PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, SignatureType signatureType)
{
// Get the chain
var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic)
.GetGetMethod(true);
var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);
var attribs = SigningUtility.CreateSignedAttributes(request, certs);
// Convert .NET crypto attributes to Bouncy Castle
var attribTable = new AttributeTable(new Asn1EncodableVector(attribs.Cast <CryptographicAttributeObject>()
.Select(ToBcAttribute)
.ToArray()));
// SignerInfo generator setup
var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder()
.WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(attribTable));
// Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
// number. However, to ensure cross-platform verification, SKI should only be used if the certificate
// has the SKI extension attribute.
// Try to look for the value
var bcCer = DotNetUtilities.FromX509Certificate(request.Certificate);
var ext = bcCer.GetExtensionValue(new DerObjectIdentifier(Oids.SubjectKeyIdentifier));
SignerInfoGenerator signerInfoGenerator;
if (ext != null)
{
var ski = new SubjectKeyIdentifierStructure(ext);
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), ski.GetKeyIdentifier());
}
else
{
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), bcCer);
}
var generator = new CmsSignedDataGenerator();
generator.AddSignerInfoGenerator(signerInfoGenerator);
// Get the chain as bc certs
generator.AddCertificates(X509StoreFactory.Create("Certificate/Collection",
new X509CollectionStoreParameters(certs.Select(DotNetUtilities.FromX509Certificate).
ToList())));
var msg = new CmsProcessableByteArray(signatureContent.GetBytes());
var data = generator.Generate(msg, true);
var encoded = data.ContentInfo.GetDerEncoded();
return(PrimarySignature.Load(encoded));
}
public void CreateSignedAttributes_SignPackageRequest_WhenRequestNull_Throws()
{
using (var certificate = _fixture.GetDefaultCertificate())
{
var exception = Assert.Throws <ArgumentNullException>(
() => SigningUtility.CreateSignedAttributes((SignPackageRequest)null, new[] { certificate }));
Assert.Equal("request", exception.ParamName);
}
}
CmsSigner CreateCmsSigner(SignPackageRequest request, IReadOnlyList <X509Certificate2> chain, ILogger logger)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (logger == null)
{
throw new ArgumentNullException(nameof(logger));
}
// Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
// number. However, to ensure cross-platform verification, SKI should only be used if the certificate
// has the SKI extension attribute.
CmsSigner signer;
if (request.Certificate.Extensions[Oids.SubjectKeyIdentifier] == null)
{
signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, request.Certificate, provider);
}
else
{
signer = new CmsSigner(SubjectIdentifierType.SubjectKeyIdentifier, request.Certificate, provider);
}
foreach (var certificate in chain)
{
signer.Certificates.Add(certificate);
}
CryptographicAttributeObjectCollection attributes;
if (request.SignatureType == SignatureType.Repository)
{
attributes = SigningUtility.CreateSignedAttributes((RepositorySignPackageRequest)request, chain);
}
else
{
attributes = SigningUtility.CreateSignedAttributes(request, chain);
}
foreach (var attribute in attributes)
{
signer.SignedAttributes.Add(attribute);
}
// We built the chain ourselves and added certificates.
// Passing any other value here would trigger another chain build
// and possibly add duplicate certs to the collection.
signer.IncludeOption = X509IncludeOption.None;
signer.DigestAlgorithm = request.SignatureHashAlgorithm.ConvertToOid();
return(signer);
}
public void CreateSignedAttributes_RepositorySignPackageRequest_WhenChainListEmpty_Throws()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequestRepository(certificate, new Uri("https://test.test"), new[] { "a" }))
{
var exception = Assert.Throws <ArgumentException>(
() => SigningUtility.CreateSignedAttributes(request, new X509Certificate2[0]));
Assert.Equal("chainList", exception.ParamName);
Assert.StartsWith("The argument cannot be null or empty.", exception.Message);
}
}
public void CreateSignedAttributes_SignPackageRequest_WhenChainListNull_Throws()
{
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequest(certificate))
{
var exception = Assert.Throws <ArgumentException>(
() => SigningUtility.CreateSignedAttributes(request, chainList: null));
Assert.Equal("chainList", exception.ParamName);
Assert.StartsWith("The argument cannot be null or empty.", exception.Message);
}
}
public void CreateSignedAttributes_RepositorySignPackageRequest_WhenPackageOwnersNonEmpty_ReturnsAttributes()
{
var v3ServiceIndexUrl = new Uri("https://test.test", UriKind.Absolute);
var packageOwners = new[] { "a" };
using (var certificate = _fixture.GetDefaultCertificate())
using (var request = CreateRequestRepository(certificate, v3ServiceIndexUrl, packageOwners))
{
var attributes = SigningUtility.CreateSignedAttributes(request, new[] { certificate });
Assert.Equal(5, attributes.Count);
VerifyAttributesRepository(attributes, request, v3ServiceIndexUrl, packageOwners);
}
}
public void CreateSignedAttributes_SignPackageRequest_WithValidInput_ReturnsAttributes()
{
using (var rootCertificate = SignTestUtility.GetCertificate("root.crt"))
using (var intermediateCertificate = SignTestUtility.GetCertificate("intermediate.crt"))
using (var leafCertificate = SignTestUtility.GetCertificate("leaf.crt"))
using (var request = CreateRequest(leafCertificate))
{
var certList = new[] { leafCertificate, intermediateCertificate, rootCertificate };
var attributes = SigningUtility.CreateSignedAttributes(request, certList);
Assert.Equal(3, attributes.Count);
VerifyAttributes(attributes, request);
}
}