public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.AnySignature);
int AIA_extension = 0;
Boolean AIACritical = false;
string authorityInformationAccess = "";
var pass = false;
foreach (var signature in signatures)
{
string serialNumber = "";
AIA_extension = 0;
AIACritical = false;
authorityInformationAccess = "";
string thumbprint = signature.Certificate.Thumbprint;
var digestStr = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
serialNumber = signature.Certificate.SerialNumber;
X509ExtensionCollection extensions = signature.Certificate.Extensions;
foreach (X509Extension extension in extensions)
{
/*This extension MUST be present and MUST NOT be marked critical.
* The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1)
* and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).*/
if (extension.Oid.FriendlyName == "Authority Information Access")
{
if (AIA_extension != 0)
{
authorityInformationAccess = extension.Format(true);
AIACritical = extension.Critical;
}
Console.WriteLine(authorityInformationAccess);
}
}
if (authorityInformationAccess != "" && authorityInformationAccess.Contains("http://") && !AIACritical)
{
verboseWriter.LogSignatureMessage(signature, "Signature has properly provided OCSP distribution point.");
pass = true;
}
else
{
verboseWriter.LogSignatureMessage(signature, "Signature has not properly provided OCSP distribution point.");
pass = false;
}
}
return(pass ? TestResult.Pass : TestResult.Fail);
}
public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.AnySignature);
var pass = false;
foreach (var signature in signatures)
{
string serialNumber = "";
string crlDistPoint = "";
Boolean crlCritical = false;
string thumbprint = signature.Certificate.Thumbprint;
var digestStr = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
serialNumber = signature.Certificate.SerialNumber;
X509ExtensionCollection extensions = signature.Certificate.Extensions;
foreach (X509Extension extension in extensions)
{
if (extension.Oid.FriendlyName == "CRL Distribution Points")
{
/* This extension MAY be present.If present, it MUST NOT be marked critical,
* and it MUST contain the HTTP URL of the CA’s CRL service.*/
//Boolean crlHttpExists = false;
crlDistPoint = extension.Format(true);
crlCritical = extension.Critical;
Console.WriteLine(crlDistPoint);
/* if (crlDistPoint.Contains("http://"))
* {
* //crlHttpExists = true;
* Console.WriteLine("Has http crl");
* }
* if (crlDistPoint.Contains("ldap://"))
* {
* Console.WriteLine("Has ldap crl");
*
* }*/
}
}
if (crlDistPoint != "")
{
if (crlDistPoint.Contains("http://") && !crlCritical)
{
verboseWriter.LogSignatureMessage(signature, "Signature has properly provided CRL distribution point.");
pass = true;
}
else
{
verboseWriter.LogSignatureMessage(signature, "Signature has not properly provided CRL distribution point.");
pass = false;
}
}
else
{
verboseWriter.LogSignatureMessage(signature, "Signature has not provided CRL distribution point.");
pass = false;
}
}
return(pass ? TestResult.Pass : TestResult.Fail);
}
public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.AnySignature);
var pass = true;
int signatureIndex = 0;
foreach (var signature in signatures)
{
string repeatedExtension = "";
var counterSignatures = signature.VisitAll(SignatureKind.AnyCounterSignature).ToList();
int ts = counterSignatures.Count;
var isSigned = false;
var strongSign = 0;
var tsDigestString = "";
string otherExtensions = "";
string serialNumber = "";
int pathLength = 0;
Boolean BC_CA = false;
Boolean hasPathLength = false;
string KU = "";
Boolean KUCritical = false;
string SKI = "";
string EKU_oidStr = "";
string AKI = "";
string certificatePolicies = "";
string crlDistPoint = "";
string authorityInformationAccess = "";
Boolean crlCritical = false;
Boolean EKUCritical = false;
Boolean BCCritical = false;
Boolean CPCritical = false;
Boolean SKICritical = false;
Boolean AKICritical = false;
Boolean AIACritical = false;
// Boolean CS_EKU = false;
int KU_extension = 0;
int EKU_extension = 0;
int BC_extension = 0;
int SKI_extension = 0;
int AKI_extension = 0;
int crl_extension = 0;
int CP_extension = 0;
