public override byte[] GetSignatureValue()
 {
     using (var nativeCms = NativeCms.Decode(_primarySignature.SignedCms.Encode()))
     {
         return(nativeCms.GetRepositoryCountersignatureSignatureValue());
     }
 }
Example #2
0
 public override byte[] GetSignatureValue()
 {
     using (var nativeCms = NativeCms.Decode(SignedCms.Encode()))
     {
         return(nativeCms.GetPrimarySignatureSignatureValue());
     }
 }
 private static void InsertTimestampCertChainIntoTimestampCms(
     SignedCms timestampCms,
     X509Chain timstampCertChain,
     NativeCms timestampNativeCms)
 {
     timestampNativeCms.AddCertificates(timstampCertChain.ChainElements
                                        .Cast <X509ChainElement>()
                                        .Where(c => !timestampCms.Certificates.Contains(c.Certificate))
                                        .Select(c => c.Certificate.Export(X509ContentType.Cert)));
 }
Example #4
0
        private static PrimarySignature CreateRepositoryCountersignature(CmsSigner cmsSigner, PrimarySignature primarySignature, CngKey privateKey)
        {
            using (var primarySignatureNativeCms = NativeCms.Decode(primarySignature.GetBytes()))
            {
                primarySignatureNativeCms.AddCountersignature(cmsSigner, privateKey);

                var bytes      = primarySignatureNativeCms.Encode();
                var updatedCms = new SignedCms();

                updatedCms.Decode(bytes);

                return(PrimarySignature.Load(updatedCms));
            }
        }
Example #5
0
        /// <summary>
        /// Timestamps data present in the TimestampRequest.
        /// </summary>
        public Task <PrimarySignature> TimestampSignatureAsync(PrimarySignature primarySignature, TimestampRequest request, ILogger logger, CancellationToken token)
        {
            var timestampCms = GetTimestamp(request, logger, token);

            using (var signatureNativeCms = NativeCms.Decode(primarySignature.GetBytes()))
            {
                if (request.Target == SignaturePlacement.Countersignature)
                {
                    signatureNativeCms.AddTimestampToRepositoryCountersignature(timestampCms);
                }
                else
                {
                    signatureNativeCms.AddTimestamp(timestampCms);
                }
                return(Task.FromResult(PrimarySignature.Load(signatureNativeCms.Encode())));
            }
        }
Example #6
0
        private static SignedCms EnsureCertificatesInCertificatesCollection(
            SignedCms timestampCms,
            IReadOnlyList <X509Certificate2> chain)
        {
            using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode()))
            {
                timestampNativeCms.AddCertificates(
                    chain.Where(certificate => !timestampCms.Certificates.Contains(certificate))
                    .Select(certificate => certificate.RawData));

                var bytes      = timestampNativeCms.Encode();
                var updatedCms = new SignedCms();

                updatedCms.Decode(bytes);

                return(updatedCms);
            }
        }
        private Timestamp GetValidTimestamp(
            Signature signature,
            bool allowMultipleTimestamps,
            bool allowIgnoreTimestamp,
            bool allowNoTimestamp,
            bool allowUnknownRevocation,
            List <SignatureLog> issues)
        {
            var timestamps = signature.Timestamps;

            if (timestamps.Count == 0)
            {
                issues.Add(SignatureLog.Issue(!allowNoTimestamp, NuGetLogCode.NU3027, Strings.ErrorNoTimestamp));
                if (!allowNoTimestamp)
                {
                    throw new TimestampException();
                }
            }

            if (timestamps.Count > 1 && !allowMultipleTimestamps)
            {
                issues.Add(SignatureLog.Issue(true, NuGetLogCode.NU3000, Strings.ErrorMultipleTimestamps));
                throw new TimestampException();
            }

            var timestamp = timestamps.FirstOrDefault();

            if (timestamp != null)
            {
                using (var authorSignatureNativeCms = NativeCms.Decode(signature.SignedCms.Encode(), detached: false))
                {
                    var signatureHash = NativeCms.GetSignatureValueHash(signature.SignatureContent.HashAlgorithm, authorSignatureNativeCms);

                    if (!IsTimestampValid(timestamp, signatureHash, allowIgnoreTimestamp, allowUnknownRevocation, issues) && !allowIgnoreTimestamp)
                    {
                        throw new TimestampException();
                    }
                }
            }

