private static bool IsMatch( X509Certificate2 certificate, EssCertIdV2 essCertIdV2, Errors errors, bool isIssuerSerialRequired) { if (isIssuerSerialRequired) { if (essCertIdV2.IssuerSerial == null || essCertIdV2.IssuerSerial.GeneralNames.Count == 0) { throw new SignatureException(errors.InvalidSignature, errors.InvalidSignatureString); } } if (essCertIdV2.IssuerSerial != null) { if (!AreSerialNumbersEqual(essCertIdV2.IssuerSerial, certificate)) { return(false); } if (!AreGeneralNamesEqual(essCertIdV2.IssuerSerial, certificate)) { return(false); } } var hashAlgorithmName = CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value); var actualHash = CertificateUtility.GetHash(certificate, hashAlgorithmName); return(essCertIdV2.CertificateHash.SequenceEqual(actualHash)); }
public void CreateSigningCertificateV2_WithValidInput_ReturnsAttribute(Common.HashAlgorithmName hashAlgorithmName) { using (var certificate = _fixture.GetDefaultCertificate()) { var attribute = AttributeUtility.CreateSigningCertificateV2(certificate, hashAlgorithmName); Assert.Equal(Oids.SigningCertificateV2, attribute.Oid.Value); Assert.Equal(1, attribute.Values.Count); var signingCertificateV2 = SigningCertificateV2.Read(attribute.Values[0].RawData); Assert.Equal(1, signingCertificateV2.Certificates.Count); var essCertIdV2 = signingCertificateV2.Certificates[0]; var expectedHash = SignTestUtility.GetHash(certificate, hashAlgorithmName); SignTestUtility.VerifyByteArrays(expectedHash, essCertIdV2.CertificateHash); Assert.Equal( hashAlgorithmName, CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value)); Assert.Equal(certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name); var serialNumber = certificate.GetSerialNumber(); // Convert from little endian to big endian. Array.Reverse(serialNumber); SignTestUtility.VerifyByteArrays( serialNumber, essCertIdV2.IssuerSerial.SerialNumber); } }
public void OidToHashAlgorithmName_WithUnknown_Throws() { var exception = Assert.Throws <ArgumentException>( () => CryptoHashUtility.OidToHashAlgorithmName(Oids.Sha1)); Assert.Equal("oid", exception.ParamName); Assert.StartsWith($"Hash algorithm '{Oids.Sha1}' is unsupported.", exception.Message); }
private static BcEssCertIdV2 CreateBcEssCertIdV2(HashAlgorithmName hashAlgorithmName, string text) { var hash = CryptoHashUtility.ComputeHash(hashAlgorithmName, Encoding.UTF8.GetBytes(text)); var bcAlgorithmIdentifier = new BcAlgorithmIdentifier( new DerObjectIdentifier(hashAlgorithmName.ConvertToOidString())); return(new BcEssCertIdV2(bcAlgorithmIdentifier, hash)); }
private static BcEssCertId CreateBcEssCertId(string text) { using (var hashAlgorithm = CryptoHashUtility.GetSha1HashProvider()) { var hash = hashAlgorithm.ComputeHash(Encoding.UTF8.GetBytes(text)); return(new BcEssCertId(hash)); } }
internal static string GenerateFingerprint(X509Certificate certificate) { using (var hashAlgorithm = CryptoHashUtility.GetSha1HashProvider()) { var hash = hashAlgorithm.ComputeHash(certificate.GetEncoded()); return(BitConverter.ToString(hash).Replace("-", "")); } }
/// <summary> /// Write the content to a stream. /// </summary> private void Save(Stream stream) { using (var writer = new KeyPairFileWriter(stream, _signingSpecifications.Encoding, leaveOpen: true)) { writer.WritePair("Version", _signingSpecifications.Version); writer.WriteSectionBreak(); writer.WritePair(CryptoHashUtility.ConvertToOidString(HashAlgorithm) + "-Hash", HashValue); writer.WriteSectionBreak(); } }
public void Read_WithOnlyCertificateHash_ReturnsEssCertIdV2() { var hash = CryptoHashUtility.ComputeHash(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes("peach")); var bcEssCertId = new BcEssCertIdV2(hash); var bytes = bcEssCertId.GetDerEncoded(); var essCertIdV2 = EssCertIdV2.Read(bytes); Assert.Equal(Oids.Sha256, essCertIdV2.HashAlgorithm.Algorithm.Value); SigningTestUtility.VerifyByteArrays(hash, essCertIdV2.CertificateHash); Assert.Null(essCertIdV2.IssuerSerial); }
