public void T1_ValidSignature ()
{
byte[] data = GetData ("SignedValidSignaturesTest1.eml");
SignedCms cms = new SignedCms ();
cms.Decode (data);
Assert.IsTrue (CheckHash (cms), "CheckHash");
Assert.IsTrue (CheckSignature (cms), "CheckSignature");
X509Certificate2 ee = GetCertificate ("ValidCertificatePathTest1EE.crt");
// certificates aren't in any particuliar order
Assert.IsTrue (cms.Certificates.Contains (ee), "EE");
Assert.IsTrue (cms.Certificates.Contains (GoodCACert), "GoodCACert");
Assert.IsFalse (cms.Detached, "Detached");
Assert.AreEqual (1, cms.Version, "Version");
Assert.AreEqual ("1.2.840.113549.1.7.1", cms.ContentInfo.ContentType.Value, "ContentInfo.Oid");
Assert.AreEqual ("43-6F-6E-74-65-6E-74-2D-54-79-70-65-3A-20-74-65-78-74-2F-70-6C-61-69-6E-3B-20-63-68-61-72-73-65-74-3D-69-73-6F-2D-38-38-35-39-2D-31-0D-0A-43-6F-6E-74-65-6E-74-2D-54-72-61-6E-73-66-65-72-2D-45-6E-63-6F-64-69-6E-67-3A-20-37-62-69-74-0D-0A-0D-0A-54-68-69-73-20-69-73-20-61-20-73-61-6D-70-6C-65-20-73-69-67-6E-65-64-20-6D-65-73-73-61-67-65-2E", BitConverter.ToString (cms.ContentInfo.Content), "ContentInfo.Content");
Assert.AreEqual (1, cms.SignerInfos.Count, "SignerInfos.Count");
Assert.AreEqual (ee, cms.SignerInfos[0].Certificate, "SignerInfos[0].Certificate");
Assert.AreEqual (0, cms.SignerInfos[0].CounterSignerInfos.Count, "SignerInfos[0].CounterSignerInfos.Count");
Assert.AreEqual ("1.3.14.3.2.26", cms.SignerInfos[0].DigestAlgorithm.Value, "cms.SignerInfos[0].DigestAlgorithm");
Assert.AreEqual (0, cms.SignerInfos[0].SignedAttributes.Count, "SignerInfos[0].SignedAttributes.Count");
Assert.AreEqual (SubjectIdentifierType.IssuerAndSerialNumber, cms.SignerInfos[0].SignerIdentifier.Type, "SignerInfos[0].SignerIdentifier.Type");
X509IssuerSerial xis = (X509IssuerSerial) cms.SignerInfos[0].SignerIdentifier.Value;
Assert.AreEqual ("CN=Good CA, O=Test Certificates, C=US", xis.IssuerName, "SignerInfos[0].SignerIdentifier.Value.IssuerName");
Assert.AreEqual ("01", xis.SerialNumber, "SignerInfos[0].SignerIdentifier.Value.SerialNumber");
Assert.AreEqual (0, cms.SignerInfos[0].UnsignedAttributes.Count, "SignerInfos[0].UnsignedAttributes.Count");
Assert.AreEqual (1, cms.SignerInfos[0].Version, "SignerInfos[0].Version");
}
private void DefaultProperties (SignedCms sp, int version)
{
// unaffected by constructors
Assert.AreEqual (0, sp.Certificates.Count, "Certificates");
Assert.AreEqual (0, sp.SignerInfos.Count, "SignerInfos");
Assert.AreEqual (version, sp.Version, "Version");
}
protected string CheckSig()
{
var formData = Request.Form;
var text = formData["txtSign"];
var sig = formData["txtSig"];
string output = "INVALID!";
if (!string.IsNullOrEmpty(sig))
{
try
{
ContentInfo contentInfo = new ContentInfo(Encoding.UTF8.GetBytes(text));
SignedCms signedCms = new SignedCms(contentInfo, true);
signedCms.Decode(Convert.FromBase64String(sig));
// This checks if the signature is valid, but doensn't actually verify the cert (TODO)
signedCms.CheckSignature(true);
output = "Signature valid.";
signedCms.CheckSignature(false);
output += "<br>Cert valid";
}
catch (Exception e)
{
output += "<br>" + e.ToString();
}
}
return output;
}
public bool ValidateToken(byte[] token, byte[] nonce, byte[] certificate, byte[] signature)
