private static bool IsMatch(
X509Certificate2 certificate,
EssCertIdV2 essCertIdV2,
Errors errors,
bool isIssuerSerialRequired)
{
if (isIssuerSerialRequired)
{
if (essCertIdV2.IssuerSerial == null ||
essCertIdV2.IssuerSerial.GeneralNames.Count == 0)
{
throw new SignatureException(errors.InvalidSignature, errors.InvalidSignatureString);
}
}
if (essCertIdV2.IssuerSerial != null)
{
if (!AreSerialNumbersEqual(essCertIdV2.IssuerSerial, certificate))
{
return(false);
}
if (!AreGeneralNamesEqual(essCertIdV2.IssuerSerial, certificate))
{
return(false);
}
}
var hashAlgorithmName = CryptoHashUtility.OidToHashAlgorithmName(essCertIdV2.HashAlgorithm.Algorithm.Value);
var actualHash = CertificateUtility.GetHash(certificate, hashAlgorithmName);
return(essCertIdV2.CertificateHash.SequenceEqual(actualHash));
}
public static EssCertIdV2 Create(X509Certificate2 certificate, Common.HashAlgorithmName hashAlgorithmName)
{
if (certificate == null)
{
throw new ArgumentNullException(nameof(certificate));
}
var algorithm = new AlgorithmIdentifier(hashAlgorithmName.ConvertToOid());
var hash = CertificateUtility.GetHash(certificate, hashAlgorithmName);
var issuerSerial = IssuerSerial.Create(certificate);
return(new EssCertIdV2(algorithm, hash, issuerSerial));
}
private static string GetCertificateFingerprint(
Signature signature,
HashAlgorithmName fingerprintAlgorithm,
IDictionary <HashAlgorithmName, string> CertificateFingerprintLookUp)
{
if (!CertificateFingerprintLookUp.TryGetValue(fingerprintAlgorithm, out var fingerprintString))
{
var primarySignatureCertificateFingerprint = CertificateUtility.GetHash(signature.SignerInfo.Certificate, fingerprintAlgorithm);
fingerprintString = BitConverter.ToString(primarySignatureCertificateFingerprint).Replace("-", "");
CertificateFingerprintLookUp[fingerprintAlgorithm] = fingerprintString;
}
return(fingerprintString);
}
private bool IsSignatureAllowed(Signature signature)
{
// Get information needed for allow list verification
var primarySignatureCertificateFingerprint = CertificateUtility.GetHash(signature.SignerInfo.Certificate, _fingerprintAlgorithm);
var primarySignatureCertificateFingerprintString = BitConverter.ToString(primarySignatureCertificateFingerprint).Replace("-", "");
foreach (var allowedEntry in _allowList)
{
// Verify the certificate hash allow list objects
var certificateHashEntry = allowedEntry as CertificateHashAllowListEntry;
if (certificateHashEntry != null)
{
if (certificateHashEntry.VerificationTarget.HasFlag(VerificationTarget.Primary) &&
StringComparer.OrdinalIgnoreCase.Equals(certificateHashEntry.CertificateFingerprint, primarySignatureCertificateFingerprintString))
{
return(true);
}
}
}
return(false);
}