public void Read_WithValidInput_ReturnsInstance(string oid) { var data = Encoding.UTF8.GetBytes("peach"); var hashAlgorithmName = CryptoHashUtility.OidToHashAlgorithmName(oid); var hash = hashAlgorithmName.ComputeHash(data); var bcAlgorithmIdentifier = new BcAlgorithmIdentifier(new DerObjectIdentifier(oid)); var bcMessageImprint = new BcMessageImprint(bcAlgorithmIdentifier, hash); var bytes = bcMessageImprint.GetDerEncoded(); var messageImprint = MessageImprint.Read(bytes); Assert.Equal(oid, messageImprint.HashAlgorithm.Algorithm.Value); Assert.Equal(hash, messageImprint.HashedMessage); }
private HashAlgorithmName ValidateAndParseFingerprintAlgorithm(string algorithm) { if (string.IsNullOrEmpty(algorithm)) { return(HashAlgorithmName.SHA256); } var hashAlgorithm = CryptoHashUtility.GetHashAlgorithmName(algorithm); if (hashAlgorithm == HashAlgorithmName.Unknown || !SigningSpecifications.V1.AllowedHashAlgorithms.Contains(hashAlgorithm)) { throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Strings.Error_NotSupportedHashAlgorithm, algorithm)); } return(hashAlgorithm); }
public void GetSha1HashProvider_ReturnsCorrectImplementation() { using (var hashAlgorithm = CryptoHashUtility.GetSha1HashProvider()) { Assert.True(hashAlgorithm is SHA1); #if !IS_CORECLR if (AllowOnlyFipsAlgorithms()) { Assert.IsType <SHA1CryptoServiceProvider>(hashAlgorithm); } else { Assert.IsType <SHA1Managed>(hashAlgorithm); } #endif } }
/// <summary> /// Parses a command line argument's value to a supported hash algorithm and validates it is supported in the given specification /// </summary> /// <param name="optionValue">Value entered by the user in the given command line argument</param> /// <param name="optionName">Name of the command line argument</param> /// <param name="spec">Signing specification to validate parsed hash algorithm</param> /// <returns>Supported hash algorithm</returns> internal static HashAlgorithmName ParseAndValidateHashAlgorithm(string optionValue, string optionName, SigningSpecifications spec) { HashAlgorithmName hashAlgorithm = HashAlgorithmName.SHA256; if (!string.IsNullOrEmpty(optionValue)) { hashAlgorithm = CryptoHashUtility.GetHashAlgorithmName(optionValue); } if (hashAlgorithm == HashAlgorithmName.Unknown || !spec.AllowedHashAlgorithms.Contains(hashAlgorithm)) { throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, Strings.Err_InvalidValue, optionName, string.Join(",", spec.AllowedHashAlgorithms))); } return(hashAlgorithm); }
/// <summary> /// Parses a command line argument's value to a supported hash algorithm and validates it is supported in the given specification /// </summary> /// <param name="argumentValue">Value entered by the user in the given command line argument</param> /// <param name="argumentName">Name of the command line argument</param> /// <param name="spec">Signing specification to validate parsed hash algorithm</param> /// <returns>Supported hash algorithm</returns> public static HashAlgorithmName ParseAndValidateHashAlgorithmFromArgument(string argumentValue, string argumentName, SigningSpecifications spec) { var hashAlgorithm = HashAlgorithmName.SHA256; if (!string.IsNullOrEmpty(argumentValue)) { hashAlgorithm = CryptoHashUtility.GetHashAlgorithmName(argumentValue); } if (hashAlgorithm == HashAlgorithmName.Unknown || !spec.AllowedHashAlgorithms.Contains(hashAlgorithm)) { throw new ArgumentException(string.Format(CultureInfo.CurrentCulture, NuGetCommand.CommandInvalidArgumentException, argumentName)); } return(hashAlgorithm); }