{
SignedCms cms = new SignedCms();
cms.Decode(certificate);
var certificates = cms.Certificates.Cast<X509Certificate2>().ToArray();
var leaf = certificates.Single(cert => cert.Extensions.Cast<X509Extension>().Any(usage =>
{
var eku = usage as X509EnhancedKeyUsageExtension;
if (eku != null)
{
return eku.EnhancedKeyUsages.Cast<Oid>().Any(oid => oid.Value == "1.3.6.1.4.1.311.10.5.40");
}
return false;
}));
var signedData = nonce.Concat(token).ToArray();
var publicKeyProvider = leaf.PublicKey.Key as System.Security.Cryptography.RSACryptoServiceProvider;
return publicKeyProvider.VerifyData(signedData, CryptoConfig.MapNameToOID("SHA1"), signature);
// not working either (same results)
//
//SHA1Managed hash = new SHA1Managed();
//byte[] hashedData;
//hashedData = hash.ComputeHash(signedData);
//if (!publicKeyProvider.VerifyHash(hashedData, CryptoConfig.MapNameToOID("SHA1"), signature))
// throw new Exception("Invalid or Corrupted HardwareToken");
}
/// <summary>
/// Firma el mensaje PKCS #7 con el certificado del firmante
/// </summary>
/// <param name="pMensaje">Mensaje (como cadena de bytes)</param>
/// <param name="pCertificadoFirmante">Certificado usado para firmar</param>
/// <returns>Mensaje Firmado (como cadena de bytes)</returns>
/// <remarks></remarks>
public static byte[] FirmarMensaje(byte[] pMensaje, X509Certificate2 pCertificadoFirmante)
{
byte[] msjFirmado;
try
{
// Se pone el Mensaje recibido en un objeto ContentInfo
ContentInfo infoContenidoMsj = new ContentInfo(pMensaje);
// Se instancia el CMS Firmado con el ContentInfo
SignedCms cmsFirmado = new SignedCms(infoContenidoMsj);
// Se instancia el objeto CmsSigner con las caracteristicas del firmante
CmsSigner cmsFirmante = new CmsSigner(pCertificadoFirmante);
cmsFirmante.IncludeOption = X509IncludeOption.EndCertOnly;
// Se firma el mensaje PKCS #7 con el certificado
cmsFirmado.ComputeSignature(cmsFirmante);
msjFirmado = cmsFirmado.Encode();
// Retorno el mensaje PKCS #7 firmado .
return msjFirmado;
}
catch (Exception excepcionAlFirmar)
{
throw new Exception("ERROR: Procedimiento: FirmarMensaje. Al intentar firmar el mensaje con el certificado del firmante: " + excepcionAlFirmar.Message);
}
}
/// <summary>
/// Firma mensaje
/// </summary>
/// <param name="argBytesMsg">Bytes del mensaje</param>
/// <param name="argCertFirmante">Certificado usado para firmar</param>
/// <returns>Bytes del mensaje firmado</returns>
/// <remarks></remarks>
public static byte[] FirmaBytesMensaje(byte[] argBytesMsg, X509Certificate2 argCertFirmante)
{
try
{
// Pongo el mensaje en un objeto ContentInfo (requerido para construir el obj SignedCms)
ContentInfo infoContenido = new ContentInfo(argBytesMsg);
SignedCms cmsFirmado = new SignedCms(infoContenido);
// Creo objeto CmsSigner que tiene las caracteristicas del firmante
CmsSigner cmsFirmante = new CmsSigner(argCertFirmante);
cmsFirmante.IncludeOption = X509IncludeOption.EndCertOnly;
if (VerboseMode)
{
Console.WriteLine("***Firmando bytes del mensaje...");
}
// Firmo el mensaje PKCS #7
cmsFirmado.ComputeSignature(cmsFirmante);
if (VerboseMode)
{
Console.WriteLine("***OK mensaje firmado");
}
// Encodeo el mensaje PKCS #7.
