public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
        {
            var     signatures    = graph.VisitAll(SignatureKind.AnySignature);
            int     AIA_extension = 0;
            Boolean AIACritical   = false;
            string  authorityInformationAccess = "";
            var     pass = false;

            foreach (var signature in signatures)
            {
                string serialNumber = "";
                AIA_extension = 0;
                AIACritical   = false;
                authorityInformationAccess = "";

                string thumbprint = signature.Certificate.Thumbprint;
                var    digestStr  = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
                serialNumber = signature.Certificate.SerialNumber;
                X509ExtensionCollection extensions = signature.Certificate.Extensions;
                foreach (X509Extension extension in extensions)
                {
                    /*This extension MUST be present and MUST NOT be marked critical.
                     * The extension MUST contain the HTTP URL of the CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1)
                     * and the HTTP URL for the Root CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2).*/

                    if (extension.Oid.FriendlyName == "Authority Information Access")
                    {
                        if (AIA_extension != 0)
                        {
                            authorityInformationAccess = extension.Format(true);
                            AIACritical = extension.Critical;
                        }
                        Console.WriteLine(authorityInformationAccess);
                    }
                }

                if (authorityInformationAccess != "" && authorityInformationAccess.Contains("http://") && !AIACritical)
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature has properly provided OCSP distribution point.");
                    pass = true;
                }
                else
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature has not properly provided OCSP distribution point.");
                    pass = false;
                }
            }

            return(pass ? TestResult.Pass : TestResult.Fail);
        }
        public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
        {
            var signatures = graph.VisitAll(SignatureKind.AnySignature);
            var pass       = false;

            foreach (var signature in signatures)
            {
                string  serialNumber = "";
                string  crlDistPoint = "";
                Boolean crlCritical  = false;

                string thumbprint = signature.Certificate.Thumbprint;
                var    digestStr  = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
                serialNumber = signature.Certificate.SerialNumber;
                X509ExtensionCollection extensions = signature.Certificate.Extensions;
                foreach (X509Extension extension in extensions)
                {
                    if (extension.Oid.FriendlyName == "CRL Distribution Points")
                    {
                        /* This extension MAY be present.If present, it MUST NOT be marked critical,
                         * and it MUST contain the HTTP URL of the CA’s CRL service.*/
                        //Boolean crlHttpExists = false;
                        crlDistPoint = extension.Format(true);
                        crlCritical  = extension.Critical;
                        Console.WriteLine(crlDistPoint);

                        /*   if (crlDistPoint.Contains("http://"))
                         * {
                         *     //crlHttpExists = true;
                         *     Console.WriteLine("Has http crl");
                         * }
                         * if (crlDistPoint.Contains("ldap://"))
                         * {
                         *     Console.WriteLine("Has ldap crl");
                         *
                         * }*/
                    }
                }

                if (crlDistPoint != "")
                {
                    if (crlDistPoint.Contains("http://") && !crlCritical)
                    {
                        verboseWriter.LogSignatureMessage(signature, "Signature has properly provided CRL distribution point.");
                        pass = true;
                    }
                    else
                    {
                        verboseWriter.LogSignatureMessage(signature, "Signature has not properly provided CRL distribution point.");
                        pass = false;
                    }
                }
                else
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature has not provided CRL distribution point.");
                    pass = false;
                }
            }

            return(pass ? TestResult.Pass : TestResult.Fail);
        }
        public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
        {
            var signatures     = graph.VisitAll(SignatureKind.AnySignature);
            var pass           = true;
            int signatureIndex = 0;

