easy_code_sign 0.1.0

data/lib/easy_code_sign/timestamp/response.rb

@@ -0,0 +1,246 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module EasyCodeSign
+  module Timestamp
+    # RFC 3161 Timestamp Response parser
+    #
+    # Parses TimeStampResp ASN.1 structures returned by TSAs.
+    #
+    # @example
+    #   response = Timestamp::Response.parse(der_bytes)
+    #   if response.success?
+    #     puts response.timestamp
+    #     puts response.serial_number
+    #   end
+    #
+    class Response
+      # PKIStatus values
+      STATUS_GRANTED = 0
+      STATUS_GRANTED_WITH_MODS = 1
+      STATUS_REJECTION = 2
+      STATUS_WAITING = 3
+      STATUS_REVOCATION_WARNING = 4
+      STATUS_REVOCATION_NOTIFICATION = 5
+
+      STATUS_NAMES = {
+        STATUS_GRANTED => "granted",
+        STATUS_GRANTED_WITH_MODS => "granted_with_mods",
+        STATUS_REJECTION => "rejection",
+        STATUS_WAITING => "waiting",
+        STATUS_REVOCATION_WARNING => "revocation_warning",
+        STATUS_REVOCATION_NOTIFICATION => "revocation_notification"
+      }.freeze
+
+      attr_reader :raw_response, :status, :status_string, :failure_info,
+                  :timestamp_token, :tst_info
+
+      # Parse a DER-encoded TimeStampResp
+      # @param der [String] DER-encoded response
+      # @return [Response]
+      def self.parse(der)
+        new(der)
+      end
+
+      def initialize(der)
+        @raw_response = der
+        parse_response
+      end
+
+      # Check if the timestamp was granted
+      # @return [Boolean]
+      def success?
+        status == STATUS_GRANTED || status == STATUS_GRANTED_WITH_MODS
+      end
+
+      # Check if there was a failure
+      # @return [Boolean]
+      def failure?
+        !success?
+      end
+
+      # Get the timestamp time
+      # @return [Time, nil]
+      def timestamp
+        return nil unless @tst_info
+
+        @timestamp ||= extract_gen_time
+      end
+
+      # Get the TSA serial number
+      # @return [Integer, nil]
+      def serial_number
+        return nil unless @tst_info
+
+        @serial_number ||= extract_serial_number
+      end
+
+      # Get the nonce from the response
+      # @return [Integer, nil]
+      def nonce
+        return nil unless @tst_info
+
+        @nonce ||= extract_nonce
+      end
+
+      # Get the message imprint hash from the response
+      # @return [String, nil]
+      def message_imprint_hash
+        return nil unless @tst_info
+
+        @message_imprint_hash ||= extract_message_imprint
+      end
+
+      # Get the TSA policy OID
+      # @return [String, nil]
+      def policy_oid
+        return nil unless @tst_info
+
+        @policy_oid ||= extract_policy
+      end
+
+      # Get the raw timestamp token (CMS SignedData)
+      # @return [String, nil] DER-encoded token
+      def token_der
+        return nil unless @timestamp_token
+
+        @timestamp_token.to_der
+      end
+
+      # Verify the nonce matches the request
+      # @param request_nonce [Integer]
+      # @return [Boolean]
+      def nonce_matches?(request_nonce)
+        nonce == request_nonce
+      end
+
+      # Get human-readable status
+      # @return [String]
+      def status_name
+        STATUS_NAMES[status] || "unknown(#{status})"
+      end
+
+      # Get error message if failed
+      # @return [String, nil]
+      def error_message
+        return nil if success?
+
+        msg = "Timestamp request failed: #{status_name}"
+        msg += " - #{status_string}" if status_string
+        msg += " (failure: #{failure_info})" if failure_info
+        msg
+      end
+
+      private
+
+      def parse_response
+        # TimeStampResp ::= SEQUENCE {
+        #   status          PKIStatusInfo,
+        #   timeStampToken  TimeStampToken OPTIONAL
+        # }
+
+        asn1 = OpenSSL::ASN1.decode(raw_response)
+        raise InvalidTimestampError, "Invalid response structure" unless asn1.is_a?(OpenSSL::ASN1::Sequence)
+
+        parse_status_info(asn1.value[0])
+
+        if asn1.value[1] && success?