return cmsFirmado.Encode();
}
catch (Exception excepcionAlFirmar)
{
throw new Exception("***Error al firmar: " + excepcionAlFirmar.Message);
}
}
internal SignerInfo(SignedCms signedCms, System.Security.Cryptography.SafeLocalAllocHandle pbCmsgSignerInfo)
{
this.m_signedCms = signedCms;
this.m_parentSignerInfo = null;
this.m_encodedSignerInfo = null;
this.m_pbCmsgSignerInfo = pbCmsgSignerInfo;
this.m_cmsgSignerInfo = (System.Security.Cryptography.CAPI.CMSG_SIGNER_INFO) Marshal.PtrToStructure(pbCmsgSignerInfo.DangerousGetHandle(), typeof(System.Security.Cryptography.CAPI.CMSG_SIGNER_INFO));
}
private byte[] Sign(byte[] messageBytes)
{
Pkcs.ContentInfo content = new Pkcs.ContentInfo(messageBytes);
Pkcs.SignedCms signed = new Pkcs.SignedCms(content);
Pkcs.CmsSigner signer = new Pkcs.CmsSigner(_signerCert);
signed.ComputeSignature(signer);
byte[] signedBytes = signed.Encode();
return(signedBytes);
}
public byte[] Sign(byte[] data)
{
ContentInfo contentInfo = new ContentInfo(_md5.ComputeHash(data));
SignedCms signedCms = new SignedCms(contentInfo);
CmsSigner cmsSigner = new CmsSigner(_cert);
cmsSigner.IncludeOption = X509IncludeOption.WholeChain;
signedCms.ComputeSignature(cmsSigner);
return signedCms.Encode();
}
internal SignerInfo (SignedCms signedCms, SafeLocalAllocHandle pbCmsgSignerInfo) {
// Sanity check.
Debug.Assert(signedCms != null && pbCmsgSignerInfo != null && !pbCmsgSignerInfo.IsInvalid);
m_signedCms = signedCms;
m_parentSignerInfo = null;
m_encodedSignerInfo = null;
m_pbCmsgSignerInfo = pbCmsgSignerInfo;
m_cmsgSignerInfo = (CAPI.CMSG_SIGNER_INFO) Marshal.PtrToStructure(pbCmsgSignerInfo.DangerousGetHandle(), typeof(CAPI.CMSG_SIGNER_INFO));
}
/// <summary>
/// Gets certificates contained in pkcs 7.
/// </summary>
/// <returns>Returns certificates contained in pkcs 7. Returns null if no certificates.</returns>
public X509Certificate2Collection GetCertificates()
{
if(this.Data == null){
return null;
}
SignedCms signedCms = new SignedCms();
signedCms.Decode(this.Data);
return signedCms.Certificates;
}
public static void CheckSig(byte[] sig, byte[] data)
{
ContentInfo contentInfo = new ContentInfo(data);
SignedCms signedCms = new SignedCms(contentInfo, true);
signedCms.Decode(sig);
// This checks if the signature is valid, but doensn't actually verify the cert (TODO)
signedCms.CheckSignature(true);
signedCms.CheckSignature(false);
}
public static bool VerifySign(byte[] data)
{
try
{
SignedCms signed = new SignedCms();
signed.Decode(data);
}
catch
{
return false; // Arquivo não assinado
}
return true;
}
public bool Verify(byte[] data, byte[] signature)
{
var signedCms = new SignedCms();
signedCms.Decode(signature);
try
{
signedCms.CheckSignature(_certificate2Collection, false);
}
catch(Exception e)
{
return false;
}
return signedCms.ContentInfo.Content.SequenceEqual(_md5.ComputeHash(data));
}
/// <summary>
/// Gets signed mime content. Value null means no content.