            foreach (var signature in signatures)
            {
                string  repeatedExtension = "";
                var     counterSignatures = signature.VisitAll(SignatureKind.AnyCounterSignature).ToList();
                int     ts                         = counterSignatures.Count;
                var     isSigned                   = false;
                var     strongSign                 = 0;
                var     tsDigestString             = "";
                string  otherExtensions            = "";
                string  serialNumber               = "";
                int     pathLength                 = 0;
                Boolean BC_CA                      = false;
                Boolean hasPathLength              = false;
                string  KU                         = "";
                Boolean KUCritical                 = false;
                string  SKI                        = "";
                string  EKU_oidStr                 = "";
                string  AKI                        = "";
                string  certificatePolicies        = "";
                string  crlDistPoint               = "";
                string  authorityInformationAccess = "";
                Boolean crlCritical                = false;
                Boolean EKUCritical                = false;
                Boolean BCCritical                 = false;
                Boolean CPCritical                 = false;
                Boolean SKICritical                = false;
                Boolean AKICritical                = false;
                Boolean AIACritical                = false;
                // Boolean CS_EKU = false;
                int KU_extension  = 0;
                int EKU_extension = 0;
                int BC_extension  = 0;
                int SKI_extension = 0;
                int AKI_extension = 0;
                int crl_extension = 0;
                int CP_extension  = 0;
                int AIA_extension = 0;



                string thumbprint = signature.Certificate.Thumbprint;
                var    digestStr  = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
                DBConnect.InsertSignatureTable(Program.fileName, Program.appName, digestStr, signature.DigestAlgorithm.FriendlyName, signature.Certificate.Version, ts, thumbprint, signature.Certificate.Issuer, signature.Certificate.IssuerName.Name, signature.Certificate.Subject, signature.Certificate.SubjectName.Name, signatureIndex);
                System.DateTime notBeforeDate = signature.Certificate.NotBefore;
                System.DateTime notAfterDate  = signature.Certificate.NotAfter;
                serialNumber = signature.Certificate.SerialNumber;
                DBConnect.InsertSignatureDateTable(Program.appName, Program.fileName, digestStr, notBeforeDate.Year, notBeforeDate.Month, notBeforeDate.Day, notAfterDate.Year, notAfterDate.Month, notAfterDate.Day, thumbprint, signatureIndex);
                X509ExtensionCollection extensions = signature.Certificate.Extensions;
                foreach (X509Extension extension in extensions)
                {
                    //extension.Oid.FriendlyName
                    Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")");


                    if (extension.Oid.FriendlyName == "Key Usage")
                    {
                        X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
                        KUCritical = ext.Critical;
                        if (KU_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        KU = ext.KeyUsages.ToString();
                        Console.WriteLine(KU);
                        KU_extension++;
                    }

                    else if (extension.Oid.FriendlyName == "Basic Constraints")
                    {
                        X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;
                        BCCritical = ext.Critical;
                        if (BC_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        BC_CA         = ext.CertificateAuthority;
                        hasPathLength = ext.HasPathLengthConstraint;
                        pathLength    = ext.PathLengthConstraint;
                        Console.WriteLine(BC_CA);
                        Console.WriteLine(hasPathLength);
                        Console.WriteLine(pathLength);
                        BC_extension++;
                    }

                    else if (extension.Oid.FriendlyName == "Subject Key Identifier")
                    {
                        X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)extension;
                        SKICritical = ext.Critical;
                        if (SKI_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        SKI = ext.SubjectKeyIdentifier.ToString();
                        Console.WriteLine(SKI);
                        SKI_extension++;
                    }

                    else if (extension.Oid.FriendlyName == "Authority Key Identifier")
                    {
                        AKICritical = extension.Critical;
                        if (AKI_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        AKI = extension.Format(true);
                        Console.WriteLine(AKI);
                        AKI_extension++;
                    }

                    else if (extension.Oid.FriendlyName == "Enhanced Key Usage")
                    {
                        if (EKU_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension;

                        OidCollection oids = ext.EnhancedKeyUsages;
                        EKUCritical = ext.Critical;

                        foreach (Oid oid in oids)
                        {
                            //if (oid.Equals("1.3.6.1.5.5.7.3.3"))


