public static IList GetCrlsFromStore(
IX509Store crlStore)
{
try
{
IList crls = new ArrayList();
if (crlStore != null)
{
foreach (X509Crl c in crlStore.GetMatches(null))
{
crls.Add(
CertificateList.GetInstance(
Asn1Object.FromByteArray(c.GetEncoded())));
}
}
return crls;
}
catch (CrlException e)
{
throw new CmsException("error encoding crls", e);
}
catch (Exception e)
{
throw new CmsException("error processing crls", e);
}
}
private static X509Certificate GetCertificate(SignerInformation signer, IX509Store cmsCertificates)
{
X509Certificate cert = null;
// Create a selector with the information necessary to
// find the signer certificate
X509CertStoreSelector sel = new X509CertStoreSelector();
sel.Issuer = signer.SignerID.Issuer;
sel.SerialNumber = signer.SignerID.SerialNumber;
// Try find a match
IList certificatesFound = new ArrayList( cmsCertificates.GetMatches(sel) );
if (certificatesFound.Count > 0) // Match found
{
// Load certificate from CMS
Console.WriteLine("Loading signer's certificate from CMS...");
cert = (X509Certificate)certificatesFound[0];
}
else
{
// Load certificate from file
Console.WriteLine("Loading signer's certificate from file...");
ReadCertificate("..\\..\\example.cer");
}
return cert;
}
public static IList GetCertificatesFromStore(
IX509Store certStore)
{
try
{
IList certs = Platform.CreateArrayList();
if (certStore != null)
{
foreach (X509Certificate c in certStore.GetMatches(null))
{
certs.Add(
X509CertificateStructure.GetInstance(
Asn1Object.FromByteArray(c.GetEncoded())));
}
}
return certs;
}
catch (CertificateEncodingException e)
{
throw new CmsException("error encoding certs", e);
}
catch (Exception e)
{
throw new CmsException("error processing certs", e);
}
}
internal TripleUnwrapper(Level? level, ITimemarkProvider timemarkauthority, X509Certificate2Collection encCerts)
{
if (level == Level.L_Level || level == Level.A_level ) throw new ArgumentException("level", "Only null or levels B, T, LT and LTA are allowed");
this.level = level;
this.timemarkauthority = timemarkauthority;
//Wrap it inside a IX509Store to (incorrectly) returns an windows x509Certificate2
encCertStore = encCerts == null || encCerts.Count == 0 ? null : new WinX509CollectionStore(encCerts);
}
public static CertificateSecurityInformation VerifyAuth(Org.BouncyCastle.X509.X509Certificate cert, DateTime date, IX509Store certs, IList<CertificateList> crls, IList<BasicOcspResponse> ocsps, bool checkRevocation, bool checkTime)
{
CertificateSecurityInformation result = Verify(cert, date, certs, crls, ocsps, checkRevocation, checkTime);
if (!cert.GetKeyUsage()[0])
{
result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
}
return result;
}
static TspTest()
{
string signDN = "O=Bouncy Castle, C=AU";
AsymmetricCipherKeyPair signKP = TspTestUtil.MakeKeyPair();
X509Certificate signCert = TspTestUtil.MakeCACertificate(signKP, signDN, signKP, signDN);
string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
AsymmetricCipherKeyPair origKP = TspTestUtil.MakeKeyPair();
privateKey = origKP.Private;
cert = TspTestUtil.MakeCertificate(origKP, origDN, signKP, signDN);
IList certList = new ArrayList();
certList.Add(cert);
certList.Add(signCert);
certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
}
private void MakeCertStore(string[] _strs, out IX509Store certStore, out IX509Store crlStore)
{
ArrayList certs = new ArrayList();
ArrayList crls = new ArrayList();
crls.Add(trustedCRL);
for (int i = 0; i < _strs.Length; i++)
{
if (_strs[i].StartsWith("MIIC"))
{
certs.Add(certParser.ReadCertificate(Base64.Decode(_strs[i])));
}
else if (_strs[i].StartsWith("MIIB"))
{
crls.Add(crlParser.ReadCrl(Base64.Decode(_strs[i])));
}
else
{
throw new ArgumentException("Invalid certificate or crl");
}
}
// Insert elements backwards to muck up forward ordering dependency
// IList _vec2 = new ArrayList();
// for (int i = _vec.Count - 1; i >= 0; i--)
// {
// _vec2.Add(_vec[i]);
// }
certs.Reverse();
crls.Reverse();
certStore = X509StoreFactory.Create("Certificate/Collection",
new X509CollectionStoreParameters(certs));
crlStore = X509StoreFactory.Create("CRL/Collection",
new X509CollectionStoreParameters(crls));
}
private static CertificateSecurityInformation Verify(Org.BouncyCastle.X509.X509Certificate cert, DateTime date, IX509Store certs, IList<CertificateList> crls, IList<BasicOcspResponse> ocsps, bool checkRevocation, bool checkTime)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
AsymmetricKeyParameter key = cert.GetPublicKey();
//check key type
if (!(key is RsaKeyParameters))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
trace.TraceEvent(TraceEventType.Warning, 0, "The key should be RSA but was {0}", key.GetType());
}
//check key size
if (!VerifyKeySize(key, EteeActiveConfig.Unseal.MinimumSignatureKeySize))
{
result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
trace.TraceEvent(TraceEventType.Warning, 0, "The key was smaller then {0}", EteeActiveConfig.Unseal.MinimumSignatureKeySize);
}
X509Certificate2Collection extraStore = new X509Certificate2Collection();
foreach (Org.BouncyCastle.X509.X509Certificate obj in certs.GetMatches(null))
{
extraStore.Add(new X509Certificate2(obj.GetEncoded()));
}
Chain chain;
if (checkRevocation)
chain = new X509Certificate2(cert.GetEncoded()).BuildChain(date, extraStore, ref crls, ref ocsps, checkTime ? DateTime.UtcNow : date);
else
chain = new X509Certificate2(cert.GetEncoded()).BuildBasicChain(date, extraStore);
CertificateSecurityInformation dest = null;
foreach (ChainElement ce in chain.ChainElements)
{
if (dest == null) {
dest = result;
}
else
{
dest.IssuerInfo = new CertificateSecurityInformation();
dest = dest.IssuerInfo;
}
dest.Certificate = ce.Certificate;
foreach (X509ChainStatus status in ce.ChainElementStatus.Where(x => x.Status != X509ChainStatusFlags.NoError))
{
dest.securityViolations.Add((CertSecurityViolation)Enum.Parse(typeof(CertSecurityViolation), Enum.GetName(typeof(X509ChainStatusFlags), status.Status)));
}
}
if (chain.ChainStatus.Count(x => x.Status == X509ChainStatusFlags.PartialChain) > 0)
{
result.securityViolations.Add(CertSecurityViolation.IssuerTrustUnknown);
}
trace.TraceEvent(TraceEventType.Verbose, 0, "Verified certificate {0} for date {1}", cert.SubjectDN.ToString(), date);
return result;
}
public static CertificateSecurityInformation VerifyEnc(Org.BouncyCastle.X509.X509Certificate encCert, Org.BouncyCastle.X509.X509Certificate authCert, DateTime date, IX509Store certs, bool checkRevocation)
{
CertificateSecurityInformation result = new CertificateSecurityInformation();
result.Certificate = new X509Certificate2(encCert.GetEncoded());
//check validity
try
{
encCert.CheckValidity(date);
}
catch (CertificateExpiredException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
catch (CertificateNotYetValidException)
{
result.securityViolations.Add(CertSecurityViolation.NotTimeValid);
}
//check key usage
int[] keyUsageIndexes = new int[] { 2, 3 };
foreach (int i in keyUsageIndexes)
{
if (!encCert.GetKeyUsage()[i])
{
result.securityViolations.Add(CertSecurityViolation.NotValidForUsage);
trace.TraceEvent(TraceEventType.Warning, 0, "The key usage did not have the correct usage flag set");
}
}
//check issuer/subject
if (!encCert.IssuerDN.Equivalent(encCert.SubjectDN, false)) result.securityViolations.Add(CertSecurityViolation.HasNotPermittedNameConstraint);
//check key size
if (!VerifyKeySize(encCert.GetPublicKey(), EteeActiveConfig.Unseal.MinimumEncryptionKeySize.AsymmerticRecipientKey)) result.securityViolations.Add(CertSecurityViolation.NotValidKeySize);
//check key type
if (!(encCert.GetPublicKey() is RsaKeyParameters)) result.securityViolations.Add(CertSecurityViolation.NotValidKeyType);
if (authCert != null)
{
//check signature
try
{
encCert.Verify(authCert.GetPublicKey());
}
catch (InvalidKeyException)
{
result.securityViolations.Add(CertSecurityViolation.NotSignatureValid);
}
//Validate
result.IssuerInfo = VerifyBoth(authCert, date, certs, new List<CertificateList>(0), new List<BasicOcspResponse>(0), checkRevocation, false);
}
else
{
//We assume that we have the authCert in case it's of a 3rd person, we don't care if its or own encryption cert (we only care for the validity)
}
return result;
}
/**
* Add the attribute certificates contained in the passed in store to the
* generator.
