public Rfc3161TimestampTokenNetstandard21Wrapper( System.Security.Cryptography.Pkcs.Rfc3161TimestampToken rfc3161TimestampToken) { _rfc3161TimestampToken = rfc3161TimestampToken; TokenInfo = new Rfc3161TimestampTokenInfoNetstandard21Wrapper(_rfc3161TimestampToken.TokenInfo); }
private bool ProcessResponse( ReadOnlyMemory <byte> source, out Rfc3161TimestampToken token, out Rfc3161RequestResponseStatus status, out int bytesConsumed, bool shouldThrow) { status = Rfc3161RequestResponseStatus.Unknown; token = null; Rfc3161TimeStampResp resp; try { resp = AsnSerializer.Deserialize <Rfc3161TimeStampResp>(source, AsnEncodingRules.DER, out bytesConsumed); } catch (CryptographicException) when(!shouldThrow) { bytesConsumed = 0; status = Rfc3161RequestResponseStatus.DoesNotParse; return(false); } // bytesRead will be set past this point PkiStatus pkiStatus = (PkiStatus)resp.Status.Status; if (pkiStatus != PkiStatus.Granted && pkiStatus != PkiStatus.GrantedWithMods) { if (shouldThrow) { throw new CryptographicException( SR.Format( SR.Cryptography_TimestampReq_Failure, pkiStatus, resp.Status.FailInfo.GetValueOrDefault())); } status = Rfc3161RequestResponseStatus.RequestFailed; return(false); } if (!Rfc3161TimestampToken.TryDecode(resp.TimeStampToken.GetValueOrDefault(), out token, out _)) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_BadResponse); } bytesConsumed = 0; status = Rfc3161RequestResponseStatus.DoesNotParse; return(false); } status = ValidateResponse(token, shouldThrow); return(status == Rfc3161RequestResponseStatus.Accepted); }
private Rfc3161RequestResponseStatus ValidateResponse( Rfc3161TimestampToken token, bool shouldThrow) { Debug.Assert(token != null); // This method validates the acceptance criteria sprinkled throughout the // field descriptions in https://tools.ietf.org/html/rfc3161#section-2.4.1 and // https://tools.ietf.org/html/rfc3161#section-2.4.2 if (!token.VerifyHash(GetMessageHash().Span, HashAlgorithmId.Value)) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_BadHashValue); } return(Rfc3161RequestResponseStatus.HashMismatch); } Rfc3161TimestampTokenInfo tokenInfo = token.TokenInfo; // We only understand V1 messaging and validation if (tokenInfo.Version != 1) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_BadResponse); } return(Rfc3161RequestResponseStatus.VersionTooNew); } // reqPolicy is what the policy SHOULD be, so we can't reject it here. ReadOnlyMemory <byte>?requestNonce = GetNonce(); ReadOnlyMemory <byte>?responseNonce = tokenInfo.GetNonce(); // The RFC says that if a nonce was in the request it MUST be present in // the response and it MUST be equal. // // It does not say that if no nonce was requested that the response MUST NOT include one, so // don't check anything if no nonce was requested. if (requestNonce != null) { if (responseNonce == null || !requestNonce.Value.Span.SequenceEqual(responseNonce.Value.Span)) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_BadNonce); } return(Rfc3161RequestResponseStatus.NonceMismatch); } } SignedCms tokenCms = token.AsSignedCms(); if (RequestSignerCertificate) { // If the certificate was requested it // A) MUST be present in token.AsSignedCms().Certificates // B) the ESSCertID(2) identifier MUST be correct. // // Other certificates are permitted, and will not be validated. if (tokenCms.SignerInfos[0].Certificate == null) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_NoCertFound); } return(Rfc3161RequestResponseStatus.RequestedCertificatesMissing); } } else { // If no certificate was requested then the CMS Certificates collection // MUST be empty. if (tokenCms.Certificates.Count != 0) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_UnexpectedCertFound); } return(Rfc3161RequestResponseStatus.UnexpectedCertificates); } } return(Rfc3161RequestResponseStatus.Accepted); }
