private static bool ValidateStrongChain(ICmsSignature signature, X509Chain chain, SignatureLogger verboseWriter)
        {
            var signatureStrength = GetHashStrenghForComparison(signature.DigestAlgorithm.Value !);
            var strongShaChain    = true;
            var leafCertificateSignatureAlgorithm         = chain.ChainElements[0].Certificate.SignatureAlgorithm;
            var leafCertificateSignatureAlgorithmStrength = GetHashStrenghForComparison(leafCertificateSignatureAlgorithm.Value !);

            //We use count-1 because we don't want to validate the root certificate.
            for (var i = 0; i < chain.ChainElements.Count - 1; i++)
            {
                var element                 = chain.ChainElements[i];
                var signatureAlgorithm      = element.Certificate.SignatureAlgorithm;
                var certificateHashStrength = GetHashStrenghForComparison(signatureAlgorithm.Value !);
                if (certificateHashStrength < signatureStrength)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Certificate {element.Certificate.Thumbprint} in chain uses {element.Certificate.SignatureAlgorithm.FriendlyName} for its signature algorithm instead of at least {signature.DigestAlgorithm.FriendlyName}.");
                    strongShaChain = false;
                }
                //Check that all intermediates are at least as strong as the leaf.
                else if (certificateHashStrength < leafCertificateSignatureAlgorithmStrength)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Certificate {element.Certificate.Thumbprint} in chain uses {element.Certificate.SignatureAlgorithm.FriendlyName} for its signature algorithm instead of at least {signature.DigestAlgorithm.FriendlyName}.");
                }
            }
            return(strongShaChain);
        }
Beispiel #2
0
        internal unsafe AuthenticodeTimestampCmsSignature(AsnEncodedData data, ICmsSignature owningSignature)
        {
            OwningSignature        = owningSignature;
            Kind                   = SignatureKind.AuthenticodeTimestamp;
            AdditionalCertificates = owningSignature.AdditionalCertificates;
            fixed(byte *dataPtr = data.RawData)
            {
                uint size = 0;

                if (Crypt32.CryptDecodeObjectEx(EncodingType.PKCS_7_ASN_ENCODING | EncodingType.X509_ASN_ENCODING, (IntPtr)500, new IntPtr(dataPtr), (uint)data.RawData.Length, CryptDecodeFlags.CRYPT_DECODE_ALLOC_FLAG, IntPtr.Zero, out var localBuffer, ref size))
                {
                    using (localBuffer)
                    {
                        var signerInfo = Marshal.PtrToStructure <CMSG_SIGNER_INFO>(localBuffer.DangerousGetHandle());
                        Signature               = ReadBlob(signerInfo.EncryptedHash);
                        DigestAlgorithm         = new Oid(signerInfo.HashAlgorithm.pszObjId);
                        HashEncryptionAlgorithm = new Oid(signerInfo.HashEncryptionAlgorithm.pszObjId);
                        SerialNumber            = ReadBlob(signerInfo.SerialNumber);
                        UnsignedAttributes      = ReadAttributes(signerInfo.UnauthAttrs);
                        SignedAttributes        = ReadAttributes(signerInfo.AuthAttrs);
                        var subjectId = new UniversalSubjectIdentifier(signerInfo.Issuer, signerInfo.SerialNumber);
                        if (subjectId.Type == SubjectIdentifierType.SubjectKeyIdentifier)
                        {
                            Certificate = FindCertificate((string)subjectId.Value, OwningSignature.AdditionalCertificates);
                        }
                        else if (subjectId.Type == SubjectIdentifierType.IssuerAndSerialNumber)
                        {
                            Certificate = FindCertificate((X509IssuerSerial)subjectId.Value, OwningSignature.AdditionalCertificates);
                        }
                    }
                }
Beispiel #3
0
 internal AuthenticodeSignature(ICmsSignature cmsSignature)
 {
     if ((cmsSignature.Kind & SignatureKind.AnySignature) == 0)
     {
         throw new ArgumentException("The signature must be a root or nested signature.", nameof(cmsSignature));
     }
     _cmsSignature = cmsSignature;
 }
        private static bool ValidatEKUForChain(ICmsSignature signature, X509Chain chain, SignatureLogger verboseWriter)
        {
            bool signingCertEKU = false;
            bool chainEKU       = false;
            X509ExtensionCollection extensions = signature.Certificate.Extensions;

            foreach (X509Extension extension in extensions)
            {
                if (extension.Oid.FriendlyName == "Enhanced Key Usage")
                {
                    signingCertEKU = true;
                    //break;
                    X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension;

                    OidCollection oids = ext.EnhancedKeyUsages;
                    EKUCritical = ext.Critical;

                    foreach (Oid oid in oids)
                    {
                        //if (oid.Equals("1.3.6.1.5.5.7.3.3"))


                        EKU_oidStr = oid.FriendlyName + "(" + oid.Value + ")" + ";" + EKU_oidStr;
                    }
                    Console.WriteLine(EKU_oidStr);
                }
            }
            string EKU =
                var signatureStrength = GetHashStrenghForComparison(signature.DigestAlgorithm.Value);
            var strongShaChain = true;
            var leafCertificateSignatureAlgorithm         = chain.ChainElements[0].Certificate.SignatureAlgorithm;
            var leafCertificateSignatureAlgorithmStrength = GetHashStrenghForComparison(leafCertificateSignatureAlgorithm.Value);