*
* @param store a store of Version 2 attribute certificates
* @throws CmsException if an error occurse processing the store.
*/
public void AddAttributeCertificates(
IX509Store store)
{
try
{
foreach (IX509AttributeCertificate attrCert in store.GetMatches(null))
{
_certs.Add(new DerTaggedObject(false, 2,
AttributeCertificate.GetInstance(Asn1Object.FromByteArray(attrCert.GetEncoded()))));
}
}
catch (Exception e)
{
throw new CmsException("error processing attribute certs", e);
}
}
public static Stream ReplaceCertificatesAndCrls(Stream original, IX509Store x509Certs, IX509Store x509Crls, IX509Store x509AttrCerts, Stream outStr)
{
CmsSignedDataStreamGenerator cmsSignedDataStreamGenerator = new CmsSignedDataStreamGenerator();
CmsSignedDataParser cmsSignedDataParser = new CmsSignedDataParser(original);
cmsSignedDataStreamGenerator.AddDigests(cmsSignedDataParser.DigestOids);
CmsTypedStream signedContent = cmsSignedDataParser.GetSignedContent();
bool flag = signedContent != null;
Stream stream = cmsSignedDataStreamGenerator.Open(outStr, cmsSignedDataParser.SignedContentType.Id, flag);
if (flag)
{
Streams.PipeAll(signedContent.ContentStream, stream);
}
if (x509AttrCerts != null)
{
cmsSignedDataStreamGenerator.AddAttributeCertificates(x509AttrCerts);
}
if (x509Certs != null)
{
cmsSignedDataStreamGenerator.AddCertificates(x509Certs);
}
if (x509Crls != null)
{
cmsSignedDataStreamGenerator.AddCrls(x509Crls);
}
cmsSignedDataStreamGenerator.AddSigners(cmsSignedDataParser.GetSignerInfos());
stream.Close();
return(outStr);
}
private void testNoNonse(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.MD5, "1.2.3");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
ArrayList algorithms = new ArrayList();
algorithms.Add(TspAlgorithms.Sha1);
request.Validate(algorithms, new ArrayList(), new ArrayList());
Assert.False(request.CertReq);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, new BigInteger("24"), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
tsResp.Validate(request);
TimeStampTokenInfo tstInfo = tsToken.TimeStampInfo;
GenTimeAccuracy accuracy = tstInfo.GenTimeAccuracy;
Assert.IsNull(accuracy);
Assert.IsTrue(new BigInteger("24").Equals(tstInfo.SerialNumber));
Assert.IsTrue("1.2.3" == tstInfo.Policy);
Assert.False(tstInfo.IsOrdered);
Assert.IsNull(tstInfo.Nonce);
//
// test certReq
//
IX509Store store = tsToken.GetCertificates();
ICollection certificates = store.GetMatches(null);
Assert.IsTrue(0 == certificates.Count);
}
public OriginatorInfoGenerator(IX509Store origCerts)
: this(origCerts, null)
{
}
private void badAlgorithmTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(new DerObjectIdentifier("1.2.3.4.5"), new byte[21]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badAlgorithm - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badAlgorithm - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.BadAlg)
{
Assert.Fail("badAlgorithm - wrong failure info returned.");
}
}
private void incorrectHashTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[16]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
Assert.IsNull(tsToken, "incorrect hash -- token not null");
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("incorrectHash - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.BadDataFormat)
{
Assert.Fail("incorrectHash - wrong failure info returned.");
}
}
private void badPolicyTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
reqGen.SetReqPolicy("1.1");
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, new ArrayList());
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badPolicy - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badPolicy - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.UnacceptedPolicy)
{
Assert.Fail("badPolicy - wrong failure info returned.");
}
}
private void timeNotAvailableTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(new DerObjectIdentifier("1.2.3.4.5"), new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = null;
//
// This is different to the java api.
// the java version has two calls, generateGrantedResponse and generateRejectedResponse
// See line 726 of NewTspTest
//
tsResp = tsRespGen.Generate(request, new BigInteger("23"), null);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("timeNotAvailable - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("timeNotAvailable - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.TimeNotAvailable)
{
Assert.Fail("timeNotAvailable - wrong failure info returned.");
}
}
private void tokenEncodingTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2.3.4.5.6");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampResponse tsResponse = new TimeStampResponse(tsResp.GetEncoded());
if (!Arrays.AreEqual(tsResponse.GetEncoded(), tsResp.GetEncoded()) ||
!Arrays.AreEqual(tsResponse.TimeStampToken.GetEncoded(),
tsResp.TimeStampToken.GetEncoded()))
{
Assert.Fail();
}
}
private void certReqTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.MD5, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
reqGen.SetCertReq(false);
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
Assert.IsNull(tsToken.TimeStampInfo.GenTimeAccuracy); // check for abscence of accuracy
Assert.True("1.2".Equals(tsToken.TimeStampInfo.Policy));
try
{
tsToken.Validate(cert);
}
catch (TspValidationException)
{
Assert.Fail("certReq(false) verification of token failed.");
}
IX509Store store = tsToken.GetCertificates();
ICollection certsColl = store.GetMatches(null);
if (certsColl.Count > 0)
{
Assert.Fail("certReq(false) found certificates in response.");
}
}
private void testAccuracyZeroCerts(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.MD5, "1.2");
tsTokenGen.SetCertificates(certs);
tsTokenGen.SetAccuracySeconds(1);
tsTokenGen.SetAccuracyMillis(2);
tsTokenGen.SetAccuracyMicros(3);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsResp.Validate(request);
TimeStampTokenInfo tstInfo = tsToken.TimeStampInfo;
GenTimeAccuracy accuracy = tstInfo.GenTimeAccuracy;
Assert.IsTrue(1 == accuracy.Seconds);
Assert.IsTrue(2 == accuracy.Millis);
Assert.IsTrue(3 == accuracy.Micros);
Assert.IsTrue(new BigInteger("23").Equals(tstInfo.SerialNumber));
Assert.IsTrue("1.2" == tstInfo.Policy);
IX509Store store = tsToken.GetCertificates();
ICollection certificates = store.GetMatches(null);
Assert.IsTrue(0 == certificates.Count);
}
/**
* Adds an additional Bouncy Castle {@link Store} to find CRLs, certificates,
* attribute certificates or cross certificates.