+          parse_timestamp_token(asn1.value[1])
+        end
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise InvalidTimestampError, "Failed to parse timestamp response: #{e.message}"
+      end
+
+      def parse_status_info(status_info)
+        # PKIStatusInfo ::= SEQUENCE {
+        #   status        PKIStatus,
+        #   statusString  PKIFreeText OPTIONAL,
+        #   failInfo      PKIFailureInfo OPTIONAL
+        # }
+
+        @status = status_info.value[0].value.to_i
+
+        if status_info.value[1]
+          @status_string = extract_status_string(status_info.value[1])
+        end
+
+        if status_info.value[2]
+          @failure_info = status_info.value[2].value
+        end
+      end
+
+      def extract_status_string(asn1)
+        # PKIFreeText is a SEQUENCE of UTF8String
+        return asn1.value if asn1.is_a?(OpenSSL::ASN1::UTF8String)
+        return asn1.value.map(&:value).join("; ") if asn1.is_a?(OpenSSL::ASN1::Sequence)
+
+        asn1.value.to_s
+      end
+
+      def parse_timestamp_token(token_asn1)
+        # TimeStampToken is ContentInfo containing SignedData
+        @timestamp_token = OpenSSL::PKCS7.new(token_asn1.to_der)
+
+        # Extract TSTInfo from the SignedData content
+        signed_data_content = @timestamp_token.data
+        @tst_info = OpenSSL::ASN1.decode(signed_data_content) if signed_data_content
+      rescue OpenSSL::PKCS7::PKCS7Error => e
+        raise InvalidTimestampError, "Invalid timestamp token: #{e.message}"
+      end
+
+      def extract_gen_time
+        # TSTInfo.genTime is at a specific position in the sequence
+        return nil unless @tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # genTime is typically the 4th element (index 3) in TSTInfo
+        @tst_info.value.each do |elem|
+          if elem.is_a?(OpenSSL::ASN1::GeneralizedTime) || elem.is_a?(OpenSSL::ASN1::UTCTime)
+            return elem.value
+          end
+        end
+        nil
+      end
+
+      def extract_serial_number
+        return nil unless @tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # serialNumber is the 2nd element (index 1)
+        serial = @tst_info.value[1]
+        serial.is_a?(OpenSSL::ASN1::Integer) ? serial.value.to_i : nil
+      end
+
+      def extract_nonce
+        return nil unless @tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # nonce is optional, look for it after the mandatory fields
+        @tst_info.value.each do |elem|
+          next unless elem.is_a?(OpenSSL::ASN1::Integer)
+          next if elem == @tst_info.value[1] # Skip serial number
+
+          return elem.value.to_i
+        end
+        nil
+      end
+
+      def extract_message_imprint
+        return nil unless @tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # messageImprint is the 3rd element (index 2)
+        imprint = @tst_info.value[2]
+        return nil unless imprint.is_a?(OpenSSL::ASN1::Sequence)
+
+        # Get the hash value (2nd element of MessageImprint)
+        imprint.value[1]&.value
+      end
+
+      def extract_policy
+        return nil unless @tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # policy is the 1st element (index 0)
+        policy = @tst_info.value[0]
+        policy.is_a?(OpenSSL::ASN1::ObjectId) ? policy.oid : nil
+      end
+    end
+  end
+end

data/lib/easy_code_sign/timestamp/verifier.rb

@@ -0,0 +1,227 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module EasyCodeSign
+  module Timestamp
+    # Verifies RFC 3161 timestamp tokens
+    #
+    # @example
+    #   verifier = Timestamp::Verifier.new
+    #   result = verifier.verify(token_der, original_data)
+    #
+    class Verifier
+      attr_reader :trust_store
+
+      # Create a new timestamp verifier
+      #
+      # @param trust_store [OpenSSL::X509::Store, nil] custom trust store
+      #
+      def initialize(trust_store: nil)
+        @trust_store = trust_store || build_default_trust_store
+      end
+
+      # Verify a timestamp token
+      #
+      # @param token_der [String] DER-encoded timestamp token
+      # @param original_data [String] the data that was timestamped
+      # @param algorithm [Symbol] hash algorithm used (:sha256, :sha384, :sha512)
+      # @return [VerificationResult]
+      #
+      def verify(token_der, original_data, algorithm: :sha256)
+        result = VerificationResult.new
+
+        begin
+          pkcs7 = OpenSSL::PKCS7.new(token_der)
+          result.token_parsed = true
+
+          # Verify PKCS#7 signature
+          verify_pkcs7_signature(pkcs7, result)
+
+          # Parse and verify TSTInfo
+          tst_info = parse_tst_info(pkcs7)
+          result.tst_info_parsed = true
+
+          # Verify message imprint
+          verify_message_imprint(tst_info, original_data, algorithm, result)
+
+          # Extract timestamp info
+          extract_timestamp_info(tst_info, result)
+
+          # Verify certificate chain
+          verify_certificate_chain(pkcs7, result)
+
+          result.valid = result.signature_valid && result.imprint_valid && result.chain_valid
+        rescue OpenSSL::PKCS7::PKCS7Error => e
+          result.errors << "PKCS#7 error: #{e.message}"
+        rescue OpenSSL::ASN1::ASN1Error => e
+          result.errors << "ASN.1 parsing error: #{e.message}"
