in net/JetBrains.SignatureVerifier/src/Crypt/SignerInfoVerifier.cs [227:264]
/// <summary>
/// Builds a PKIX certification path from <paramref name="primary"/> up to one of
/// <c>signatureVerificationParams.RootCertificates</c>, drawing intermediates from
/// <paramref name="intermediateCertsStore"/>, and optionally checks the leaf's
/// revocation status via OCSP once the path exists.
/// </summary>
/// <param name="primary">The signer (leaf) certificate the path is built for.</param>
/// <param name="intermediateCertsStore">Candidate intermediate certificates for the path.</param>
/// <param name="signatureVerificationParams">
/// Trust anchors, the optional validation time the path is evaluated at (logged as
/// "&lt;null&gt;" when absent), whether revocation is to be checked, and the OCSP timeout.
/// </param>
/// <returns>
/// <c>VerifySignatureResult.Valid</c> when a path was found and no OCSP check ran;
/// the <c>OcspVerifier</c> result when one ran; <c>InvalidChain</c> with the flattened
/// builder messages when no path could be built.
/// </returns>
/// <remarks>
/// NOTE(review): revocation is fail-open in this method. When <c>WithRevocationCheck</c>
/// is true but <c>PrepareCrls</c> returns false, the path is still built and <c>Valid</c>
/// is returned without any OCSP query — confirm that a false from <c>PrepareCrls</c> can
/// only mean "no CRL data to load" and that silently degrading to an unchecked chain is the
/// intended policy rather than an error the caller should see.
/// OCSP is queried for the leaf only; intermediates are covered by whatever
/// <c>PrepareCrls</c> made available to the path builder (presumably CRLs — verify there).
/// Only <c>PkixCertPathBuilderException</c> is turned into a result; anything thrown by
/// <c>getIssuerCert</c> or the OCSP verifier propagates to the caller.
/// </remarks>
private async Task<VerifySignatureResult> buildCertificateChainAsync(
  X509Certificate primary,
  IStore<X509Certificate> intermediateCertsStore,
  SignatureVerificationParams signatureVerificationParams)
{
  var validationTime = signatureVerificationParams.SignatureValidationTime;
  _logger.Trace(
    $"Signature validation time: {validationTime?.ToString("dd.MM.yyyy HH:mm:ss") ?? "<null>"}");

  var pathParams = new CustomPkixBuilderParameters(
    signatureVerificationParams.RootCertificates,
    intermediateCertsStore,
    new X509CertStoreSelector { Certificate = primary },
    validationTime);

  // Revocation data is fetched only on request; PrepareCrls is never invoked otherwise.
  // Its boolean result is also what decides whether the leaf is queried via OCSP below.
  var ocspRequested = false;
  if (signatureVerificationParams.WithRevocationCheck)
  {
    ocspRequested = await pathParams.PrepareCrls(_crlProvider);
  }

  try
  {
    var certPath = new PkixCertPathBuilder().Build(pathParams);
    if (!ocspRequested)
    {
      return VerifySignatureResult.Valid;
    }

    _logger.Trace($"Start OCSP for certificate {primary.FormatId()}");
    // The issuer is resolved from the freshly built path rather than taken from the
    // caller's input — presumably so the OCSP check is bound to the validated chain;
    // confirm in getIssuerCert.
    var issuer = getIssuerCert(certPath, primary);
    var ocsp = new OcspVerifier(signatureVerificationParams.OcspResponseTimeout, _logger);
    return await ocsp.CheckCertificateRevocationStatusAsync(primary, issuer);
  }
  catch (PkixCertPathBuilderException buildError)
  {
    // No path to a trust anchor: report the builder's reasons instead of throwing.
    var reason = buildError.FlatMessages();
    _logger.Error($"Build chain for certificate was failed. {primary.FormatId()} {reason}");
    return VerifySignatureResult.InvalidChain(reason);
  }
}