license switch agpl -> busl1, sprints work, new product advisories

2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions
--- a/src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EuTrustListService.cs
+++ b/src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EuTrustListService.cs
@@ -5,7 +5,10 @@
 // Description: Implementation of EU Trusted List service.
 // -----------------------------------------------------------------------------

+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
+using System.Security.Cryptography.Xml;
+using System.Xml;
 using System.Xml.Linq;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -258,6 +261,8 @@ public sealed class EuTrustListService : IEuTrustListService
                    }
                }

+                var certificates = ParseServiceCertificates(serviceInfo);
+
                entries.Add(new TrustListEntry
                {
                    TspName = tspName,
@@ -269,7 +274,8 @@ public sealed class EuTrustListService : IEuTrustListService
                    ServiceTypeIdentifier = serviceType ?? "",
                    CountryCode = ExtractCountryCode(tspName),
                    ServiceSupplyPoints = supplyPoints,
-                    StatusHistory = historyList
+                    StatusHistory = historyList,
+                    ServiceCertificates = certificates
                });
            }
        }
@@ -336,9 +342,64 @@ public sealed class EuTrustListService : IEuTrustListService

    private void VerifyTrustListSignature(string xmlContent)
    {
-        // Would verify the XML signature on the trust list
-        // Using XmlDsig signature verification
        _logger.LogDebug("Verifying trust list signature");
-        // Implementation would use System.Security.Cryptography.Xml
+
+        var xmlDoc = new XmlDocument
+        {
+            PreserveWhitespace = true,
+            XmlResolver = null
+        };
+        xmlDoc.LoadXml(xmlContent);
+
+        var nsManager = new XmlNamespaceManager(xmlDoc.NameTable);
+        nsManager.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
+
+        var signatureNode = xmlDoc.SelectSingleNode("//ds:Signature", nsManager) as XmlElement;
+        if (signatureNode is null)
+        {
+            throw new CryptographicException("Trust list signature element not found.");
+        }
+
+        var signedXml = new SignedXml(xmlDoc);
+        signedXml.LoadXml(signatureNode);
+
+        if (!signedXml.CheckSignature())
+        {
+            throw new CryptographicException("Trust list signature validation failed.");
+        }
+    }
+
+    private static IReadOnlyList<X509Certificate2>? ParseServiceCertificates(XElement serviceInfo)
+    {
+        var certElements = serviceInfo.Descendants()
+            .Where(e => e.Name.LocalName.Equals("X509Certificate", StringComparison.OrdinalIgnoreCase))
+            .Select(e => e.Value)
+            .Where(v => !string.IsNullOrWhiteSpace(v))
+            .ToList();
+
+        if (certElements.Count == 0)
+        {
+            return null;
+        }
+
+        var certificates = new List<X509Certificate2>();
+        foreach (var certBase64 in certElements)
+        {
+            try
+            {
+                var raw = Convert.FromBase64String(certBase64.Trim());
+                certificates.Add(X509CertificateLoader.LoadCertificate(raw));
+            }
+            catch (FormatException)
+            {
+                // Ignore malformed certificate entries.
+            }
+            catch (CryptographicException)
+            {
+                // Ignore malformed certificate entries.
+            }
+        }
+
+        return certificates.Count > 0 ? certificates : null;
    }
 }