// This function is called by the Index method (see above). It contains examples of signature validation parameters.
        /// <summary>
        /// Applies one of the sample PAdES validation parameter sets to <paramref name="sigExplorer"/>.
        /// </summary>
        /// <param name="sigExplorer">Explorer whose policy and security-context settings are assigned.</param>
        /// <param name="caseNumber">
        /// Example to apply (1 to 4). Any other value matches no branch, so the explorer keeps whatever
        /// settings the caller gave it; callers should not assume a policy was set.
        /// </param>
        private static void setValidationParameters(PadesSignatureExplorer sigExplorer, int caseNumber)
        {
            if (caseNumber == 1)
            {
                // Example #1 (RECOMMENDED): accept any PAdES signature as long as the signer has an
                // ICP-Brasil certificate.
                //
                // Only signatures made with ICP-Brasil certificates that meet the minimal security
                // features of the PAdES standard (ETSI TS 102 778) are accepted. They need not follow
                // the extra requirements of the ICP-Brasil signature policy documentation
                // (DOC-ICP-15.03).
                //
                // Recommended for ICP-Brasil because the PAdES policies, released on 2016-06-01, are
                // still in adoption phase by most implementors.
                //
                // No catalog plus a default policy tells Rest PKI to validate every signature in the
                // file with the default policy -- even signatures carrying an explicit signature policy.
                sigExplorer.AcceptableExplicitPolicies = null;
                sigExplorer.DefaultSignaturePolicyId   = StandardPadesSignaturePolicies.Basic;
                // The PAdES Basic policy requires a security context to be chosen.
                sigExplorer.SecurityContextId = StandardSecurityContexts.PkiBrazil;
            }
            else if (caseNumber == 2)
            {
                // Example #2: accept only 100%-compliant ICP-Brasil signatures.
                //
                // A catalog of acceptable policies with no default policy tells Rest PKI that only the
                // policies in the catalog are accepted. SecurityContextId is not assigned in this
                // branch, so any value the caller set is kept.
                sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilPades();
                sigExplorer.DefaultSignaturePolicyId   = null;
            }
            else if (caseNumber == 3)
            {
                // Example #3: accept any PAdES signature as long as the signer is trusted by Windows.
                //
                // Same as example #1, but trust is decided by the WindowsServer trust arbitrator.
                sigExplorer.AcceptableExplicitPolicies = null;
                sigExplorer.DefaultSignaturePolicyId   = StandardPadesSignaturePolicies.Basic;
                sigExplorer.SecurityContextId          = StandardSecurityContexts.WindowsServer;
            }
            else if (caseNumber == 4)
            {
                // Example #4: accept only 100%-compliant ICP-Brasil signatures that provide signer
                // certificate protection.
                //
                // "Signer certificate protection" means the signature keeps its validity even after the
                // signer certificate is revoked or expires. On ICP-Brasil this means policies AD-RT and
                // up (not AD-RB). SecurityContextId is not assigned in this branch.
                sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilPadesWithSignerCertificateProtection();
                sigExplorer.DefaultSignaturePolicyId   = null;
            }
        }
        // GET: CheckCadesRest?c={id}
        /// <summary>
        /// Resolves a verification code to a stored document, opens and validates its CAdES
        /// signatures through Rest PKI, and renders what was found.
        /// </summary>
        /// <param name="c">Verification code taken from the query string.</param>
        /// <returns>The signature view, or Not Found when the code matches no document.</returns>
        public ActionResult Index(string c)
        {
            // PrinterFriendlyVersionController stored the unformatted verification code (without
            // hyphens) but printed the formatted one (with hyphens) on the printer-friendly PDF, so
            // the hyphens are removed before the lookup.
            var code = AlphaCode.Parse(c);

            // Find the document associated with the verification code.
            var fileId = StorageMock.LookupVerificationCode(code);

            if (fileId == null)
            {
                // Invalid code given!
                // Small delay to slow down brute-force attacks (to be extra careful, add a CAPTCHA to
                // the process). The sleep holds this request's thread for the whole two seconds, so
                // treat it as a speed bump rather than a substitute for per-client throttling.
                var penalty = TimeSpan.FromSeconds(2);
                Thread.Sleep(penalty);
                return HttpNotFound();
            }

            // Read the document from storage.
            var signedBytes = StorageMock.Read(fileId);

            // CadesSignatureExplorer is the class used to open/validate CAdES signatures.
            var explorer = new CadesSignatureExplorer(Util.GetRestPkiClient());
            // Validate the signatures in the file, not only inspect them.
            explorer.Validate = true;
            // Validation parameters: full compliance with ICP-Brasil as long as the signer has an
            // ICP-Brasil certificate.
            explorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades();
            // Security context used to determine trust in the certificate chain. The choice is
            // encapsulated in Util.cs.
            explorer.SecurityContextId = Util.GetSecurityContextId();

            // Set the CAdES file.
            explorer.SetSignatureFile(signedBytes);

            // Open() returns the signature file's information.
            var openedSignature = explorer.Open();

            // Render the information (see file Check/Index.html for more information on the
            // information returned). Whatever Open() returned is handed to the view without being
            // inspected here, so showing the validation outcome is the view's job.
            var model = new OpenCadesSignatureModel();
            model.Signature = openedSignature;
            model.File = fileId;
            return View(model);
        }
        /// <summary>
        /// Opens and validates the CAdES signature file identified by <paramref name="userfile"/>,
        /// extracts its encapsulated content when present, and renders the result.
        /// </summary>
        /// <param name="userfile">Identifier of a previously stored file, taken from the request.</param>
        /// <returns>The signature view, or Not Found when the file cannot be resolved.</returns>
        public async Task <ActionResult> Index(string userfile)
        {
            // The action only works when a userfile that storage can resolve is given.
            // NOTE(review): userfile is request input; this relies on StorageMock.TryGetFile to
            // reject names outside the storage area -- confirm in StorageMock.
            string userfilePath;
            var found = StorageMock.TryGetFile(userfile, out userfilePath);
            if (!found)
            {
                return HttpNotFound();
            }

