private static void CollectCertificate(
Dictionary <string, HashedCertificate> thumbprintToCertificate,
HashedCertificate hashedCertificate)
{
if (!thumbprintToCertificate.ContainsKey(hashedCertificate.Thumbprint))
{
thumbprintToCertificate.Add(hashedCertificate.Thumbprint, hashedCertificate);
}
}
public ExtractedCertificates(
HashedCertificate signatureEndCertificate,
IReadOnlyList <HashedCertificate> signatureParentCertificates,
HashedCertificate timestampEndCertificate,
IReadOnlyList <HashedCertificate> timestampParentCertificates)
{
SignatureEndCertificate = signatureEndCertificate ?? throw new ArgumentNullException(nameof(signatureEndCertificate));
SignatureParentCertificates = signatureParentCertificates ?? throw new ArgumentNullException(nameof(signatureParentCertificates));
TimestampEndCertificate = timestampEndCertificate ?? throw new ArgumentNullException(nameof(timestampEndCertificate));
TimestampParentCertificates = timestampParentCertificates ?? throw new ArgumentNullException(nameof(timestampParentCertificates));
}
private PackageSignature InitializePackageSignature(
int packageKey,
PackageSignatureType type,
HashedCertificate signatureEndCertificate,
IReadOnlyDictionary <string, EndCertificate> thumbprintToEndCertificate)
{
var packageSignature = new PackageSignature
{
CreatedAt = DateTime.UtcNow,
EndCertificate = thumbprintToEndCertificate[signatureEndCertificate.Thumbprint],
PackageKey = packageKey,
Status = PackageSignatureStatus.Unknown,
Type = type,
TrustedTimestamps = new List <TrustedTimestamp>(),
};
packageSignature.EndCertificateKey = packageSignature.EndCertificate.Key;
_entitiesContext.PackageSignatures.Add(packageSignature);
return(packageSignature);
}
private void ConnectCertificates(
HashedCertificate endCertificate,
IReadOnlyCollection <HashedCertificate> parentCertificates,
IReadOnlyDictionary <string, EndCertificate> thumbprintToEndCertificate,
IReadOnlyDictionary <string, ParentCertificate> thumbprintToParentCertificates)
{
var endCertificateEntity = thumbprintToEndCertificate[endCertificate.Thumbprint];
var parentCertificateKeys = new HashSet <long>(endCertificateEntity
.CertificateChainLinks
.Select(x => x.ParentCertificateKey));
foreach (var parentCertificate in parentCertificates)
{
var parentCertificateEntity = thumbprintToParentCertificates[parentCertificate.Thumbprint];
// If either end of the link is new, the link must be new.
if (endCertificateEntity.Key == default(long) ||
parentCertificateEntity.Key == default(long) ||
!parentCertificateKeys.Contains(parentCertificateEntity.Key))
{
var link = new CertificateChainLink
{
EndCertificate = endCertificateEntity,
ParentCertificate = parentCertificateEntity,
};
_entitiesContext.CertificateChainLinks.Add(link);
endCertificateEntity.CertificateChainLinks.Add(link);
parentCertificateEntity.CertificateChainLinks.Add(link);
if (parentCertificateEntity.Key != default(long))
{
parentCertificateKeys.Add(parentCertificateEntity.Key);
}
}
}
}
public EndCertificateAndUse(HashedCertificate hashedCertificate, EndCertificateUse endCertificateUse)
{
Certificate = hashedCertificate ?? throw new ArgumentNullException(nameof(hashedCertificate));
Use = endCertificateUse;
}
private void InitializeTrustedTimestamp(
PackageSignature packageSignature,
Signature signature,
HashedCertificate timestampEndCertificate,
IReadOnlyDictionary <string, EndCertificate> thumbprintToEndCertificate)
{
if (packageSignature.TrustedTimestamps.Count > 1)
{
_logger.LogError(
"There are {Count} trusted timestamps for the {SignatureType} signature on package {PackageKey}. There should be either zero or one.",
packageSignature.TrustedTimestamps.Count,
signature.Type,
packageSignature.PackageKey);
throw new InvalidOperationException("There should never be more than one trusted timestamp per package signature.");
}
// Determine the value of the timestamp.