public void Create_WithValidInput_ReturnsSigningCertificateV2(HashAlgorithmName hashAlgorithmName) { using (var certificate = _fixture.GetDefaultCertificate()) { var signingCertificateV2 = SigningCertificateV2.Create(certificate, hashAlgorithmName); Assert.Equal(1, signingCertificateV2.Certificates.Count); var essCertIdV2 = signingCertificateV2.Certificates[0]; Assert.Equal(hashAlgorithmName, CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value)); Assert.Equal(SigningTestUtility.GetHash(certificate, hashAlgorithmName), essCertIdV2.CertificateHash); Assert.Equal(1, essCertIdV2.IssuerSerial.GeneralNames.Count); Assert.Equal(certificate.IssuerName.Name, essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name); SigningTestUtility.VerifySerialNumber(certificate, essCertIdV2.IssuerSerial); Assert.Null(signingCertificateV2.Policies); } }
public void GetHashProvider_WhenHashAlgorithmNameIsSupported_ReturnsCorrectImplementation() { using (var hashAlgorithm = CryptoHashUtility.GetHashProvider(HashAlgorithmName.SHA256)) { Assert.True(hashAlgorithm is SHA256); #if !IS_CORECLR if (AllowOnlyFipsAlgorithms()) { Assert.IsType <SHA256CryptoServiceProvider>(hashAlgorithm); } else { Assert.IsType <SHA256Managed>(hashAlgorithm); } #endif } }
public void Read_WithDefaultAlgorithmIdentifier_ReturnsEssCertIdV2() { var directoryName = new X509Name("CN=test"); var generalNames = new GeneralNames( new BcGeneralName(BcGeneralName.DirectoryName, directoryName)); var bcIssuerSerial = new BcIssuerSerial(generalNames, new DerInteger(BigInteger.One)); var hash = CryptoHashUtility.ComputeHash(HashAlgorithmName.SHA256, Encoding.UTF8.GetBytes("peach")); var bcEssCertId = new BcEssCertIdV2(hash, bcIssuerSerial); var bytes = bcEssCertId.GetDerEncoded(); var essCertIdV2 = EssCertIdV2.Read(bytes); Assert.Equal(Oids.Sha256, essCertIdV2.HashAlgorithm.Algorithm.Value); Assert.Equal(1, essCertIdV2.IssuerSerial.GeneralNames.Count); Assert.Equal(directoryName.ToString(), essCertIdV2.IssuerSerial.GeneralNames[0].DirectoryName.Name); SigningTestUtility.VerifyByteArrays(hash, essCertIdV2.CertificateHash); SigningTestUtility.VerifyByteArrays(bcIssuerSerial.Serial.Value.ToByteArray(), essCertIdV2.IssuerSerial.SerialNumber); }
public void EmitTelemetryEvent(Guid parentId) { var telemetryEvent = new TelemetryEvent(PackagePreFetcherInformation); telemetryEvent["DownloadStartTime"] = _downloadStartTime; telemetryEvent["PackageFetchTime"] = _packageFetchTime; telemetryEvent["TaskReturnTime"] = _taskReturnTime; var packageId = CryptoHashUtility.GenerateUniqueToken(Package.ToString()); telemetryEvent.AddPiiData("PackageId", Package.ToString()); if (parentId != Guid.Empty) { telemetryEvent["ParentId"] = parentId.ToString(); } TelemetryActivity.EmitTelemetryEvent(telemetryEvent); }
public void GetESSCertIDv2Entries_ReturnsDecodedHashes(Common.HashAlgorithmName hashAlgorithm) { // Arrange var cert = TestCertificate.Generate().PublicCert; var cert2 = TestCertificate.Generate().PublicCert; var attribute = AttributeUtility.GetSigningCertificateV2( new[] { cert, cert2 }, hashAlgorithm); var certHash = CryptoHashUtility.ComputeHash(hashAlgorithm, cert.RawData); var cert2Hash = CryptoHashUtility.ComputeHash(hashAlgorithm, cert2.RawData); // Act var actual = AttributeUtility.GetESSCertIDv2Entries(attribute); // Assert actual.ShouldBeEquivalentTo(new[] { new KeyValuePair <Common.HashAlgorithmName, byte[]>(hashAlgorithm, certHash), new KeyValuePair <Common.HashAlgorithmName, byte[]>(hashAlgorithm, cert2Hash), }); }
private static bool TryReadPackageHashProperty( KeyValuePair <string, string> property, SigningSpecifications signingSpecifications, out HashAlgorithmName hashAlgorithmName) { hashAlgorithmName = HashAlgorithmName.Unknown; if (property.Key.EndsWith("-Hash", StringComparison.Ordinal)) { foreach (var hashAlgorithmOid in signingSpecifications.AllowedHashAlgorithmOids) { if (property.Key == $"{hashAlgorithmOid}-Hash") { hashAlgorithmName = CryptoHashUtility.OidToHashAlgorithmName(hashAlgorithmOid); return(true); } } } return(false); }