            // CadesSignatureExplorer is the class used to open/validate CAdES signatures.
            var explorer = new CadesSignatureExplorer(Util.GetRestPkiClient());
            // Validate the signatures in the file, not only inspect them.
            explorer.Validate = true;
            // Validation parameters: full compliance with ICP-Brasil as long as the signer has an
            // ICP-Brasil certificate.
            explorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades();
            // Security context used to determine trust in the certificate chain. The choice is
            // encapsulated in Util.cs.
            explorer.SecurityContextId = Util.GetSecurityContextId();

            // Set the CAdES signature file.
            explorer.SetSignatureFile(userfilePath);

            // OpenAndExtractContentAsync() returns the signature file's information and the
            // encapsulated content.
            var opened = await explorer.OpenAndExtractContentAsync();

            var signatureInfo = opened.Signature;
            var content = opened.Signature.HasEncapsulatedContent ? opened.EncapsulatedContent : null;

            // Render the information (see file OpenCadesSignature/Index.html for more information on
            // the information returned).
            var model = new OpenCadesSignatureModel();
            model.Signature = signatureInfo;
            if (content != null)
            {
                // WARNING: this sample always treats the encapsulated content as PDF, so the
                // downloadable file gets a .pdf extension whatever the bytes really are. The content
                // is stored without any type check here; handle the download as untrusted data.
                model.File = StorageMock.Store(content.GetContent(), ".pdf");
            }
            else
            {
                model.File = "";
            }

            return View(model);
        }
        // This function is called by the Index method (see above). It contains examples of signature validation parameters.
        /// <summary>
        /// Applies one of the sample CAdES validation parameter sets to <paramref name="sigExplorer"/>.
        /// </summary>
        /// <param name="sigExplorer">Explorer whose policy and security-context settings are assigned.</param>
        /// <param name="caseNumber">
        /// Example to apply (1 to 5). Any other value matches no branch, so the explorer keeps whatever
        /// settings the caller gave it; callers should not assume a policy was set.
        /// </param>
        private static void setValidationParameters(CadesSignatureExplorer sigExplorer, int caseNumber)
        {
            if (caseNumber == 1)
            {
                // Example #1: accept only 100%-compliant ICP-Brasil signatures.
                //
                // A catalog of acceptable policies with no default policy tells Rest PKI that only the
                // policies in the catalog are accepted. SecurityContextId is not assigned in this
                // branch, so any value the caller set is kept.
                sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades();
                sigExplorer.DefaultSignaturePolicyId   = null;
            }
            else if (caseNumber == 2)
            {
                // Example #2: accept any CAdES signature as long as the signer has an ICP-Brasil
                // certificate.
                //
                // Only signatures made with ICP-Brasil certificates that meet the minimal security
                // features of the CAdES standard (ETSI TS 101 733) are accepted. They need not follow
                // the extra requirements of the ICP-Brasil signature policy documentation
                // (DOC-ICP-15.03).
                //
                // These parameters are less restrictive than the ones in example #1.
                //
                // No catalog plus a default policy tells Rest PKI to validate every signature in the
                // file with the default policy -- even signatures carrying an explicit signature policy.
                sigExplorer.AcceptableExplicitPolicies = null;
                sigExplorer.DefaultSignaturePolicyId   = StandardCadesSignaturePolicies.CadesBes;
                // The CadesBes policy requires a security context to be chosen.
                sigExplorer.SecurityContextId = StandardSecurityContexts.PkiBrazil;
            }
            else if (caseNumber == 3)
            {
                // Example #3: accept any CAdES signature as long as the signer is trusted by Windows.
                //
                // Same as example #2, but trust is decided by the WindowsServer trust arbitrator.
                sigExplorer.AcceptableExplicitPolicies = null;
                sigExplorer.DefaultSignaturePolicyId   = StandardCadesSignaturePolicies.CadesBes;
                sigExplorer.SecurityContextId          = StandardSecurityContexts.WindowsServer;
            }
            else if (caseNumber == 4)
            {
                // Example #4: accept only 100%-compliant ICP-Brasil signatures that provide signer
                // certificate protection.
                //
                // "Signer certificate protection" means the signature keeps its validity even after the
                // signer certificate is revoked or expires. On ICP-Brasil this means policies AD-RT and
                // up (but not AD-RB). SecurityContextId is not assigned in this branch.
                sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCadesWithSignerCertificateProtection();
                sigExplorer.DefaultSignaturePolicyId   = null;
            }
            else if (caseNumber == 5)
            {
                // Example #5: accept only 100%-compliant ICP-Brasil signatures that provide CA
                // certificate protection (besides signer certificate protection).
                //
                // "CA certificate protection" means the signature keeps its validity even after either
                // the signer certificate or its Certification Authority (CA) certificate expires or is
                // revoked. On ICP-Brasil this means policies AD-RC/AD-RV and up (but not AD-RB nor
                // AD-RT). SecurityContextId is not assigned in this branch.
                sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCadesWithCACertificateProtection();
                sigExplorer.DefaultSignaturePolicyId   = null;
            }
        }