batuhan-basoglu/NET-Web-API-w-Angular
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Updated the files.

Browse source
This commit is contained in:
Batuhan Berk Başoğlu 2024-02-08 19:38:41 -05:00
parent 1553e6b971
commit 753967d4f5
23418 changed files with 3784666 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
my-app/node_modules/@sigstore/verify/dist/key/certificate.d.ts generated vendored Executable file
View file

@ -0,0 +1,19 @@
import { X509Certificate } from '@sigstore/core';
import { CertAuthority } from '../trust';
export declare function verifyCertificateChain(leaf: X509Certificate, certificateAuthorities: CertAuthority[]): X509Certificate[];
interface CertificateChainVerifierOptions {
trustedCerts: X509Certificate[];
untrustedCert: X509Certificate;
}
export declare class CertificateChainVerifier {
private untrustedCert;
private trustedCerts;
private localCerts;
constructor(opts: CertificateChainVerifierOptions);
verify(): X509Certificate[];
private sort;
private buildPaths;
private findIssuer;
private checkPath;
}
export {};

205
my-app/node_modules/@sigstore/verify/dist/key/certificate.js generated vendored Executable file
View file

@ -0,0 +1,205 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CertificateChainVerifier = exports.verifyCertificateChain = void 0;
const error_1 = require("../error");
const trust_1 = require("../trust");
function verifyCertificateChain(leaf, certificateAuthorities) {
// Filter list of trusted CAs to those which are valid for the given
// leaf certificate.
const cas = (0, trust_1.filterCertAuthorities)(certificateAuthorities, {
start: leaf.notBefore,
end: leaf.notAfter,
});
/* eslint-disable-next-line @typescript-eslint/no-explicit-any */
let error;
for (const ca of cas) {
try {
const verifier = new CertificateChainVerifier({
trustedCerts: ca.certChain,
untrustedCert: leaf,
});
return verifier.verify();
}
catch (err) {
error = err;
}
}
// If we failed to verify the certificate chain for all of the trusted
// CAs, throw the last error we encountered.
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'Failed to verify certificate chain',
cause: error,
});
}
exports.verifyCertificateChain = verifyCertificateChain;
class CertificateChainVerifier {
constructor(opts) {
this.untrustedCert = opts.untrustedCert;
this.trustedCerts = opts.trustedCerts;
this.localCerts = dedupeCertificates([
...opts.trustedCerts,
opts.untrustedCert,
]);
}
verify() {
// Construct certificate path from leaf to root
const certificatePath = this.sort();
// Perform validation checks on each certificate in the path
this.checkPath(certificatePath);
// Return verified certificate path
return certificatePath;
}
sort() {
const leafCert = this.untrustedCert;
// Construct all possible paths from the leaf
let paths = this.buildPaths(leafCert);
// Filter for paths which contain a trusted certificate
paths = paths.filter((path) => path.some((cert) => this.trustedCerts.includes(cert)));
if (paths.length === 0) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'no trusted certificate path found',
});
}
// Find the shortest of possible paths
/* istanbul ignore next */
const path = paths.reduce((prev, curr) => prev.length < curr.length ? prev : curr);
// Construct chain from shortest path
// Removes the last certificate in the path, which will be a second copy
// of the root certificate given that the root is self-signed.
return [leafCert, ...path].slice(0, -1);
}
// Recursively build all possible paths from the leaf to the root
buildPaths(certificate) {
const paths = [];
const issuers = this.findIssuer(certificate);