+        rescue StandardError => e
+          result.errors << "Verification error: #{e.message}"
+        end
+
+        result
+      end
+
+      private
+
+      def build_default_trust_store
+        store = OpenSSL::X509::Store.new
+        store.set_default_paths
+        store
+      end
+
+      def verify_pkcs7_signature(pkcs7, result)
+        # Verify the PKCS#7 signature using embedded certificates
+        if pkcs7.verify(pkcs7.certificates, trust_store, nil, OpenSSL::PKCS7::NOVERIFY)
+          result.signature_valid = true
+        else
+          result.signature_valid = false
+          result.errors << "PKCS#7 signature verification failed"
+        end
+      rescue OpenSSL::PKCS7::PKCS7Error => e
+        result.signature_valid = false
+        result.errors << "Signature verification error: #{e.message}"
+      end
+
+      def parse_tst_info(pkcs7)
+        content = pkcs7.data
+        raise InvalidTimestampError, "No content in timestamp token" unless content
+
+        OpenSSL::ASN1.decode(content)
+      end
+
+      def verify_message_imprint(tst_info, original_data, algorithm, result)
+        # Extract message imprint from TSTInfo
+        return unless tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        imprint_seq = tst_info.value[2]
+        return unless imprint_seq.is_a?(OpenSSL::ASN1::Sequence)
+
+        # Get the hash from the timestamp
+        ts_hash = imprint_seq.value[1]&.value
+
+        # Compute expected hash
+        expected_hash = digest_class(algorithm).digest(original_data)
+
+        if ts_hash == expected_hash
+          result.imprint_valid = true
+        else
+          result.imprint_valid = false
+          result.errors << "Message imprint does not match original data"
+        end
+      end
+
+      def extract_timestamp_info(tst_info, result)
+        return unless tst_info.is_a?(OpenSSL::ASN1::Sequence)
+
+        # Extract policy OID (index 0)
+        if tst_info.value[0].is_a?(OpenSSL::ASN1::ObjectId)
+          result.policy_oid = tst_info.value[0].oid
+        end
+
+        # Extract serial number (index 1)
+        if tst_info.value[1].is_a?(OpenSSL::ASN1::Integer)
+          result.serial_number = tst_info.value[1].value.to_i
+        end
+
+        # Extract genTime
+        tst_info.value.each do |elem|
+          if elem.is_a?(OpenSSL::ASN1::GeneralizedTime) || elem.is_a?(OpenSSL::ASN1::UTCTime)
+            result.timestamp = elem.value
+            break
+          end
+        end
+      end
+
+      def verify_certificate_chain(pkcs7, result)
+        certs = pkcs7.certificates
+        return unless certs&.any?
+
+        result.tsa_certificate = certs.first
+
+        # Verify the TSA certificate chain
+        begin
+          if trust_store.verify(certs.first, certs)
+            result.chain_valid = true
+          else
+            result.chain_valid = false
+            result.errors << "TSA certificate chain validation failed: #{trust_store.error_string}"
+          end
+        rescue OpenSSL::X509::StoreError => e
+          result.chain_valid = false
+          result.errors << "Certificate chain error: #{e.message}"
+        end
+
+        # Check if TSA certificate has extended key usage for timestamping
+        verify_tsa_extended_key_usage(certs.first, result)
+      end
+
+      def verify_tsa_extended_key_usage(cert, result)
+        return unless cert
+
+        eku = cert.extensions.find { |e| e.oid == "extendedKeyUsage" }
+        return unless eku
+
+        unless eku.value.include?("Time Stamping")
+          result.warnings << "TSA certificate does not have Time Stamping extended key usage"
+        end
+      end
+
+      def digest_class(algorithm)
+        case algorithm
+        when :sha256 then OpenSSL::Digest::SHA256
+        when :sha384 then OpenSSL::Digest::SHA384
+        when :sha512 then OpenSSL::Digest::SHA512
+        else raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+        end
+      end
+    end
+
+    # Result of timestamp verification
+    class VerificationResult
+      attr_accessor :valid, :token_parsed, :tst_info_parsed,
+                    :signature_valid, :imprint_valid, :chain_valid,
+                    :timestamp, :serial_number, :policy_oid,
+                    :tsa_certificate, :errors, :warnings
+
+      def initialize
+        @valid = false
+        @token_parsed = false
+        @tst_info_parsed = false
+        @signature_valid = false
+        @imprint_valid = false
+        @chain_valid = false
+        @timestamp = nil
+        @serial_number = nil
+        @policy_oid = nil
+        @tsa_certificate = nil
+        @errors = []
+        @warnings = []
+      end
+
+      def valid?
+        valid
+      end
+
+      def tsa_name
+        tsa_certificate&.subject&.to_s
+      end
+
+      def to_h
+        {
+          valid: valid,
+          timestamp: timestamp,
+          serial_number: serial_number,
+          policy_oid: policy_oid,
+          tsa_name: tsa_name,
+          signature_valid: signature_valid,
+          imprint_valid: imprint_valid,
+          chain_valid: chain_valid,
+          errors: errors,
+          warnings: warnings
+        }
+      end
+    end
+  end
+end