summary refs log tree commit diff
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2023-04-05 12:22:26 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2023-04-05 12:22:26 +0700
commit2ba60e27a977781625f7e84360a9a6225a49cf28 (patch)
tree85e8d65fc407937a8fa67c1fdee475e0ff3dccf0
parentX509: generation/validation of alternative signatures for certs and CRLs. (diff)
downloadBouncyCastle.NET-ed25519-2ba60e27a977781625f7e84360a9a6225a49cf28.tar.xz
X509: Signature checks that return bool
Diffstat
-rw-r--r--crypto/src/x509/X509Certificate.cs68


-rw-r--r--crypto/src/x509/X509Crl.cs80


-rw-r--r--crypto/src/x509/X509V2AttributeCertificate.cs27


3 files changed, 115 insertions, 60 deletions
diff --git a/crypto/src/x509/X509Certificate.cs b/crypto/src/x509/X509Certificate.cs

index 39df381df..c903811d4 100644
--- a/crypto/src/x509/X509Certificate.cs
+++ b/crypto/src/x509/X509Certificate.cs
@@ -632,6 +632,42 @@ namespace Org.BouncyCastle.X509
             return buf.ToString();
         }
 
+        public virtual bool IsSignatureValid(AsymmetricKeyParameter key)
+        {
+            return CheckSignatureValid(new Asn1VerifierFactory(c.SignatureAlgorithm, key));
+        }
+
+        public virtual bool IsSignatureValid(IVerifierFactoryProvider verifierProvider)
+        {
+            return CheckSignatureValid(verifierProvider.CreateVerifierFactory(c.SignatureAlgorithm));
+        }
+
+        public virtual bool IsAlternativeSignatureValid(IVerifierFactoryProvider verifierProvider)
+        {
+            var tbsCertificate = c.TbsCertificate;
+            var extensions = tbsCertificate.Extensions;
+
+            AltSignatureAlgorithm altSigAlg = AltSignatureAlgorithm.FromExtensions(extensions);
+            AltSignatureValue altSigValue = AltSignatureValue.FromExtensions(extensions);
+
+            var verifier = verifierProvider.CreateVerifierFactory(altSigAlg.Algorithm);
+
+            Asn1Sequence tbsSeq = Asn1Sequence.GetInstance(tbsCertificate.ToAsn1Object());
+            Asn1EncodableVector v = new Asn1EncodableVector();
+
+            for (int i = 0; i < tbsSeq.Count - 1; i++)
+            {
+                if (i != 2) // signature field - must be ver 3 so version always present
+                {
+                    v.Add(tbsSeq[i]);
+                }
+            }
+
+            v.Add(X509Utilities.TrimExtensions(3, extensions));
+
+            return X509Utilities.VerifySignature(verifier, new DerSequence(v), altSigValue.Signature);
+        }
+
         /// <summary>
         /// Verify the certificate's signature using the nominated public key.
         /// </summary>
@@ -662,40 +698,24 @@ namespace Org.BouncyCastle.X509
         /// algorithm is invalid.</exception>
         public virtual void VerifyAltSignature(IVerifierFactoryProvider verifierProvider)
         {
-            var tbsCertificate = c.TbsCertificate;
-            var extensions = tbsCertificate.Extensions;
-
-            AltSignatureAlgorithm altSigAlg = AltSignatureAlgorithm.FromExtensions(extensions);
-            AltSignatureValue altSigValue = AltSignatureValue.FromExtensions(extensions);
-
-            var verifier = verifierProvider.CreateVerifierFactory(altSigAlg.Algorithm);
-
-            Asn1Sequence tbsSeq = Asn1Sequence.GetInstance(tbsCertificate.ToAsn1Object());
-            Asn1EncodableVector v = new Asn1EncodableVector();
-
-            for (int i = 0; i < tbsSeq.Count - 1; i++)
-            {
-                if (i != 2) // signature field - must be ver 3 so version always present
-                {
-                    v.Add(tbsSeq[i]);
-                }
-            }
-
-            v.Add(X509Utilities.TrimExtensions(3, extensions));
-
-            if (!X509Utilities.VerifySignature(verifier, new DerSequence(v), altSigValue.Signature))
+            if (!IsAlternativeSignatureValid(verifierProvider))
                 throw new InvalidKeyException("Public key presented not for certificate alternative signature");
         }
 
