/// <summary>
/// Parses and checks contents of the DICE extension
/// </summary>
/// <param name="c">Certificate to validate</param>
/// <returns>Extension is well formed</returns>
bool CheckDICEExtension(X509Certificate c)
{
var criticalOids = c.GetCriticalExtensionOids();
if (criticalOids.Contains(DICEExtensionOid))
{
Error("DICE extension is marked critical and should be non-critical");
return(false);
}
var nonCriticalOids = c.GetNonCriticalExtensionOids();
if (!nonCriticalOids.Contains(DICEExtensionOid))
{
Error("DICE extension not found");
return(false);
}
var diceExtension = c.GetExtensionValue(new DerObjectIdentifier(DICEExtensionOid));
try
{
DerOctetString envelope = (DerOctetString)DerOctetString.FromByteArray(diceExtension.GetEncoded());
DerSequence seq = (DerSequence)DerSequence.FromByteArray(envelope.GetOctets());
// first field is version number
var versionNumber = (DerInteger)seq[0];
if (versionNumber.PositiveValue.IntValue != 1)
{
Error($"DICE Extension has Wrong version number. Expecing {DICEExtensionVersionNumber}, cert contains {versionNumber.ToString()}");
return(false);
}
// second field is DeviceID
var devIdPubKey = SubjectPublicKeyInfo.GetInstance(seq[1]);
// will check it's good later
PubKeyInfoFromDICEExtension = devIdPubKey;
// third field contains {hashOid, hashVal}
var hashEnvelope = (DerSequence)seq[2];
var hashAlg = (DerObjectIdentifier)hashEnvelope[0];
if (hashAlg.Id != NistObjectIdentifiers.IdSha256.ToString())
{
Error("DICE Extension hash alg is wrong. ");
return(false);
}
var hashVal = (DerOctetString)hashEnvelope[1];
if (hashVal.GetOctets().Length != 32)
{
Error("DICE Extension hash value length is wrong. ");
return(false);
}
}
catch (Exception e)
{
Error($"Failed to parse the DICE extension. Parsing exception was {e.ToString()}");
return(false);
}
return(true);
}
public void Decode(byte[] data)
{
if (data == null)
{
throw ExceptionUtility.ArgumentNull("data");
}
try
{
var s = Asn1Sequence.FromByteArray(data) as Asn1Sequence;
var s0 = s[0] as Asn1Sequence;
var s1 = (s[1] as Asn1TaggedObject).GetObject() as Asn1Sequence;
var s11 = (s1[1] as Asn1TaggedObject).GetObject() as Asn1Sequence;
var s1101 = (s11[0] as Asn1Sequence)[1] as Asn1Sequence;
SessionEncryptedKey = new GostKeyExchangeInfo
{
EncryptionParamSet = (s1[0] as DerObjectIdentifier).Id,
EncryptedKey = (s0[0] as DerOctetString).GetOctets(),
Mac = (s0[1] as DerOctetString).GetOctets(),
Ukm = (s1[2] as DerOctetString).GetOctets()
};
TransportParameters = new GostKeyExchangeParameters
{
PublicKeyParamSet = (s1101[0] as DerObjectIdentifier).Id,
DigestParamSet = (s1101[1] as DerObjectIdentifier).Id,
EncryptionParamSet = s1101.Count > 2 ? (s1101[2] as DerObjectIdentifier).Id : null,
PublicKey = (DerOctetString.FromByteArray((s11[1] as DerBitString).GetBytes()) as DerOctetString).GetOctets(),
PrivateKey = null
};
}
catch (Exception exception)
{
throw ExceptionUtility.CryptographicException(exception, Resources.Asn1DecodeError, "GostR3410KeyTransportDecode");
}
}
public static byte[] ExtractSignerId(this SignerID selector)
{
//In case of SignerID it seems to be the encoded Octet String (bug?)
return(Asn1OctetString.GetInstance(DerOctetString.FromByteArray(selector.SubjectKeyIdentifier)).GetOctets());
}
