private string SignMessage(string msg, bool isProd)
{
var gen = new CmsSignedDataGenerator();
X509Certificate2 certificate = GetCertificate(isProd);
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
gen.AddSigner(privKey, cert, CmsSignedDataGenerator.DigestSha1);
var certX509 = DotNetUtilities.ToX509Certificate(cert.CertificateStructure);
var certList = new List <Org.BouncyCastle.X509.X509Certificate>();
certList.Add(cert);
X509CollectionStoreParameters PP = new X509CollectionStoreParameters(certList);
IX509Store st1 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
gen.AddCertificates(st1);
Encoding EncodedMsg = Encoding.UTF8;
byte[] dataToSign = EncodedMsg.GetBytes(msg);
CmsProcessable data = new CmsProcessableByteArray(dataToSign);
CmsSignedData signed = gen.Generate(PkcsObjectIdentifiers.Pkcs7, data, true);
var result = signed.GetEncoded();
return(Convert.ToBase64String(result));
}
byte[] CreateKeyVaultSignature(X509Certificate2 publicCert, SignatureManifest signatureManifest)
{
var chain = new X509Chain();
chain.Build(publicCert);
// Get the chain as bc certs
var additionals = chain.ChainElements.Cast <X509ChainElement>()
.Select(ce => DotNetUtilities.FromX509Certificate(ce.Certificate))
.ToList();
chain.Dispose();
var bcCer = DotNetUtilities.FromX509Certificate(publicCert);
var store = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(additionals));
var generator = new CmsSignedDataGenerator();
var builder = new SignerInfoGeneratorBuilder();
var b = builder.Build(new RsaSignatureFactory("SHA256WITHRSA", provider), bcCer);
generator.AddSignerInfoGenerator(b);
generator.AddCertificates(store);
var msg = new CmsProcessableByteArray(signatureManifest.GetBytes());
var data = generator.Generate(msg, true);
var encoded = data.GetEncoded();
return(encoded);
}
public byte[] Sign(byte[] cmsData)
{
IList certs = new List <X509Certificate>();
byte[] signBytes = File.ReadAllBytes(GetFile());
X509Certificate2 signCert = new X509Certificate2(signBytes, Key, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
certs.Add(DotNetUtilities.FromX509Certificate(signCert));
IX509Store x509Certs = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certs));
CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
AsymmetricCipherKeyPair pair = DotNetUtilities.GetKeyPair(signCert.PrivateKey);
X509Certificate bX509Certificate = DotNetUtilities.FromX509Certificate(signCert);
gen.AddSigner(pair.Private, bX509Certificate, CmsSignedGenerator.DigestSha1);
gen.AddSigner(pair.Private, bX509Certificate, CmsSignedGenerator.DigestSha256);
CmsSignedData unsignedData = new CmsSignedData(cmsData);
gen.AddCertificates(x509Certs);
CmsProcessable msg = new CmsProcessableByteArray(unsignedData.GetEncoded());
CmsSignedData cmsSignedData = gen.Generate(CmsSignedGenerator.Data, msg, true);
byte[] p7MData = cmsSignedData.GetEncoded();
return(p7MData);
}
protected static byte[] GenerateSignature(byte[] manifest, X509Certificate2 appleCert, X509Certificate2 passCert)
{
X509Certificate apple = DotNetUtilities.FromX509Certificate(appleCert);
X509Certificate cert = DotNetUtilities.FromX509Certificate(passCert);
var privateKey = DotNetUtilities.GetKeyPair(passCert.PrivateKey).Private;
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedGenerator.DigestSha1);
var list = new List <X509Certificate>();
list.Add(cert);
list.Add(apple);
X509CollectionStoreParameters storeParameters = new X509CollectionStoreParameters(list);
IX509Store store509 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParameters);
generator.AddCertificates(store509);
var content = new CmsProcessableByteArray(manifest);
var signature = generator.Generate(content, false).GetEncoded();
return(signature);
}
private static CryptographicAttributeObjectCollection CreateAttributeCollection(
X509Certificate2 certificate,
RSA privateKey,
Action <Asn1EncodableVector> addAttributes)
{
var content = new CmsProcessableByteArray(new byte[0]);
var attributes = new Asn1EncodableVector();
addAttributes(attributes);
var signedAttributes = new AttributeTable(attributes);
var unsignedAttributes = new AttributeTable(DerSet.Empty);
var generator = new CmsSignedDataGenerator();
var keyPair = DotNetUtilities.GetRsaKeyPair(privateKey);
generator.AddSigner(
keyPair.Private,
DotNetUtilities.FromX509Certificate(certificate),