         protected virtual void CheckSignature(IVerifierFactory verifier)
         {
+            if (!CheckSignatureValid(verifier))
+                throw new InvalidKeyException("Public key presented not for certificate signature");
+        }
+
+        protected virtual bool CheckSignatureValid(IVerifierFactory verifier)
+        {
             var tbsCertificate = c.TbsCertificate;
 
             if (!IsAlgIDEqual(c.SignatureAlgorithm, tbsCertificate.Signature))
                 throw new CertificateException("signature algorithm in TBS cert not same as outer cert");
 
-            if (!X509Utilities.VerifySignature(verifier, tbsCertificate, c.Signature))
-                throw new InvalidKeyException("Public key presented not for certificate signature");
+            return X509Utilities.VerifySignature(verifier, tbsCertificate, c.Signature);
         }
 
         private CachedEncoding GetCachedEncoding()
diff --git a/crypto/src/x509/X509Crl.cs b/crypto/src/x509/X509Crl.cs

index 1fc13a0a2..5a1ce95e2 100644
--- a/crypto/src/x509/X509Crl.cs
+++ b/crypto/src/x509/X509Crl.cs
@@ -104,9 +104,49 @@ namespace Org.BouncyCastle.X509
 				:	null;
 		}
 
+        public virtual bool IsSignatureValid(AsymmetricKeyParameter key)
+        {
+            return CheckSignatureValid(new Asn1VerifierFactory(c.SignatureAlgorithm, key));
+        }
+
+        public virtual bool IsSignatureValid(IVerifierFactoryProvider verifierProvider)
+        {
+            return CheckSignatureValid(verifierProvider.CreateVerifierFactory(c.SignatureAlgorithm));
+        }
+
+        public virtual bool IsAlternativeSignatureValid(IVerifierFactoryProvider verifierProvider)
+        {
+            var tbsCertList = c.TbsCertList;
+            var extensions = tbsCertList.Extensions;
+
+            AltSignatureAlgorithm altSigAlg = AltSignatureAlgorithm.FromExtensions(extensions);
+            AltSignatureValue altSigValue = AltSignatureValue.FromExtensions(extensions);
+
+            var verifier = verifierProvider.CreateVerifierFactory(altSigAlg.Algorithm);
+
+            Asn1Sequence tbsSeq = Asn1Sequence.GetInstance(tbsCertList.ToAsn1Object());
+            Asn1EncodableVector v = new Asn1EncodableVector();
+
+            int start = 1;    //  want to skip signature field
+            if (tbsSeq[0] is DerInteger version)
+            {
+                v.Add(version);
+                start++;
+            }
+
+            for (int i = start; i < tbsSeq.Count - 1; i++)
+            {
+                v.Add(tbsSeq[i]);
+            }
+
+            v.Add(X509Utilities.TrimExtensions(0, extensions));
+
+			return X509Utilities.VerifySignature(verifier, new DerSequence(v), altSigValue.Signature);
+        }
+
 		public virtual void Verify(AsymmetricKeyParameter publicKey)
 		{
-            Verify(new Asn1VerifierFactoryProvider(publicKey));
+			CheckSignature(new Asn1VerifierFactory(c.SignatureAlgorithm, publicKey));
 		}
 
         /// <summary>
@@ -128,45 +168,25 @@ namespace Org.BouncyCastle.X509
         /// algorithm is invalid.</exception>
         public virtual void VerifyAltSignature(IVerifierFactoryProvider verifierProvider)
         {
-            var tbsCertList = c.TbsCertList;
-            var extensions = tbsCertList.Extensions;
-
-            AltSignatureAlgorithm altSigAlg = AltSignatureAlgorithm.FromExtensions(extensions);
-            AltSignatureValue altSigValue = AltSignatureValue.FromExtensions(extensions);
-
-            var verifier = verifierProvider.CreateVerifierFactory(altSigAlg.Algorithm);
-
-			Asn1Sequence tbsSeq = Asn1Sequence.GetInstance(tbsCertList.ToAsn1Object());
-			Asn1EncodableVector v = new Asn1EncodableVector();
-
-			int start = 1;    //  want to skip signature field
-			if (tbsSeq[0] is DerInteger derInteger)
-            {
-				v.Add(derInteger);
-				start++;
-			}
-
-			for (int i = start; i < tbsSeq.Count - 1; i++)
-			{
-				v.Add(tbsSeq[i]);
-			}
-
-            v.Add(X509Utilities.TrimExtensions(0, extensions));
-
-            if (!X509Utilities.VerifySignature(verifier, new DerSequence(v), altSigValue.Signature))
+            if (!IsAlternativeSignatureValid(verifierProvider))
                 throw new InvalidKeyException("CRL alternative signature does not verify with supplied public key.");
         }
 
