public override byte[] GetSignatureValue()
{
using (var nativeCms = NativeCms.Decode(_primarySignature.SignedCms.Encode()))
{
return(nativeCms.GetRepositoryCountersignatureSignatureValue());
}
}
public override byte[] GetSignatureValue()
{
using (var nativeCms = NativeCms.Decode(SignedCms.Encode()))
{
return(nativeCms.GetPrimarySignatureSignatureValue());
}
}
private static void InsertTimestampCertChainIntoTimestampCms(
SignedCms timestampCms,
X509Chain timstampCertChain,
NativeCms timestampNativeCms)
{
timestampNativeCms.AddCertificates(timstampCertChain.ChainElements
.Cast <X509ChainElement>()
.Where(c => !timestampCms.Certificates.Contains(c.Certificate))
.Select(c => c.Certificate.Export(X509ContentType.Cert)));
}
private static PrimarySignature CreateRepositoryCountersignature(CmsSigner cmsSigner, PrimarySignature primarySignature, CngKey privateKey)
{
using (var primarySignatureNativeCms = NativeCms.Decode(primarySignature.GetBytes()))
{
primarySignatureNativeCms.AddCountersignature(cmsSigner, privateKey);
var bytes = primarySignatureNativeCms.Encode();
var updatedCms = new SignedCms();
updatedCms.Decode(bytes);
return(PrimarySignature.Load(updatedCms));
}
}
/// <summary>
/// Timestamps data present in the TimestampRequest.
/// </summary>
public Task <PrimarySignature> TimestampSignatureAsync(PrimarySignature primarySignature, TimestampRequest request, ILogger logger, CancellationToken token)
{
var timestampCms = GetTimestamp(request, logger, token);
using (var signatureNativeCms = NativeCms.Decode(primarySignature.GetBytes()))
{
if (request.Target == SignaturePlacement.Countersignature)
{
signatureNativeCms.AddTimestampToRepositoryCountersignature(timestampCms);
}
else
{
signatureNativeCms.AddTimestamp(timestampCms);
}
return(Task.FromResult(PrimarySignature.Load(signatureNativeCms.Encode())));
}
}
private static SignedCms EnsureCertificatesInCertificatesCollection(
SignedCms timestampCms,
IReadOnlyList <X509Certificate2> chain)
{
using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode()))
{
timestampNativeCms.AddCertificates(
chain.Where(certificate => !timestampCms.Certificates.Contains(certificate))
.Select(certificate => certificate.RawData));
var bytes = timestampNativeCms.Encode();
var updatedCms = new SignedCms();
updatedCms.Decode(bytes);
return(updatedCms);
}
}
private Timestamp GetValidTimestamp(
Signature signature,
bool allowMultipleTimestamps,
bool allowIgnoreTimestamp,
bool allowNoTimestamp,
bool allowUnknownRevocation,
List <SignatureLog> issues)
{
var timestamps = signature.Timestamps;
if (timestamps.Count == 0)
{
issues.Add(SignatureLog.Issue(!allowNoTimestamp, NuGetLogCode.NU3027, Strings.ErrorNoTimestamp));
if (!allowNoTimestamp)
{
throw new TimestampException();
}
}
if (timestamps.Count > 1 && !allowMultipleTimestamps)
{
issues.Add(SignatureLog.Issue(true, NuGetLogCode.NU3000, Strings.ErrorMultipleTimestamps));
throw new TimestampException();
}
var timestamp = timestamps.FirstOrDefault();
if (timestamp != null)
{
using (var authorSignatureNativeCms = NativeCms.Decode(signature.SignedCms.Encode(), detached: false))
{
var signatureHash = NativeCms.GetSignatureValueHash(signature.SignatureContent.HashAlgorithm, authorSignatureNativeCms);
if (!IsTimestampValid(timestamp, signatureHash, allowIgnoreTimestamp, allowUnknownRevocation, issues) && !allowIgnoreTimestamp)
{
throw new TimestampException();
}
}
}
return(timestamp);
}
internal static ICms Create(byte[] cmsBytes)
{
if (cmsBytes == null)
{
throw new ArgumentNullException(nameof(cmsBytes));
}
#if IS_SIGNING_SUPPORTED
ICms cms = null;
#if IS_DESKTOP
NativeCms nativeCms = NativeCms.Decode(cmsBytes);
cms = new NativeCmsWrapper(nativeCms);
#else
SignedCms signedCms = new SignedCms();
signedCms.Decode(cmsBytes);
cms = new ManagedCmsWrapper(signedCms);
#endif
return(cms);
#else
throw new NotSupportedException();
#endif
}
internal static byte[] GetSignatureValueHash(HashAlgorithmName hashAlgorithmName, NativeCms nativeCms)
{
var signatureValue = nativeCms.GetEncryptedDigest();
using (var signatureValueStream = new MemoryStream(signatureValue))
using (var hashAlgorithm = hashAlgorithmName.GetHashProvider())
{
return(hashAlgorithm.ComputeHash(signatureValueStream, leaveStreamOpen: false));
}
}
/// <summary>
/// Timestamps data present in the TimestampRequest.