            //We use count-1 because we don't want to validate the root certificate.
            for (var i = 0; i < chain.ChainElements.Count - 1; i++)
            {
                var element                 = chain.ChainElements[i];
                var signatureAlgorithm      = element.Certificate.SignatureAlgorithm;
                var certificateHashStrength = GetHashStrenghForComparison(signatureAlgorithm.Value);
                if (certificateHashStrength < signatureStrength)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Certificate {element.Certificate.Thumbprint} in chain uses {element.Certificate.SignatureAlgorithm.FriendlyName} for its signature algorithm instead of at least {signature.DigestAlgorithm.FriendlyName}.");
                    strongShaChain = false;
                }
                //Check that all intermediates are at least as strong as the leaf.
                else if (certificateHashStrength < leafCertificateSignatureAlgorithmStrength)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Certificate {element.Certificate.Thumbprint} in chain uses {element.Certificate.SignatureAlgorithm.FriendlyName} for its signature algorithm instead of at least {signature.DigestAlgorithm.FriendlyName}.");
                }
            }
            return(strongShaChain);
        }
Beispiel #5
0
        internal static IEnumerable <ICmsSignature> VisitAll(this ICmsSignature signature, SignatureKind kind, bool deep)
        {
            foreach (var nested in signature.GetNestedSignatures())
            {
                if ((nested.Kind & kind) > 0)
                {
                    yield return(nested);

                    foreach (var nestVisit in nested.VisitAll(kind, deep))
                    {
                        yield return(nestVisit);
                    }
                }
                else if (deep)
                {
                    foreach (var nestVisit in nested.VisitAll(kind, deep))
                    {
                        yield return(nestVisit);
                    }
                }
            }
        }
 public static byte[]? SignatureDigest(this ICmsSignature signature)
 {
     return(signature.SignedAttributes
            .Cast <CryptographicAttributeObject>()
            .FirstOrDefault(s => s.Oid.Value == KnownOids.MessageDigest)?.Values[0].RawData);
 }
Beispiel #7
0
        public override void LogSignatureMessage(ICmsSignature signature, string message)
        {
            var digestString = HashHelpers.GetHashForSignature(signature);

            Messages.Add($"Signature {digestString}: {message}");
        }
Beispiel #8
0
 public abstract void LogSignatureMessage(ICmsSignature signature, string message);
Beispiel #9
0
 public override void LogSignatureMessage(ICmsSignature signature, string message)
 {
 }
 protected abstract bool ValidateChain(ICmsSignature signer, X509Chain chain, SignatureLogger verboseWriter);
 protected override bool ValidateChain(ICmsSignature signer, X509Chain chain, SignatureLogger verboseWriter)
 {
     return(ValidatEKUForChain(signer, chain, verboseWriter));
 }
        public static string GetHashForSignature(ICmsSignature signature)
        {
            var digest = signature.SignatureDigest();

            return(digest.Aggregate(new StringBuilder(), (acc, b) => acc.AppendFormat("{0:x2}", b)).ToString());
        }
Beispiel #13
0
 public void Add(ICmsSignature signature) => _nestedSignatures.Add(signature);
Beispiel #14
0
        private static TestResult ValidateBasicConstraints(ICmsSignature signature, X509Chain chain, SignatureLogger verboseWriter)
        {
            var     pass          = false;
            Boolean BCCritical    = false;
            int     BC_extension  = 0;
            Boolean BC_CA         = false;
            Boolean hasPathLength = false;
            string  KU            = "";
            int     pathLength    = 0;
            string  issuer        = "";
            var     leafCertificateSignatureAlgorithm = chain.ChainElements[0].Certificate.SignatureAlgorithm;

            //We use count-1 because we don't want to validate the root certificate.
            for (var i = 0; i < chain.ChainElements.Count - 1; i++)
            {
                var element            = chain.ChainElements[i];
                var signatureAlgorithm = element.Certificate.SignatureAlgorithm;
                issuer = element.Certificate.Issuer;
                X509ExtensionCollection extensions = element.Certificate.Extensions;
                BC_extension  = 0;
                BC_CA         = false;
                hasPathLength = false;
                pathLength    = 0;
                KU            = "";

                foreach (X509Extension extension in extensions)
                {
                    if (extension.Oid.FriendlyName == "Basic Constraints")
                    {
                        X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;
                        BCCritical = ext.Critical;

                        BC_extension++;
                        BC_CA         = ext.CertificateAuthority;
                        hasPathLength = ext.HasPathLengthConstraint;
                        pathLength    = ext.PathLengthConstraint;
                    }
                }

                /*   if (BC_extension == 0 && i>0)
                 * {
                 *        Console.WriteLine(issuer);
                 *        Console.WriteLine("No BC.");
                 *        Console.WriteLine(KU);
                 *        Console.WriteLine(Program.appName);
                 *        Console.WriteLine("==================================================================");
                 * }*/
                if (i == 0)
                {
                    if (BC_extension == 1 && !BC_CA)
                    {
                        pass = true;
                    }
                    else if (BC_extension > 1)
                    {
                        verboseWriter.LogSignatureMessage(signature, $"Signature has duplicate Basic Constraints extension.");
                        pass = false;
                    }
                    else if (BC_extension == 1 && BC_CA)
                    {
                        verboseWriter.LogSignatureMessage(signature, $"Signature has violating CA filed for Basic Constraints.");
                        pass = false;
                    }
                    else
                    {
                        pass = false;
                    }
                }
                else
                {
                    verboseWriter.LogSignatureMessage(signature, $"Not a leaf certificate.");
                }
            }
            return(pass ? TestResult.Pass : TestResult.Fail);
        }
Beispiel #15
0
 private protected TimestampSignature(ICmsSignature cmsSignature)
 {
     _cmsSignature = cmsSignature;
 }