private static bool IsMatch(X509Certificate2 certificate, EssCertId essCertId) { if (essCertId.IssuerSerial != null) { if (!AreSerialNumbersEqual(essCertId.IssuerSerial, certificate)) { return(false); } if (!AreGeneralNamesEqual(essCertId.IssuerSerial, certificate)) { return(false); } } byte[] actualHash; using (var hashAlgorithm = CryptoHashUtility.GetSha1HashProvider()) { actualHash = hashAlgorithm.ComputeHash(certificate.RawData); } return(essCertId.CertificateHash.SequenceEqual(actualHash)); }
internal static SignatureVerificationStatusFlags ValidateTimestamp(Timestamp timestamp, Signature signature, bool treatIssuesAsErrors, List <SignatureLog> issues, SigningSpecifications spec) { if (timestamp == null) { throw new ArgumentNullException(nameof(timestamp)); } if (signature == null) { throw new ArgumentNullException(nameof(signature)); } if (issues == null) { throw new ArgumentNullException(nameof(issues)); } // Default to specification v1 spec = spec ?? SigningSpecifications.V1; var validationFlags = SignatureVerificationStatusFlags.NoErrors; var signerInfo = timestamp.SignerInfo; if (timestamp.SignerInfo.Certificate != null) { try { signerInfo.CheckSignature(verifySignatureOnly: true); } catch (Exception e) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3021, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampSignatureValidationFailed, signature.FriendlyName))); issues.Add(SignatureLog.DebugLog(e.ToString())); validationFlags |= SignatureVerificationStatusFlags.SignatureCheckFailed; } if (!CertificateUtility.IsSignatureAlgorithmSupported(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3022, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampUnsupportedSignatureAlgorithm, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.SignatureAlgorithmUnsupported; } if (!CertificateUtility.IsCertificatePublicKeyValid(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3023, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampCertificateFailsPublicKeyLengthRequirement, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.CertificatePublicKeyInvalid; } if (!spec.AllowedHashAlgorithmOids.Contains(signerInfo.DigestAlgorithm.Value)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3024, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampUnsupportedSignatureAlgorithm, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.HashAlgorithmUnsupported; } try { var hashAlgorithm = CryptoHashUtility.OidToHashAlgorithmName(timestamp.TstInfo.HashAlgorithmId.Value); var signatureValue = signature.GetSignatureValue(); var messageHash = hashAlgorithm.ComputeHash(signatureValue); if (!timestamp.TstInfo.HasMessageHash(messageHash)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3019, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampIntegrityCheckFailed, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.IntegrityCheckFailed; } } catch { // If the hash algorithm is not supported OidToHashAlgorithmName will throw issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3030, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampMessageImprintUnsupportedHashAlgorithm, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.MessageImprintUnsupportedAlgorithm; } if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3025, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampNotYetValid, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.CertificateValidityInTheFuture; } if (!CertificateUtility.IsDateInsideValidityPeriod(signerInfo.Certificate, timestamp.GeneralizedTime)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3036, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampGeneralizedTimeInvalid, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.GeneralizedTimeOutsideValidity; } } else { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3020, string.Format(CultureInfo.CurrentCulture, Strings.VerifyError_TimestampNoCertificate, signature.FriendlyName))); validationFlags |= SignatureVerificationStatusFlags.NoCertificate; } return(validationFlags); }
public CryptoHashProcessor(string cryptoHashKey) { _cryptoHashKey = cryptoHashKey; _cryptoHashFunction = (input) => CryptoHashUtility.ComputeHmacSHA256Hash(input, _cryptoHashKey); }