* <p>
* You should not use this method. This method is used for adding additional
* X.509 stores, which are used to add (remote) locations, e.g. LDAP, found
* during X.509 object processing, e.g. in certificates or CRLs. This method
* is used in PKIX certification path processing.
* </p><p>
* If <code>store</code> is <code>null</code> it is ignored.
* </p>
*
* @param store The store to add.
* @see #getStores()
*/
public virtual void AddAdditionalStore(
IX509Store store)
{
if (store != null)
{
additionalStores.Add(store);
}
}
private void responseValidationTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.MD5, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
try
{
request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(101));
tsResp.Validate(request);
Assert.Fail("response validation failed on invalid nonce.");
}
catch (TspValidationException e)
{
// ignore
}
try
{
request = reqGen.Generate(TspAlgorithms.Sha1, new byte[22], BigInteger.ValueOf(100));
tsResp.Validate(request);
Assert.Fail("response validation failed on wrong digest.");
}
catch (TspValidationException e)
{
// ignore
}
try
{
request = reqGen.Generate(TspAlgorithms.MD5, new byte[20], BigInteger.ValueOf(100));
tsResp.Validate(request);
Assert.Fail("response validation failed on wrong digest.");
}
catch (TspValidationException e)
{
// ignore
}
}
public void SetCrls(
IX509Store crls)
{
this.x509Crls = crls;
}
private void overrideAttrsTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
SignerInfoGeneratorBuilder signerInfoGenBuilder = new SignerInfoGeneratorBuilder();
IssuerSerial issuerSerial = new IssuerSerial(
new GeneralNames(
new GeneralName(
X509CertificateStructure.GetInstance(cert.GetEncoded()).Issuer)),
new DerInteger(cert.SerialNumber));
byte[] certHash256;
byte[] certHash;
{
Asn1DigestFactory digCalc = Asn1DigestFactory.Get(OiwObjectIdentifiers.IdSha1);
IStreamCalculator calc = digCalc.CreateCalculator();
using (Stream s = calc.Stream)
{
byte[] crt = cert.GetEncoded();
s.Write(crt, 0, crt.Length);
}
certHash = ((SimpleBlockResult)calc.GetResult()).Collect();
}
{
Asn1DigestFactory digCalc = Asn1DigestFactory.Get(NistObjectIdentifiers.IdSha256);
IStreamCalculator calc = digCalc.CreateCalculator();
using (Stream s = calc.Stream)
{
byte[] crt = cert.GetEncoded();
s.Write(crt, 0, crt.Length);
}
certHash256 = ((SimpleBlockResult)calc.GetResult()).Collect();
}
EssCertID essCertid = new EssCertID(certHash, issuerSerial);
EssCertIDv2 essCertidV2 = new EssCertIDv2(certHash256, issuerSerial);
signerInfoGenBuilder.WithSignedAttributeGenerator(new TestAttrGen()
{
EssCertID = essCertid,
EssCertIDv2 = essCertidV2
});
Asn1SignatureFactory sigfact = new Asn1SignatureFactory("SHA1WithRSA", privateKey);
SignerInfoGenerator
signerInfoGenerator = signerInfoGenBuilder.Build(sigfact, cert);
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
signerInfoGenerator,
Asn1DigestFactory.Get(OiwObjectIdentifiers.IdSha1), new DerObjectIdentifier("1.2"), true);
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificate], "no signingCertificate attribute found");
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificateV2], "no signingCertificateV2 attribute found");
SigningCertificate sigCert = SigningCertificate.GetInstance(table[PkcsObjectIdentifiers.IdAASigningCertificate].AttrValues[0]);
Assert.IsTrue(cert.CertificateStructure.Issuer.Equals(sigCert.GetCerts()[0].IssuerSerial.Issuer.GetNames()[0].Name));
Assert.IsTrue(cert.CertificateStructure.SerialNumber.Value.Equals(sigCert.GetCerts()[0].IssuerSerial.Serial.Value));
Assert.IsTrue(Arrays.AreEqual(certHash, sigCert.GetCerts()[0].GetCertHash()));
SigningCertificate sigCertV2 = SigningCertificate.GetInstance(table[PkcsObjectIdentifiers.IdAASigningCertificateV2].AttrValues[0]);
Assert.IsTrue(cert.CertificateStructure.Issuer.Equals(sigCertV2.GetCerts()[0].IssuerSerial.Issuer.GetNames()[0].Name));
Assert.IsTrue(cert.CertificateStructure.SerialNumber.Value.Equals(sigCertV2.GetCerts()[0].IssuerSerial.Serial.Value));
Assert.IsTrue(Arrays.AreEqual(certHash256, sigCertV2.GetCerts()[0].GetCertHash()));
}
PkixCertPath BuildCertPath(HashSet anchors, IX509Store certificates, IX509Store crls, X509Certificate certificate, DateTime? signingTime)
{
var intermediate = new X509CertificateStore ();
foreach (X509Certificate cert in certificates.GetMatches (null))
intermediate.Add (cert);
var selector = new X509CertStoreSelector ();
selector.Certificate = certificate;
var parameters = new PkixBuilderParameters (anchors, selector);
parameters.AddStore (GetIntermediateCertificates ());
parameters.AddStore (intermediate);
var localCrls = GetCertificateRevocationLists ();
parameters.AddStore (localCrls);
parameters.AddStore (crls);
// Note: we disable revocation unless we actually have non-empty revocation lists
parameters.IsRevocationEnabled = localCrls.GetMatches (null).Count > 0;
parameters.ValidityModel = PkixParameters.ChainValidityModel;
if (signingTime.HasValue)
parameters.Date = new DateTimeObject (signingTime.Value);
var result = new PkixCertPathBuilder ().Build (parameters);
return result.CertPath;
}
private void additionalExtensionTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
tsTokenGen.SetTsa(new Asn1.X509.GeneralName(new X509Name("CN=Test")));
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
X509ExtensionsGenerator extensionsGenerator = new X509ExtensionsGenerator();
extensionsGenerator.AddExtension(X509Extensions.AuditIdentity, false, new DerUtf8String("Test"));
TimeStampResponse tsResp = tsRespGen.GenerateGrantedResponse(request, new BigInteger("23"), new DateTimeObject(DateTime.UtcNow), "Okay", extensionsGenerator.Generate());
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificate], "no signingCertificate attribute found");
X509Extensions ext = tsToken.TimeStampInfo.TstInfo.Extensions;
Assert.True(1 == ext.GetExtensionOids().Length);
X509Extension left = new X509Extension(DerBoolean.False, new DerOctetString(new DerUtf8String("Test").GetEncoded()));
Assert.True(left.Equals(ext.GetExtension(X509Extensions.AuditIdentity)));
}
public void AddCertificates(
IX509Store certStore)
{
_certs.AddRange(CmsUtilities.GetCertificatesFromStore(certStore));
}
private void basicSha256Test(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
SignerInfoGenerator sInfoGenerator = makeInfoGenerator(privateKey, cert, TspAlgorithms.Sha256, null, null);
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
sInfoGenerator,
Asn1DigestFactory.Get(NistObjectIdentifiers.IdSha256), new DerObjectIdentifier("1.2"), true);
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha256, new byte[32], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, new BigInteger("23"), DateTime.Now);
Assert.AreEqual((int)PkiStatus.Granted, tsResp.Status);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificateV2]);
Asn1DigestFactory digCalc = Asn1DigestFactory.Get(NistObjectIdentifiers.IdSha256);
IStreamCalculator calc = digCalc.CreateCalculator();
using (Stream s = calc.Stream)
{
byte[] crt = cert.GetEncoded();
s.Write(crt, 0, crt.Length);
}
byte[] certHash = ((SimpleBlockResult)calc.GetResult()).Collect();
SigningCertificateV2 sigCertV2 = SigningCertificateV2.GetInstance(table[PkcsObjectIdentifiers.IdAASigningCertificateV2].AttrValues[0]);
Assert.IsTrue(Arrays.AreEqual(certHash, sigCertV2.GetCerts()[0].GetCertHash()));
}
/**
* return a X509Store containing CRLs, if any, contained
* in this message.
