public async ValueTask <CtVerificationResult> IsValidAsync(IList <X509Certificate2> chain, CancellationToken cancellationToken)
{
if (chain?.Any() != true)
{
return(CtVerificationResult.NoCertificates());
}
var leaf = chain.First();
var scts = leaf.GetSignedCertificateTimestamps();
if (scts?.Any() != true)
{
return(CtVerificationResult.NoScts());
}
var logDictionary = await _logListService.GetLogDictionaryAsync(cancellationToken).ConfigureAwait(false);
cancellationToken.ThrowIfCancellationRequested();
if (logDictionary?.Any() != true)
{
return(CtVerificationResult.LogServersFailed());
}
var sctResults = scts.Select(sct =>
logDictionary.TryGetValue(sct.LogIdBase64, out var log)
? (sct.LogIdBase64, sct.VerifySignature(log, chain))
: (sct.LogIdBase64, SctVerificationResult.NoTrustedLogServerFound(sct.TimestampUtc)))
.ToDictionary(t => t.LogIdBase64, t => t.Item2);
return(_ctPolicy.PolicyVerificationResult(leaf, sctResults));
}
public async Task <CtVerificationResult> IsValidAsync(IList <X509Certificate2> chain, CancellationToken cancellationToken)
{
if (chain?.Any() != true)
{
return(CtVerificationResult.NoCertificates());
}
var leaf = chain.First();
var scts = leaf.GetSignedCertificateTimestamps();
if (scts?.Any() != true)
{
return(CtVerificationResult.NoScts());
}
var logDictionary = await _logListService.GetLogDictionaryAsync(cancellationToken).ConfigureAwait(false);
//foreach (var log in logDictionary)
//{
// Console.WriteLine($"{BitConverter.ToString(Convert.FromBase64String(log.Key)).Replace("-", string.Empty).ToLowerInvariant()} {log.Value.Description}");
//}
cancellationToken.ThrowIfCancellationRequested();
if (logDictionary?.Any() != true)
{
return(CtVerificationResult.LogServersFailed());
}
//var sctResults = scts.Select(sct =>
// logDictionary.TryGetValue(sct.LogIdBase64, out var log)
// ? new { LogIdBase64 = sct.LogIdBase64, Item2 = sct.VerifySignature(log, chain) }
// : new { LogIdBase64 = sct.LogIdBase64, Item2 = SctVerificationResult.NoTrustedLogServerFound(sct.TimestampUtc) })
// .ToDictionary(t => t.LogIdBase64, t => t.Item2);
var sctResults = new Dictionary <string, SctVerificationResult>();
foreach (var sct in scts)
{
SctVerificationResult result;
if (logDictionary.TryGetValue(sct.LogIdBase64, out var log))
{
result = sct.VerifySignature(log, chain);
}
else
{
result = SctVerificationResult.NoTrustedLogServerFound(sct.TimestampUtc);
}
sctResults.Add(sct.LogIdBase64, result);
Console.WriteLine($"{BitConverter.ToString(Convert.FromBase64String(sct.LogIdBase64)).Replace("-", string.Empty).ToLowerInvariant()} {result}");
}
return(_ctPolicy.PolicyVerificationResult(leaf, sctResults));
}
public async Task <CtVerificationResult> IsValidAsync(string hostname, IList <X509Certificate2> chain, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(hostname))
{
throw new ArgumentNullException(nameof(hostname));
}
if (_hostnameValidator.ValidateHost(hostname))
{
return(await IsValidAsync(chain, cancellationToken).ConfigureAwait(false));
}
return(CtVerificationResult.DisabledForHost());
}
private bool VerifyCtResult(string host, IList <X509Certificate2> chain, CtVerificationResult result)
{
#if DEBUG
System.Diagnostics.Debug.WriteLine($"😺 CT Result, host: {host}, description: {result?.Description ?? string.Empty}");
#endif
if (!result.IsValid)
{
_logger.Event("ct_result_invalid", new Dictionary <string, string>()
{
{ "host", host },
{ "result", result?.Result.ToString() ?? string.Empty },
{ "description", result?.Description ?? string.Empty }
});
}
return(result.IsValid);
}
public CtVerificationResult PolicyVerificationResult(X509Certificate2 leafCertificate, IDictionary <string, SctVerificationResult> sctResults)
{
#if DEBUG
var moqCert = leafCertificate as MoqX509Certificate2;
var before = moqCert?.NotBefore ?? leafCertificate.NotBefore;
var after = moqCert?.NotAfter ?? leafCertificate.NotAfter;
#else
var before = leafCertificate.NotBefore;
var after = leafCertificate.NotAfter;
#endif
var(months, partial) = FlooredMonth(before, after);
var minValidScts = MinimumValidSignedCertificateTimestamps(months, partial);
var validScts = sctResults.Count(kv => kv.Value.IsValid);
if (validScts < minValidScts)
{
return(CtVerificationResult.TooFewSctsTrusted(sctResults.Values, minValidScts));
}
return(CtVerificationResult.Trusted(sctResults.Values, minValidScts));
}
