</value>
+    <comment>0 - CRL distribution point URL</comment>
+  </data>
+  <data name="CertUtilityCertificateOcspUrl" xml:space="preserve">
+    <value>OCSP URL: {0}</value>
+    <comment>0 - OCSP responder URL</comment>
+  </data>
   <data name="CertUtilityMultipleCertificatesFooter" xml:space="preserve">
     <value>... {0} more.</value>
     <comment>0 - number of certificates left</comment>

src/NuGet.Core/NuGet.Packaging/Strings.resx

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">Adresa URL seznamu CRL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">Adresa URL protokolu OCSP: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... dalších {0}.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.cs.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">CRL-URL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">OCSP-URL: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... {0} weitere.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.de.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">DIRECCIÓN URL DE CRL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">DIRECCIÓN URL DE OCSP: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... {0} más.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.es.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">URL de la liste de révocation des certificats (CRL) : {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">URL du serveur OCSP : {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... {0} de plus.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.fr.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">URL CRL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">URL OCSP: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... altri {0}.</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.it.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">CRL URL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">OCSP URL: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">... さらに {0}。</target>

src/NuGet.Core/NuGet.Packaging/xlf/Strings.ja.xlf

@@ -44,6 +44,16 @@
         <note>0 -  start date
 1 - end date</note>
       </trans-unit>
+      <trans-unit id="CertUtilityCertificateCrlUrl">
+        <source>CRL URL: {0}</source>
+        <target state="translated">CRL URL: {0}</target>
+        <note>0 - CRL distribution point URL</note>
+      </trans-unit>
+      <trans-unit id="CertUtilityCertificateOcspUrl">
+        <source>OCSP URL: {0}</source>
+        <target state="translated">OCSP URL: {0}</target>
+        <note>0 - OCSP responder URL</note>
+      </trans-unit>
       <trans-unit id="CertUtilityMultipleCertificatesFooter">
         <source>... {0} more.</source>
         <target state="translated">...기타 {0}개.</target>