/// </summary>
public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
{
token.ThrowIfCancellationRequested();
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
// Get the signatureValue from the signerInfo object
using (var nativeCms = NativeCms.Decode(request.Signature))
{
var signatureValue = nativeCms.GetPrimarySignatureSignatureValue();
var messageHash = request.TimestampHashAlgorithm.ComputeHash(signatureValue);
// Allows us to track the request.
var nonce = GenerateNonce();
var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
messageHash,
request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
nonce: nonce,
requestSignerCertificates: true);
// Request a timestamp
// The response status need not be checked here as lower level api will throw if the response is invalid
var timestampToken = rfc3161TimestampRequest.SubmitRequest(
_timestamperUrl,
TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));
// quick check for response validity
ValidateTimestampResponse(nonce, messageHash, timestampToken);
var timestampCms = timestampToken.AsSignedCms();
ValidateTimestampCms(request.SigningSpec, timestampCms);
// If the timestamp signed CMS already has a complete chain for the signing certificate,
// it's ready to be added to the signature to be timestamped.
// However, a timestamp service is not required to include all certificates in a complete
// chain for the signing certificate in the SignedData.certificates collection.
// Some timestamp services include all certificates except the root in the
// SignedData.certificates collection.
var signerInfo = timestampCms.SignerInfos[0];
var chain = CertificateChainUtility.GetCertificateChain(
signerInfo.Certificate,
timestampCms.Certificates,
logger,
CertificateType.Timestamp);
var timestampCmsWithChainCertificates = EnsureCertificatesInCertificatesCollection(timestampCms, chain);
var bytes = timestampCmsWithChainCertificates.Encode();
nativeCms.AddTimestamp(bytes);
return(nativeCms.Encode());
}
}
internal static byte[] GetSignatureValueHash(HashAlgorithmName hashAlgorithm, NativeCms nativeCms)
{
var signatureValue = nativeCms.GetEncryptedDigest();
var signatureValueStream = new MemoryStream(signatureValue);
var signatureValueHashByteArray = hashAlgorithm
.GetHashProvider()
.ComputeHash(signatureValueStream, leaveStreamOpen: false);
return(signatureValueHashByteArray);
}
/// <summary>
/// Timestamps data present in the TimestampRequest.
/// </summary>
public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
{
token.ThrowIfCancellationRequested();
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
// Get the signatureValue from the signerInfo object
using (var signatureNativeCms = NativeCms.Decode(request.SignatureValue, detached: false))
{
var signatureValueHashByteArray = NativeCms.GetSignatureValueHash(
request.TimestampHashAlgorithm,
signatureNativeCms);
// Allows us to track the request.