int AIA_extension = 0;
string thumbprint = signature.Certificate.Thumbprint;
var digestStr = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
DBConnect.InsertSignatureTable(Program.fileName, Program.appName, digestStr, signature.DigestAlgorithm.FriendlyName, signature.Certificate.Version, ts, thumbprint, signature.Certificate.Issuer, signature.Certificate.IssuerName.Name, signature.Certificate.Subject, signature.Certificate.SubjectName.Name, signatureIndex);
System.DateTime notBeforeDate = signature.Certificate.NotBefore;
System.DateTime notAfterDate = signature.Certificate.NotAfter;
serialNumber = signature.Certificate.SerialNumber;
DBConnect.InsertSignatureDateTable(Program.appName, Program.fileName, digestStr, notBeforeDate.Year, notBeforeDate.Month, notBeforeDate.Day, notAfterDate.Year, notAfterDate.Month, notAfterDate.Day, thumbprint, signatureIndex);
X509ExtensionCollection extensions = signature.Certificate.Extensions;
foreach (X509Extension extension in extensions)
{
//extension.Oid.FriendlyName
Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")");
if (extension.Oid.FriendlyName == "Key Usage")
{
X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
KUCritical = ext.Critical;
if (KU_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
KU = ext.KeyUsages.ToString();
Console.WriteLine(KU);
KU_extension++;
}
else if (extension.Oid.FriendlyName == "Basic Constraints")
{
X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;
BCCritical = ext.Critical;
if (BC_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
BC_CA = ext.CertificateAuthority;
hasPathLength = ext.HasPathLengthConstraint;
pathLength = ext.PathLengthConstraint;
Console.WriteLine(BC_CA);
Console.WriteLine(hasPathLength);
Console.WriteLine(pathLength);
BC_extension++;
}
else if (extension.Oid.FriendlyName == "Subject Key Identifier")
{
X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)extension;
SKICritical = ext.Critical;
if (SKI_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
SKI = ext.SubjectKeyIdentifier.ToString();
Console.WriteLine(SKI);
SKI_extension++;
}
else if (extension.Oid.FriendlyName == "Authority Key Identifier")
{
AKICritical = extension.Critical;
if (AKI_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
AKI = extension.Format(true);
Console.WriteLine(AKI);
AKI_extension++;
}
else if (extension.Oid.FriendlyName == "Enhanced Key Usage")
{
if (EKU_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension;
OidCollection oids = ext.EnhancedKeyUsages;
EKUCritical = ext.Critical;
foreach (Oid oid in oids)
{
//if (oid.Equals("1.3.6.1.5.5.7.3.3"))
EKU_oidStr = oid.FriendlyName + "(" + oid.Value + ")" + ";" + EKU_oidStr;
}
Console.WriteLine(EKU_oidStr);
EKU_extension++;
}
else if (extension.Oid.FriendlyName == "CRL Distribution Points")
{
/*This extension MUST be present, MUST NOT be marked critical,
* and MUST contain the HTTP URL of the CA’s CRL service*/
//Boolean crlHttpExists = false;
if (crl_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
crlDistPoint = extension.Format(true);
crlCritical = extension.Critical;
Console.WriteLine(crlDistPoint);
if (crlDistPoint.Contains("http://"))
{
//crlHttpExists = true;
Console.WriteLine("has http crl");
}
if (crlDistPoint.Contains("ldap://"))
{
Console.WriteLine("has ldap crl");
}
crl_extension++;
}
else if (extension.Oid.FriendlyName == "Certificate Policies")
{
if (CP_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
certificatePolicies = extension.Format(true);
CPCritical = extension.Critical;
Console.WriteLine(certificatePolicies);
CP_extension++;
}
else if (extension.Oid.FriendlyName == "Authority Information Access")
{
if (AIA_extension != 0)
{
repeatedExtension += extension.Oid.FriendlyName + ",";
}
authorityInformationAccess = extension.Format(true);
AIACritical = extension.Critical;
Console.WriteLine(authorityInformationAccess);
AIA_extension++;
}
else
{
otherExtensions += ";" + extension.Oid.FriendlyName + "(" + extension.Oid.Value.ToString() + ")";
}
}
DBConnect.InsertRepeatedExtensionsTable(Program.appName, Program.fileName, repeatedExtension, thumbprint);