         protected virtual void CheckSignature(IVerifierFactory verifier)
         {
-			var tbsCertList = c.TbsCertList;
+			if (!CheckSignatureValid(verifier))
+                throw new InvalidKeyException("CRL does not verify with supplied public key.");
+        }
+
+        protected virtual bool CheckSignatureValid(IVerifierFactory verifier)
+        {
+            var tbsCertList = c.TbsCertList;
 
             // TODO Compare IsAlgIDEqual in X509Certificate.CheckSignature
             if (!c.SignatureAlgorithm.Equals(tbsCertList.Signature))
                 throw new CrlException("Signature algorithm on CertificateList does not match TbsCertList.");
 
-			if (!X509Utilities.VerifySignature(verifier, tbsCertList, c.Signature))
-                throw new InvalidKeyException("CRL does not verify with supplied public key.");
+			return X509Utilities.VerifySignature(verifier, tbsCertList, c.Signature);
         }
 
         public virtual int Version
diff --git a/crypto/src/x509/X509V2AttributeCertificate.cs b/crypto/src/x509/X509V2AttributeCertificate.cs

index 963f1ea4f..980b9f3d5 100644
--- a/crypto/src/x509/X509V2AttributeCertificate.cs
+++ b/crypto/src/x509/X509V2AttributeCertificate.cs
@@ -161,6 +161,16 @@ namespace Org.BouncyCastle.X509
             return cert.GetSignatureOctets();
 		}
 
+        public virtual bool IsSignatureValid(AsymmetricKeyParameter key)
+        {
+            return CheckSignatureValid(new Asn1VerifierFactory(cert.SignatureAlgorithm, key));
+        }
+
+        public virtual bool IsSignatureValid(IVerifierFactoryProvider verifierProvider)
+        {
+            return CheckSignatureValid(verifierProvider.CreateVerifierFactory(cert.SignatureAlgorithm));
+        }
+
         public virtual void Verify(AsymmetricKeyParameter key)
         {
             CheckSignature(new Asn1VerifierFactory(cert.SignatureAlgorithm, key));
@@ -179,17 +189,22 @@ namespace Org.BouncyCastle.X509
 
         protected virtual void CheckSignature(IVerifierFactory verifier)
         {
-			var acInfo = cert.ACInfo;
+			if (!CheckSignatureValid(verifier))
+				throw new InvalidKeyException("Public key presented not for certificate signature");
+		}
+
+        protected virtual bool CheckSignatureValid(IVerifierFactory verifier)
+        {
+            var acInfo = cert.ACInfo;
 
             // TODO Compare IsAlgIDEqual in X509Certificate.CheckSignature
             if (!cert.SignatureAlgorithm.Equals(acInfo.Signature))
-				throw new CertificateException("Signature algorithm in certificate info not same as outer certificate");
+                throw new CertificateException("Signature algorithm in certificate info not same as outer certificate");
 
-			if (!X509Utilities.VerifySignature(verifier, acInfo, cert.SignatureValue))
-				throw new InvalidKeyException("Public key presented not for certificate signature");
-		}
+			return X509Utilities.VerifySignature(verifier, acInfo, cert.SignatureValue);
+        }
 
-		public virtual byte[] GetEncoded()
+        public virtual byte[] GetEncoded()
 		{
 			return cert.GetEncoded();
 		}

 

generated by cgit-magenta 1.5.1 (git 2.48.1) at 2025-04-13 07:28:04 +0000