Oids.Sha256,
signedAttributes,
unsignedAttributes);
var bcSignedCms = generator.Generate(content, encapsulate: true);
var signedCms = new SignedCms();
signedCms.Decode(bcSignedCms.GetEncoded());
return(signedCms.SignerInfos[0].SignedAttributes);
}
private CmsCompressedData GetStdData()
{
CmsProcessableByteArray testData = new CmsProcessableByteArray(TEST_DATA);
CmsCompressedDataGenerator gen = new CmsCompressedDataGenerator();
return(gen.Generate(testData, CmsCompressedDataGenerator.ZLib));
}
/// <summary>
/// Method that performs the signing process
/// </summary>
/// <param name="input"></param>
/// <param name="parameters"></param>
/// <param name="signedData"></param>
/// <returns></returns>
private SignatureDocument ComputeSignature(CmsProcessableByteArray content, SignatureParameters parameters, CmsSignedData signedData)
{
byte[] toBeSigned = ToBeSigned(content, parameters, signedData, false);
byte[] signature = parameters.Signer.SignData(toBeSigned, parameters.DigestMethod);
PreComputedSigner preComputedSigner = new PreComputedSigner(signature);
CustomCMSSignedDataGenerator generator = CreateSignedGenerator(preComputedSigner, parameters, signedData);
CmsSignedData newSignedData = null;
if (parameters.SignaturePackaging == SignaturePackaging.ATTACHED_IMPLICIT && parameters.PreCalculatedDigest == null)
{
newSignedData = generator.Generate(content, true);
}
else
{
if (parameters.PreCalculatedDigest != null)
{
generator.PreCalculatedDigest = parameters.PreCalculatedDigest;
newSignedData = generator.Generate(null, false);
}
else if (content != null)
{
newSignedData = generator.Generate(content, false);
}
else
{
generator.PreCalculatedDigest = GetDigestValue(signedData.GetSignerInfos(), parameters.DigestMethod);
newSignedData = generator.Generate(null, false);
}
}
return(new SignatureDocument(new CmsSignedData(newSignedData.GetEncoded())));
}
static void SignManifest(ZipFile zipFile, byte[] manifestFileData, X509Certificate2 signingCertificate, X509Certificate2Collection chainCertificates)
{
var signingCert = DotNetUtilities.FromX509Certificate(signingCertificate);
var certList = new System.Collections.ArrayList();
foreach (X509Certificate2 cert in chainCertificates)
{
certList.Add(DotNetUtilities.FromX509Certificate(cert));
}
var privateKey = DotNetUtilities.GetKeyPair(signingCertificate.PrivateKey).Private;
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, signingCert, CmsSignedDataGenerator.DigestSha1);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(certList);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
generator.AddCertificates(st1);
var content = new CmsProcessableByteArray(manifestFileData);
var signedData = generator.Generate(content, false);
var data = signedData.GetEncoded();
zipFile.AddEntry("signature", data);
}
static void SignManifest(ZipFile zipFile, byte[] manifestFileData, X509Certificate2 certificate)
{
var cert = DotNetUtilities.FromX509Certificate(certificate);
var privateKey = DotNetUtilities.GetKeyPair(certificate.PrivateKey).Private;
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
var certList = new System.Collections.ArrayList();
//var a1Cert = new X509Certificate2(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "AppleWWDRCA.cer"));
//var a2Cert = new X509Certificate2(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "AppleIncRootCertificate.cer"));
certList.Add(cert);
//certList.Add(DotNetUtilities.FromX509Certificate(a1Cert));
//certList.Add(DotNetUtilities.FromX509Certificate(a2Cert));
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(certList);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
generator.AddCertificates(st1);
var content = new CmsProcessableByteArray(manifestFileData);
var signedData = generator.Generate(content, false);
var data = signedData.GetEncoded();
zipFile.AddEntry("signature", data);
}
public static bool ValidateSignature(byte[] messageBytes, byte[] signatureBytes, X509Certificate certificate)
{
CmsProcessable signedContent = new CmsProcessableByteArray(messageBytes);
CmsSignedData signedData = new CmsSignedData(signedContent, signatureBytes);
IX509Store certificateStore = signedData.GetCertificates("Collection");
SignerInformationStore signerInfoStore = signedData.GetSignerInfos();
ICollection signers = signerInfoStore.GetSigners();
