/**
* Signs a document with a PAdES-LTV Timestamp. The document is closed at the end.
* @param sap the signature appearance
* @param tsa the timestamp generator
* @param signatureName the signature name or null to have a name generated
* automatically
* @throws Exception
*/
public static void Timestamp(PdfSignatureAppearance sap, ITSAClient tsa, String signatureName) {
int contentEstimated = tsa.GetTokenSizeEstimate();
sap.SetVisibleSignature(new Rectangle(0,0,0,0), 1, signatureName);
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ETSI_RFC3161);
dic.Put(PdfName.TYPE, PdfName.DOCTIMESTAMP);
sap.CryptoDictionary = dic;
Dictionary<PdfName,int> exc = new Dictionary<PdfName,int>();
exc[PdfName.CONTENTS] = contentEstimated * 2 + 2;
sap.PreClose(exc);
Stream data = sap.RangeStream;
IDigest messageDigest = DigestUtilities.GetDigest(tsa.GetDigestAlgorithm());
byte[] buf = new byte[4096];
int n;
while ((n = data.Read(buf, 0, buf.Length)) > 0) {
messageDigest.BlockUpdate(buf, 0, n);
}
byte[] tsImprint = new byte[messageDigest.GetDigestSize()];
messageDigest.DoFinal(tsImprint, 0);
byte[] tsToken = tsa.GetTimeStampToken(tsImprint);
if (contentEstimated + 2 < tsToken.Length)
throw new Exception("Not enough space");
byte[] paddedSig = new byte[contentEstimated];
System.Array.Copy(tsToken, 0, paddedSig, 0, tsToken.Length);
PdfDictionary dic2 = new PdfDictionary();
dic2.Put(PdfName.CONTENTS, new PdfString(paddedSig).SetHexWriting(true));
sap.Close(dic2);
}
/**
* Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes
* in the signerInfo can also be set, OR a time-stamp-authority client
* may be provided.
* @param secondDigest the digest in the authenticatedAttributes
* @param signingTime the signing time in the authenticatedAttributes
* @param tsaClient TSAClient - null or an optional time stamp authority client
* @return byte[] the bytes for the PKCS7SignedData object
* @since 2.1.6
*/
public byte[] GetEncodedPKCS7(byte[] secondDigest, DateTime signingTime, ITSAClient tsaClient, byte[] ocsp) {
if (externalDigest != null) {
digest = externalDigest;
if (RSAdata != null)
RSAdata = externalRSAdata;
}
else if (externalRSAdata != null && RSAdata != null) {
RSAdata = externalRSAdata;
sig.BlockUpdate(RSAdata, 0, RSAdata.Length);
digest = sig.GenerateSignature();
}
else {
if (RSAdata != null) {
RSAdata = new byte[messageDigest.GetDigestSize()];
messageDigest.DoFinal(RSAdata, 0);
sig.BlockUpdate(RSAdata, 0, RSAdata.Length);
}
digest = sig.GenerateSignature();
}
// Create the set of Hash algorithms
Asn1EncodableVector digestAlgorithms = new Asn1EncodableVector();
foreach (string dal in digestalgos.Keys) {
Asn1EncodableVector algos = new Asn1EncodableVector();
algos.Add(new DerObjectIdentifier(dal));
algos.Add(DerNull.Instance);
digestAlgorithms.Add(new DerSequence(algos));
}
// Create the contentInfo.
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(ID_PKCS7_DATA));
if (RSAdata != null)
v.Add(new DerTaggedObject(0, new DerOctetString(RSAdata)));
DerSequence contentinfo = new DerSequence(v);
// Get all the certificates
//
v = new Asn1EncodableVector();
foreach (X509Certificate xcert in certs) {
Asn1InputStream tempstream = new Asn1InputStream(new MemoryStream(xcert.GetEncoded()));
v.Add(tempstream.ReadObject());
}
DerSet dercertificates = new DerSet(v);
// Create signerinfo structure.