*
* @param type type of store to create
* @return a store of CRLs
* @exception NoSuchStoreException if the store type isn't available.
* @exception CmsException if a general exception prevents creation of the X509Store
*/
public IX509Store GetCrls(
string type)
{
if (_crlStore == null)
{
PopulateCertCrlSets();
_crlStore = Helper.CreateCrlStore(type, _crlSet);
}
return _crlStore;
}
private void resolutionTest(AsymmetricKeyParameter privateKey, X509.X509Certificate cert, IX509Store certs, Resolution resoution, string timeString)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.Resolution = resoution;
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), UnixEpoch.AddMilliseconds(9999));
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
// This done instead of relying on string comparison.
Assert.AreEqual(timeString, tsToken.TimeStampInfo.TstInfo.GenTime.TimeString);
tsResp = tsRespGen.Generate(request, new BigInteger("23"), UnixEpoch.AddMilliseconds(9000));
tsToken = tsResp.TimeStampToken;
Assert.AreEqual("19700101000009Z", tsToken.TimeStampInfo.TstInfo.GenTime.TimeString);
if ((int)resoution > (int)Resolution.R_HUNDREDTHS_OF_SECONDS)
{
tsResp = tsRespGen.Generate(request, new BigInteger("23"), UnixEpoch.AddMilliseconds(9990));
tsToken = tsResp.TimeStampToken;
Assert.AreEqual("19700101000009.99Z", tsToken.TimeStampInfo.TstInfo.GenTime.TimeString);
}
if ((int)resoution > (int)Resolution.R_TENTHS_OF_SECONDS)
{
tsResp = tsRespGen.Generate(request, new BigInteger("23"), UnixEpoch.AddMilliseconds(9900));
tsToken = tsResp.TimeStampToken;
Assert.AreEqual("19700101000009.9Z", tsToken.TimeStampInfo.TstInfo.GenTime.TimeString);
}
}
private void doTestExceptions()
{
byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 };
// MyCertPath mc = new MyCertPath(enc);
MemoryStream os = new MemoryStream();
MemoryStream ins;
byte[] arr;
// TODO Support serialization of cert paths?
// ObjectOutputStream oos = new ObjectOutputStream(os);
// oos.WriteObject(mc);
// oos.Flush();
// oos.Close();
try
{
// CertificateFactory cFac = CertificateFactory.GetInstance("X.509");
arr = os.ToArray();
ins = new MemoryStream(arr, false);
// cFac.generateCertPath(ins);
new PkixCertPath(ins);
}
catch (CertificateException)
{
// ignore okay
}
// CertificateFactory cf = CertificateFactory.GetInstance("X.509");
X509CertificateParser cf = new X509CertificateParser();
IList certCol = new ArrayList();
certCol.Add(cf.ReadCertificate(certA));
certCol.Add(cf.ReadCertificate(certB));
certCol.Add(cf.ReadCertificate(certC));
certCol.Add(cf.ReadCertificate(certD));
// CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder();
X509CertStoreSelector select = new X509CertStoreSelector();
select.Subject = ((X509Certificate)certCol[0]).SubjectDN;
ISet trustanchors = new HashSet();
trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null));
// CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol));
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certCol));
PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select);
parameters.AddStore(x509CertStore);
try
{
PkixCertPathBuilderResult result = pathBuilder.Build(parameters);
PkixCertPath path = result.CertPath;
Fail("found cert path in circular set");
}
catch (PkixCertPathBuilderException)
{
// expected
}
}
private void basicTest(AsymmetricKeyParameter privateKey, X509.X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20], BigInteger.ValueOf(100));
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.IsNotNull(table[PkcsObjectIdentifiers.IdAASigningCertificate], "no signingCertificate attribute found");
}
private PkixCertPathBuilderResult doBuilderTest(
string trustAnchor,
string[] certs,
string[] crls,
ISet initialPolicies,
bool policyMappingInhibited,
bool anyPolicyInhibited)
{
ISet trustedSet = new HashSet();
trustedSet.Add(GetTrustAnchor(trustAnchor));
IList x509Certs = new ArrayList();
IList x509Crls = new ArrayList();
X509Certificate endCert = LoadCert(certs[certs.Length - 1]);
for (int i = 0; i != certs.Length - 1; i++)
{
x509Certs.Add(LoadCert(certs[i]));
}
x509Certs.Add(endCert);
for (int i = 0; i != crls.Length; i++)
{
x509Crls.Add(LoadCrl(crls[i]));
}
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX");
PkixCertPathBuilder builder = new PkixCertPathBuilder();
X509CertStoreSelector endSelector = new X509CertStoreSelector();
endSelector.Certificate = endCert;
PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector);
if (initialPolicies != null)
{
builderParams.SetInitialPolicies(initialPolicies);
builderParams.IsExplicitPolicyRequired = true;
}
if (policyMappingInhibited)
{
builderParams.IsPolicyMappingInhibited = policyMappingInhibited;
}
if (anyPolicyInhibited)
{
builderParams.IsAnyPolicyInhibited = anyPolicyInhibited;
}
builderParams.AddStore(x509CertStore);
builderParams.AddStore(x509CrlStore);
// Perform validation as of this date since test certs expired
builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011"));
try
{
return((PkixCertPathBuilderResult)builder.Build(builderParams));
}
catch (PkixCertPathBuilderException e)
{
throw e.InnerException;
}
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
// try a path with trust anchor included.
certchain.Clear();
certchain.Add(finalCert);
certchain.Add(interCert);
certchain.Add(rootCert);
cp = new PkixCertPath(certchain);
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
checker = new MyChecker();
param.AddCertPathChecker(checker);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
IsTrue(result.TrustAnchor.TrustedCert.Equals(rootCert));
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
//validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
validDate = new DateTime(2004, 3, 20, 19, 21, 10);
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result = (PkixCertPathValidatorResult)cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException &&
e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
/**
* Replace the certificate and CRL information associated with this
* CMSSignedData object with the new one passed in.
* <p>
* The output stream is returned unclosed.
* </p>
* @param original the signed data stream to be used as a base.
* @param certsAndCrls the new certificates and CRLs to be used.
* @param out the stream to Write the new signed data object to.
* @return out.