foreach (SignerInformation signer in signers)
{
bool isChainValid = ValidateCertificateChain(certificateStore, signer.SignerID);
if (!isChainValid)
{
return(false);
}
bool verified = signer.Verify(certificate);
if (!verified)
{
return(false);
}
}
return(true);
}
private void SignManigestFile(PassGeneratorRequest request, string manifestFileAndPath)
{
byte[] dataToSign = File.ReadAllBytes(manifestFileAndPath);
X509Certificate2 card = GetCertificate(request);
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(card);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = DotNetUtilities.GetKeyPair(card.PrivateKey).Private;
X509Certificate2 appleCA = GetAppleCertificate();
Org.BouncyCastle.X509.X509Certificate appleCert = DotNetUtilities.FromX509Certificate(appleCA);
ArrayList intermediateCerts = new ArrayList();
intermediateCerts.Add(appleCert);
intermediateCerts.Add(cert);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(intermediateCerts);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
generator.AddCertificates(st1);
CmsProcessable content = new CmsProcessableByteArray(dataToSign);
CmsSignedData signedData = generator.Generate(content, false);
string outputDirectory = Path.GetDirectoryName(manifestFileAndPath);
string signatureFileAndPath = Path.Combine(outputDirectory, "signature");
File.WriteAllBytes(signatureFileAndPath, signedData.GetEncoded());
}
private void SignManigestFile(PassGeneratorRequest request)
{
X509Certificate2 card = GetCertificate(request);
if (card == null)
{
throw new FileNotFoundException("Certificate could not be found. Please ensure the thumbprint and cert location values are correct.");
}
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(card);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = DotNetUtilities.GetKeyPair(card.PrivateKey).Private;
X509Certificate2 appleCA = GetAppleCertificate(request);
Org.BouncyCastle.X509.X509Certificate appleCert = DotNetUtilities.FromX509Certificate(appleCA);
ArrayList intermediateCerts = new ArrayList();
intermediateCerts.Add(appleCert);
intermediateCerts.Add(cert);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(intermediateCerts);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
generator.AddCertificates(st1);
CmsProcessable content = new CmsProcessableByteArray(manifestFile);
CmsSignedData signedData = generator.Generate(content, false);
signatureFile = signedData.GetEncoded();
}
PrimarySignature CreateKeyVaultPrimarySignature(SignPackageRequest request, SignatureContent signatureContent, SignatureType signatureType)
{
// Get the chain
var getter = typeof(SignPackageRequest).GetProperty("Chain", BindingFlags.Instance | BindingFlags.NonPublic)
.GetGetMethod(true);
var certs = (IReadOnlyList <X509Certificate2>)getter.Invoke(request, null);
var attribs = SigningUtility.CreateSignedAttributes(request, certs);
// Convert .NET crypto attributes to Bouncy Castle
var attribTable = new AttributeTable(new Asn1EncodableVector(attribs.Cast <CryptographicAttributeObject>()
.Select(ToBcAttribute)
.ToArray()));
// SignerInfo generator setup
var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder()
.WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(attribTable));
// Subject Key Identifier (SKI) is smaller and less prone to accidental matching than issuer and serial
// number. However, to ensure cross-platform verification, SKI should only be used if the certificate
// has the SKI extension attribute.
// Try to look for the value
var bcCer = DotNetUtilities.FromX509Certificate(request.Certificate);
var ext = bcCer.GetExtensionValue(new DerObjectIdentifier(Oids.SubjectKeyIdentifier));
SignerInfoGenerator signerInfoGenerator;
if (ext != null)
{
var ski = new SubjectKeyIdentifierStructure(ext);
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), ski.GetKeyIdentifier());
}
else
{
signerInfoGenerator = signerInfoGeneratorBuilder.Build(new RsaSignatureFactory(HashAlgorithmToBouncyCastle(request.SignatureHashAlgorithm), provider), bcCer);
}
var generator = new CmsSignedDataGenerator();
generator.AddSignerInfoGenerator(signerInfoGenerator);
// Get the chain as bc certs
generator.AddCertificates(X509StoreFactory.Create("Certificate/Collection",
new X509CollectionStoreParameters(certs.Select(DotNetUtilities.FromX509Certificate).
