private string Sign(
SignatureType mode,
GostFlavor gostFlavor,
string certificateThumbprint,
XmlDocument signThis,
bool assignDs,
string nodeToSign,
bool ignoreExpiredCert = false,
string stringToSign = null,
byte[] bytesToSign = null,
bool?isAddSigningTime = null)
{
ICertificateProcessor cp = new CertificateProcessor();
X509Certificate2 certificate = cp.SearchCertificateByThumbprint(certificateThumbprint);
if (!certificate.HasPrivateKey)
{
throw ExceptionFactory.GetException(ExceptionType.PrivateKeyMissing, certificate.Subject);
}
if (!ignoreExpiredCert &&
cp.IsCertificateExpired(certificate))
{
throw ExceptionFactory.GetException(ExceptionType.CertExpired, certificate.Thumbprint);
}
return(Sign(mode, gostFlavor, certificate, signThis, assignDs, nodeToSign, stringToSign, bytesToSign, isAddSigningTime));
}
public void CreateListener(Dictionary <String, X509Certificate2> prefixes)
{
var certProc = new CertificateProcessor(ServerComms);
_listener = new System.Net.HttpListener();
foreach (string s in prefixes.Keys)
{
certProc.AddCertificateToHost(s, prefixes[s]);
_listener.Prefixes.Add(s);
}
_listener.Start();
var result = _listener.BeginGetContext(new AsyncCallback(ListenerCallback), _listener);
}
public async Task DelegateProcessor_Test()
{
IServiceCollection sc = new ServiceCollection();
HttpRequestMessage request = null;
sc.AddHttpClient(CertificateProcessor.HTTP_CLIENT_NAME)
.AddMockHttpMessageHandler()
.AddMock("*", HttpMethod.Get, async(req, res) =>
{
request = req;
await res.WriteObjectAsync(new ClientCertificateToken()
{
access_token = "1",
token_type = "1",
expires_in = 60
});
});
var sp = sc.BuildServiceProvider();
IHttpClientFactory factory = sp.GetRequiredService <IHttpClientFactory>();
var processor = CertificateProcessor.CreateDelegateProcessor(async(ci, client) =>
{
return(await client.GetAsync <ClientCertificateToken>("/cgi-bin/token", new NameValueCollection()
{
{ "grant_type", "client_credential" },
{ "appid", ci.ClientID },
{ "secret", ci.ClientSecret }
}));
});
var token = await processor.GetToken(new ClientCertificateInfo()
{
ClientID = "1",
ClientName = "1",
ClientSecret = "1",
AuthUrl = "https://auth.com"
}, factory);
string reqStr = request.RequestUri.AbsoluteUri;
Assert.Equal("https://auth.com/cgi-bin/token?grant_type=client_credential&appid=1&secret=1", reqStr);
}
public void CreateListener(Dictionary <String, X509Certificate2> prefixes)
{
var certProc = new CertificateProcessor(ServerComms);
_listener = new System.Net.HttpListener();
foreach (string s in prefixes.Keys)
{
certProc.AddCertificateToHost(s, prefixes[s]);
_listener.Prefixes.Add(s);
}
_listener.Start();
System.Threading.Tasks.Task.Factory.StartNew(() => {
while (_listener.IsListening)
{
var result = _listener.BeginGetContext(new AsyncCallback(ListenerCallback), _listener);
result.AsyncWaitHandle.WaitOne();
}
});
}
public VerifierResponse VerifyXmlSignature(
SignatureType mode,
XmlDocument message,
string certificateFilePath = null,
string certificateThumb = null,
string nodeId = null,
bool isVerifyCertificateChain = false)
{
SignedXml signedXml = new SignedXml(message);
Signer.Smev2SignedXml smev2SignedXml = null;
X509Certificate2 cert = null;
bool isCerFile;
if ((isCerFile = !string.IsNullOrEmpty(certificateFilePath)) ||
!string.IsNullOrEmpty(certificateThumb))
{
//means we are testing signature on external certificate
if (isCerFile)
{
cert = new X509Certificate2();
try
{
cert.Import(certificateFilePath);
}
catch (Exception e)
{
throw ExceptionFactory.GetException(
ExceptionType.CertificateImportException,
certificateFilePath,
e.Message);
}
}
else
{
//throws if not found
ICertificateProcessor cp = new CertificateProcessor();
cert = cp.SearchCertificateByThumbprint(certificateThumb);
}
}
XmlNodeList signaturesInDoc =
message.GetElementsByTagName(
"Signature",
SignedXml.XmlDsigNamespaceUrl
);
var signatures =
signaturesInDoc
.Cast <XmlElement>()
.ToDictionary(
(elt) =>
{
XNamespace ns = elt.GetXElement().Name.Namespace;
return(elt.GetXElement().Descendants(ns + "Reference").First().Attributes("URI").First()
.Value.Replace("#", ""));
},
(elt => elt)
);
if (!string.IsNullOrEmpty(nodeId) &&
!signatures.ContainsKey(nodeId))
{
throw ExceptionFactory.GetException(ExceptionType.ReferencedSignatureNotFound, nodeId);
}
if (signaturesInDoc.Count == 0)
{
throw ExceptionFactory.GetException(ExceptionType.NoSignaturesFound);
}
switch (mode)
{
case SignatureType.Smev2BaseDetached:
smev2SignedXml = new Signer.Smev2SignedXml(message);
try
{
smev2SignedXml.LoadXml(
!string.IsNullOrEmpty(nodeId)
? signatures[nodeId]
: signatures["body"]);
