44
55using Spectre . Console ;
66
7+ using static System . Net . Mime . MediaTypeNames ;
8+
79namespace SAPTeam . EasySign . CommandLine
810{
9- public abstract partial class CommandProvider < TBundle >
11+ public abstract partial class CommandProvider < TBundle , TConfiguration >
1012 {
1113 /// <summary>
1214 /// Gets or sets the bundle.
@@ -273,7 +275,8 @@ protected virtual void RunInfo(StatusContext statusContext)
273275 /// </summary>
274276 /// <param name="statusContext">The status context for interacting with <see cref="AnsiConsole.Status"/>.</param>
275277 /// <param name="certificates">The certificates.</param>
276- protected virtual void RunSign ( StatusContext statusContext , X509Certificate2Collection certificates )
278+ /// <param name="skipVerify">A value indicating whether to skip certificate verification.</param>
279+ protected virtual void RunSign ( StatusContext statusContext , X509Certificate2Collection certificates , bool skipVerify )
277280 {
278281 Logger . LogInformation ( "Running sign command" ) ;
279282
@@ -305,14 +308,17 @@ protected virtual void RunSign(StatusContext statusContext, X509Certificate2Coll
305308
306309 CertificateUtilities . DisplayCertificate ( cert ) ;
307310
308- Logger . LogDebug ( "Verifying certificate {cert}" , cert ) ;
309- statusContext . Status ( "[yellow]Verifying Certificate[/]" ) ;
310-
311- bool verifyCert = VerifyCertificate ( cert , false ) ;
312- if ( ! verifyCert )
311+ if ( ! skipVerify )
313312 {
314- Logger . LogWarning ( "Skipping signing with {cert}" , cert ) ;
315- continue ;
313+ Logger . LogDebug ( "Verifying certificate {cert}" , cert ) ;
314+ statusContext . Status ( "[yellow]Verifying Certificate[/]" ) ;
315+
316+ bool verifyCert = VerifyCertificate ( cert , false ) ;
317+ if ( ! verifyCert )
318+ {
319+ Logger . LogWarning ( "Skipping signing with {cert}" , cert ) ;
320+ continue ;
321+ }
316322 }
317323
318324 Logger . LogDebug ( "Acquiring RSA private key for {cert}" , cert ) ;
@@ -526,6 +532,9 @@ protected bool VerifyCertificate(X509Certificate2 certificate, bool ignoreTime)
526532 throw new ApplicationException ( "Bundle is not initialized" ) ;
527533 }
528534
535+ List < bool > verificationResults = [ ] ;
536+ List < X509ChainStatus [ ] > verificationStatuses = [ ] ;
537+
529538 X509Certificate2 ? rootCA ;
530539 if ( ( rootCA = GetSelfSigningRootCA ( ) ) != null )
531540 {
@@ -537,9 +546,12 @@ protected bool VerifyCertificate(X509Certificate2 certificate, bool ignoreTime)
537546 selfSignPolicy . VerificationFlags |= X509VerificationFlags . IgnoreNotTimeValid ;
538547 selfSignPolicy . RevocationMode = X509RevocationMode . NoCheck ;
539548
540- bool selfSignVerification = Bundle . VerifyCertificate ( certificate , out _ , policy : selfSignPolicy ) ;
549+ bool selfSignVerification = Bundle . VerifyCertificate ( certificate , out X509ChainStatus [ ] selfSignChainStatuses , policy : selfSignPolicy ) ;
541550 Logger . LogInformation ( "Certificate verification with self-signing root CA for {cert}: {result}" , certificate , selfSignVerification ) ;
542551
552+ verificationResults . Add ( selfSignVerification ) ;
553+ verificationStatuses . Add ( selfSignChainStatuses ) ;
554+
543555 if ( selfSignVerification )
544556 {
545557 AnsiConsole . MarkupLine ( $ "[{ Color . Green } ] Certificate Verification with Self-Signing Root CA Successful[/]") ;
@@ -548,29 +560,48 @@ protected bool VerifyCertificate(X509Certificate2 certificate, bool ignoreTime)
548560 }
549561
550562 X509ChainPolicy policy = new ( ) ;
563+ policy . ExtraStore . AddRange ( Configuration . LoadCertificates ( CertificateStore . IntermediateCA ) ) ;
551564
552565 if ( ignoreTime )
553566 {
554567 policy . VerificationFlags |= X509VerificationFlags . IgnoreCtlNotTimeValid ;
555568 }
556569
557570 Logger . LogDebug ( "Verifying certificate {cert} with system trust store" , certificate ) ;
558- bool defaultVerification = Bundle . VerifyCertificate ( certificate , out X509ChainStatus [ ] statuses , policy ) ;
559-
571+ bool defaultVerification = Bundle . VerifyCertificate ( certificate , out X509ChainStatus [ ] defaultChainStatuses , policy ) ;
560572 Logger . LogInformation ( "Certificate verification with system trust store for {cert}: {result}" , certificate , defaultVerification ) ;
561573
562- if ( ! defaultVerification )
574+ verificationResults . Add ( defaultVerification ) ;
575+ verificationStatuses . Add ( defaultChainStatuses ) ;
576+
577+ if ( ! verificationResults . Any ( x => x ) && Configuration . TrustedRootCA . Count > 0 )
563578 {
564- Utilities . EnumerateStatuses ( statuses ) ;
579+ policy . TrustMode = X509ChainTrustMode . CustomRootTrust ;
580+ policy . CustomTrustStore . AddRange ( Configuration . LoadCertificates ( CertificateStore . TrustedRootCA ) ) ;
581+
582+ Logger . LogDebug ( "Verifying certificate {cert} with custom trust store" , certificate ) ;
583+ bool customVerification = Bundle . VerifyCertificate ( certificate , out X509ChainStatus [ ] customChainStatuses , policy ) ;
584+ Logger . LogInformation ( "Certificate verification with custom trust store for {cert}: {result}" , certificate , defaultVerification ) ;
585+
586+ verificationResults . Add ( customVerification ) ;
587+ verificationStatuses . Add ( customChainStatuses ) ;
565588 }
566- else
589+
590+ if ( ! verificationResults . Any ( x => x ) )
567591 {
568- AnsiConsole . MarkupLine ( $ "[green] Certificate Verification Successful[/]") ;
569- return true ;
592+ var statuses = verificationStatuses . Aggregate ( ( prev , next ) =>
593+ {
594+ return prev . Intersect ( next ) . ToArray ( ) ;
595+ } ) ;
596+
597+ Utilities . EnumerateStatuses ( statuses ) ;
598+
599+ AnsiConsole . MarkupLine ( $ "[red] Certificate Verification Failed[/]") ;
600+ return false ;
570601 }
571602
572- AnsiConsole . MarkupLine ( $ "[red ] Certificate Verification Failed [/]") ;
573- return false ;
603+ AnsiConsole . MarkupLine ( $ "[green ] Certificate Verification Successful [/]") ;
604+ return true ;
574605 }
575606 }
576607}
0 commit comments