ToList())));
var msg = new CmsProcessableByteArray(signatureContent.GetBytes());
var data = generator.Generate(msg, true);
var encoded = data.ContentInfo.GetDerEncoded();
return(PrimarySignature.Load(encoded));
}
private void SignManigestFile(PassGeneratorRequest request)
{
Trace.TraceInformation("Signing the manifest file...");
X509Certificate2 card = GetCertificate(request);
if (card == null)
{
throw new FileNotFoundException("Certificate could not be found. Please ensure the thumbprint and cert location values are correct.");
}
X509Certificate2 appleCA = GetAppleCertificate(request);
if (appleCA == null)
{
throw new FileNotFoundException("Apple Certficate could not be found. Please downloaad from http://www.apple.com/certificateauthority/ and install into your LOCAL MACHINE certificate store.");
}
try
{
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(card);
Org.BouncyCastle.Crypto.AsymmetricKeyParameter privateKey = DotNetUtilities.GetKeyPair(card.PrivateKey).Private;
Trace.TraceInformation("Fetching Apple Certificate for signing..");
Org.BouncyCastle.X509.X509Certificate appleCert = DotNetUtilities.FromX509Certificate(appleCA);
Trace.TraceInformation("Constructing the certificate chain..");
ArrayList intermediateCerts = new ArrayList();
intermediateCerts.Add(appleCert);
intermediateCerts.Add(cert);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(intermediateCerts);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedDataGenerator.DigestSha1);
generator.AddCertificates(st1);
Trace.TraceInformation("Processing the signature..");
CmsProcessable content = new CmsProcessableByteArray(manifestFile);
CmsSignedData signedData = generator.Generate(content, false);
signatureFile = signedData.GetEncoded();
Trace.TraceInformation("The file has been successfully signed!");
}
catch (Exception exp)
{
Trace.TraceError("Failed to sign the manifest file: [{0}]", exp.Message);
throw new ManifestSigningException("Failed to sign manifest", exp);
}
}
public void CreateSign()
{
byte[] data = File.ReadAllBytes(Path.Combine(_settings.PackagePath, _manifestFilename));
X509Certificate2 certificate = new X509Certificate2(_settings.CertificatePath, _settings.CertificatePassword, X509KeyStorageFlags.Exportable);
X509Certificate2 intermCertificate = new X509Certificate2(_settings.IntermCertificatePath);
var privKey = SecurityUtils.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = SecurityUtils.FromX509Certificate(certificate);
var interm = SecurityUtils.FromX509Certificate(intermCertificate);
CmsProcessableByteArray content = new CmsProcessableByteArray(data);
CmsSignedDataGenerator generator = new CmsSignedDataGenerator();
generator.AddSigner(privKey, cert, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
CmsSignedData signedContent = generator.Generate(content, false);
var si = signedContent.GetSignerInfos();
var signer = si.GetSigners().Cast <SignerInformation>().First();
SignerInfo signerInfo = signer.ToSignerInfo();
Asn1EncodableVector digestAlgorithmsVector = new Asn1EncodableVector();
digestAlgorithmsVector.Add(new AlgorithmIdentifier(
algorithm: new DerObjectIdentifier(_oidSHA256),
parameters: DerNull.Instance));
// Construct SignedData.encapContentInfo
ContentInfo encapContentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(_oidPKCS7IdData),
content: null);
Asn1EncodableVector certificatesVector = new Asn1EncodableVector();
certificatesVector.Add(X509CertificateStructure.GetInstance(Asn1Object.FromByteArray(cert.GetEncoded())));
certificatesVector.Add(X509CertificateStructure.GetInstance(Asn1Object.FromByteArray(interm.GetEncoded())));
// Construct SignedData.signerInfos
Asn1EncodableVector signerInfosVector = new Asn1EncodableVector();
signerInfosVector.Add(signerInfo.ToAsn1Object());
// Construct SignedData
SignedData signedData = new SignedData(
digestAlgorithms: new DerSet(digestAlgorithmsVector),
contentInfo: encapContentInfo,
certificates: new BerSet(certificatesVector),
crls: null,
signerInfos: new DerSet(signerInfosVector));
ContentInfo contentInfo = new ContentInfo(
contentType: new DerObjectIdentifier(_oidPKCS7IdSignedData),
content: signedData);
File.WriteAllBytes(Path.Combine(_settings.PackagePath, _signatureFilename), contentInfo.GetDerEncoded());
}
public CmsReadable GetReadable(
KeyParameter sKey,
Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier algorithm,
CmsProcessableByteArray readable)
{
IBufferedCipher cipher;
try
{
cipher = CipherUtilities.GetCipher(algorithm.Algorithm);
var asn1Enc = algorithm.Parameters;
var asn1Params = asn1Enc == null ? null : asn1Enc.ToAsn1Object();
ICipherParameters cipherParameters = sKey;
if (asn1Params != null && !(asn1Params is Asn1Null))
{
cipherParameters = ParameterUtilities.GetCipherParameters(
algorithm.Algorithm, cipherParameters, asn1Params);
}
else
{
string alg = algorithm.Algorithm.Id;
if (alg.Equals(CmsEnvelopedGenerator.DesEde3Cbc) ||
alg.Equals(CmsEnvelopedGenerator.IdeaCbc) ||
alg.Equals(CmsEnvelopedGenerator.Cast5Cbc))
{
cipherParameters = new ParametersWithIV(cipherParameters, new byte[8]);
}
}
cipher.Init(false, cipherParameters);
}
catch (SecurityUtilityException e)
{
throw new CmsException("couldn't create cipher.", e);
}
catch (InvalidKeyException e)
{
throw new CmsException("key invalid in message.", e);
}
catch (IOException e)
{
throw new CmsException("error decoding algorithm parameters.", e);
}
try
{
return(new CmsProcessableInputStream(
new CipherStream(readable.GetInputStream(), cipher, null)));
}
catch (IOException e)
{
throw new CmsException("error reading content.", e);
}
}
private SignatureDocument ComputeSignature(byte[] input, SignatureParameters parameters, CmsSignedData signedData)
{
CmsProcessableByteArray content = null;
if (input != null)
{
content = new CmsProcessableByteArray(input);
}
return(ComputeSignature(content, parameters, signedData));
}
// Sign the message with the private key of the signer.