//
Asn1EncodableVector signerinfo = new Asn1EncodableVector();
// Add the signerInfo version
//
signerinfo.Add(new DerInteger(signerversion));
v = new Asn1EncodableVector();
v.Add(GetIssuer(signCert.GetTbsCertificate()));
v.Add(new DerInteger(signCert.SerialNumber));
signerinfo.Add(new DerSequence(v));
// Add the digestAlgorithm
v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(digestAlgorithm));
v.Add(DerNull.Instance);
signerinfo.Add(new DerSequence(v));
// add the authenticated attribute if present
if (secondDigest != null /*&& signingTime != null*/) {
signerinfo.Add(new DerTaggedObject(false, 0, GetAuthenticatedAttributeSet(secondDigest, signingTime, ocsp)));
}
// Add the digestEncryptionAlgorithm
v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(digestEncryptionAlgorithm));
v.Add(DerNull.Instance);
signerinfo.Add(new DerSequence(v));
// Add the digest
signerinfo.Add(new DerOctetString(digest));
// When requested, go get and add the timestamp. May throw an exception.
// Added by Martin Brunecky, 07/12/2007 folowing Aiken Sam, 2006-11-15
// Sam found Adobe expects time-stamped SHA1-1 of the encrypted digest
if (tsaClient != null) {
byte[] tsImprint = PdfEncryption.DigestComputeHash(tsaClient.GetDigestAlgorithm(), digest);
byte[] tsToken = tsaClient.GetTimeStampToken(tsImprint);
if (tsToken != null) {
Asn1EncodableVector unauthAttributes = BuildUnauthenticatedAttributes(tsToken);
if (unauthAttributes != null) {
signerinfo.Add(new DerTaggedObject(false, 1, new DerSet(unauthAttributes)));
}
}
}
// Finally build the body out of all the components above
Asn1EncodableVector body = new Asn1EncodableVector();
body.Add(new DerInteger(version));
body.Add(new DerSet(digestAlgorithms));
body.Add(contentinfo);
body.Add(new DerTaggedObject(false, 0, dercertificates));
// if (crls.Count > 0) {
// v = new Asn1EncodableVector();
// for (Iterator i = crls.Iterator();i.HasNext();) {
// Asn1InputStream t = new Asn1InputStream(new ByteArrayInputStream((((X509CRL)i.Next()).GetEncoded())));
// v.Add(t.ReadObject());
// }
// DERSet dercrls = new DERSet(v);
// body.Add(new DERTaggedObject(false, 1, dercrls));
// }
// Only allow one signerInfo
body.Add(new DerSet(new DerSequence(signerinfo)));
// Now we have the body, wrap it in it's PKCS7Signed shell
// and return it
//
Asn1EncodableVector whole = new Asn1EncodableVector();
whole.Add(new DerObjectIdentifier(ID_PKCS7_SIGNED_DATA));
whole.Add(new DerTaggedObject(0, new DerSequence(body)));
MemoryStream bOut = new MemoryStream();
Asn1OutputStream dout = new Asn1OutputStream(bOut);
dout.WriteObject(new DerSequence(whole));
dout.Close();
return bOut.ToArray();
}
/**
* Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes
* in the signerInfo can also be set, OR a time-stamp-authority client
* may be provided.
* @param secondDigest the digest in the authenticatedAttributes
* @param signingTime the signing time in the authenticatedAttributes
* @param tsaClient TSAClient - null or an optional time stamp authority client
* @return byte[] the bytes for the PKCS7SignedData object
* @since 2.1.6
*/
public byte[] GetEncodedPKCS7(byte[] secondDigest, DateTime signingTime, ITSAClient tsaClient, byte[] ocsp, ICollection <byte[]> crlBytes, bool cades)
{
if (externalDigest != null)
{
digest = externalDigest;
if (RSAdata != null)
{
RSAdata = externalRSAdata;
}
}
else if (externalRSAdata != null && RSAdata != null)
{
RSAdata = externalRSAdata;
sig.BlockUpdate(RSAdata, 0, RSAdata.Length);
digest = sig.GenerateSignature();
}
else
{
if (RSAdata != null)
{
RSAdata = new byte[messageDigest.GetDigestSize()];
messageDigest.DoFinal(RSAdata, 0);
sig.BlockUpdate(RSAdata, 0, RSAdata.Length);
}
digest = sig.GenerateSignature();
}
// Create the set of Hash algorithms
Asn1EncodableVector digestAlgorithms = new Asn1EncodableVector();
foreach (string dal in digestalgos.Keys)
{
Asn1EncodableVector algos = new Asn1EncodableVector();
algos.Add(new DerObjectIdentifier(dal));
algos.Add(DerNull.Instance);
digestAlgorithms.Add(new DerSequence(algos));
}
// Create the contentInfo.