            return(timestamp);
        }
Example #8
0
        internal static ICms Create(byte[] cmsBytes)
        {
            if (cmsBytes == null)
            {
                throw new ArgumentNullException(nameof(cmsBytes));
            }
#if IS_SIGNING_SUPPORTED
            ICms cms = null;
#if IS_DESKTOP
            NativeCms nativeCms = NativeCms.Decode(cmsBytes);
            cms = new NativeCmsWrapper(nativeCms);
#else
            SignedCms signedCms = new SignedCms();
            signedCms.Decode(cmsBytes);
            cms = new ManagedCmsWrapper(signedCms);
#endif
            return(cms);
#else
            throw new NotSupportedException();
#endif
        }
Example #9
0
        internal static byte[] GetSignatureValueHash(HashAlgorithmName hashAlgorithmName, NativeCms nativeCms)
        {
            var signatureValue = nativeCms.GetEncryptedDigest();

            using (var signatureValueStream = new MemoryStream(signatureValue))
                using (var hashAlgorithm = hashAlgorithmName.GetHashProvider())
                {
                    return(hashAlgorithm.ComputeHash(signatureValueStream, leaveStreamOpen: false));
                }
        }
Example #10
0
        /// <summary>
        /// Timestamps data present in the TimestampRequest.
        /// </summary>
        public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
        {
            token.ThrowIfCancellationRequested();

            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            if (logger == null)
            {
                throw new ArgumentNullException(nameof(logger));
            }

            // Get the signatureValue from the signerInfo object
            using (var nativeCms = NativeCms.Decode(request.Signature))
            {
                var signatureValue = nativeCms.GetPrimarySignatureSignatureValue();
                var messageHash    = request.TimestampHashAlgorithm.ComputeHash(signatureValue);

                // Allows us to track the request.
                var nonce = GenerateNonce();
                var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
                    messageHash,
                    request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
                    nonce: nonce,
                    requestSignerCertificates: true);

                // Request a timestamp
                // The response status need not be checked here as lower level api will throw if the response is invalid
                var timestampToken = rfc3161TimestampRequest.SubmitRequest(
                    _timestamperUrl,
                    TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));

                // quick check for response validity
                ValidateTimestampResponse(nonce, messageHash, timestampToken);

                var timestampCms = timestampToken.AsSignedCms();
                ValidateTimestampCms(request.SigningSpec, timestampCms);

                // If the timestamp signed CMS already has a complete chain for the signing certificate,
                // it's ready to be added to the signature to be timestamped.
                // However, a timestamp service is not required to include all certificates in a complete
                // chain for the signing certificate in the SignedData.certificates collection.
                // Some timestamp services include all certificates except the root in the
                // SignedData.certificates collection.
                var signerInfo = timestampCms.SignerInfos[0];
                var chain      = CertificateChainUtility.GetCertificateChain(
                    signerInfo.Certificate,
                    timestampCms.Certificates,
                    logger,
                    CertificateType.Timestamp);

                var timestampCmsWithChainCertificates = EnsureCertificatesInCertificatesCollection(timestampCms, chain);
                var bytes = timestampCmsWithChainCertificates.Encode();

                nativeCms.AddTimestamp(bytes);

                return(nativeCms.Encode());
            }
        }
Example #11
0
        internal static byte[] GetSignatureValueHash(HashAlgorithmName hashAlgorithm, NativeCms nativeCms)
        {
            var signatureValue = nativeCms.GetEncryptedDigest();

            var signatureValueStream = new MemoryStream(signatureValue);

            var signatureValueHashByteArray = hashAlgorithm
                                              .GetHashProvider()
                                              .ComputeHash(signatureValueStream, leaveStreamOpen: false);

            return(signatureValueHashByteArray);
        }
        /// <summary>
        /// Timestamps data present in the TimestampRequest.
        /// </summary>
        public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
        {
            token.ThrowIfCancellationRequested();

            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            if (logger == null)
            {
                throw new ArgumentNullException(nameof(logger));
            }

            // Get the signatureValue from the signerInfo object
            using (var signatureNativeCms = NativeCms.Decode(request.SignatureValue, detached: false))
            {
                var signatureValueHashByteArray = NativeCms.GetSignatureValueHash(
                    request.TimestampHashAlgorithm,
                    signatureNativeCms);

                // Allows us to track the request.
                var nonce = GenerateNonce();
                var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
                    signatureValueHashByteArray,
                    request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
                    nonce: nonce,
                    requestSignerCertificates: true);

                // Request a timestamp
                // The response status need not be checked here as lower level api will throw if the response is invalid
                var timestampToken = rfc3161TimestampRequest.SubmitRequest(
                    _timestamperUrl,
                    TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));

                // quick check for response validity
                ValidateTimestampResponse(nonce, signatureValueHashByteArray, timestampToken);

                var timestampCms = timestampToken.AsSignedCms();
                ValidateTimestampCms(request.SigningSpec, timestampCms);

                byte[] timestampByteArray;

                using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode(), detached: false))
                    using (var chainHolder = new X509ChainHolder())
                    {
                        var chain  = chainHolder.Chain;
                        var policy = chain.ChainPolicy;