static public byte[] SignMsg(Byte[] msg, X509Certificate2 signerCert, bool detached, bool UsaTSA, string TSAurl, string TSAuser, string TSApass)
{
try
{
SHA256Managed hashSha256 = new SHA256Managed();
byte[] certHash = hashSha256.ComputeHash(signerCert.RawData);
EssCertIDv2 essCert1 = new EssCertIDv2(new Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier("2.16.840.1.101.3.4.2.1"), certHash);
SigningCertificateV2 scv2 = new SigningCertificateV2(new EssCertIDv2[] { essCert1 });
Org.BouncyCastle.Asn1.Cms.Attribute CertHAttribute = new Org.BouncyCastle.Asn1.Cms.Attribute(Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.IdAASigningCertificateV2, new DerSet(scv2));
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(CertHAttribute);
Org.BouncyCastle.Asn1.Cms.AttributeTable AT = new Org.BouncyCastle.Asn1.Cms.AttributeTable(v);
CmsSignedDataGenWithRsaCsp cms = new CmsSignedDataGenWithRsaCsp();
var rsa = (RSACryptoServiceProvider)signerCert.PrivateKey;
Org.BouncyCastle.X509.X509Certificate certCopy = DotNetUtilities.FromX509Certificate(signerCert);
cms.MyAddSigner(rsa, certCopy, "1.2.840.113549.1.1.1", "2.16.840.1.101.3.4.2.1", AT, null);
ArrayList certList = new ArrayList();
certList.Add(certCopy);
Org.BouncyCastle.X509.Store.X509CollectionStoreParameters PP = new Org.BouncyCastle.X509.Store.X509CollectionStoreParameters(certList);
Org.BouncyCastle.X509.Store.IX509Store st1 = Org.BouncyCastle.X509.Store.X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
cms.AddCertificates(st1);
CmsProcessableByteArray file = new CmsProcessableByteArray(msg); //CmsProcessableFile(File);
CmsSignedData Firmato = cms.Generate(file, false); //se settato a true, il secondo argomento integra l'intero file
byte[] bb = Firmato.GetEncoded();
if (UsaTSA)
{
CmsSignedData sd = new CmsSignedData(bb);
SignerInformationStore signers = sd.GetSignerInfos();
byte[] signature = null;
SignerInformation signer = null;
foreach (SignerInformation signer_ in signers.GetSigners())
{
signer = signer_;
break;
}
signature = signer.GetSignature();
Org.BouncyCastle.Asn1.Cms.AttributeTable at = new Org.BouncyCastle.Asn1.Cms.AttributeTable(GetTimestamp(signature, TSAurl, TSAuser, TSApass));
signer = SignerInformation.ReplaceUnsignedAttributes(signer, at);
IList signerInfos = new ArrayList();
signerInfos.Add(signer);
sd = CmsSignedData.ReplaceSigners(sd, new SignerInformationStore(signerInfos));
bb = sd.GetEncoded();
}
return(bb);
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
return(null);
}
}
/// <summary>
/// Verschlüsselt die Daten mit dem angegebenen Empfänger-Zertifikat
/// </summary>
/// <param name="data">Die zu verschlüsselnden Daten</param>
/// <param name="cert">Das Empfänger-Zertifikat</param>
/// <returns>Die verschlüsselten Daten</returns>
public static byte[] EncryptData(byte[] data, X509Certificate cert)
{
var gen = new CmsEnvelopedDataGenerator();
gen.AddKeyTransRecipient(cert);
var message = new CmsProcessableByteArray(data);
var envelopedData = gen.Generate(message, PkcsObjectIdentifiers.DesEde3Cbc.Id);
var encryptedData = envelopedData.GetEncoded();
return(encryptedData);
}
private static byte[] EncryptEnvelop(X509Certificate certificate, byte[] bsOrgData)
{
var gen = new CmsEnvelopedDataGenerator();
var data = new CmsProcessableByteArray(bsOrgData);
gen.AddKeyTransRecipient(certificate);
var enveloped = gen.Generate(data, CmsEnvelopedGenerator.DesEde3Cbc);
var a = enveloped.ContentInfo.ToAsn1Object();
return(a.GetEncoded());
}
public void SignedCmsRoundTripWithBouncyCastleLocalCertificate()
{
var content = "This is some content";
// Get cert
var netcert = GetLocalSignerCert();
var chain = new X509Chain();
chain.Build(netcert);
// Get the chain without the root CA
var additionals = chain.ChainElements.Cast <X509ChainElement>()
.Where(ce => ce.Certificate.Issuer != ce.Certificate.SubjectName.Name)
.Select(ce => DotNetUtilities.FromX509Certificate(ce.Certificate))
.ToList();