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(SecurityIDs.ID_PKCS7_DATA));
if (RSAdata != null)
{
v.Add(new DerTaggedObject(0, new DerOctetString(RSAdata)));
}
DerSequence contentinfo = new DerSequence(v);
// Get all the certificates
//
v = new Asn1EncodableVector();
foreach (X509Certificate xcert in certs)
{
Asn1InputStream tempstream = new Asn1InputStream(new MemoryStream(xcert.GetEncoded()));
v.Add(tempstream.ReadObject());
}
DerSet dercertificates = new DerSet(v);
// Create signerinfo structure.
//
Asn1EncodableVector signerinfo = new Asn1EncodableVector();
// Add the signerInfo version
//
signerinfo.Add(new DerInteger(signerversion));
v = new Asn1EncodableVector();
v.Add(CertificateInfo.GetIssuer(signCert.GetTbsCertificate()));
v.Add(new DerInteger(signCert.SerialNumber));
signerinfo.Add(new DerSequence(v));
// Add the digestAlgorithm
v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(digestAlgorithmOid));
v.Add(DerNull.Instance);
signerinfo.Add(new DerSequence(v));
// add the authenticated attribute if present
if (secondDigest != null /*&& signingTime != null*/)
{
signerinfo.Add(new DerTaggedObject(false, 0, GetAuthenticatedAttributeSet(secondDigest, signingTime, ocsp, crlBytes, cades)));
}
// Add the digestEncryptionAlgorithm
v = new Asn1EncodableVector();
v.Add(new DerObjectIdentifier(digestEncryptionAlgorithmOid));
v.Add(DerNull.Instance);
signerinfo.Add(new DerSequence(v));
// Add the digest
signerinfo.Add(new DerOctetString(digest));
// When requested, go get and add the timestamp. May throw an exception.
// Added by Martin Brunecky, 07/12/2007 folowing Aiken Sam, 2006-11-15
// Sam found Adobe expects time-stamped SHA1-1 of the encrypted digest
if (tsaClient != null)
{
byte[] tsImprint = PdfEncryption.DigestComputeHash(tsaClient.GetDigestAlgorithm(), digest);
byte[] tsToken = tsaClient.GetTimeStampToken(tsImprint);
if (tsToken != null)
{
Asn1EncodableVector unauthAttributes = BuildUnauthenticatedAttributes(tsToken);
if (unauthAttributes != null)
{
signerinfo.Add(new DerTaggedObject(false, 1, new DerSet(unauthAttributes)));
}
}
}
// Finally build the body out of all the components above
Asn1EncodableVector body = new Asn1EncodableVector();
body.Add(new DerInteger(version));
body.Add(new DerSet(digestAlgorithms));
body.Add(contentinfo);
body.Add(new DerTaggedObject(false, 0, dercertificates));
// Only allow one signerInfo
body.Add(new DerSet(new DerSequence(signerinfo)));
// Now we have the body, wrap it in it's PKCS7Signed shell
// and return it
//
Asn1EncodableVector whole = new Asn1EncodableVector();
whole.Add(new DerObjectIdentifier(SecurityIDs.ID_PKCS7_SIGNED_DATA));
whole.Add(new DerTaggedObject(0, new DerSequence(body)));
MemoryStream bOut = new MemoryStream();
Asn1OutputStream dout = new Asn1OutputStream(bOut);
dout.WriteObject(new DerSequence(whole));
dout.Close();
return(bOut.ToArray());
}