public RuleResult Validate(IReadOnlyList <ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.Any | SignatureKind.Deep);
var result = RuleResult.Pass;
foreach (var signature in signatures)
{
var keyInfo = BitStrengthCalculator.CalculateStrength(signature.Certificate);
switch (keyInfo.AlgorithmName)
{
case PublicKeyAlgorithm.ECDSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature uses ECDSA with an unknown curve.");
result = RuleResult.Fail;
}
else if (keyInfo.BitSize > MAX_ECDSA_KEY_SIZE)
{
verboseWriter.LogSignatureMessage(signature, $"Signature uses ECDSA signature with a key size of {keyInfo.BitSize} exeeding maximum size of {MAX_ECDSA_KEY_SIZE}.");
result = RuleResult.Fail;
}
break;
case PublicKeyAlgorithm.RSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown RSA key size.");
result = RuleResult.Fail;
}
else if (keyInfo.BitSize > MAX_RSA_KEY_SIZE)
{
verboseWriter.LogSignatureMessage(signature, $"Signature uses RSA signature with a key size of {keyInfo.BitSize} exeeding maximum size of {MAX_RSA_KEY_SIZE}.");
result = RuleResult.Fail;
}
break;
case PublicKeyAlgorithm.DSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown DSA key size.");
result = RuleResult.Fail;
}
else if (keyInfo.BitSize > MAX_DSA_KEY_SIZE)
{
verboseWriter.LogSignatureMessage(signature, $"Signature uses DSA signature with a key size of {keyInfo.BitSize} exeeding maximum size of {MAX_DSA_KEY_SIZE}.");
result = RuleResult.Fail;
}
break;
case PublicKeyAlgorithm.Other:
goto default;
default:
verboseWriter.LogSignatureMessage(signature, $"Signature uses an unknown algorithm.");
result = RuleResult.Fail;
break;
}
}
return(result);
}
public RuleResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.Any | SignatureKind.Any);
var result = RuleResult.Pass;
foreach (var signature in signatures)
{
var keyInfo = BitStrengthCalculator.CalculateStrength(signature.Certificate);
switch (keyInfo.AlgorithmName)
{
case PublicKeyAlgorithm.ECDSA when keyInfo.BitSize is null:
verboseWriter.LogSignatureMessage(signature, "Signature uses ECDSA with an unknown curve.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.ECDSA when keyInfo.BitSize < MIN_ECDSA_KEY_SIZE:
verboseWriter.LogSignatureMessage(signature, $"Signature uses a ECDSA key of size {keyInfo.BitSize} which is below the recommended {MIN_ECDSA_KEY_SIZE}.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.ECDSA:
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize is null:
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown RSA key size.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize < MIN_RSADSA_KEY_SIZE:
verboseWriter.LogSignatureMessage(signature, $"Signature uses a RSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize >= MIN_RSADSA_KEY_SIZE:
break;
case PublicKeyAlgorithm.DSA when keyInfo.BitSize is null:
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown DSA key size.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.DSA when keyInfo.BitSize < MIN_RSADSA_KEY_SIZE:
//Effectively, 1024 is the max for a DSA key, so this will likely always fail.
verboseWriter.LogSignatureMessage(signature, $"Signature uses a DSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
result = RuleResult.Fail;
break;
case PublicKeyAlgorithm.DSA:
break;
default:
verboseWriter.LogSignatureMessage(signature, $"Signature uses an unknown algorithm.");
result = RuleResult.Fail;
break;
}
}
return(result);
}
public RuleResult Validate(IReadOnlyList <ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.Any | SignatureKind.Any);
var result = RuleResult.Pass;
foreach (var signature in signatures)
{
var keyInfo = BitStrengthCalculator.CalculateStrength(signature.Certificate);
switch (keyInfo.AlgorithmName)
{
case PublicKeyAlgorithm.ECDSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature uses ECDSA with an unknown curve.");
result = RuleResult.Fail;
}
//We don't actually check the key size for ECDSA since all known values are acceptable.
break;
case PublicKeyAlgorithm.RSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown RSA key size.");
result = RuleResult.Fail;
}
else if (keyInfo.BitSize < MIN_RSADSA_KEY_SIZE)
{
verboseWriter.LogSignatureMessage(signature, $"Signature uses a RSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
result = RuleResult.Fail;
}
break;
case PublicKeyAlgorithm.DSA:
if (keyInfo.BitSize == null)
{
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown DSA key size.");
result = RuleResult.Fail;
}
else if (keyInfo.BitSize < MIN_RSADSA_KEY_SIZE)
{
//Effectively, 1024 is the max for a DSA key, so this will likely always fail.