chain.Dispose();
var bcCer = DotNetUtilities.FromX509Certificate(netcert);
var bcKey = DotNetUtilities.GetRsaKeyPair(netcert.GetRSAPrivateKey());
var store = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(additionals));
var generator = new CmsSignedDataGenerator();
var builder = new SignerInfoGeneratorBuilder();
var b = builder.Build(new Asn1SignatureFactory("SHA256WITHRSA", bcKey.Private), bcCer);
generator.AddSignerInfoGenerator(b);
// generator.AddSigner(bcKey.Private, bcCer, CmsSignedDataGenerator.DigestSha256);
generator.AddCertificates(store);
var msg = new CmsProcessableByteArray(Encoding.UTF8.GetBytes(content));
var data = generator.Generate(msg, true);
var encoded = data.GetEncoded();
var signedCms = new SignedCms();
signedCms.Decode(encoded);
signedCms.CheckSignature(true); // don't validate the certiciate itself here
var cContent = signedCms.ContentInfo.Content;
var str = Encoding.UTF8.GetString(cContent);
Assert.Equal(content, str);
}
public void Test4_3()
{
CmsProcessableByteArray unencap = new CmsProcessableByteArray(exContent);
byte[] data = GetRfc4134Data("4.3.bin");
CmsSignedData signedData = new CmsSignedData(unencap, data);
VerifySignatures(signedData, sha1);
CmsSignedDataParser parser = new CmsSignedDataParser(
new CmsTypedStream(unencap.GetInputStream()), data);
VerifySignatures(parser);
}
public void AssinarCriptografar(EnvioRemessaCobrancaBradescoJson model)
{
try
{
var utilClass = new MetodosUteis();
var encoding = new UTF8Encoding();
var generator = new CmsSignedDataGenerator();
var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder();
var certList = new ArrayList();
var criticas = utilClass.Criticas(model);
if (criticas.Any())
{
return;
}
var data = utilClass.ConverterParaJsonAspasSimples(model);
var privateCert = this.RetornaCertificado();
//convertendo certificado para objeto que o bouncycastle conhece
var bouncyCastleKey = DotNetUtilities.GetKeyPair(privateCert.PrivateKey).Private;
var x5091 = new X509Certificate(privateCert.RawData);
var x509CertBouncyCastle = DotNetUtilities.FromX509Certificate(x5091);
generator.AddSignerInfoGenerator(signerInfoGeneratorBuilder.Build(new Asn1SignatureFactory("SHA256WithRSA", bouncyCastleKey), x509CertBouncyCastle));
//criando certstore que o bouncycastle conhece
certList.Add(x509CertBouncyCastle);
var store509BouncyCastle = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList));
generator.AddCertificates(store509BouncyCastle);
var messageBytes = encoding.GetBytes(data);
var cmsdata = new CmsProcessableByteArray(messageBytes);
//assina
var signeddata = generator.Generate(cmsdata, true);
var mensagemFinal = signeddata.GetEncoded();
//converte para base64 que eh o formato que o serviço espera
var mensagemConvertidaparaBase64 = Convert.ToBase64String(mensagemFinal);
//chama serviço convertendo a string na base64 em bytes
EnviaParaWebService(ParametrosUteis.RetornaUrlEnvio(), encoding.GetBytes(mensagemConvertidaparaBase64));
}
catch (Exception ex)
{
throw ex;
}
}
private static byte[] CreateEnvelopedDataPkcs7(byte[] pkcs10RequestData, X509Certificate2Collection caChain)
{
if (caChain.Count == 0)
{
throw new ArgumentException("The SCEP service did not provide any certificates for SCEP communication");
}
// Find a certificate
// - without key usage extension that forbids Key encipherment
var CertsWithoutKeyUsageExtensionMissingKeyEncipherment = caChain.OfType <X509Certificate2>()
.Select(cert => new Tuple <X509Certificate2, IEnumerable <X509Extension> >(cert, cert.Extensions.OfType <X509Extension>()))
.Where(tuple => !tuple.Item2.OfType <X509KeyUsageExtension>().Any(ku => !ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment))); // certificates with Key Usage Extension but without Key Encipherment are not possible
if (!CertsWithoutKeyUsageExtensionMissingKeyEncipherment.Any())
{
throw new ArgumentException("The SCEP service provided its certificate, but it is not suitable for SCEP (KeyEncipherment as Key Usage");
