public static Rfc3161TimestampToken LoadAndVerifyHash(byte[] encodedToken, byte[] hash)
{
if (encodedToken == null)
{
throw new ArgumentNullException(nameof(encodedToken));
}
if (hash == null)
{
throw new ArgumentNullException(nameof(hash));
}
Rfc3161TimestampToken token = CryptVerifyTimeStampSignature(encodedToken, null);
if (!token.TokenInfo.HasMessageHash(hash))
{
const int NTE_BAD_HASH = unchecked ((int)0x80090002);
token.SignerCertificate?.Dispose();
foreach (var cert in token.AdditionalCerts)
{
cert?.Dispose();
}
throw new CryptographicException(NTE_BAD_HASH);
}
return(token);
}
public Rfc3161TimestampTokenNet472Wrapper(
IRfc3161TimestampTokenInfo tstInfo,
X509Certificate2 signerCertificate,
X509Certificate2Collection additionalCerts,
byte[] encoded)
{
_rfc3161TimestampToken = new Rfc3161TimestampToken(
tstInfo,
signerCertificate,
additionalCerts,
encoded);
}
private static void ValidateTimestampResponse(byte[] nonce, byte[] data, Rfc3161TimestampToken timestampToken)
{
if (!nonce.SequenceEqual(timestampToken.TokenInfo.GetNonce()))
{
throw new TimestampException(NuGetLogCode.NU3026, Strings.TimestampFailureNonceMismatch);
}
if (!timestampToken.TokenInfo.HasMessageHash(data))
{
throw new TimestampException(NuGetLogCode.NU3019, Strings.TimestampIntegrityCheckFailed);
}
}
private static void ValidateTimestampResponseNonce(
byte[] nonce,
Rfc3161TimestampToken timestampToken)
{
if (!nonce.SequenceEqual(timestampToken.TokenInfo.GetNonce()))
{
throw new TimestampException(LogMessage.CreateError(
NuGetLogCode.NU3026,
string.Format(CultureInfo.CurrentCulture,
Strings.TimestampResponseExceptionGeneral,
Strings.TimestampFailureNonceMismatch)));
}
}
private static void ValidateTimestampCms(SigningSpecifications spec, SignedCms timestampCms, Rfc3161TimestampToken timestampToken)
{
var signerInfo = timestampCms.SignerInfos[0];
try
{
signerInfo.CheckSignature(verifySignatureOnly: true);
}
catch (Exception e)
{
throw new TimestampException(NuGetLogCode.NU3021, Strings.SignError_TimestampSignatureValidationFailed, e);
}
if (signerInfo.Certificate == null)
{
throw new TimestampException(NuGetLogCode.NU3020, Strings.SignError_TimestampNoCertificate);
}
if (!CertificateUtility.IsSignatureAlgorithmSupported(signerInfo.Certificate))
{
var certificateSignatureAlgorithm = GetNameOrOidString(signerInfo.Certificate.SignatureAlgorithm);
var supportedSignatureAlgorithms = string.Join(", ", spec.AllowedSignatureAlgorithms);
var errorMessage = string.Format(CultureInfo.CurrentCulture,
Strings.TimestampCertificateUnsupportedSignatureAlgorithm,
certificateSignatureAlgorithm,
supportedSignatureAlgorithms);
throw new TimestampException(NuGetLogCode.NU3022, errorMessage);
}
if (!CertificateUtility.IsCertificatePublicKeyValid(signerInfo.Certificate))
{
throw new TimestampException(NuGetLogCode.NU3023, Strings.SignError_TimestampCertificateFailsPublicKeyLengthRequirement);
}
if (!spec.AllowedHashAlgorithmOids.Contains(signerInfo.DigestAlgorithm.Value))
{
var digestAlgorithm = GetNameOrOidString(signerInfo.DigestAlgorithm);
var supportedSignatureAlgorithms = string.Join(", ", spec.AllowedHashAlgorithms);
var errorMessage = string.Format(CultureInfo.CurrentCulture,
Strings.TimestampResponseUnsupportedDigestAlgorithm,
digestAlgorithm,
supportedSignatureAlgorithms);
throw new TimestampException(NuGetLogCode.NU3024, errorMessage);
}
if (CertificateUtility.IsCertificateValidityPeriodInTheFuture(signerInfo.Certificate))
{
throw new TimestampException(NuGetLogCode.NU3025, Strings.SignError_TimestampNotYetValid);
}
if (!CertificateUtility.IsDateInsideValidityPeriod(signerInfo.Certificate, timestampToken.TokenInfo.Timestamp))
{
throw new TimestampException(NuGetLogCode.NU3036, Strings.SignError_TimestampGeneralizedTimeInvalid);
}
}