* @exception CmsException if there is an error processing the CertStore
*/
public static Stream ReplaceCertificatesAndCrls(
Stream original,
IX509Store x509Certs,
IX509Store x509Crls,
IX509Store x509AttrCerts,
Stream outStr)
{
if (x509AttrCerts != null)
{
throw new NotImplementedException("Currently can't replace attribute certificates");
}
Asn1StreamParser inStr = new Asn1StreamParser(original, CmsUtilities.MaximumMemory);
ContentInfoParser contentInfo = new ContentInfoParser((Asn1SequenceParser)inStr.ReadObject());
SignedDataParser signedData = SignedDataParser.GetInstance(contentInfo.GetContent(Asn1Tags.Sequence));
BerSequenceGenerator sGen = new BerSequenceGenerator(outStr);
sGen.AddObject(CmsObjectIdentifiers.SignedData);
BerSequenceGenerator sigGen = new BerSequenceGenerator(sGen.GetRawOutputStream(), 0, true);
// version number
sigGen.AddObject(signedData.Version);
// digests
WriteToGenerator(sigGen, signedData.GetDigestAlgorithms().ToAsn1Object());
// encap content info
ContentInfoParser encapContentInfo = signedData.GetEncapContentInfo();
BerSequenceGenerator eiGen = new BerSequenceGenerator(sigGen.GetRawOutputStream());
eiGen.AddObject(encapContentInfo.ContentType);
Asn1OctetStringParser octs = (Asn1OctetStringParser)encapContentInfo.GetContent(Asn1Tags.OctetString);
if (octs != null)
{
BerOctetStringGenerator octGen = new BerOctetStringGenerator(eiGen.GetRawOutputStream(), 0, true);
byte[] inBuffer = new byte[4096];
byte[] outBuffer = new byte[4096];
Stream inOctets = octs.GetOctetStream();
Stream outOctets = octGen.GetOctetOutputStream(outBuffer);
int len;
while ((len = inOctets.Read(inBuffer, 0, inBuffer.Length)) > 0)
{
outOctets.Write(inBuffer, 0, len);
}
outOctets.Close();
}
eiGen.Close();
//
// skip existing certs and CRLs
//
Asn1SetParser set = signedData.GetCertificates();
if (set != null)
{
set.ToAsn1Object();
}
set = signedData.GetCrls();
if (set != null)
{
set.ToAsn1Object();
}
//
// replace the certs and crls in the SignedData object
//
Asn1Set certs;
try
{
certs = CmsUtilities.CreateDerSetFromList(
CmsUtilities.GetCertificatesFromStore(x509Certs));
}
catch (X509StoreException e)
{
throw new CmsException("error getting certs from certStore", e);
}
if (certs.Count > 0)
{
WriteToGenerator(sigGen, new DerTaggedObject(false, 0, certs));
}
Asn1Set crls;
try
{
crls = CmsUtilities.CreateDerSetFromList(
CmsUtilities.GetCrlsFromStore(x509Crls));
}
catch (X509StoreException e)
{
throw new CmsException("error getting crls from certStore", e);
}
if (crls.Count > 0)
{
WriteToGenerator(sigGen, new DerTaggedObject(false, 1, crls));
}
WriteToGenerator(sigGen, signedData.GetSignerInfos().ToAsn1Object());
sigGen.Close();
sGen.Close();
return(outStr);
}
/**
* return a X509Store containing the public key certificates, if any, contained
* in this message.
*
* @param type type of store to create
* @return a store of public key certificates
* @exception NoSuchStoreException if the store type isn't available.
* @exception CmsException if a general exception prevents creation of the X509Store
*/
public IX509Store GetCertificates(
string type)
{
if (certificateStore == null)
{
certificateStore = Helper.CreateCertificateStore(type, signedData.Certificates);
}
return certificateStore;
}
/**
* Adds a Bouncy Castle {@link Store} to find CRLs, certificates, attribute
* certificates or cross certificates.
* <p>
* This method should be used to add local stores, like collection based
* X.509 stores, if available. Local stores should be considered first,
* before trying to use additional (remote) locations, because they do not
* need possible additional network traffic.
* </p><p>
* If <code>store</code> is <code>null</code> it is ignored.
* </p>
*
* @param store The store to add.
* @see #getStores
*/
public virtual void AddStore(
IX509Store store)
{
if (store != null)
{
stores.Add(store);
}
}
/**
* Replace the certificate and CRL information associated with this
* CmsSignedData object with the new one passed in.
*
* @param signedData the signed data object to be used as a base.
* @param x509Certs the new certificates to be used.
* @param x509Crls the new CRLs to be used.
* @return a new signed data object.
* @exception CmsException if there is an error processing the stores
*/
public static CmsSignedData ReplaceCertificatesAndCrls(
CmsSignedData signedData,
IX509Store x509Certs,
IX509Store x509Crls,
IX509Store x509AttrCerts)
{
if (x509AttrCerts != null)
throw Platform.CreateNotImplementedException("Currently can't replace attribute certificates");
//
// copy
//
CmsSignedData cms = new CmsSignedData(signedData);
//
// replace the certs and crls in the SignedData object
//
Asn1Set certs = null;
try
{
Asn1Set asn1Set = CmsUtilities.CreateBerSetFromList(
CmsUtilities.GetCertificatesFromStore(x509Certs));
if (asn1Set.Count != 0)
{
certs = asn1Set;
}
}
catch (X509StoreException e)
{
throw new CmsException("error getting certificates from store", e);
}
Asn1Set crls = null;
try
{
Asn1Set asn1Set = CmsUtilities.CreateBerSetFromList(
CmsUtilities.GetCrlsFromStore(x509Crls));
if (asn1Set.Count != 0)
{
crls = asn1Set;
}
}
catch (X509StoreException e)
{
throw new CmsException("error getting CRLs from store", e);
}
//
// replace the CMS structure.
//
SignedData old = signedData.signedData;
cms.signedData = new SignedData(
old.DigestAlgorithms,
old.EncapContentInfo,
certs,
crls,
old.SignerInfos);
//
// replace the contentInfo with the new one
//
cms.contentInfo = new ContentInfo(cms.contentInfo.ContentType, cms.signedData);
return cms;
}
public void SetCertificates(
IX509Store certificates)
{
this.x509Certs = certificates;
}
public void AddCertificates(IX509Store certStore)
{
CollectionUtilities.AddRange(_certs, CmsUtilities.GetCertificatesFromStore(certStore));
}
/**
* Replace the certificate and CRL information associated with this
* CmsSignedData object with the new one passed in.
*
* @param signedData the signed data object to be used as a base.
* @param x509Certs the new certificates to be used.
* @param x509Crls the new CRLs to be used.
* @return a new signed data object.
* @exception CmsException if there is an error processing the stores
*/
public static CmsSignedData ReplaceCertificatesAndCrls(
CmsSignedData signedData,
IX509Store x509Certs,
IX509Store x509Crls,
IX509Store x509AttrCerts)
{
if (x509AttrCerts != null)
{
throw Platform.CreateNotImplementedException("Currently can't replace attribute certificates");
}
//
// copy
//
CmsSignedData cms = new CmsSignedData(signedData);
//
// replace the certs and crls in the SignedData object
//
Asn1Set certs = null;
try
{
Asn1Set asn1Set = CmsUtilities.CreateBerSetFromList(
CmsUtilities.GetCertificatesFromStore(x509Certs));
if (asn1Set.Count != 0)
{
certs = asn1Set;
}
}
catch (X509StoreException e)
{
throw new CmsException("error getting certificates from store", e);
}
Asn1Set crls = null;
try
{
Asn1Set asn1Set = CmsUtilities.CreateBerSetFromList(
CmsUtilities.GetCrlsFromStore(x509Crls));
if (asn1Set.Count != 0)
{
crls = asn1Set;
}
}
catch (X509StoreException e)
{
throw new CmsException("error getting CRLs from store", e);
}
//
// replace the CMS structure.
