private static void ValidateTimestampCms(SigningSpecifications spec, SignedCms timestampCms, Rfc3161TimestampToken timestampToken)
{
var signerInfo = timestampCms.SignerInfos[0];
try
{
signerInfo.CheckSignature(verifySignatureOnly: true);
}
catch (Exception e)
{
throw new TimestampException(NuGetLogCode.NU3021, Strings.SignError_TimestampSignatureValidationFailed, e);
}
if (signerInfo.Certificate == null)
{
throw new TimestampException(NuGetLogCode.NU3020, Strings.SignError_TimestampNoCertificate);
}
if (!CertificateUtility.IsSignatureAlgorithmSupported(signerInfo.Certificate))
{
throw new TimestampException(NuGetLogCode.NU3022, Strings.SignError_TimestampUnsupportedSignatureAlgorithm);
}
if (!CertificateUtility.IsCertificatePublicKeyValid(signerInfo.Certificate))
{
throw new TimestampException(NuGetLogCode.NU3023, Strings.SignError_TimestampCertificateFailsPublicKeyLengthRequirement);
}
if (!spec.AllowedHashAlgorithmOids.Contains(signerInfo.DigestAlgorithm.Value))
{
throw new TimestampException(NuGetLogCode.NU3024, Strings.SignError_TimestampUnsupportedSignatureAlgorithm);
}
if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(signerInfo.Certificate))
{
throw new TimestampException(NuGetLogCode.NU3025, Strings.SignError_TimestampNotYetValid);
}
if (!CertificateUtility.IsDateInsideValidityPeriod(signerInfo.Certificate, timestampToken.TokenInfo.Timestamp))
{
throw new TimestampException(NuGetLogCode.NU3036, Strings.SignError_TimestampGeneralizedTimeInvalid);
}
}
internal static SignatureVerificationStatusFlags ValidateTimestamp(Timestamp timestamp, Signature signature, bool treatIssuesAsErrors, List <SignatureLog> issues, SigningSpecifications spec)
{
if (timestamp == null)
{
throw new ArgumentNullException(nameof(timestamp));
}
if (signature == null)
{
throw new ArgumentNullException(nameof(signature));
}
if (issues == null)
{
throw new ArgumentNullException(nameof(issues));
}
// Default to specification v1
spec = spec ?? SigningSpecifications.V1;
var validationFlags = SignatureVerificationStatusFlags.NoErrors;
var signerInfo = timestamp.SignerInfo;
if (timestamp.SignerInfo.Certificate != null)
{
try
{
signerInfo.CheckSignature(verifySignatureOnly: true);
}
catch (Exception e)
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3021, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampSignatureValidationFailed, signature.FriendlyName)));
issues.Add(SignatureLog.DebugLog(e.ToString()));
validationFlags |= SignatureVerificationStatusFlags.SignatureCheckFailed;
}
if (!CertificateUtility.IsSignatureAlgorithmSupported(signerInfo.Certificate))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3022, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampUnsupportedSignatureAlgorithm, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.SignatureAlgorithmUnsupported;
}
if (!CertificateUtility.IsCertificatePublicKeyValid(signerInfo.Certificate))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3023, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampCertificateFailsPublicKeyLengthRequirement, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.CertificatePublicKeyInvalid;
}
if (!spec.AllowedHashAlgorithmOids.Contains(signerInfo.DigestAlgorithm.Value))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3024, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampUnsupportedSignatureAlgorithm, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.HashAlgorithmUnsupported;
}
try
{
var hashAlgorithm = CryptoHashUtility.OidToHashAlgorithmName(timestamp.TstInfo.HashAlgorithmId.Value);
var signatureValue = signature.GetSignatureValue();
var messageHash = hashAlgorithm.ComputeHash(signatureValue);
if (!timestamp.TstInfo.HasMessageHash(messageHash))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3019, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampIntegrityCheckFailed, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.IntegrityCheckFailed;
}
}
catch
{
// If the hash algorithm is not supported OidToHashAlgorithmName will throw
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3030, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampMessageImprintUnsupportedHashAlgorithm, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.MessageImprintUnsupportedAlgorithm;
}
if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(signerInfo.Certificate))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3025, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampNotYetValid, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.CertificateValidityInTheFuture;
}
if (!CertificateUtility.IsDateInsideValidityPeriod(signerInfo.Certificate, timestamp.GeneralizedTime))
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3036, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampGeneralizedTimeInvalid, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.GeneralizedTimeOutsideValidity;
}
}
else
{
issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3020, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampNoCertificate, signature.FriendlyName)));
validationFlags |= SignatureVerificationStatusFlags.NoCertificate;
}
return(validationFlags);
}