private OCSPClientEstEID OCSPClient(Org.BouncyCastle.X509.X509Certificate signer)
{
OCSPConf ocsp;
X509CertStoreEntry storeEntry = null;
Org.BouncyCastle.X509.X509Certificate checkerCert, issuerCert, responderCert;
string certPath, certPassword;
string ocspUrl;
certPath = conf.Pkcs12Cert;
certPassword = conf.Pkcs12Pass;
// open PKCS12 store
DirectoryPKCS12CertStore pkcs12 = new DirectoryPKCS12CertStore(certPath, certPassword);
if (pkcs12.Open() == false)
{
throw new Exception(pkcs12.lastError);
}
// public key
checkerCert = pkcs12.Chain[0];
// private key
AsymmetricKeyParameter privKey = (AsymmetricKeyParameter)pkcs12.Key;
// signing cert issuer name
string signerKey = X509Utils.GetIssuerFields(signer, "CN");
if (signerKey.Length == 0)
{
this.lastError = Resources.CERT_ISSUER_MISSING;
return(null);
}
// load issuer cert
storeEntry = store.GetIssuerCert(signerKey);
if (storeEntry == null)
{
this.lastError = Resources.ISSUER_CERT_MISSING + signerKey;
return(null);
}
// load responder cert, will be used for verify
ocsp = conf.GetOCSPConf(signerKey);
if (ocsp == null)
{
this.lastError = Resources.RESPONDER_CET_MISSING + signerKey;
return(null);
}
issuerCert = storeEntry.Certificate;
responderCert = X509Utils.LoadCertificate(ocsp.Cert)[0];
ocspUrl = ocsp.Url;
if (ocspUrl == null || ocspUrl.Length == 0)
{
this.lastError = Resources.OCSP_URL_MISSING;
return(null);
}
return(new OCSPClientEstEID(signer, checkerCert, issuerCert, ocspUrl, privKey, responderCert));
}
private void SignUsingEstEIDCard2(string filename, string outfile)
{
statusHandler(Resources.VERIFYING_DOCUMENT, false);
AcroFields af = this.reader.AcroFields;
ArrayList names = af.GetSignatureNames();
bool nextRevision = ((names != null) && (names.Count > 0));
// already signed ?
if (nextRevision)
{
// pick always first signature
string name = (string)names[0];
PdfPKCS7 pkc7 = af.VerifySignature(name);
bool verify = pkc7.Verify();
if (!verify)
{
string who = PdfPKCS7.GetSubjectFields(pkc7.SigningCertificate).GetField("CN");
throw new DocVerifyException(Resources.DOC_VERIFY_FAILED + who);
}
}
statusHandler(Resources.CONNECTING_SMARTCARD, false);
// open EstEID
EstEIDReader estEidReader = new EstEIDReader();
string pkcs11_lib = conf.PKCS11DriverPath;
bool b = estEidReader.Open(pkcs11_lib);
if (b == false)
{
throw new Exception(Resources.PKCS11_OPEN);
}
statusHandler(Resources.READ_CERTS, false);
PKCS11Signer signer = LocateSigner(estEidReader);
Org.BouncyCastle.X509.X509Certificate[] chain = X509Utils.LoadCertificate(signer.Cert.RawData);
statusHandler(Resources.VERIFYING_OCSP, false);
OCSPClientEstEID ocspClient = OCSPClient(chain[0]);
if (ocspClient == null)
{
throw new Exception(this.lastError);
}
byte[] ocsp = ocspClient.GetEncoded();
if (ocsp == null)
{
throw new RevocationException(ocspClient.lastError);
}
X509Certificate2 card = signer.Cert;
Oid oid = card.SignatureAlgorithm;
if (oid.Value != PkcsObjectIdentifiers.Sha1WithRsaEncryption.Id)
{
throw new Exception(Resources.INVALID_CERT);
}
PdfReader reader = new PdfReader(filename);
Document document = new Document(reader.GetPageSizeWithRotation(1));
PdfStamper stp = PdfStamper.CreateSignature(reader, new FileStream(outfile, FileMode.Create), '\0', null, nextRevision);
if (metadata != null)
{
stp.XmpMetadata = metadata.getStreamedMetaData();
}
PdfSignatureAppearance sap = stp.SignatureAppearance;
if (appearance.Visible)
{
if (appearance.SigLocation.UseSector)
{
appearance.SigLocation.Bounds = document.PageSize;
}
sap.SetVisibleSignature(appearance.SigLocation, (int)appearance.Page, null);
}
sap.SignDate = DateTime.Now;
sap.SetCrypto(null, chain, null, null);
sap.Reason = (appearance.Reason.Length > 0) ? appearance.Reason : null;
sap.Location = (appearance.Location.Length > 0) ? appearance.Location : null;
sap.Contact = (appearance.Contact.Length > 0) ? appearance.Contact : null;
sap.Acro6Layers = true;
sap.Render = appearance.SignatureRender;
sap.Layer2Text = appearance.SignatureText(sap.SignDate, chain[0]);
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_SHA1);
dic.Date = new PdfDate(sap.SignDate);
dic.Name = PdfPKCS7.GetSubjectFields(chain[0]).GetField("CN");
if (sap.Reason != null)
{
dic.Reason = sap.Reason;
}
if (sap.Location != null)
{
dic.Location = sap.Location;
}
if (sap.Contact != null)
{
dic.Contact = sap.Contact;
}
sap.CryptoDictionary = dic;
sap.SetExternalDigest(new byte[SIGNATURE_LENGTH], new byte[Digest.SHA1_LENGTH], "RSA");
// expect 6K to be enough if TSA response, else 2K ?