//
SignedData old = signedData.signedData;
cms.signedData = new SignedData(
old.DigestAlgorithms,
old.EncapContentInfo,
certs,
crls,
old.SignerInfos);
//
// replace the contentInfo with the new one
//
cms.contentInfo = new ContentInfo(cms.contentInfo.ContentType, cms.signedData);
return(cms);
}
private void extensionTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
// --- These are test case only values
reqGen.SetReqPolicy("2.5.29.56");
reqGen.AddExtension(new DerObjectIdentifier("1.3.6.1.5.5.7.1.2"), true, new DerOctetString(new byte[20]));
// --- not for any real world purpose.
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
try
{
request.Validate(new ArrayList(), new ArrayList(), new ArrayList());
Assert.Fail("expected exception");
} catch (Exception ex)
{
Assert.True("request contains unknown algorithm" == ex.Message);
}
ArrayList algorithms = new ArrayList();
algorithms.Add(TspAlgorithms.Sha1);
try
{
request.Validate(algorithms, new ArrayList(), new ArrayList());
Assert.Fail("no exception");
}
catch (Exception e)
{
Assert.IsTrue(e.Message == "request contains unknown policy");
}
ArrayList policies = new ArrayList();
// Testing only do not use in real world.
policies.Add("2.5.29.56");
try
{
request.Validate(algorithms, policies, new ArrayList());
Assert.Fail("no exception");
}
catch (Exception e)
{
Assert.IsTrue(e.Message == "request contains unknown extension");
}
ArrayList extensions = new ArrayList();
// Testing only do not use in real world/
extensions.Add("1.3.6.1.5.5.7.1.2");
// should validate with full set
request.Validate(algorithms, policies, extensions);
// should validate with null policy
request.Validate(algorithms, null, extensions);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, new BigInteger("23"), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
tsToken.Validate(cert);
Asn1.Cms.AttributeTable table = tsToken.SignedAttributes;
Assert.NotNull(table[PkcsObjectIdentifiers.IdAASigningCertificate], "no signingCertificate attribute found");
}
/**
* return a X509Store containing the attribute certificates, if any, contained
* in this message.
*
* @param type type of store to create
* @return a store of attribute certificates
* @exception NoSuchStoreException if the store type isn't available.
* @exception CmsException if a general exception prevents creation of the X509Store
*/
public IX509Store GetAttributeCertificates(
string type)
{
if (attrCertStore == null)
{
attrCertStore = Helper.CreateAttributeStore(type, signedData.Certificates);
}
return attrCertStore;
}
/// <inheritdoc/>
public Task <bool> ValidateRemoteCertificateAsync(X509Certificate target, ILogger?logger = null)
{
if (AcceptAllRemoteCertificates)
{
return(Task.FromResult(true));
}
if (target == null)
{
throw new ArgumentNullException(nameof(target));
}
var trustedCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
var trustedCertsInfo = new DirectoryInfo(Path.Combine(_pkiPath, "trusted"));
if (!trustedCertsInfo.Exists)
{
trustedCertsInfo.Create();
}
foreach (var info in trustedCertsInfo.EnumerateFiles())
{
using (var crtStream = info.OpenRead())
{
var crt = _certParser.ReadCertificate(crtStream);
if (crt != null)
{
trustedCerts.Add(crt);
}
}
}
var intermediateCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
var intermediateCertsInfo = new DirectoryInfo(Path.Combine(_pkiPath, "issuer"));
if (!intermediateCertsInfo.Exists)
{
intermediateCertsInfo.Create();
}
foreach (var info in intermediateCertsInfo.EnumerateFiles())
{
using (var crtStream = info.OpenRead())
{
var crt = _certParser.ReadCertificate(crtStream);
if (crt != null)
{
intermediateCerts.Add(crt);
}
}
}
if (IsSelfSigned(target))
{
// Create the selector that specifies the starting certificate
var selector = new X509CertStoreSelector()
{
Certificate = target
};
IX509Store trustedCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(trustedCerts));
if (trustedCertStore.GetMatches(selector).Count > 0)
{
return(Task.FromResult(true));
}
logger?.LogError($"Error validatingRemoteCertificate.");
StoreInRejectedFolder(target);
return(Task.FromResult(false));
}
try
{
var res = VerifyCertificate(target, trustedCerts, intermediateCerts);
}
catch (Exception ex)
{
logger?.LogError($"Error validatingRemoteCertificate. {ex.Message}");
StoreInRejectedFolder(target);
return(Task.FromResult(false));
}
return(Task.FromResult(true));
}
/**
* return a X509Store containing CRLs, if any, contained
* in this message.
*
* @param type type of store to create
* @return a store of CRLs
* @exception NoSuchStoreException if the store type isn't available.
* @exception CmsException if a general exception prevents creation of the X509Store
*/
public IX509Store GetCrls(
string type)
{
if (crlStore == null)
{
crlStore = Helper.CreateCrlStore(type, signedData.CRLs);
}
return crlStore;
}
/// <inheritdoc/>
public async Task <(X509Certificate?Certificate, RsaKeyParameters?Key)> GetLocalCertificateAsync(ApplicationDescription applicationDescription, ILogger?logger = null)
{
if (applicationDescription == null)
{
throw new ArgumentNullException(nameof(applicationDescription));
}
string?applicationUri = applicationDescription.ApplicationUri;
if (string.IsNullOrEmpty(applicationUri))
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
string?subjectName = null;
string?hostName = null;
string?appName = null;
UriBuilder appUri = new UriBuilder(applicationUri);
if (appUri.Scheme == "http" && !string.IsNullOrEmpty(appUri.Host))
{
var path = appUri.Path.Trim('/');
if (!string.IsNullOrEmpty(path))
{
hostName = appUri.Host;
appName = path;
subjectName = $"CN={appName},DC={hostName}";
}
}
if (appUri.Scheme == "urn")
{
var parts = appUri.Path.Split(new[] { ':' }, 2);
if (parts.Length == 2)
{
hostName = parts[0];
appName = parts[1];
subjectName = $"CN={appName},DC={hostName}";
}
}
if (subjectName == null)
{
throw new ArgumentOutOfRangeException(nameof(applicationDescription), "Expecting ApplicationUri in the form of 'http://{hostname}/{appname}' -or- 'urn:{hostname}:{appname}'.");
}
var crt = default(X509Certificate);
var key = default(RsaKeyParameters);
// Build 'own/certs' certificate store.
var ownCerts = new Org.BouncyCastle.Utilities.Collections.HashSet();
var ownCertsInfo = new DirectoryInfo(Path.Combine(_pkiPath, "own", "certs"));
if (ownCertsInfo.Exists)
{
foreach (var info in ownCertsInfo.EnumerateFiles())
{
using (var crtStream = info.OpenRead())
{
var c = _certParser.ReadCertificate(crtStream);
if (c != null)
{
ownCerts.Add(c);
}
}
}
}
IX509Store ownCertStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(ownCerts));
// Select the newest certificate that matches by subject name.
var selector = new X509CertStoreSelector()
{
Subject = new X509Name(subjectName)
};
crt = ownCertStore.GetMatches(selector).OfType <X509Certificate>().OrderBy(c => c.NotBefore).LastOrDefault();
if (crt != null)
{
// If certificate found, verify alt-name, and retrieve private key.
var asn1OctetString = crt.GetExtensionValue(X509Extensions.SubjectAlternativeName);
if (asn1OctetString != null)
{
var asn1Object = X509ExtensionUtilities.FromExtensionValue(asn1OctetString);
GeneralNames gns = GeneralNames.GetInstance(asn1Object);
if (gns.GetNames().Any(n => n.TagNo == GeneralName.UniformResourceIdentifier && n.Name.ToString() == applicationUri))
{
var ki = new FileInfo(Path.Combine(_pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (ki.Exists)
{
using (var keyStream = new StreamReader(ki.OpenRead()))
{
var keyReader = new PemReader(keyStream);
var keyPair = keyReader.ReadObject() as AsymmetricCipherKeyPair;
if (keyPair != null)
{
key = keyPair.Private as RsaKeyParameters;
}
}
}
}
}
}
// If certificate and key are found, return to caller.
if (crt != null && key != null)
{
logger?.LogTrace($"Found certificate with subject alt name '{applicationUri}'.");
return(crt, key);
}
if (!CreateLocalCertificateIfNotExist)
{
return(null, null);
}
// Create new certificate
var subjectDN = new X509Name(subjectName);
// Create a keypair.
var kp = await Task.Run <AsymmetricCipherKeyPair>(() =>
{
RsaKeyPairGenerator kg = new RsaKeyPairGenerator();
kg.Init(new KeyGenerationParameters(_rng, 2048));
return(kg.GenerateKeyPair());
});
key = kp.Private as RsaPrivateCrtKeyParameters;
// Create a certificate.