if (issuers.length === 0) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'no valid certificate path found',
});
}
for (let i = 0; i < issuers.length; i++) {
const issuer = issuers[i];
// Base case - issuer is self
if (issuer.equals(certificate)) {
paths.push([certificate]);
continue;
}
// Recursively build path for the issuer
const subPaths = this.buildPaths(issuer);
// Construct paths by appending the issuer to each subpath
for (let j = 0; j < subPaths.length; j++) {
paths.push([issuer, ...subPaths[j]]);
}
}
return paths;
}
// Return all possible issuers for the given certificate
findIssuer(certificate) {
let issuers = [];
let keyIdentifier;
// Exit early if the certificate is self-signed
if (certificate.subject.equals(certificate.issuer)) {
if (certificate.verify()) {
return [certificate];
}
}
// If the certificate has an authority key identifier, use that
// to find the issuer
if (certificate.extAuthorityKeyID) {
keyIdentifier = certificate.extAuthorityKeyID.keyIdentifier;
// TODO: Add support for authorityCertIssuer/authorityCertSerialNumber
// though Fulcio doesn't appear to use these
}
// Find possible issuers by comparing the authorityKeyID/subjectKeyID
// or issuer/subject. Potential issuers are added to the result array.
this.localCerts.forEach((possibleIssuer) => {
if (keyIdentifier) {
if (possibleIssuer.extSubjectKeyID) {
if (possibleIssuer.extSubjectKeyID.keyIdentifier.equals(keyIdentifier)) {
issuers.push(possibleIssuer);
}
return;
}
}
// Fallback to comparing certificate issuer and subject if
// subjectKey/authorityKey extensions are not present
if (possibleIssuer.subject.equals(certificate.issuer)) {
issuers.push(possibleIssuer);
}
});
// Remove any issuers which fail to verify the certificate
issuers = issuers.filter((issuer) => {
try {
return certificate.verify(issuer);
}
catch (ex) {
/* istanbul ignore next - should never error */
return false;
}
});
return issuers;
}
checkPath(path) {
/* istanbul ignore if */
if (path.length < 1) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'certificate chain must contain at least one certificate',
});
}
// Ensure that all certificates beyond the leaf are CAs
const validCAs = path.slice(1).every((cert) => cert.isCA);
if (!validCAs) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'intermediate certificate is not a CA',
});
}
// Certificate's issuer must match the subject of the next certificate
// in the chain
for (let i = path.length - 2; i >= 0; i--) {
/* istanbul ignore if */
if (!path[i].issuer.equals(path[i + 1].subject)) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'incorrect certificate name chaining',
});
}
}
// Check pathlength constraints
for (let i = 0; i < path.length; i++) {
const cert = path[i];
// If the certificate is a CA, check the path length
if (cert.extBasicConstraints?.isCA) {
const pathLength = cert.extBasicConstraints.pathLenConstraint;
// The path length, if set, indicates how many intermediate
// certificates (NOT including the leaf) are allowed to follow. The
// pathLength constraint of any intermediate CA certificate MUST be
// greater than or equal to it's own depth in the chain (with an
// adjustment for the leaf certificate)
if (pathLength !== undefined && pathLength < i - 1) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'path length constraint exceeded',
});
}
}
}
}
}
exports.CertificateChainVerifier = CertificateChainVerifier;
// Remove duplicate certificates from the array
function dedupeCertificates(certs) {
for (let i = 0; i < certs.length; i++) {
for (let j = i + 1; j < certs.length; j++) {
if (certs[i].equals(certs[j])) {
certs.splice(j, 1);
j--;
}
}
}
return certs;
}