                            EKU_oidStr = oid.FriendlyName + "(" + oid.Value + ")" + ";" + EKU_oidStr;
                        }
                        Console.WriteLine(EKU_oidStr);
                        EKU_extension++;
                    }
                    else if (extension.Oid.FriendlyName == "CRL Distribution Points")
                    {
                        /*This extension MUST be present, MUST NOT be marked critical,
                         * and MUST contain the HTTP URL of the CA’s CRL service*/
                        //Boolean crlHttpExists = false;
                        if (crl_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        crlDistPoint = extension.Format(true);
                        crlCritical  = extension.Critical;
                        Console.WriteLine(crlDistPoint);
                        if (crlDistPoint.Contains("http://"))
                        {
                            //crlHttpExists = true;
                            Console.WriteLine("has http crl");
                        }
                        if (crlDistPoint.Contains("ldap://"))
                        {
                            Console.WriteLine("has ldap crl");
                        }
                        crl_extension++;
                    }
                    else if (extension.Oid.FriendlyName == "Certificate Policies")
                    {
                        if (CP_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        certificatePolicies = extension.Format(true);
                        CPCritical          = extension.Critical;
                        Console.WriteLine(certificatePolicies);
                        CP_extension++;
                    }

                    else if (extension.Oid.FriendlyName == "Authority Information Access")
                    {
                        if (AIA_extension != 0)
                        {
                            repeatedExtension += extension.Oid.FriendlyName + ",";
                        }
                        authorityInformationAccess = extension.Format(true);
                        AIACritical = extension.Critical;
                        Console.WriteLine(authorityInformationAccess);
                        AIA_extension++;
                    }

                    else
                    {
                        otherExtensions += ";" + extension.Oid.FriendlyName + "(" + extension.Oid.Value.ToString() + ")";
                    }
                }
                DBConnect.InsertRepeatedExtensionsTable(Program.appName, Program.fileName, repeatedExtension, thumbprint);
                DBConnect.InsertExtensionsTable(Program.appName, Program.fileName, digestStr, serialNumber, Convert.ToInt32(BC_CA), pathLength, Convert.ToInt32(hasPathLength), KU, SKI, EKU_oidStr, AKI, certificatePolicies, crlDistPoint, Convert.ToInt32(crlCritical), Convert.ToInt32(EKUCritical), Convert.ToInt32(KUCritical), Convert.ToInt32(BCCritical), Convert.ToInt32(CPCritical), Convert.ToInt32(SKICritical), Convert.ToInt32(AKICritical), otherExtensions, authorityInformationAccess, Convert.ToInt32(AIACritical), thumbprint, signatureIndex);
                Validation.validateWithSignTool(Program.filePath, signatureIndex, thumbprint);
                int tssignatureIndex = 0;
                foreach (var counterSignature in counterSignatures)
                {
                    //reset extensions' values
                    otherExtensions = "";
                    serialNumber    = "";
                    pathLength      = 0;
                    BC_CA           = false;
                    hasPathLength   = false;
                    KU                         = "";
                    KUCritical                 = false;
                    SKI                        = "";
                    EKU_oidStr                 = "";
                    AKI                        = "";
                    certificatePolicies        = "";
                    crlDistPoint               = "";
                    authorityInformationAccess = "";
                    crlCritical                = false;
                    EKUCritical                = false;
                    BCCritical                 = false;
                    CPCritical                 = false;
                    SKICritical                = false;
                    AKICritical                = false;
                    AIACritical                = false;

                    tsDigestString = HashHelpers.GetHashForSignature(counterSignature);//message digest of siganture(signature->details->advance->msg digest)
                    System.DateTime tsNotBeforeDate = counterSignature.Certificate.NotBefore;
                    System.DateTime tsNotAfterDate  = counterSignature.Certificate.NotAfter;

                    DBConnect.InsertTSSignatureDateTable(Program.appName, Program.fileName, tsDigestString, tsNotBeforeDate.Year, tsNotBeforeDate.Month, tsNotBeforeDate.Day, tsNotAfterDate.Year, tsNotAfterDate.Month, tsNotAfterDate.Day, counterSignature.Certificate.Thumbprint, tssignatureIndex);
                    isSigned = true;
                    if (counterSignature.DigestAlgorithm.Value == signature.DigestAlgorithm.Value)
                    {
                        strongSign++;
                        DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 1, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
                    }
                    else
                    {
                        DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 0, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
                    }


                    //extracting extensions of timestamp certificate

                    X509ExtensionCollection tsEextensions = signature.Certificate.Extensions;
                    foreach (X509Extension extension in tsEextensions)
                    {
                        //extension.Oid.FriendlyName
                        Console.WriteLine(extension.Oid.FriendlyName + "(" + extension.Oid.Value + ")");