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.CertificateContentCorrupted, e.Message);
}
XmlNodeList referenceList =
smev2SignedXml.KeyInfo
.GetXml()
.GetElementsByTagName("Reference", Signer.WsSecurityWsseNamespaceUrl);
if (referenceList.Count == 0)
{
throw ExceptionFactory.GetException(ExceptionType.Smev2CertificateReferenceNotFound);
}
string binaryTokenReference = ((XmlElement)referenceList[0]).GetAttribute("URI");
if (string.IsNullOrEmpty(binaryTokenReference) ||
binaryTokenReference[0] != '#')
{
throw ExceptionFactory.GetException(ExceptionType.Smev2MalformedCertificateReference);
}
XmlElement binaryTokenElement = smev2SignedXml.GetIdElement(
message,
binaryTokenReference.Substring(1));
if (binaryTokenElement == null)
{
throw ExceptionFactory.GetException(
ExceptionType.Smev2CertificateNotFound,
binaryTokenReference.Substring(1));
}
try
{
cert = new X509Certificate2(Convert.FromBase64String(binaryTokenElement.InnerText));
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.Smev2CertificateCorrupted, e.Message);
}
break;
case SignatureType.Smev2ChargeEnveloped:
if (signaturesInDoc.Count > 1)
{
throw ExceptionFactory.GetException(
ExceptionType.ChargeTooManySignaturesFound,
signaturesInDoc.Count);
}
if (!ChargeStructureOk(message))
{
throw ExceptionFactory.GetException(ExceptionType.ChargeMalformedDocument);
}
try
{
signedXml.LoadXml(signatures.First().Value);
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.CertificateContentCorrupted, e.Message);
}
break;
case SignatureType.Smev2SidebysideDetached:
case SignatureType.Smev3BaseDetached:
case SignatureType.Smev3SidebysideDetached:
try
{
XmlDsigSmevTransform smevTransform = new XmlDsigSmevTransform();
signedXml.SafeCanonicalizationMethods.Add(smevTransform.Algorithm);
signedXml.LoadXml(
!string.IsNullOrEmpty(nodeId)
? signatures[nodeId]
: signatures.First().Value);
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.CertificateContentCorrupted, e.Message);
}
break;
case SignatureType.Pkcs7String:
case SignatureType.Pkcs7StringAllCert:
case SignatureType.Pkcs7StringNoCert:
case SignatureType.SigDetached:
case SignatureType.SigDetachedAllCert:
case SignatureType.SigDetachedNoCert:
throw new NotSupportedException(
$"Detached signature verification is not supported by this method. Use {nameof(VerifyDetachedSignature)} method instead.");
case SignatureType.Unknown:
case SignatureType.Smev3Ack:
case SignatureType.Rsa2048Sha256String:
case SignatureType.RsaSha256String:
throw ExceptionFactory.GetException(ExceptionType.UnsupportedSignatureType, mode);
default:
throw new ArgumentOutOfRangeException(nameof(mode), mode, null);
}
var isSignatureValid = smev2SignedXml?.CheckSignature(cert.PublicKey.Key)
??
(cert == null
? signedXml.CheckSignature()
: signedXml.CheckSignature(cert, true)
);
var isCertificateChainValid = cert?.Verify() ?? true;
StringBuilder verificationMessage = new StringBuilder();
if (!isSignatureValid)
{
verificationMessage.AppendLine("Signature is invalid");
}
if (!isCertificateChainValid)
{
verificationMessage.AppendLine("Certificate chain is invalid");
}
var verifierResponse = new VerifierResponse()
{
IsCertificateChainValid = isCertificateChainValid,
IsSignatureMathematicallyValid = isSignatureValid,
IsSignatureSigningDateValid = true, // we do not check this for this type of signature
Message = verificationMessage.ToString()
};
return(verifierResponse);
}
public X509CertificateSerializable CertificateToSerializable(
CertificateSource source,
string filePath,
string nodeId)
{
switch (source)
{
case CertificateSource.Xml:
ICertificateProcessor cp = new CertificateProcessor();
return(new X509CertificateSerializable(
cp.ReadCertificateFromXmlDocument(XDocument.Load(filePath), nodeId)));
case CertificateSource.Base64:
try
{
return(new X509CertificateSerializable(new X509Certificate2(File.ReadAllBytes(filePath))));
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.CertificateFileCorrupted, e.Message);
}
case CertificateSource.Cer:
try
{
X509Certificate2 cer = new X509Certificate2();
if (Path.GetExtension(filePath) == ".p7b")
{
X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Import(filePath);
if (collection.Count < 1)
{
throw ExceptionFactory.GetException(ExceptionType.NoCertificatesFound, filePath);
}
if (collection.Count == 1)
{
cer = collection[0];
}
if (collection.Count > 1)
{
return(new X509CertificateSerializable(collection));
}
}
else
{
cer.Import(filePath);
}
return(new X509CertificateSerializable(cer));
}
catch (Exception e)
{
throw ExceptionFactory.GetException(ExceptionType.CertificateFileCorrupted, e.Message);
}
default:
throw ExceptionFactory.GetException(ExceptionType.UnknownCertificateSource);
}
}