10
my-app/node_modules/@sigstore/verify/dist/key/index.d.ts generated vendored Executable file
View file

@ -0,0 +1,10 @@
import { X509Certificate } from '@sigstore/core';
import { VerifiedSCTProvider } from './sct';
import type { Signer } from '../shared.types';
import type { TrustMaterial } from '../trust';
export type CertificateVerificationResult = {
signer: Signer;
scts: VerifiedSCTProvider[];
};
export declare function verifyPublicKey(hint: string, timestamps: Date[], trustMaterial: TrustMaterial): Signer;
export declare function verifyCertificate(leaf: X509Certificate, timestamps: Date[], trustMaterial: TrustMaterial): CertificateVerificationResult;

72
my-app/node_modules/@sigstore/verify/dist/key/index.js generated vendored Executable file
View file

@ -0,0 +1,72 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCertificate = exports.verifyPublicKey = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const certificate_1 = require("./certificate");
const sct_1 = require("./sct");
const OID_FULCIO_ISSUER_V1 = '1.3.6.1.4.1.57264.1.1';
const OID_FULCIO_ISSUER_V2 = '1.3.6.1.4.1.57264.1.8';
function verifyPublicKey(hint, timestamps, trustMaterial) {
const key = trustMaterial.publicKey(hint);
timestamps.forEach((timestamp) => {
if (!key.validFor(timestamp)) {
throw new error_1.VerificationError({
code: 'PUBLIC_KEY_ERROR',
message: `Public key is not valid for timestamp: ${timestamp.toISOString()}`,
});
}
});
return { key: key.publicKey };
}
exports.verifyPublicKey = verifyPublicKey;
function verifyCertificate(leaf, timestamps, trustMaterial) {
// Check that leaf certificate chains to a trusted CA
const path = (0, certificate_1.verifyCertificateChain)(leaf, trustMaterial.certificateAuthorities);
// Check that ALL certificates are valid for ALL of the timestamps
const validForDate = timestamps.every((timestamp) => path.every((cert) => cert.validForDate(timestamp)));
if (!validForDate) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'certificate is not valid or expired at the specified date',
});
}
return {
scts: (0, sct_1.verifySCTs)(path[0], path[1], trustMaterial.ctlogs),
signer: getSigner(path[0]),
};
}
exports.verifyCertificate = verifyCertificate;
function getSigner(cert) {
let issuer;
const issuerExtension = cert.extension(OID_FULCIO_ISSUER_V2);
if (issuerExtension) {
issuer = issuerExtension.valueObj.subs?.[0]?.value.toString('ascii');
}
else {
issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
}
const identity = {
extensions: { issuer },
subjectAlternativeName: cert.subjectAltName,
};
return {
key: core_1.crypto.createPublicKey(cert.publicKey),
identity,
};
}

5
my-app/node_modules/@sigstore/verify/dist/key/sct.d.ts generated vendored Executable file
View file

@ -0,0 +1,5 @@
/// <reference types="node" />
import { X509Certificate } from '@sigstore/core';
import type { TLogAuthority } from '../trust';
export type VerifiedSCTProvider = Buffer;
export declare function verifySCTs(cert: X509Certificate, issuer: X509Certificate, ctlogs: TLogAuthority[]): VerifiedSCTProvider[];

79
my-app/node_modules/@sigstore/verify/dist/key/sct.js generated vendored Executable file
View file

@ -0,0 +1,79 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySCTs = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const trust_1 = require("../trust");
function verifySCTs(cert, issuer, ctlogs) {
let extSCT;
// Verifying the SCT requires that we remove the SCT extension and
// re-encode the TBS structure to DER -- this value is part of the data
// over which the signature is calculated. Since this is a destructive action
// we create a copy of the certificate so we can remove the SCT extension
// without affecting the original certificate.
const clone = cert.clone();
// Intentionally not using the findExtension method here because we want to
// remove the the SCT extension from the certificate before calculating the
// PreCert structure
for (let i = 0; i < clone.extensions.length; i++) {
const ext = clone.extensions[i];
if (ext.subs[0].toOID() === core_1.EXTENSION_OID_SCT) {
extSCT = new core_1.X509SCTExtension(ext);
// Remove the extension from the certificate
clone.extensions.splice(i, 1);
break;
}
}
// No SCT extension found to verify
if (!extSCT) {
return [];
}
// Found an SCT extension but it has no SCTs
/* istanbul ignore if -- too difficult to fabricate test case for this */
if (extSCT.signedCertificateTimestamps.length === 0) {
return [];
}
// Construct the PreCert structure
// https://www.rfc-editor.org/rfc/rfc6962#section-3.2
const preCert = new core_1.ByteStream();
// Calculate hash of the issuer's public key
const issuerId = core_1.crypto.hash(issuer.publicKey);
preCert.appendView(issuerId);
// Re-encodes the certificate to DER after removing the SCT extension
const tbs = clone.tbsCertificate.toDER();
preCert.appendUint24(tbs.length);
preCert.appendView(tbs);
// Calculate and return the verification results for each SCT
return extSCT.signedCertificateTimestamps.map((sct) => {
// Find the ctlog instance that corresponds to the SCT's logID
const validCTLogs = (0, trust_1.filterTLogAuthorities)(ctlogs, {
logID: sct.logID,
targetDate: sct.datetime,
});
// See if the SCT is valid for any of the CT logs
const verified = validCTLogs.some((log) => sct.verify(preCert.buffer, log.publicKey));
if (!verified) {
throw new error_1.VerificationError({
code: 'CERTIFICATE_ERROR',
message: 'SCT verification failed',
});
}
return sct.logID;
});
}
exports.verifySCTs = verifySCTs;