DBConnect.InsertExtensionsTable(Program.appName, Program.fileName, digestStr, serialNumber, Convert.ToInt32(BC_CA), pathLength, Convert.ToInt32(hasPathLength), KU, SKI, EKU_oidStr, AKI, certificatePolicies, crlDistPoint, Convert.ToInt32(crlCritical), Convert.ToInt32(EKUCritical), Convert.ToInt32(KUCritical), Convert.ToInt32(BCCritical), Convert.ToInt32(CPCritical), Convert.ToInt32(SKICritical), Convert.ToInt32(AKICritical), otherExtensions, authorityInformationAccess, Convert.ToInt32(AIACritical), thumbprint, signatureIndex);
Validation.validateWithSignTool(Program.filePath, signatureIndex, thumbprint);
int tssignatureIndex = 0;
foreach (var counterSignature in counterSignatures)
{
//reset extensions' values
otherExtensions = "";
serialNumber = "";
pathLength = 0;
BC_CA = false;
hasPathLength = false;
KU = "";
KUCritical = false;
SKI = "";
EKU_oidStr = "";
AKI = "";
certificatePolicies = "";
crlDistPoint = "";
authorityInformationAccess = "";
crlCritical = false;
EKUCritical = false;
BCCritical = false;
CPCritical = false;
SKICritical = false;
AKICritical = false;
AIACritical = false;
tsDigestString = HashHelpers.GetHashForSignature(counterSignature);//message digest of siganture(signature->details->advance->msg digest)
System.DateTime tsNotBeforeDate = counterSignature.Certificate.NotBefore;
System.DateTime tsNotAfterDate = counterSignature.Certificate.NotAfter;
DBConnect.InsertTSSignatureDateTable(Program.appName, Program.fileName, tsDigestString, tsNotBeforeDate.Year, tsNotBeforeDate.Month, tsNotBeforeDate.Day, tsNotAfterDate.Year, tsNotAfterDate.Month, tsNotAfterDate.Day, counterSignature.Certificate.Thumbprint, tssignatureIndex);
isSigned = true;
if (counterSignature.DigestAlgorithm.Value == signature.DigestAlgorithm.Value)
{
strongSign++;
DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 1, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
}
else
{
DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 0, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
}
//extracting extensions of timestamp certificate
X509ExtensionCollection tsEextensions = signature.Certificate.Extensions;
foreach (X509Extension extension in tsEextensions)
{
//extension.Oid.FriendlyName
Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")");
if (extension.Oid.FriendlyName == "Key Usage")
{
X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
KUCritical = ext.Critical;
KU = ext.KeyUsages.ToString();
Console.WriteLine(KU);
}
else if (extension.Oid.FriendlyName == "Basic Constraints")
{
X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;
BCCritical = ext.Critical;
BC_CA = ext.CertificateAuthority;
hasPathLength = ext.HasPathLengthConstraint;
pathLength = ext.PathLengthConstraint;
Console.WriteLine(BC_CA);
Console.WriteLine(hasPathLength);
Console.WriteLine(pathLength);
}
else if (extension.Oid.FriendlyName == "Subject Key Identifier")
{
X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)extension;
SKICritical = ext.Critical;
SKI = ext.SubjectKeyIdentifier.ToString();
Console.WriteLine(SKI);
}
else if (extension.Oid.FriendlyName == "Authority Key Identifier")
{
AKICritical = extension.Critical;
AKI = extension.Format(true);
Console.WriteLine(AKI);
}
else if (extension.Oid.FriendlyName == "Enhanced Key Usage")
{
//Boolean CS_EKU;
X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension;
OidCollection oids = ext.EnhancedKeyUsages;
EKUCritical = ext.Critical;
foreach (Oid oid in oids)
{
//if (oid.Equals("1.3.6.1.5.5.7.3.3"))
// CS_EKU = true;
EKU_oidStr = oid.FriendlyName + "(" + oid.Value + ")" + ";" + EKU_oidStr;
}
Console.WriteLine(EKU_oidStr);
}
else if (extension.Oid.FriendlyName == "CRL Distribution Points")
{
/*This extension MUST be present, MUST NOT be marked critical,
* and MUST contain the HTTP URL of the CA’s CRL service*/
//Boolean crlHttpExists = false;
crlDistPoint = extension.Format(true);
crlCritical = extension.Critical;
Console.WriteLine(crlDistPoint);
if (crlDistPoint.Contains("http://"))
{
//crlHttpExists = true;
Console.WriteLine("has http crl");
}
if (crlDistPoint.Contains("ldap://"))
{
Console.WriteLine("has ldap crl");
}
}