                        if (extension.Oid.FriendlyName == "Key Usage")
                        {
                            X509KeyUsageExtension ext = (X509KeyUsageExtension)extension;
                            KUCritical = ext.Critical;
                            KU         = ext.KeyUsages.ToString();
                            Console.WriteLine(KU);
                        }

                        else if (extension.Oid.FriendlyName == "Basic Constraints")
                        {
                            X509BasicConstraintsExtension ext = (X509BasicConstraintsExtension)extension;
                            BCCritical    = ext.Critical;
                            BC_CA         = ext.CertificateAuthority;
                            hasPathLength = ext.HasPathLengthConstraint;
                            pathLength    = ext.PathLengthConstraint;
                            Console.WriteLine(BC_CA);
                            Console.WriteLine(hasPathLength);
                            Console.WriteLine(pathLength);
                        }

                        else if (extension.Oid.FriendlyName == "Subject Key Identifier")
                        {
                            X509SubjectKeyIdentifierExtension ext = (X509SubjectKeyIdentifierExtension)extension;
                            SKICritical = ext.Critical;
                            SKI         = ext.SubjectKeyIdentifier.ToString();
                            Console.WriteLine(SKI);
                        }

                        else if (extension.Oid.FriendlyName == "Authority Key Identifier")
                        {
                            AKICritical = extension.Critical;
                            AKI         = extension.Format(true);
                            Console.WriteLine(AKI);
                        }

                        else if (extension.Oid.FriendlyName == "Enhanced Key Usage")
                        {
                            //Boolean CS_EKU;
                            X509EnhancedKeyUsageExtension ext = (X509EnhancedKeyUsageExtension)extension;
                            OidCollection oids = ext.EnhancedKeyUsages;
                            EKUCritical = ext.Critical;

                            foreach (Oid oid in oids)
                            {
                                //if (oid.Equals("1.3.6.1.5.5.7.3.3"))
                                //  CS_EKU = true;
                                EKU_oidStr = oid.FriendlyName + "(" + oid.Value + ")" + ";" + EKU_oidStr;
                            }
                            Console.WriteLine(EKU_oidStr);
                        }
                        else if (extension.Oid.FriendlyName == "CRL Distribution Points")
                        {
                            /*This extension MUST be present, MUST NOT be marked critical,
                             * and MUST contain the HTTP URL of the CA’s CRL service*/
                            //Boolean crlHttpExists = false;
                            crlDistPoint = extension.Format(true);
                            crlCritical  = extension.Critical;
                            Console.WriteLine(crlDistPoint);
                            if (crlDistPoint.Contains("http://"))
                            {
                                //crlHttpExists = true;
                                Console.WriteLine("has http crl");
                            }
                            if (crlDistPoint.Contains("ldap://"))
                            {
                                Console.WriteLine("has ldap crl");
                            }
                        }
                        else if (extension.Oid.FriendlyName == "Certificate Policies")
                        {
                            certificatePolicies = extension.Format(true);
                            CPCritical          = extension.Critical;
                            Console.WriteLine(certificatePolicies);
                        }

                        else if (extension.Oid.FriendlyName == "Authority Information Access")
                        {
                            authorityInformationAccess = extension.Format(true);
                            AIACritical = extension.Critical;
                            Console.WriteLine(authorityInformationAccess);
                        }

                        else
                        {
                            otherExtensions += ";" + extension.Oid.FriendlyName + "(" + extension.Oid.Value.ToString() + ")";
                        }
                    }
                    DBConnect.InsertTSExtensionsTable(Program.appName, Program.fileName, digestStr, serialNumber, Convert.ToInt32(BC_CA), pathLength, Convert.ToInt32(hasPathLength), KU, SKI, EKU_oidStr, AKI, certificatePolicies, crlDistPoint, Convert.ToInt32(crlCritical), Convert.ToInt32(EKUCritical), Convert.ToInt32(KUCritical), Convert.ToInt32(BCCritical), Convert.ToInt32(CPCritical), Convert.ToInt32(SKICritical), Convert.ToInt32(AKICritical), otherExtensions, authorityInformationAccess, Convert.ToInt32(AIACritical), thumbprint, tssignatureIndex);
                    tssignatureIndex++;
                }