X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
var subjectSN = BigInteger.ProbablePrime(120, _rng);
cg.SetSerialNumber(subjectSN);
cg.SetSubjectDN(subjectDN);
cg.SetIssuerDN(subjectDN);
cg.SetNotBefore(DateTime.Now.Date.ToUniversalTime());
cg.SetNotAfter(DateTime.Now.Date.ToUniversalTime().AddYears(25));
cg.SetPublicKey(kp.Public);
cg.AddExtension(
X509Extensions.BasicConstraints.Id,
true,
new BasicConstraints(false));
cg.AddExtension(
X509Extensions.SubjectKeyIdentifier.Id,
false,
new SubjectKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public)));
cg.AddExtension(
X509Extensions.AuthorityKeyIdentifier.Id,
false,
new AuthorityKeyIdentifier(SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(kp.Public), new GeneralNames(new GeneralName(subjectDN)), subjectSN));
cg.AddExtension(
X509Extensions.SubjectAlternativeName,
false,
new GeneralNames(new[] { new GeneralName(GeneralName.UniformResourceIdentifier, applicationUri), new GeneralName(GeneralName.DnsName, hostName) }));
cg.AddExtension(
X509Extensions.KeyUsage,
true,
new KeyUsage(KeyUsage.DataEncipherment | KeyUsage.DigitalSignature | KeyUsage.NonRepudiation | KeyUsage.KeyCertSign | KeyUsage.KeyEncipherment));
cg.AddExtension(
X509Extensions.ExtendedKeyUsage,
true,
new ExtendedKeyUsage(KeyPurposeID.IdKPClientAuth, KeyPurposeID.IdKPServerAuth));
crt = cg.Generate(new Asn1SignatureFactory("SHA256WITHRSA", key, _rng));
logger?.LogTrace($"Created certificate with subject alt name '{applicationUri}'.");
var keyInfo = new FileInfo(Path.Combine(_pkiPath, "own", "private", $"{crt.SerialNumber}.key"));
if (!keyInfo.Directory.Exists)
{
Directory.CreateDirectory(keyInfo.DirectoryName);
}
else if (keyInfo.Exists)
{
keyInfo.Delete();
}
using (var keystream = new StreamWriter(keyInfo.OpenWrite()))
{
var pemwriter = new PemWriter(keystream);
pemwriter.WriteObject(key);
}
var crtInfo = new FileInfo(Path.Combine(_pkiPath, "own", "certs", $"{crt.SerialNumber}.crt"));
if (!crtInfo.Directory.Exists)
{
Directory.CreateDirectory(crtInfo.DirectoryName);
}
else if (crtInfo.Exists)
{
crtInfo.Delete();
}
using (var crtstream = new StreamWriter(crtInfo.OpenWrite()))
{
var pemwriter = new PemWriter(crtstream);
pemwriter.WriteObject(crt);
}
return(crt, key);
}
public void AddCertificates(
IX509Store certStore)
{
_certs.AddRange(CmsUtilities.GetCertificatesFromStore(certStore));
}
public void AddCrls(
IX509Store crlStore)
{
_crls.AddRange(CmsUtilities.GetCrlsFromStore(crlStore));
}
public void AddCrls(IX509Store crlStore)
{
CollectionUtilities.AddRange(_crls, CmsUtilities.GetCrlsFromStore(crlStore));
}
public void AddCertificates(
IX509Store certStore)
{
CollectionUtilities.AddRange(_certs, CmsUtilities.GetCertificatesFromStore(certStore));
}
X509Certificate GetCertificate(IX509Store store, SignerID signer)
{
var matches = store.GetMatches (signer);
foreach (X509Certificate certificate in matches) {
return certificate;
}
return GetCertificate (signer);
}
public void AddCrls(
IX509Store crlStore)
{
CollectionUtilities.AddRange(_crls, CmsUtilities.GetCrlsFromStore(crlStore));
}
public OriginatorInfoGenerator(IX509Store origCerts, IX509Store origCrls)
{
this.origCerts = CmsUtilities.GetCertificatesFromStore(origCerts);
this.origCrls = origCrls == null ? null : CmsUtilities.GetCrlsFromStore(origCrls);
}
public OriginatorInfoGenerator(IX509Store origCerts)
: this(origCerts, null)
{
}
public void AddCrls(
IX509Store crlStore)
{
_crls.AddRange(CmsUtilities.GetCrlsFromStore(crlStore));
}
public OriginatorInfoGenerator(IX509Store origCerts, IX509Store origCrls)
{
this.origCerts = CmsUtilities.GetCertificatesFromStore(origCerts);
this.origCrls = origCrls == null ? null : CmsUtilities.GetCrlsFromStore(origCrls);
}
/**
* return a X509Store containing the attribute certificates, if any, contained
* in this message.
*
* @param type type of store to create
* @return a store of attribute certificates
* @exception org.bouncycastle.x509.NoSuchStoreException if the store type isn't available.
* @exception CmsException if a general exception prevents creation of the X509Store
*/
public IX509Store GetAttributeCertificates(
string type)
{
if (_attributeStore == null)
{
PopulateCertCrlSets();
_attributeStore = Helper.CreateAttributeStore(type, _certSet);
}
return _attributeStore;
}
/**
* Replace the certificate and CRL information associated with this
* CMSSignedData object with the new one passed in.
* <p>
* The output stream is returned unclosed.
* </p>
* @param original the signed data stream to be used as a base.
* @param certsAndCrls the new certificates and CRLs to be used.
* @param out the stream to Write the new signed data object to.
* @return out.