else if (extension.Oid.FriendlyName == "Certificate Policies")
{
certificatePolicies = extension.Format(true);
CPCritical = extension.Critical;
Console.WriteLine(certificatePolicies);
}
else if (extension.Oid.FriendlyName == "Authority Information Access")
{
authorityInformationAccess = extension.Format(true);
AIACritical = extension.Critical;
Console.WriteLine(authorityInformationAccess);
}
else
{
otherExtensions += ";" + extension.Oid.FriendlyName + "(" + extension.Oid.Value.ToString() + ")";
}
}
DBConnect.InsertTSExtensionsTable(Program.appName, Program.fileName, digestStr, serialNumber, Convert.ToInt32(BC_CA), pathLength, Convert.ToInt32(hasPathLength), KU, SKI, EKU_oidStr, AKI, certificatePolicies, crlDistPoint, Convert.ToInt32(crlCritical), Convert.ToInt32(EKUCritical), Convert.ToInt32(KUCritical), Convert.ToInt32(BCCritical), Convert.ToInt32(CPCritical), Convert.ToInt32(SKICritical), Convert.ToInt32(AKICritical), otherExtensions, authorityInformationAccess, Convert.ToInt32(AIACritical), thumbprint, tssignatureIndex);
tssignatureIndex++;
}
if (!isSigned && strongSign >= 1)
{
throw new InvalidOperationException("Unexpectedly have a strong signature.");
}
if (!isSigned)
{
verboseWriter.LogSignatureMessage(signature, "Signature is not timestamped.");
pass = false;
}
else if (strongSign == 0)
{
verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
pass = false;
}
signatureIndex++;
}
return(pass ? TestResult.Pass : TestResult.Fail);
}
public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.AnySignature);
var pass = true;
int signatureIndex = 0;
foreach (var signature in signatures)
{
var counterSignatures = signature.VisitAll(SignatureKind.AnyCounterSignature).ToList();
int ts = counterSignatures.Count;
var isSigned = false;
var strongSign = 0;
var tsDigestString = "";
string serialNumber = "";
string thumbprint = signature.Certificate.Thumbprint;
var digestStr = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
DBConnect.InsertSignatureTable(Program.fileName, Program.appName, digestStr, signature.DigestAlgorithm.FriendlyName, signature.Certificate.Version, ts, thumbprint, signature.Certificate.Issuer, signature.Certificate.IssuerName.Name, signature.Certificate.Subject, signature.Certificate.SubjectName.Name, signatureIndex);
System.DateTime notBeforeDate = signature.Certificate.NotBefore;
System.DateTime notAfterDate = signature.Certificate.NotAfter;
serialNumber = signature.Certificate.SerialNumber;
DBConnect.InsertSignatureDateTable(Program.appName, Program.fileName, digestStr, notBeforeDate.Year, notBeforeDate.Month, notBeforeDate.Day, notAfterDate.Year, notAfterDate.Month, notAfterDate.Day, thumbprint, signatureIndex);
X509ExtensionCollection extensions = signature.Certificate.Extensions;
int tssignatureIndex = 0;
foreach (var counterSignature in counterSignatures)
{
tsDigestString = HashHelpers.GetHashForSignature(counterSignature);//message digest of siganture(signature->details->advance->msg digest)
System.DateTime tsNotBeforeDate = counterSignature.Certificate.NotBefore;
System.DateTime tsNotAfterDate = counterSignature.Certificate.NotAfter;
DBConnect.InsertTSSignatureDateTable(Program.appName, Program.fileName, tsDigestString, tsNotBeforeDate.Year, tsNotBeforeDate.Month, tsNotBeforeDate.Day, tsNotAfterDate.Year, tsNotAfterDate.Month, tsNotAfterDate.Day, counterSignature.Certificate.Thumbprint, tssignatureIndex);
isSigned = true;
if (counterSignature.DigestAlgorithm.Value == signature.DigestAlgorithm.Value)
{
strongSign++;
DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 1, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
}
else
{
DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 0, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
}
}
if (!isSigned && strongSign >= 1)
{
throw new InvalidOperationException("Unexpectedly have a strong signature.");
}
if (!isSigned)
{
verboseWriter.LogSignatureMessage(signature, "Signature is not timestamped.");
pass = false;
}
else if (strongSign == 0)
{
verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
pass = false;
}
signatureIndex++;
}
return(pass ? TestResult.Pass : TestResult.Fail);
}