}
// - that is trusted (trusted root anchor and unrevoked)
var UsableCerts = CertsWithoutKeyUsageExtensionMissingKeyEncipherment
.Where(tuple => tuple.Item1.Verify());
if (!UsableCerts.Any())
{
throw new ArgumentException("The SCEP service uses a certificate that is not trusted in this context. Add the CA certificate to the Trusted Root store in Windows.");
}
// if possible, use a CA
X509Certificate2 scepEncryptionCert = UsableCerts
.SingleOrDefault(tuple => !tuple.Item2.OfType <X509BasicConstraintsExtension>().Any(bc => bc.CertificateAuthority)) // prefer CAs
?.Item1;
if (null == scepEncryptionCert)
{
scepEncryptionCert = UsableCerts.First().Item1; // if there is no good CA, we will take the first cert with key encipherment
}
//if (null == scepEncryptionCert)
// scepEncryptionCert = caChain[0];
X509CertificateParser x509Parser = new X509CertificateParser();
X509Certificate certEncryption = x509Parser.ReadCertificate(scepEncryptionCert.Export(X509ContentType.Cert));
CmsEnvelopedDataGenerator edGen = new CmsEnvelopedDataGenerator();
edGen.AddKeyTransRecipient(certEncryption);
CmsProcessable deliveredCertContent = new CmsProcessableByteArray(pkcs10RequestData);
CmsEnvelopedData envelopedDataResult = edGen.Generate(deliveredCertContent, CmsEnvelopedGenerator.Aes256Cbc);
return(envelopedDataResult.ContentInfo.GetDerEncoded());
}
public CmsEnvelopedData(ContentInfo contentInfo)
{
this.contentInfo = contentInfo;
EnvelopedData instance = EnvelopedData.GetInstance(contentInfo.Content);
Asn1Set recipientInfos = instance.RecipientInfos;
EncryptedContentInfo encryptedContentInfo = instance.EncryptedContentInfo;
encAlg = encryptedContentInfo.ContentEncryptionAlgorithm;
CmsReadable readable = new CmsProcessableByteArray(encryptedContentInfo.EncryptedContent.GetOctets());
CmsSecureReadable secureReadable = new CmsEnvelopedHelper.CmsEnvelopedSecureReadable(encAlg, readable);
recipientInfoStore = CmsEnvelopedHelper.BuildRecipientInformationStore(recipientInfos, secureReadable);
unprotectedAttributes = instance.UnprotectedAttrs;
}
public void Test4_3()
{
CmsProcessableByteArray unencap = new CmsProcessableByteArray(exContent);
byte[] data = GetRfc4134Data("4.3.bin");
CmsSignedData signedData = new CmsSignedData(unencap, data);
VerifySignatures(signedData, sha1);
CmsSignedDataParser parser = new CmsSignedDataParser(
new CmsTypedStream(unencap.GetInputStream()), data);
VerifySignatures(parser);
}
public async void SignedCmsRoundTripWithKeyVault()
{
using (var materialized = await KeyVaultConfigurationDiscoverer.Materialize(certificateConfiguration))
{
var content = "This is some content";
var publicCert = materialized.PublicCertificate;
// Get cert
var chain = new X509Chain();
chain.Build(publicCert);
// Get the chain without the root CA
var additionals = chain.ChainElements.Cast <X509ChainElement>()
.Where(ce => ce.Certificate.Issuer != ce.Certificate.SubjectName.Name)
.Select(ce => DotNetUtilities.FromX509Certificate(ce.Certificate))
.ToList();
chain.Dispose();
var bcCer = DotNetUtilities.FromX509Certificate(publicCert);
var store = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(additionals));
var generator = new CmsSignedDataGenerator();
var builder = new SignerInfoGeneratorBuilder();
var b = builder.Build(new RsaSignatureFactory("SHA256WITHRSA", materialized.ToRSA()), bcCer);
generator.AddSignerInfoGenerator(b);
generator.AddCertificates(store);
var msg = new CmsProcessableByteArray(Encoding.UTF8.GetBytes(content));
var data = generator.Generate(msg, true);
var encoded = data.GetEncoded();
var signedCms = new SignedCms();
signedCms.Decode(encoded);
signedCms.CheckSignature(true); // don't validate the certiciate itself here
var cContent = signedCms.ContentInfo.Content;
var str = Encoding.UTF8.GetString(cContent);
Assert.Equal(content, str);
}
}
/// <summary>
///Basic constructor - specify the contents of the PKIArchiveControl structure.