var nonce = GenerateNonce();
var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
signatureValueHashByteArray,
request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
nonce: nonce,
requestSignerCertificates: true);
// Request a timestamp
// The response status need not be checked here as lower level api will throw if the response is invalid
var timestampToken = rfc3161TimestampRequest.SubmitRequest(
_timestamperUrl,
TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));
// quick check for response validity
ValidateTimestampResponse(nonce, signatureValueHashByteArray, timestampToken);
var timestampCms = timestampToken.AsSignedCms();
ValidateTimestampCms(request.SigningSpec, timestampCms);
byte[] timestampByteArray;
using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode(), detached: false))
using (var chainHolder = new X509ChainHolder())
{
var chain = chainHolder.Chain;
var policy = chain.ChainPolicy;
policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEku));
policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid | X509VerificationFlags.IgnoreCtlNotTimeValid;
policy.ExtraStore.AddRange(timestampCms.Certificates);
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.Online;
var timestampSignerCertificate = timestampCms.SignerInfos[0].Certificate;
if (timestampSignerCertificate == null)
{
throw new TimestampException(NuGetLogCode.NU3020, Strings.TimestampNoCertificate);
}
if (!chain.Build(timestampSignerCertificate))
{
var messages = CertificateChainUtility.GetMessagesFromChainStatuses(chain.ChainStatus);
throw new TimestampException(NuGetLogCode.NU3028, string.Format(CultureInfo.CurrentCulture, Strings.TimestampCertificateChainBuildFailure, string.Join(", ", messages)));
}
// Insert all the certificates into timestampCms
InsertTimestampCertChainIntoTimestampCms(timestampCms, chain, timestampNativeCms);
timestampByteArray = timestampNativeCms.Encode();
}
signatureNativeCms.AddTimestamp(timestampByteArray);
return(signatureNativeCms.Encode());
}
}
public NativeCmsWrapper(NativeCms nativeCms)
{
_nativeCms = nativeCms;
}
/// <summary>
/// Timestamps data present in the TimestampRequest.
/// </summary>
public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
{
token.ThrowIfCancellationRequested();
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
// Get the signatureValue from the signerInfo object
using (var signatureNativeCms = NativeCms.Decode(request.SignatureValue, detached: false))
{
var signatureValueHashByteArray = NativeCms.GetSignatureValueHash(
request.TimestampHashAlgorithm,
signatureNativeCms);
// Allows us to track the request.
var nonce = GenerateNonce();
var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
signatureValueHashByteArray,
request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
nonce: nonce,
requestSignerCertificates: true);
// Request a timestamp
// The response status need not be checked here as lower level api will throw if the response is invalid
var timestampToken = rfc3161TimestampRequest.SubmitRequest(
_timestamperUrl,
TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));
// ensure response is for this request
ValidateTimestampResponseNonce(nonce, timestampToken);
var timestampCms = timestampToken.AsSignedCms();
byte[] timestampByteArray;
using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode(), detached: false))
using (var timestampCertChain = new X509Chain())
{
var policy = timestampCertChain.ChainPolicy;
policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEkuOid));
policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;
policy.ExtraStore.AddRange(timestampCms.Certificates);
policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
policy.RevocationMode = X509RevocationMode.Online;
var timestampSignerCertificate = GetTimestampSignerCertificate(timestampCms);
if (DateTime.Now < timestampSignerCertificate.NotBefore)
{
throw new TimestampException(LogMessage.CreateError(
NuGetLogCode.NU3025,
string.Format(CultureInfo.CurrentCulture,
Strings.TimestampCertificateInvalid,
$"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(timestampSignerCertificate)}")));
}
if (!timestampCertChain.Build(timestampSignerCertificate))
{
throw new TimestampException(LogMessage.CreateError(
NuGetLogCode.NU3028,
string.Format(CultureInfo.CurrentCulture,
Strings.TimestampCertificateChainBuildFailure,
$"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(timestampSignerCertificate)}")));
}
// Insert all the certificates into timestampCms
InsertTimestampCertChainIntoTimestampCms(timestampCms, timestampCertChain, timestampNativeCms);
timestampByteArray = timestampCms.Encode();
}
signatureNativeCms.AddTimestamp(timestampByteArray);
return(signatureNativeCms.Encode());
}
}