verboseWriter.LogSignatureMessage(signature, $"Signature uses a DSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
result = RuleResult.Fail;
}
break;
case PublicKeyAlgorithm.Other:
goto default;
default:
verboseWriter.LogSignatureMessage(signature, $"Signature uses an unknown algorithm.");
result = RuleResult.Fail;
break;
}
}
return(result);
}
public RuleResult Validate(IReadOnlyList <ISignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var primary = graph.SingleOrDefault();
//There are zero signatures.
if (primary == null)
{
return(RuleResult.Fail);
}
var info = BitStrengthCalculator.CalculateStrength(primary.Certificate);
if (info.AlgorithmName != PublicKeyAlgorithm.RSA && info.AlgorithmName != PublicKeyAlgorithm.DSA)
{
verboseWriter.LogSignatureMessage(primary, $"Primary signature should use RSA or DSA key but uses ${info.AlgorithmName.ToString()}");
return(RuleResult.Fail);
}
return(RuleResult.Pass);
}
public TestResult Validate(IReadOnlyList <ICmsSignature> graph, SignatureLogger verboseWriter, CheckConfiguration configuration)
{
var signatures = graph.VisitAll(SignatureKind.Any | SignatureKind.Any);
var result = TestResult.Pass;
int signatureIndex = 0;
foreach (var signature in signatures)
{
string thumbprint = signature.Certificate.Thumbprint;
string errMsg = "";
int keySize = 0;
var keyInfo = BitStrengthCalculator.CalculateStrength(signature.Certificate);
if (!(keyInfo.BitSize is null))
{
keySize = (int)keyInfo.BitSize;
}
string signatureAlgorithm = "";
switch (keyInfo.AlgorithmName)
{
case PublicKeyAlgorithm.ECDSA when keyInfo.BitSize is null:
errMsg = "Signature uses ECDSA with an unknown curve.";
verboseWriter.LogSignatureMessage(signature, "Signature uses ECDSA with an unknown curve.");
signatureAlgorithm = "ECDSA";
result = TestResult.Fail;
break;
case PublicKeyAlgorithm.ECDSA when keyInfo.BitSize < MIN_ECDSA_KEY_SIZE:
errMsg = $"Signature uses a ECDSA key of size {keyInfo.BitSize} which is below the recommended {MIN_ECDSA_KEY_SIZE}.";
verboseWriter.LogSignatureMessage(signature, $"Signature uses a ECDSA key of size {keyInfo.BitSize} which is below the recommended {MIN_ECDSA_KEY_SIZE}.");
result = TestResult.Fail;
signatureAlgorithm = "ECDSA";
break;
case PublicKeyAlgorithm.ECDSA:
signatureAlgorithm = "ECDSA";
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize is null:
errMsg = "Signature has an unknown RSA key size.";
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown RSA key size.");
result = TestResult.Fail;
signatureAlgorithm = "RSA";
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize < MIN_RSADSA_KEY_SIZE:
errMsg = $"Signature uses a RSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.";
verboseWriter.LogSignatureMessage(signature, $"Signature uses a RSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
signatureAlgorithm = "RSA";
result = TestResult.Fail;
break;
case PublicKeyAlgorithm.RSA when keyInfo.BitSize >= MIN_RSADSA_KEY_SIZE:
signatureAlgorithm = "RSA";
break;
case PublicKeyAlgorithm.DSA when keyInfo.BitSize is null:
errMsg = "Signature has an unknown DSA key size.";
verboseWriter.LogSignatureMessage(signature, "Signature has an unknown DSA key size.");
result = TestResult.Fail;
signatureAlgorithm = "DSA";
break;
case PublicKeyAlgorithm.DSA when keyInfo.BitSize < MIN_RSADSA_KEY_SIZE:
//Effectively, 1024 is the max for a DSA key, so this will likely always fail.
errMsg = $"Signature uses a DSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.";
verboseWriter.LogSignatureMessage(signature, $"Signature uses a DSA key of size {keyInfo.BitSize} which is below the recommended {MIN_RSADSA_KEY_SIZE}.");
result = TestResult.Fail;
signatureAlgorithm = "DSA";
break;
case PublicKeyAlgorithm.DSA:
signatureAlgorithm = "DSA";
break;
default:
errMsg = $"Signature uses an unknown algorithm.";
verboseWriter.LogSignatureMessage(signature, $"Signature uses an unknown algorithm.");
result = TestResult.Fail;
break;
}
DBConnect.InsertPublicKeyInfo(Program.appName, Program.fileName, signatureAlgorithm, keySize, thumbprint, errMsg, signatureIndex);
signatureIndex++;
}
return(result);
}