                if (!isSigned && strongSign >= 1)
                {
                    throw new InvalidOperationException("Unexpectedly have a strong signature.");
                }
                if (!isSigned)
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature is not timestamped.");
                    pass = false;
                }
                else if (strongSign == 0)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
                    pass = false;
                }
                signatureIndex++;
            }

            return(pass ? TestResult.Pass : TestResult.Fail);
        }
Пример #4
0
        public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
        {
            var signatures     = graph.VisitAll(SignatureKind.AnySignature);
            var pass           = true;
            int signatureIndex = 0;

            foreach (var signature in signatures)
            {
                var    counterSignatures = signature.VisitAll(SignatureKind.AnyCounterSignature).ToList();
                int    ts             = counterSignatures.Count;
                var    isSigned       = false;
                var    strongSign     = 0;
                var    tsDigestString = "";
                string serialNumber   = "";
                string thumbprint     = signature.Certificate.Thumbprint;
                var    digestStr      = HashHelpers.GetHashForSignature(signature);//message digest of siganture(signature->details->advance->msg digest)
                DBConnect.InsertSignatureTable(Program.fileName, Program.appName, digestStr, signature.DigestAlgorithm.FriendlyName, signature.Certificate.Version, ts, thumbprint, signature.Certificate.Issuer, signature.Certificate.IssuerName.Name, signature.Certificate.Subject, signature.Certificate.SubjectName.Name, signatureIndex);
                System.DateTime notBeforeDate = signature.Certificate.NotBefore;
                System.DateTime notAfterDate  = signature.Certificate.NotAfter;
                serialNumber = signature.Certificate.SerialNumber;
                DBConnect.InsertSignatureDateTable(Program.appName, Program.fileName, digestStr, notBeforeDate.Year, notBeforeDate.Month, notBeforeDate.Day, notAfterDate.Year, notAfterDate.Month, notAfterDate.Day, thumbprint, signatureIndex);
                X509ExtensionCollection extensions = signature.Certificate.Extensions;

                int tssignatureIndex = 0;
                foreach (var counterSignature in counterSignatures)
                {
                    tsDigestString = HashHelpers.GetHashForSignature(counterSignature);//message digest of siganture(signature->details->advance->msg digest)
                    System.DateTime tsNotBeforeDate = counterSignature.Certificate.NotBefore;
                    System.DateTime tsNotAfterDate  = counterSignature.Certificate.NotAfter;

                    DBConnect.InsertTSSignatureDateTable(Program.appName, Program.fileName, tsDigestString, tsNotBeforeDate.Year, tsNotBeforeDate.Month, tsNotBeforeDate.Day, tsNotAfterDate.Year, tsNotAfterDate.Month, tsNotAfterDate.Day, counterSignature.Certificate.Thumbprint, tssignatureIndex);
                    isSigned = true;
                    if (counterSignature.DigestAlgorithm.Value == signature.DigestAlgorithm.Value)
                    {
                        strongSign++;
                        DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 1, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
                    }
                    else
                    {
                        DBConnect.InsertTSSignatureTable(Program.appName, Program.fileName, tsDigestString, counterSignature.DigestAlgorithm.FriendlyName, counterSignature.Certificate.Version, 0, thumbprint, counterSignature.Certificate.Thumbprint, counterSignature.Certificate.Issuer, counterSignature.Certificate.IssuerName.Name, counterSignature.Certificate.Subject, counterSignature.Certificate.SubjectName.Name);
                    }
                }
                if (!isSigned && strongSign >= 1)
                {
                    throw new InvalidOperationException("Unexpectedly have a strong signature.");
                }
                if (!isSigned)
                {
                    verboseWriter.LogSignatureMessage(signature, "Signature is not timestamped.");
                    pass = false;
                }
                else if (strongSign == 0)
                {
                    verboseWriter.LogSignatureMessage(signature, $"Signature is not timestamped with the expected hash algorithm {signature.DigestAlgorithm.FriendlyName}.");
                    pass = false;
                }
                signatureIndex++;
            }

            return(pass ? TestResult.Pass : TestResult.Fail);
        }