// VisibleForTesting
public void Validate(ServerCertificate certificate)
{
try
{
if (!Curve.verifySignature(TrustRoot, certificate.Certificate, certificate.Signature))
{
throw new InvalidCertificateException("Signature failed");
}
if (REVOKED.Contains(certificate.KeyId))
{
throw new InvalidCertificateException("Server certificate has been revoked");
}
}
catch (InvalidKeyException e)
{
throw new InvalidCertificateException(e);
}
}
public SenderCertificate(byte[] serialized)
{
try
{
var wrapper = libsignalmetadata.protobuf.SenderCertificate.Parser.ParseFrom(serialized);
if (wrapper.SignatureOneofCase != libsignalmetadata.protobuf.SenderCertificate.SignatureOneofOneofCase.Signature ||
wrapper.CertificateOneofCase != libsignalmetadata.protobuf.SenderCertificate.CertificateOneofOneofCase.Certificate)
{
throw new InvalidCertificateException("Missing fields");
}
var certificate = libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.Parser.ParseFrom(wrapper.Certificate);
if (certificate.SignerOneofCase != libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.SignerOneofOneofCase.Signer ||
certificate.IdentityKeyOneofCase != libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.IdentityKeyOneofOneofCase.IdentityKey ||
certificate.SenderDeviceOneofCase != libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.SenderDeviceOneofOneofCase.SenderDevice ||
certificate.ExpiresOneofCase != libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.ExpiresOneofOneofCase.Expires ||
certificate.SenderOneofCase != libsignalmetadata.protobuf.SenderCertificate.Types.Certificate.SenderOneofOneofCase.Sender)
{
throw new InvalidCertificateException("Missing fields");
}
Signer = new ServerCertificate(certificate.Signer.ToByteArray());
Key = Curve.decodePoint(certificate.IdentityKey.ToByteArray(), 0);
Sender = certificate.Sender;
SenderDeviceId = (int)certificate.SenderDevice;
Expiration = (long)certificate.Expires;
Serialized = serialized;
Certificate = wrapper.Certificate.ToByteArray();
Signature = wrapper.Signature.ToByteArray();
}
catch (InvalidProtocolBufferException e)
{
throw new InvalidCertificateException(e);
}
catch (InvalidKeyException e)
{
throw new InvalidCertificateException(e);
}
}
public void Validate(SenderCertificate certificate, long validationTime)
{
try
{
ServerCertificate serverCertificate = certificate.Signer;
Validate(serverCertificate);
if (!Curve.verifySignature(serverCertificate.Key, certificate.Certificate, certificate.Signature))
{
throw new InvalidCertificateException("Signature failed");
}
if (validationTime > certificate.Expiration)
{
throw new InvalidCertificateException("Certificate is expired");
}
}
catch (InvalidKeyException e)
{
throw new InvalidCertificateException(e);
}
}