var value = signature.Timestamps.Single().UpperLimit.UtcDateTime;
TrustedTimestamp trustedTimestamp;
if (packageSignature.TrustedTimestamps.Count == 0)
{
trustedTimestamp = new TrustedTimestamp
{
PackageSignature = packageSignature,
PackageSignatureKey = packageSignature.Key,
EndCertificate = thumbprintToEndCertificate[timestampEndCertificate.Thumbprint],
Value = value,
Status = TrustedTimestampStatus.Valid,
};
trustedTimestamp.EndCertificateKey = trustedTimestamp.EndCertificate.Key;
packageSignature.TrustedTimestamps.Add(trustedTimestamp);
_entitiesContext.TrustedTimestamps.Add(trustedTimestamp);
}
else
{
trustedTimestamp = packageSignature.TrustedTimestamps.Single();
if (trustedTimestamp.EndCertificate.Thumbprint != timestampEndCertificate.Thumbprint)
{
_logger.LogError(
"The timestamp end certificate thumbprint cannot change for the {SignatureType} signature " +
"on package {PackageKey}. The existing timestamp end certificate is {ExistingThumbprint}. " +
"The new thumprint is {NewThumbprint}.",
signature.Type,
packageSignature.PackageKey,
packageSignature.EndCertificate.Thumbprint,
timestampEndCertificate.Thumbprint);
throw new InvalidOperationException("The thumbprint of the timestamp end certificate cannot change.");
}
if (trustedTimestamp.Value != value)
{
_logger.LogError(
"The trusted timestamp value cannot change for the {SignatureType} signature on package " +
"{PackageKey}. The existing timestamp value is {ExistingValue}. The new value is {NewValue}.",
signature.Type,
packageSignature.PackageKey,
trustedTimestamp.Value,
value);
throw new InvalidOperationException("The value of the trusted timestamp cannot change.");
}
}
}
private async Task <PackageSignature> InitializePackageSignatureAsync(
int packageKey,
PackageSignatureType type,
HashedCertificate signatureEndCertificate,
IReadOnlyDictionary <string, EndCertificate> thumbprintToEndCertificate,
bool replacePackageSignature)
{
var packageSignatures = await _entitiesContext
.PackageSignatures
.Include(x => x.TrustedTimestamps)
.Include(x => x.EndCertificate)
.Where(x => x.PackageKey == packageKey && x.Type == type)
.ToListAsync();
if (packageSignatures.Count > 1)
{
_logger.LogError(
"There are {Count} package signatures for package key {PackageKey} and type {Type}. There should be either zero or one.",
packageSignatures.Count,
packageKey,
type);
throw new InvalidOperationException("There should never be more than one package signature per package and signature type.");
}
PackageSignature packageSignature;
if (packageSignatures.Count == 0)
{
packageSignature = InitializePackageSignature(
packageKey,
type,
signatureEndCertificate,
thumbprintToEndCertificate);
}
else
{
packageSignature = packageSignatures.Single();
if (packageSignature.EndCertificate.Thumbprint != signatureEndCertificate.Thumbprint)
{
if (replacePackageSignature)
{
_logger.LogWarning(
"The signature end certificate thumbprint has changed for package {PackageKey} and type " +
"{Type}. The previous signature end certificate is {ExistingThumbprint}. The new thumprint " +
"is {NewThumbprint}. The previous record with key {PackageSignatureKey} will be removed.",
packageKey,
type,
packageSignature.EndCertificate.Thumbprint,
signatureEndCertificate.Thumbprint,
packageSignature.Key);
// Remove the child trusted timestamps. This should be handled by cascading delete but to be
// explicit and to facilitate unit testing, we explicitly remove them.
foreach (var trustedTimestamp in packageSignature.TrustedTimestamps)
{
_entitiesContext.TrustedTimestamps.Remove(trustedTimestamp);
}
_entitiesContext.PackageSignatures.Remove(packageSignature);
packageSignature = InitializePackageSignature(
packageKey,
type,
signatureEndCertificate,
thumbprintToEndCertificate);
}
else
{
_logger.LogError(
"The signature end certificate thumbprint cannot change for package {PackageKey} and type " +
"{Type}. The existing signature end certificate is {ExistingThumbprint}. The new thumprint " +
"is {NewThumbprint}.",
packageKey,
type,
packageSignature.EndCertificate.Thumbprint,
signatureEndCertificate.Thumbprint);
throw new InvalidOperationException("The thumbprint of the signature end certificate cannot change.");
}
}
}
return(packageSignature);
}
