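        /// <summary>
        /// Verifies the Certificate Transparency state of a certificate chain: reads the SCTs embedded in the
        /// leaf certificate, checks each one against the known log list and hands the per-log results to the
        /// configured CT policy.
        /// </summary>
        /// <param name="chain">Certificate chain; the first element is treated as the leaf certificate.</param>
        /// <param name="cancellationToken">Token observed while the log list is fetched.</param>
        /// <returns>
        /// <see cref="CtVerificationResult.NoCertificates"/> for a null or empty chain,
        /// <see cref="CtVerificationResult.NoScts"/> when the leaf carries no SCTs,
        /// <see cref="CtVerificationResult.LogServersFailed"/> when no log list could be obtained,
        /// otherwise the policy decision for the collected SCT results.
        /// </returns>
        /// <exception cref="OperationCanceledException">Thrown when <paramref name="cancellationToken"/> is cancelled.</exception>
        public async ValueTask<CtVerificationResult> IsValidAsync(IList<X509Certificate2> chain, CancellationToken cancellationToken)
        {
            if (chain?.Any() != true)
            {
                return CtVerificationResult.NoCertificates();
            }

            // NOTE(review): the leaf is assumed to be the first chain element (caller-supplied order) — confirm.
            var leaf = chain.First();
            var scts = leaf.GetSignedCertificateTimestamps();

            if (scts?.Any() != true)
            {
                return CtVerificationResult.NoScts();
            }

            var logDictionary = await _logListService.GetLogDictionaryAsync(cancellationToken).ConfigureAwait(false);

            cancellationToken.ThrowIfCancellationRequested();

            if (logDictionary?.Any() != true)
            {
                return CtVerificationResult.LogServersFailed();
            }

            // Results are keyed by log id. A certificate may embed more than one SCT from the same log; the
            // previous ToDictionary call threw ArgumentException on a repeated key, aborting verification with
            // an exception instead of a result. Keep the first SCT seen per log so each log counts at most once.
            var sctResults = new Dictionary<string, SctVerificationResult>();

            foreach (var sct in scts)
            {
                if (sctResults.ContainsKey(sct.LogIdBase64))
                {
                    continue;
                }

                var result = logDictionary.TryGetValue(sct.LogIdBase64, out var log)
                    ? sct.VerifySignature(log, chain)
                    : SctVerificationResult.NoTrustedLogServerFound(sct.TimestampUtc);

                sctResults.Add(sct.LogIdBase64, result);
            }

            return _ctPolicy.PolicyVerificationResult(leaf, sctResults);
        }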
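        /// <summary>
        /// Verifies the Certificate Transparency state of a certificate chain: reads the SCTs embedded in the
        /// leaf certificate, checks each one against the known log list and hands the per-log results to the
        /// configured CT policy.
        /// </summary>
        /// <param name="chain">Certificate chain; the first element is treated as the leaf certificate.</param>
        /// <param name="cancellationToken">Token observed while the log list is fetched.</param>
        /// <returns>
        /// <see cref="CtVerificationResult.NoCertificates"/> for a null or empty chain,
        /// <see cref="CtVerificationResult.NoScts"/> when the leaf carries no SCTs,
        /// <see cref="CtVerificationResult.LogServersFailed"/> when no log list could be obtained,
        /// otherwise the policy decision for the collected SCT results.
        /// </returns>
        /// <exception cref="OperationCanceledException">Thrown when <paramref name="cancellationToken"/> is cancelled.</exception>
        public async Task<CtVerificationResult> IsValidAsync(IList<X509Certificate2> chain, CancellationToken cancellationToken)
        {
            if (chain?.Any() != true)
            {
                return CtVerificationResult.NoCertificates();
            }

            // NOTE(review): the leaf is assumed to be the first chain element (caller-supplied order) — confirm.
            var leaf = chain.First();
            var scts = leaf.GetSignedCertificateTimestamps();

            if (scts?.Any() != true)
            {
                return CtVerificationResult.NoScts();
            }

            var logDictionary = await _logListService.GetLogDictionaryAsync(cancellationToken).ConfigureAwait(false);

            cancellationToken.ThrowIfCancellationRequested();

            if (logDictionary?.Any() != true)
            {
                return CtVerificationResult.LogServersFailed();
            }

            // Results are keyed by log id. A certificate may embed more than one SCT from the same log; the
            // previous Dictionary.Add threw ArgumentException on a repeated key, aborting verification with an
            // exception instead of a result. Keep the first SCT seen per log so each log counts at most once.
            var sctResults = new Dictionary<string, SctVerificationResult>();

            foreach (var sct in scts)
            {
                if (sctResults.ContainsKey(sct.LogIdBase64))
                {
                    continue;
                }

                var result = logDictionary.TryGetValue(sct.LogIdBase64, out var log)
                    ? sct.VerifySignature(log, chain)
                    : SctVerificationResult.NoTrustedLogServerFound(sct.TimestampUtc);

                sctResults.Add(sct.LogIdBase64, result);

#if DEBUG
                // Per-SCT trace (hex log id + result). Debug-only, like the tracing in VerifyCtResult; the
                // previous unconditional Console.WriteLine wrote to stdout in every build.
                System.Diagnostics.Debug.WriteLine($"{BitConverter.ToString(Convert.FromBase64String(sct.LogIdBase64)).Replace("-", string.Empty).ToLowerInvariant()} {result}");
#endif
            }

            return _ctPolicy.PolicyVerificationResult(leaf, sctResults);
        }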
        /// <summary>
        /// Host-aware entry point: runs CT verification for <paramref name="chain"/> only when
        /// <paramref name="hostname"/> passes the configured host validator; otherwise reports CT as disabled
        /// for that host.
        /// </summary>
        /// <param name="hostname">Host the chain was presented for; must be non-empty.</param>
        /// <param name="chain">Certificate chain handed to the chain-only overload.</param>
        /// <param name="cancellationToken">Token forwarded to the chain-only overload.</param>
        /// <returns>The chain verification result, or <see cref="CtVerificationResult.DisabledForHost"/>.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="hostname"/> is null or empty.</exception>
        public async Task<CtVerificationResult> IsValidAsync(string hostname, IList<X509Certificate2> chain, CancellationToken cancellationToken)
        {
            if (string.IsNullOrEmpty(hostname))
            {
                throw new ArgumentNullException(nameof(hostname));
            }

            var hostAccepted = _hostnameValidator.ValidateHost(hostname);
            if (!hostAccepted)
            {
                return CtVerificationResult.DisabledForHost();
            }

            return await IsValidAsync(chain, cancellationToken).ConfigureAwait(false);
        }
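        /// <summary>
        /// Reports whether a CT verification outcome is acceptable for <paramref name="host"/>, logging a
        /// "ct_result_invalid" event when it is not.
        /// </summary>
        /// <param name="host">Host the chain was presented for; used only in the trace and the log event.</param>
        /// <param name="chain">Certificate chain; not read by this method.</param>
        /// <param name="result">Verification outcome; a null result is treated as invalid.</param>
        /// <returns><c>true</c> when <paramref name="result"/> is non-null and valid; otherwise <c>false</c>.</returns>
        private bool VerifyCtResult(string host, IList<X509Certificate2> chain, CtVerificationResult result)
        {
#if DEBUG
            System.Diagnostics.Debug.WriteLine($"😺 CT Result, host: {host}, description: {result?.Description ?? string.Empty}");
#endif

            // Fail closed: the null-conditional accesses below already allow for a null result, but the
            // previous `!result.IsValid` dereferenced it unconditionally and threw NullReferenceException
            // instead of rejecting the host.
            var isValid = result?.IsValid == true;

            if (!isValid)
            {
                _logger.Event("ct_result_invalid", new Dictionary<string, string>()
                {
                    { "host", host },
                    { "result", result?.Result.ToString() ?? string.Empty },
                    { "description", result?.Description ?? string.Empty }
                });
            }

            return isValid;
        }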
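        /// <summary>
        /// Applies the CT policy: derives the required number of valid SCTs from the leaf certificate's
        /// validity period and compares it with the number of SCT results that verified successfully.
        /// </summary>
        /// <param name="leafCertificate">Leaf certificate whose NotBefore/NotAfter drive the SCT minimum.</param>
        /// <param name="sctResults">Per-log SCT verification results, keyed by log id.</param>
        /// <returns>
        /// <see cref="CtVerificationResult.Trusted"/> when at least the required number of results are valid,
        /// otherwise <see cref="CtVerificationResult.TooFewSctsTrusted"/>.
        /// </returns>
        /// <exception cref="ArgumentNullException">Thrown when either argument is null.</exception>
        public CtVerificationResult PolicyVerificationResult(X509Certificate2 leafCertificate, IDictionary<string, SctVerificationResult> sctResults)
        {
            // Previously a null argument surfaced as NullReferenceException from the body; reject it explicitly.
            if (leafCertificate is null)
            {
                throw new ArgumentNullException(nameof(leafCertificate));
            }

            if (sctResults is null)
            {
                throw new ArgumentNullException(nameof(sctResults));
            }

#if DEBUG
            // Debug builds accept a MoqX509Certificate2 test double whose validity window overrides the real
            // certificate's; this override must never reach a release build.
            var moqCert = leafCertificate as MoqX509Certificate2;
            var before  = moqCert?.NotBefore ?? leafCertificate.NotBefore;
            var after   = moqCert?.NotAfter ?? leafCertificate.NotAfter;
#else
            var before = leafCertificate.NotBefore;
            var after  = leafCertificate.NotAfter;
#endif

            // The required SCT count depends on the certificate lifetime expressed in (whole, partial) months.
            var (months, partial) = FlooredMonth(before, after);
            var minValidScts = MinimumValidSignedCertificateTimestamps(months, partial);

            var validScts = sctResults.Count(kv => kv.Value.IsValid);

            return validScts < minValidScts
                ? CtVerificationResult.TooFewSctsTrusted(sctResults.Values, minValidScts)
                : CtVerificationResult.Trusted(sctResults.Values, minValidScts);
        }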