* @exception CmsException if there is an error processing the CertStore
*/
public static Stream ReplaceCertificatesAndCrls(
Stream original,
IX509Store x509Certs,
IX509Store x509Crls,
IX509Store x509AttrCerts,
Stream outStr)
{
if (x509AttrCerts != null)
throw new NotImplementedException("Currently can't replace attribute certificates");
Asn1StreamParser inStr = new Asn1StreamParser(original, CmsUtilities.MaximumMemory);
ContentInfoParser contentInfo = new ContentInfoParser((Asn1SequenceParser)inStr.ReadObject());
SignedDataParser signedData = SignedDataParser.GetInstance(contentInfo.GetContent(Asn1Tags.Sequence));
BerSequenceGenerator sGen = new BerSequenceGenerator(outStr);
sGen.AddObject(CmsObjectIdentifiers.SignedData);
BerSequenceGenerator sigGen = new BerSequenceGenerator(sGen.GetRawOutputStream(), 0, true);
// version number
sigGen.AddObject(signedData.Version);
// digests
WriteToGenerator(sigGen, signedData.GetDigestAlgorithms().ToAsn1Object());
// encap content info
ContentInfoParser encapContentInfo = signedData.GetEncapContentInfo();
BerSequenceGenerator eiGen = new BerSequenceGenerator(sigGen.GetRawOutputStream());
eiGen.AddObject(encapContentInfo.ContentType);
Asn1OctetStringParser octs = (Asn1OctetStringParser)encapContentInfo.GetContent(Asn1Tags.OctetString);
if (octs != null)
{
BerOctetStringGenerator octGen = new BerOctetStringGenerator(eiGen.GetRawOutputStream(), 0, true);
byte[] inBuffer = new byte[4096];
byte[] outBuffer = new byte[4096];
Stream inOctets = octs.GetOctetStream();
Stream outOctets = octGen.GetOctetOutputStream(outBuffer);
int len;
while ((len = inOctets.Read(inBuffer, 0, inBuffer.Length)) > 0)
{
outOctets.Write(inBuffer, 0, len);
}
outOctets.Close();
}
eiGen.Close();
//
// skip existing certs and CRLs
//
GetAsn1Set(signedData.GetCertificates());
GetAsn1Set(signedData.GetCrls());
//
// replace the certs and crls in the SignedData object
//
Asn1Set certs;
try
{
certs = CmsUtilities.CreateDerSetFromList(
CmsUtilities.GetCertificatesFromStore(x509Certs));
}
catch (X509StoreException e)
{
throw new CmsException("error getting certs from certStore", e);
}
if (certs.Count > 0)
{
WriteToGenerator(sigGen, new DerTaggedObject(false, 0, certs));
}
Asn1Set crls;
try
{
crls = CmsUtilities.CreateDerSetFromList(
CmsUtilities.GetCrlsFromStore(x509Crls));
}
catch (X509StoreException e)
{
throw new CmsException("error getting crls from certStore", e);
}
if (crls.Count > 0)
{
WriteToGenerator(sigGen, new DerTaggedObject(false, 1, crls));
}
WriteToGenerator(sigGen, signedData.GetSignerInfos().ToAsn1Object());
sigGen.Close();
sGen.Close();
return outStr;
}
/**
* Replace the certificate and CRL information associated with this
* CMSSignedData object with the new one passed in.
* <p>
* The output stream is returned unclosed.
* </p>
* @param original the signed data stream to be used as a base.
* @param certsAndCrls the new certificates and CRLs to be used.
* @param out the stream to Write the new signed data object to.
* @return out.
* @exception CmsException if there is an error processing the CertStore
*/
public static Stream ReplaceCertificatesAndCrls(
Stream original,
IX509Store x509Certs,
IX509Store x509Crls,
IX509Store x509AttrCerts,
Stream outStr)
{
// NB: SecureRandom would be ignored since using existing signatures only
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
CmsSignedDataParser parser = new CmsSignedDataParser(original);
gen.AddDigests(parser.DigestOids);
CmsTypedStream signedContent = parser.GetSignedContent();
bool encapsulate = (signedContent != null);
Stream contentOut = gen.Open(outStr, parser.SignedContentType.Id, encapsulate);
if (encapsulate)
{
Streams.PipeAll(signedContent.ContentStream, contentOut);
}
// gen.AddAttributeCertificates(parser.GetAttributeCertificates("Collection"));
// gen.AddCertificates(parser.GetCertificates("Collection"));
// gen.AddCrls(parser.GetCrls("Collection"));
if (x509AttrCerts != null)
gen.AddAttributeCertificates(x509AttrCerts);
if (x509Certs != null)
gen.AddCertificates(x509Certs);
if (x509Crls != null)
gen.AddCrls(x509Crls);
gen.AddSigners(parser.GetSignerInfos());
contentOut.Close();
return outStr;
}
/// <summary>
/// Verify signed bytes and PKCS#7 signature.
/// </summary>
/// <param name="signedBytes">signed bytes</param>
/// <param name="signatureBytes">signature bytes</param>
/// <param name="data">other data</param>
public void Verify(byte[] signedBytes, byte[] signatureBytes, CryptoSignatureVerificationData data = null)
{
if (signedBytes == null)
{
throw new ArgumentNullException(nameof(signedBytes));
}
if (signatureBytes == null)
{
throw new ArgumentNullException(nameof(signatureBytes));
}
if (_trustAnchors == null && data?.CertificateBytes == null)
{
throw new ArgumentException("No trust anchors given.");
}
CmsSignedData signedData;
try
{
CmsProcessableByteArray cmsProcessableByteArray = new CmsProcessableByteArray(signedBytes);
signedData = new CmsSignedData(cmsProcessableByteArray, signatureBytes);
}
catch (Exception e)
{
throw new PkiVerificationErrorException("Cannot create signature from " + nameof(signatureBytes), e);
}
SignerInformationStore signerInformationStore = signedData.GetSignerInfos();
ICollection signerCollection = signerInformationStore.GetSigners();
if (signerCollection.Count == 0)
{
throw new PkiVerificationFailedException("Signature does not contain any SignerInformation element.");
}
IX509Store x509Store = signedData.GetCertificates("collection");
IEnumerator signerInfoCollectionEnumerator = signerCollection.GetEnumerator();
while (signerInfoCollectionEnumerator.MoveNext())
{
SignerInformation signerInfo = (SignerInformation)signerInfoCollectionEnumerator.Current;
if (signerInfo == null)
{
throw new PkiVerificationErrorException("Signature does not contain any SignerInformation element.");
}
ICollection x509Collection = x509Store.GetMatches(signerInfo.SignerID);
IEnumerator x509CertificateCollectionEnumerator = x509Collection.GetEnumerator();
if (!x509CertificateCollectionEnumerator.MoveNext())
{
throw new PkiVerificationErrorException("Signature does not contain any x509 certificates.");
}
X509Certificate certificate = (X509Certificate)x509CertificateCollectionEnumerator.Current;
if (data != null)
{
try
{
CertificateTimeVerifier.Verify(certificate, data.SignTime);
}
catch (PkiVerificationFailedCertNotValidException ex)
{
throw new PkiVerificationFailedCertNotValidException("PKCS#7 signature certificate is not valid.", ex);
}
}
if (_certificateRdnSelector != null)
{
try
{
// Verify certificate with rdn selector
if (!_certificateRdnSelector.IsMatch(certificate))
{
throw new PkiVerificationFailedException("Certificate did not match with certificate subject rdn selector.");
}
}
catch (PkiVerificationFailedException)
{
throw;
}
catch (Exception e)
{
throw new PkiVerificationErrorException("Error when verifying PKCS#7 signature.", e);
}
}
try
{
if (!signerInfo.Verify(certificate))
{
throw new PkiVerificationFailedException("Signer information does not match with certificate.");
}
}
catch (CmsException e)
{
throw new PkiVerificationFailedException("Failed to verify PKCS#7 signature.", e);
}
catch (Exception e)
{
throw new PkiVerificationErrorException("Error when verifying PKCS#7 signature.", e);
}
ISet trustAnchors;
if (data?.CertificateBytes != null)
{
try
{
trustAnchors = new HashSet
{
new TrustAnchor(DotNetUtilities.FromX509Certificate(new X509Certificate2(data.CertificateBytes)), null)
};
}
catch (Exception e)
{
throw new PkiVerificationErrorException("Cannot create trust anchor certificate from " + nameof(data.CertificateBytes), e);
}
}
else
{
trustAnchors = _trustAnchors;
}
try
{
ValidateCertPath(certificate, x509Store, trustAnchors);
}
catch (PkiVerificationFailedException)
{
throw;
}
catch (Exception e)
{
throw new PkiVerificationErrorException("Error when verifying PKCS#7 signature.", e);
}
}
}