private bool ProcessResponse( ReadOnlyMemory <byte> source, [NotNullWhen(true)] out Rfc3161TimestampToken?token, out Rfc3161RequestResponseStatus status, out int bytesConsumed, bool shouldThrow) { status = Rfc3161RequestResponseStatus.Unknown; token = null; Rfc3161TimeStampResp resp; try { AsnValueReader reader = new AsnValueReader(source.Span, AsnEncodingRules.DER); int localBytesRead = reader.PeekEncodedValue().Length; Rfc3161TimeStampResp.Decode(ref reader, source, out resp); bytesConsumed = localBytesRead; } catch (CryptographicException) when(!shouldThrow) { bytesConsumed = 0; status = Rfc3161RequestResponseStatus.DoesNotParse; return(false); } // bytesRead will be set past this point PkiStatus pkiStatus = (PkiStatus)resp.Status.Status; if (pkiStatus != PkiStatus.Granted && pkiStatus != PkiStatus.GrantedWithMods) { if (shouldThrow) { throw new CryptographicException( SR.Format( SR.Cryptography_TimestampReq_Failure, pkiStatus, resp.Status.FailInfo.GetValueOrDefault())); } status = Rfc3161RequestResponseStatus.RequestFailed; return(false); } if (!Rfc3161TimestampToken.TryDecode(resp.TimeStampToken.GetValueOrDefault(), out token, out _)) { if (shouldThrow) { throw new CryptographicException(SR.Cryptography_TimestampReq_BadResponse); } bytesConsumed = 0; status = Rfc3161RequestResponseStatus.DoesNotParse; return(false); } status = ValidateResponse(token, shouldThrow); return(status == Rfc3161RequestResponseStatus.Accepted); }
/// <param name="encodedBytes" /> /// <param name="token" /> /// <param name="bytesConsumed" /> public static bool TryDecode(ReadOnlyMemory <byte> encodedBytes, out Rfc3161TimestampToken token, out int bytesConsumed) { throw new PlatformNotSupportedException(); }
public static bool TryDecode(ReadOnlyMemory <byte> source, out Rfc3161TimestampToken token, out int bytesConsumed) { bytesConsumed = 0; token = null; try { ContentInfoAsn contentInfo = AsnSerializer.Deserialize <ContentInfoAsn>(source, AsnEncodingRules.BER, out int bytesActuallyRead); // https://tools.ietf.org/html/rfc3161#section-2.4.2 // // A TimeStampToken is as follows. It is defined as a ContentInfo // ([CMS]) and SHALL encapsulate a signed data content type. // // TimeStampToken::= ContentInfo // --contentType is id-signedData([CMS]) // --content is SignedData ([CMS]) if (contentInfo.ContentType != Oids.Pkcs7Signed) { return(false); } SignedCms cms = new SignedCms(); cms.Decode(source); // The fields of type EncapsulatedContentInfo of the SignedData // construct have the following meanings: // // eContentType is an object identifier that uniquely specifies the // content type. For a time-stamp token it is defined as: // // id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2) // us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4} // // eContent is the content itself, carried as an octet string. // The eContent SHALL be the DER-encoded value of TSTInfo. if (cms.ContentInfo.ContentType.Value != Oids.TstInfo) { return(false); } // RFC3161: // The time-stamp token MUST NOT contain any signatures other than the // signature of the TSA. The certificate identifier (ESSCertID) of the // TSA certificate MUST be included as a signerInfo attribute inside a // SigningCertificate attribute. // RFC5816 says that ESSCertIDv2 should be allowed instead. SignerInfoCollection signerInfos = cms.SignerInfos; if (signerInfos.Count != 1) { return(false); } SignerInfo signer = signerInfos[0]; EssCertId certId; EssCertIdV2 certId2; if (!TryGetCertIds(signer, out certId, out certId2)) { return(false); } X509Certificate2 signerCert = signer.Certificate; if (signerCert == null && signer.SignerIdentifier.Type == SubjectIdentifierType.IssuerAndSerialNumber) { // If the cert wasn't provided, but the identifier was IssuerAndSerialNumber, // and the ESSCertId(V2) has specified an issuerSerial value, ensure it's a match. X509IssuerSerial issuerSerial = (X509IssuerSerial)signer.SignerIdentifier.Value; if (certId?.IssuerSerial != null) { if (!IssuerAndSerialMatch( certId.IssuerSerial.Value, issuerSerial.IssuerName, issuerSerial.SerialNumber)) { return(false); } } if (certId2?.IssuerSerial != null) { if (!IssuerAndSerialMatch( certId2.IssuerSerial.Value, issuerSerial.IssuerName, issuerSerial.SerialNumber)) { return(false); } } } Rfc3161TimestampTokenInfo tokenInfo; if (Rfc3161TimestampTokenInfo.TryDecode(cms.ContentInfo.Content, out tokenInfo, out _)) { if (signerCert != null && !CheckCertificate(signerCert, signer, certId, certId2, tokenInfo)) { return(false); } token = new Rfc3161TimestampToken { _parsedDocument = cms, _signerInfo = signer, _essCertId = certId, _essCertIdV2 = certId2, TokenInfo = tokenInfo, }; bytesConsumed = bytesActuallyRead; return(true); } } catch (CryptographicException) { } return(false); }
public static bool TryDecode(ReadOnlyMemory <byte> encodedBytes, out Rfc3161TimestampToken token, out int bytesConsumed) => throw null;