int csize = (stamp != null) ? 1024 * 6 : 1024 * 2;
Hashtable exc = new Hashtable();
exc[PdfName.CONTENTS] = csize * 2 + 2;
sap.PreClose(exc);
// compute hash based on PDF bytes
byte[] digest = ComputeHash(estEidReader, sap);
statusHandler(Resources.ADD_SIGNATURE, false);
// sign hash
byte[] rsadata = EstEIDCardSign(estEidReader, signer, digest);
// if null, user requested Cancel
if (rsadata == null)
{
throw new Exception(Resources.CARD_INTERNAL_ERROR);
}
// create PKCS#7 envelope
PdfPKCS7 pk7 = new PdfPKCS7(null, chain, null, "SHA1", true);
pk7.SetExternalDigest(rsadata, digest, "RSA");
byte[] pk = pk7.GetEncodedPKCS7();
// user wants to add TSA response ?
if (stamp != null && pk != null)
{
statusHandler(Resources.TSA_REQUEST, false);
pk = TimestampAuthorityResponse(estEidReader, pk);
}
// PKCS#7 bytes too large ?
if (pk.Length >= csize)
{
throw new Exception(Resources.MEMORY_ERROR);
}
byte[] outc = new byte[csize];
PdfDictionary dic2 = new PdfDictionary();
Array.Copy(pk, 0, outc, 0, pk.Length);
dic2.Put(PdfName.CONTENTS, new PdfString(outc).SetHexWriting(true));
sap.Close(dic2);
}
private PKCS11Signer LocateSigner(EstEIDReader estEidReader)
{
uint slots;
uint i, rc;
X509Certificate2Collection col = null;
Mechanism mech = null;
PKCS11Signer signer = null;
X509Certificate2 cert = null;
ArrayList signers = null;
slots = estEidReader.GetSlotCount(1);
if (slots == 0)
{
throw new Exception(Resources.CARD_MISSING);
}
col = new X509Certificate2Collection();
mech = new Mechanism(Mechanism.CKF_SIGN | Mechanism.CKF_HW);
signers = new ArrayList((int)slots);
for (i = 0; i < slots; i++)
{
rc = estEidReader.IsMechanismSupported(i, mech);
// can't use this slot mechanism for signing
if (rc != EstEIDReader.ESTEID_OK)
{
// Mechanism not supported ?
if (rc == EstEIDReader.ESTEID_ERR)
{
continue;
}
throw new PKCS11Exception(rc);
}
TokenInfo token = new TokenInfo(estEidReader);
rc = token.ReadInfo(i);
if (rc != EstEIDReader.ESTEID_OK)
{
throw new PKCS11Exception(rc);
}
PKCS11Cert pkcs11Cert = new PKCS11Cert();
rc = estEidReader.LocateCertificate(i, pkcs11Cert);
if (rc != EstEIDReader.ESTEID_OK)
{
// did we find a certificate ?
if (rc == EstEIDReader.ESTEID_ERR)
{
continue;
}
throw new PKCS11Exception(rc);
}
byte[] raw = pkcs11Cert.CertificateToByteArray();
// can we use this cert for signing ?
string s = X509Utils.GetSubjectFields(raw, "OU");
if (!s.Equals("digital signature"))
{
continue;
}
cert = new X509Certificate2(raw);
col.Add(cert);
signer = new PKCS11Signer(i, cert, token);
signers.Add(signer);
}
// no valid certs found ?
if (col.Count == 0)
{
throw new Exception(Resources.CERTS_MISSING);
}
X509Certificate2Collection sel = X509CertificateUI.SelectFromCollection(col,
Resources.UI_CERTIFICATES, Resources.UI_PICK_CERTIFICATE);
// user requested Cancel or there are no certs ?
if (sel == null || sel.Count == 0)
{
throw new CancelException(Resources.ACTION_CANCELED);
}
X509Certificate2Enumerator en = sel.GetEnumerator();
en.MoveNext();
cert = en.Current;
byte[] s1 = cert.PublicKey.EncodedKeyValue.RawData;
IEnumerator enumerator = signers.GetEnumerator();
while (enumerator.MoveNext())
{
signer = (PKCS11Signer)enumerator.Current;
byte[] s2 = signer.Cert.PublicKey.EncodedKeyValue.RawData;
if (Arrays.AreEqual(s1, s2))
{
return(signer);
}
}
// didn't find any match ?
// data is being altered in memory ?
throw new Exception(Resources.CERT_DONT_MATCH);
}