public void OidToHashAlgorithmName_WithValidInput_Succeeds(string oid, HashAlgorithmName expectedHashAlgorithmName) { var actualHashAlgorithmName = CryptoHashUtility.OidToHashAlgorithmName(oid); Assert.Equal(expectedHashAlgorithmName, actualHashAlgorithmName); }
public void GivenAString_WhenComputeHmac_CorrectHashShouldBeReturned(string input, string expectedHash) { string hash = CryptoHashUtility.ComputeHmacSHA256Hash(input, TestHashKey); Assert.Equal(expectedHash, hash); }
private async Task UpdateTrustedSourceAsync(PackageSource packageSource) { var sourceRepositoryProvider = new CommandLineSourceRepositoryProvider(SourceProvider); var repositorySignatureResource = await sourceRepositoryProvider.CreateRepository(packageSource).GetResourceAsync <RepositorySignatureResource>() ?? throw new CommandLineException(LocalizedResourceManager.GetString("SourcesCommandSourceNotSupportRepoSign"), packageSource.Name); var trustedSource = new TrustedSource(packageSource.Name); foreach (var cert in repositorySignatureResource.RepositoryCertificateInfos) { foreach (var fingerprint in cert.Fingerprints) { trustedSource.Certificates.Add(new CertificateTrustEntry(fingerprint.Value, cert.Subject, CryptoHashUtility.OidToHashAlgorithmName(fingerprint.Key))); } } packageSource.TrustedSource = trustedSource; }
private static Hash MakeHash(HashAlgorithmName algorithm, string hashInput) { var digest = CryptoHashUtility.ComputeHash(algorithm, Encoding.ASCII.GetBytes(hashInput)); return(new Hash(algorithm, digest)); }
internal static bool IsTimestampValid(Timestamp timestamp, Signature signature, bool treatIssuesAsErrors, List <SignatureLog> issues, SigningSpecifications spec) { if (timestamp == null) { throw new ArgumentNullException(nameof(timestamp)); } if (signature == null) { throw new ArgumentNullException(nameof(signature)); } if (issues == null) { throw new ArgumentNullException(nameof(issues)); } // Default to specification v1 spec = spec ?? SigningSpecifications.V1; var isValid = true; var signerInfo = timestamp.SignerInfo; if (timestamp.SignerInfo.Certificate != null) { try { signerInfo.CheckSignature(verifySignatureOnly: true); } catch (Exception e) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3021, Strings.TimestampSignatureValidationFailed)); issues.Add(SignatureLog.DebugLog(e.ToString())); isValid = false; } if (!CertificateUtility.IsSignatureAlgorithmSupported(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3022, Strings.TimestampUnsupportedSignatureAlgorithm)); isValid = false; } if (!CertificateUtility.IsCertificatePublicKeyValid(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3023, Strings.TimestampCertificateFailsPublicKeyLengthRequirement)); isValid = false; } if (!spec.AllowedHashAlgorithmOids.Contains(signerInfo.DigestAlgorithm.Value)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3024, Strings.TimestampUnsupportedSignatureAlgorithm)); isValid = false; } try { var hashAlgorithm = CryptoHashUtility.OidToHashAlgorithmName(timestamp.TstInfo.HashAlgorithmId.Value); var signatureValue = signature.GetSignatureValue(); var messageHash = hashAlgorithm.ComputeHash(signatureValue); if (!timestamp.TstInfo.HasMessageHash(messageHash)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3019, Strings.TimestampIntegrityCheckFailed)); isValid = false; } } catch { // If the hash algorithm is not supported OidToHashAlgorithmName will throw issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3030, Strings.TimestampMessageImprintUnsupportedHashAlgorithm)); isValid = false; } if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(signerInfo.Certificate)) { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3025, Strings.TimestampNotYetValid)); isValid = false; } } else { issues.Add(SignatureLog.Issue(treatIssuesAsErrors, NuGetLogCode.NU3020, Strings.TimestampNoCertificate)); isValid = false; } return(isValid); }