                        policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEku));
                        policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid | X509VerificationFlags.IgnoreCtlNotTimeValid;

                        policy.ExtraStore.AddRange(timestampCms.Certificates);

                        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                        policy.RevocationMode = X509RevocationMode.Online;

                        var timestampSignerCertificate = timestampCms.SignerInfos[0].Certificate;

                        if (timestampSignerCertificate == null)
                        {
                            throw new TimestampException(NuGetLogCode.NU3020, Strings.TimestampNoCertificate);
                        }

                        if (!chain.Build(timestampSignerCertificate))
                        {
                            var messages = CertificateChainUtility.GetMessagesFromChainStatuses(chain.ChainStatus);

                            throw new TimestampException(NuGetLogCode.NU3028, string.Format(CultureInfo.CurrentCulture, Strings.TimestampCertificateChainBuildFailure, string.Join(", ", messages)));
                        }

                        // Insert all the certificates into timestampCms
                        InsertTimestampCertChainIntoTimestampCms(timestampCms, chain, timestampNativeCms);
                        timestampByteArray = timestampNativeCms.Encode();
                    }

                signatureNativeCms.AddTimestamp(timestampByteArray);

                return(signatureNativeCms.Encode());
            }
        }
 public NativeCmsWrapper(NativeCms nativeCms)
 {
     _nativeCms = nativeCms;
 }
        /// <summary>
        /// Timestamps data present in the TimestampRequest.
        /// </summary>
        public byte[] TimestampData(TimestampRequest request, ILogger logger, CancellationToken token)
        {
            token.ThrowIfCancellationRequested();

            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            if (logger == null)
            {
                throw new ArgumentNullException(nameof(logger));
            }

            // Get the signatureValue from the signerInfo object
            using (var signatureNativeCms = NativeCms.Decode(request.SignatureValue, detached: false))
            {
                var signatureValueHashByteArray = NativeCms.GetSignatureValueHash(
                    request.TimestampHashAlgorithm,
                    signatureNativeCms);

                // Allows us to track the request.
                var nonce = GenerateNonce();
                var rfc3161TimestampRequest = new Rfc3161TimestampRequest(
                    signatureValueHashByteArray,
                    request.TimestampHashAlgorithm.ConvertToSystemSecurityHashAlgorithmName(),
                    nonce: nonce,
                    requestSignerCertificates: true);

                // Request a timestamp
                // The response status need not be checked here as lower level api will throw if the response is invalid
                var timestampToken = rfc3161TimestampRequest.SubmitRequest(
                    _timestamperUrl,
                    TimeSpan.FromSeconds(_rfc3161RequestTimeoutSeconds));

                // ensure response is for this request
                ValidateTimestampResponseNonce(nonce, timestampToken);

                var timestampCms = timestampToken.AsSignedCms();

                byte[] timestampByteArray;

                using (var timestampNativeCms = NativeCms.Decode(timestampCms.Encode(), detached: false))
                    using (var timestampCertChain = new X509Chain())
                    {
                        var policy = timestampCertChain.ChainPolicy;

                        policy.ApplicationPolicy.Add(new Oid(Oids.TimeStampingEkuOid));
                        policy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;

                        policy.ExtraStore.AddRange(timestampCms.Certificates);

                        policy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                        policy.RevocationMode = X509RevocationMode.Online;

                        var timestampSignerCertificate = GetTimestampSignerCertificate(timestampCms);
                        if (DateTime.Now < timestampSignerCertificate.NotBefore)
                        {
                            throw new TimestampException(LogMessage.CreateError(
                                                             NuGetLogCode.NU3025,
                                                             string.Format(CultureInfo.CurrentCulture,
                                                                           Strings.TimestampCertificateInvalid,
                                                                           $"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(timestampSignerCertificate)}")));
                        }

                        if (!timestampCertChain.Build(timestampSignerCertificate))
                        {
                            throw new TimestampException(LogMessage.CreateError(
                                                             NuGetLogCode.NU3028,
                                                             string.Format(CultureInfo.CurrentCulture,
                                                                           Strings.TimestampCertificateChainBuildFailure,
                                                                           $"{Environment.NewLine}{CertificateUtility.X509Certificate2ToString(timestampSignerCertificate)}")));
                        }

                        // Insert all the certificates into timestampCms
                        InsertTimestampCertChainIntoTimestampCms(timestampCms, timestampCertChain, timestampNativeCms);
                        timestampByteArray = timestampCms.Encode();
                    }

                signatureNativeCms.AddTimestamp(timestampByteArray);

                return(signatureNativeCms.Encode());
            }
        }