Example #1
0
        PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, SignatureType signatureType)
        {
            // Get the chain

            var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic)
                         .GetGetMethod(true);

            var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);


            var attribs = SigningUtility.CreateSignedAttributes(request, certs);

            // Convert .NET crypto attributes to Bouncy Castle
            var attribTable = new AttributeTable(new Asn1EncodableVector(attribs.Cast <CryptographicAttributeObject>()
                                                                         .Select(ToBcAttribute)
                                                                         .ToArray()));
            // SignerInfo generator setup
            var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder()
                                             .WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(attribTable));


            // Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
            // number.  However, to ensure cross-platform verification, SKI should only be used if the certificate
            // has the SKI extension attribute.

            // Try to look for the value
            var bcCer = DotNetUtilities.FromX509Certificate(request.Certificate);
            var ext   = bcCer.GetExtensionValue(new DerObjectIdentifier(Oids.SubjectKeyIdentifier));
            SignerInfoGenerator signerInfoGenerator;

            if (ext != null)
            {
                var ski = new SubjectKeyIdentifierStructure(ext);
                signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), ski.GetKeyIdentifier());
            }
            else
            {
                signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), bcCer);
            }


            var generator = new CmsSignedDataGenerator();

            generator.AddSignerInfoGenerator(signerInfoGenerator);

            // Get the chain as bc certs
            generator.AddCertificates(X509StoreFactory.Create("Certificate/Collection",
                                                              new X509CollectionStoreParameters(certs.Select(DotNetUtilities.FromX509Certificate).
                                                                                                ToList())));

            var msg  = new CmsProcessableByteArray(signatureContent.GetBytes());
            var data = generator.Generate(msg, true);

            var encoded = data.ContentInfo.GetDerEncoded();

            return(PrimarySignature.Load(encoded));
        }
Example #2
0
        public void CreateSignedAttributes_SignPackageRequest_WhenRequestNull_Throws()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
            {
                var exception = Assert.Throws <ArgumentNullException>(
                    () => SigningUtility.CreateSignedAttributes((SignPackageRequest)null, new[] { certificate }));

                Assert.Equal("request", exception.ParamName);
            }
        }
        CmsSigner CreateCmsSigner(SignPackageRequest request, IReadOnlyList <X509Certificate2> chain, ILogger logger)
        {
            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            if (logger == null)
            {
                throw new ArgumentNullException(nameof(logger));
            }

            // Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
            // number.  However, to ensure cross-platform verification, SKI should only be used if the certificate
            // has the SKI extension attribute.
            CmsSigner signer;

            if (request.Certificate.Extensions[Oids.SubjectKeyIdentifier] == null)
            {
                signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, request.Certificate, provider);
            }
            else
            {
                signer = new CmsSigner(SubjectIdentifierType.SubjectKeyIdentifier, request.Certificate, provider);
            }

            foreach (var certificate in chain)
            {
                signer.Certificates.Add(certificate);
            }

            CryptographicAttributeObjectCollection attributes;

            if (request.SignatureType == SignatureType.Repository)
            {
                attributes = SigningUtility.CreateSignedAttributes((RepositorySignPackageRequest)request, chain);
            }
            else
            {
                attributes = SigningUtility.CreateSignedAttributes(request, chain);
            }

            foreach (var attribute in attributes)
            {
                signer.SignedAttributes.Add(attribute);
            }

            // We built the chain ourselves and added certificates.
            // Passing any other value here would trigger another chain build
            // and possibly add duplicate certs to the collection.
            signer.IncludeOption   = X509IncludeOption.None;
            signer.DigestAlgorithm = request.SignatureHashAlgorithm.ConvertToOid();

            return(signer);
        }
Example #4
0
        public void CreateSignedAttributes_RepositorySignPackageRequest_WhenChainListEmpty_Throws()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
                using (var request = CreateRequestRepository(certificate, new Uri("https://test.test"), new[] { "a" }))
                {
                    var exception = Assert.Throws <ArgumentException>(
                        () => SigningUtility.CreateSignedAttributes(request, new X509Certificate2[0]));

                    Assert.Equal("chainList", exception.ParamName);
                    Assert.StartsWith("The argument cannot be null or empty.", exception.Message);
                }
        }
Example #5
0
        public void CreateSignedAttributes_SignPackageRequest_WhenChainListNull_Throws()
        {
            using (var certificate = _fixture.GetDefaultCertificate())
                using (var request = CreateRequest(certificate))
                {
                    var exception = Assert.Throws <ArgumentException>(
                        () => SigningUtility.CreateSignedAttributes(request, chainList: null));

                    Assert.Equal("chainList", exception.ParamName);
                    Assert.StartsWith("The argument cannot be null or empty.", exception.Message);
                }
        }
Example #6
0
        public void CreateSignedAttributes_RepositorySignPackageRequest_WhenPackageOwnersNonEmpty_ReturnsAttributes()
        {
            var v3ServiceIndexUrl = new Uri("https://test.test", UriKind.Absolute);
            var packageOwners     = new[] { "a" };

            using (var certificate = _fixture.GetDefaultCertificate())
                using (var request = CreateRequestRepository(certificate, v3ServiceIndexUrl, packageOwners))
                {
                    var attributes = SigningUtility.CreateSignedAttributes(request, new[] { certificate });

                    Assert.Equal(5, attributes.Count);

                    VerifyAttributesRepository(attributes, request, v3ServiceIndexUrl, packageOwners);
                }
        }
Example #7
0
        public void CreateSignedAttributes_SignPackageRequest_WithValidInput_ReturnsAttributes()
        {
            using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
                using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
                    using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
                        using (var request = CreateRequest(leafCertificate))
                        {
                            var certList   = new[] { leafCertificate, intermediateCertificate, rootCertificate };
                            var attributes = SigningUtility.CreateSignedAttributes(request, certList);

                            Assert.Equal(3, attributes.Count);

                            VerifyAttributes(attributes, request);
                        }
        }