public void FewerSctsThanRequiredReturnsFailure()
{
var rand = new Random();
foreach (var tp in _testParams)
{
var certMoq = new Moq.Mock <MoqX509Certificate2>();
certMoq.Setup(c => c.MoqNotBefore).Returns(tp.Start);
certMoq.Setup(c => c.MoqNotAfter).Returns(tp.End);
var cert = certMoq.Object;
var scts = new Dictionary <string, SctVerificationResult>();
var numScts = rand.Next(tp.SctsRequired);
for (var i = 0; i < numScts; i++)
{
scts[i.ToString()] = SctVerificationResult.Valid(DateTime.UtcNow, Guid.NewGuid().ToString());
}
for (var i = 0; i < 10; i++)
{
scts[(i + 100).ToString()] = SctVerificationResult.FailedVerification(DateTime.UtcNow, Guid.NewGuid().ToString());
}
var result = new CtPolicyDefault().PolicyVerificationResult(cert, scts);
Assert.True(tp.SctsRequired == result.MinSctCount, tp.Description);
Assert.True(result.Result == CtResult.TooFewSctsTrusted, tp.Description);
}
}
public void CorrectNumberOfSctsReturnsSuccessTrusted()
{
foreach (var tp in _testParams)
{
var certMoq = new Moq.Mock <MoqX509Certificate2>();
certMoq.Setup(c => c.MoqNotBefore).Returns(tp.Start);
certMoq.Setup(c => c.MoqNotAfter).Returns(tp.End);
var cert = certMoq.Object;
var scts = new Dictionary <string, SctVerificationResult>();
for (var i = 0; i < tp.SctsRequired; i++)
{
scts[i.ToString()] = SctVerificationResult.Valid(DateTime.UtcNow, Guid.NewGuid().ToString());
}
for (var i = 0; i < 10; i++)
{
scts[(i + 100).ToString()] = SctVerificationResult.FailedVerification(DateTime.UtcNow, Guid.NewGuid().ToString());
}
var result = new CtPolicyDefault().PolicyVerificationResult(cert, scts);
Assert.True(result.Result == CtResult.Trusted, tp.Description);
}
}
private static SctVerificationResult VerifySctSignatureOverBytes(this SignedCertificateTimestamp sct, Log logServer, byte[] toVerify)
{
var(oid, sigAlg) = GetKeyAlgorithm(logServer.KeyBytes);
//var signer = sigAlg switch
//{
// CtSignatureAlgorithm.Ecdsa => SignerUtilities.GetSigner(Constants.Sha256WithEcdsa),
// CtSignatureAlgorithm.Rsa => SignerUtilities.GetSigner(Constants.Sha256WithRsa),
// _ => throw new NotImplementedException($"Signature algothrim '{sigAlg}' not supported, with OID '{oid}'"),
//};
ISigner signer;
if (sigAlg == CtSignatureAlgorithm.Ecdsa)
{
signer = SignerUtilities.GetSigner(Constants.Sha256WithEcdsa);
}
else if (sigAlg == CtSignatureAlgorithm.Rsa)
{
signer = SignerUtilities.GetSigner(Constants.Sha256WithRsa);
}
else
{
throw new NotImplementedException($"Signature algothrim '{sigAlg}' not supported, with OID '{oid}'");
}
var pubKey = PublicKeyFactory.CreateKey(logServer.KeyBytes);
signer.Init(false, pubKey);
signer.BlockUpdate(toVerify, 0, toVerify.Length);
var isValid = signer.VerifySignature(sct.Signature.SignatureData);
return(isValid
? SctVerificationResult.Valid(sct.TimestampUtc, logServer.LogId, logServer.Description)
: SctVerificationResult.FailedVerification(sct.TimestampUtc, logServer.LogId, logServer.Description, "Invalid Signature"));
}