/// </summary>
/// <param name="privateKeyInfo">the private key to be archived.</param>
/// <param name="generalName">the general name to be associated with the private key.</param>
///
public PkiArchiveControlBuilder(PrivateKeyInfo privateKeyInfo, GeneralName generalName)
{
EncKeyWithID encKeyWithID = new EncKeyWithID(privateKeyInfo, generalName);
try
{
this.keyContent = new CmsProcessableByteArray(CrmfObjectIdentifiers.id_ct_encKeyWithID, encKeyWithID.GetEncoded());
}
catch (IOException e)
{
throw new InvalidOperationException("unable to encode key and general name info", e);
}
this.envGen = new CmsEnvelopedDataGenerator();
}
public CmsAuthenticatedData(ContentInfo contentInfo)
{
this.contentInfo = contentInfo;
AuthenticatedData instance = AuthenticatedData.GetInstance(contentInfo.Content);
Asn1Set recipientInfos = instance.RecipientInfos;
macAlg = instance.MacAlgorithm;
ContentInfo encapsulatedContentInfo = instance.EncapsulatedContentInfo;
CmsReadable readable = new CmsProcessableByteArray(Asn1OctetString.GetInstance(encapsulatedContentInfo.Content).GetOctets());
CmsSecureReadable secureReadable = new CmsEnvelopedHelper.CmsAuthenticatedSecureReadable(macAlg, readable);
recipientInfoStore = CmsEnvelopedHelper.BuildRecipientInformationStore(recipientInfos, secureReadable);
authAttrs = instance.AuthAttrs;
mac = instance.Mac.GetOctets();
unauthAttrs = instance.UnauthAttrs;
}
private static void SavePkcs7Data(X509Certificate bcCertificate, Pkcs10CertificationRequest request, AsymmetricKeyParameter privateKey)
{
var requestBytes = request.GetEncoded();
var typedData = new CmsProcessableByteArray(requestBytes);
var gen = new CmsSignedDataGenerator();
var signerInfoGeneratorBuilder = new SignerInfoGeneratorBuilder();
var factory = new Asn1SignatureFactory(SingingAlgorithm, privateKey);
gen.AddSignerInfoGenerator(signerInfoGeneratorBuilder.Build(factory, bcCertificate));
gen.AddCertificates(MakeCertStore(bcCertificate));
var signed = gen.Generate(typedData, true);
var signedBytes = signed.GetEncoded();
var cmsBase64 = Convert.ToBase64String(signedBytes);
/*
* you can check cert data here - https://lapo.it/asn1js
* just copy+paste cmsBase64 string
*/
var cmsData = new StringBuilder();
cmsData.Append("-----BEGIN CMS-----");
cmsData.Append("\\n");
var certLength = cmsBase64.Length;
for (var i = 0; i < certLength; i += 64)
{
var substr = certLength - i >= 64
? cmsBase64.Substring(i, 64)
: cmsBase64.Substring(i);
cmsData.Append(substr);
cmsData.Append("\\n");
}
cmsData.Append("-----END CMS-----");
cmsData.Append("\\n");
var cmsString = cmsData.ToString(); //add to http request in bank for approving you certificate
//after you will need copy bank certificate what approved you certificate from API
File.WriteAllText(@"certificate.cms", cmsString);
}
/// <summary><inheritDoc></inheritDoc></summary>
/// <exception cref="System.IO.IOException"></exception>
public virtual Document SignDocument(Document document, SignatureParameters parameters
, byte[] signatureValue)
{
if (parameters.SignaturePackaging != SignaturePackaging.ENVELOPING && parameters
.SignaturePackaging != SignaturePackaging.DETACHED)
{
throw new ArgumentException("Unsupported signature packaging " + parameters.SignaturePackaging);
}
try
{
//jbonilla - No aplica para C#
//string jsAlgorithm = parameters.GetSignatureAlgorithm().GetJavaSignatureAlgorithm
// (parameters.GetDigestAlgorithm());
//PreComputedContentSigner cs = new PreComputedContentSigner(jsAlgorithm, signatureValue
// );
PreComputedSigner s = new PreComputedSigner(signatureValue);
//DigestCalculatorProvider digestCalculatorProvider = new BcDigestCalculatorProvider
// ();
//CMSSignedDataGenerator generator = CreateCMSSignedDataGenerator(cs, digestCalculatorProvider
// , parameters, GetSigningProfile(parameters), true, null);
CmsSignedDataGenerator generator = CreateCMSSignedDataGenerator(s, parameters
, GetSigningProfile(parameters), true, null);
byte[] toBeSigned = Streams.ReadAll(document.OpenStream());
CmsProcessableByteArray content = new CmsProcessableByteArray(toBeSigned);
bool includeContent = true;
if (parameters.SignaturePackaging == SignaturePackaging.DETACHED)
{
includeContent = false;
}
CmsSignedData data = generator.Generate(content, includeContent);
Document signedDocument = new CMSSignedDocument(data);
CAdESSignatureExtension extension = GetExtensionProfile(parameters);
if (extension != null)
{
signedDocument = extension.ExtendSignatures(new CMSSignedDocument(data), document
, parameters);
}
return(signedDocument);
}
catch (CmsException e)
{
throw new RuntimeException(e);
}
}