/// </summary>
/// <returns>Returns signed mime content. Value null means no content.</returns>
/// <remarks>This method is valid only if <b>Content-Type</b> parameter <b>smime-type=signed-data</b>.</remarks>
/// <exception cref="InvalidOperationException">Is raised when <b>smime-type != signed-data</b>.</exception>
public MIME_Message GetSignedMime()
{
if(!string.Equals(this.Entity.ContentType.Parameters["smime-type"],"signed-data",StringComparison.InvariantCultureIgnoreCase)){
throw new InvalidOperationException("The VerifySignature method is only valid if Content-Type parameter smime-type=signed-data.");
}
if(this.Data != null){
SignedCms signedCms = new SignedCms();
signedCms.Decode(this.Data);
return MIME_Message.ParseFromStream(new MemoryStream(signedCms.ContentInfo.Content));
}
else{
return null;
}
}
public static String CheckFileSignature(ContentInfo content, byte[] signature)
{
var verifyCms = new SignedCms(content, true);
verifyCms.Decode(signature);
var cert = verifyCms.SignerInfos[0].Certificate;
try
{
verifyCms.CheckSignature(new X509Certificate2Collection(cert), false);
return @"Signature is valid";
}
catch (CryptographicException)
{
return @"Signature is not valid for content";
}
}
internal unsafe SignerInfo(SignedCms signedCms, SignerInfo parentSignerInfo, byte[] encodedSignerInfo)
{
uint cbDecodedValue = 0;
System.Security.Cryptography.SafeLocalAllocHandle invalidHandle = System.Security.Cryptography.SafeLocalAllocHandle.InvalidHandle;
fixed (byte* numRef = encodedSignerInfo)
{
if (!System.Security.Cryptography.CAPI.DecodeObject(new IntPtr(500L), new IntPtr((void*) numRef), (uint) encodedSignerInfo.Length, out invalidHandle, out cbDecodedValue))
{
throw new CryptographicException(Marshal.GetLastWin32Error());
}
}
this.m_signedCms = signedCms;
this.m_parentSignerInfo = parentSignerInfo;
this.m_encodedSignerInfo = (byte[]) encodedSignerInfo.Clone();
this.m_pbCmsgSignerInfo = invalidHandle;
this.m_cmsgSignerInfo = (System.Security.Cryptography.CAPI.CMSG_SIGNER_INFO) Marshal.PtrToStructure(invalidHandle.DangerousGetHandle(), typeof(System.Security.Cryptography.CAPI.CMSG_SIGNER_INFO));
}
private byte[] FirmaBytesMensaje( byte[] argBytesMsg, X509Certificate2 argCertFirmante )
{
ContentInfo infoContenido = new ContentInfo( argBytesMsg );
SignedCms cmsFirmado = new SignedCms( infoContenido );
CmsSigner cmsFirmante = new CmsSigner( argCertFirmante );
try
{
cmsFirmante.IncludeOption = X509IncludeOption.EndCertOnly;
cmsFirmado.ComputeSignature( cmsFirmante );
}
catch ( Exception error )
{
this.manejadorErrores.ManejarError( error, "FirmaBytesMensaje", error.Message );
}
return cmsFirmado.Encode();
}
private MailMessage GenerateHtmlMessage(string from, string to, string subject, string content, string[] attachmentFilepaths)
{
MailMessage mail = new MailMessage();
mail.From = new MailAddress(from);
mail.To.Add(to);
mail.Subject = subject;
string body = null;
if (attachmentFilepaths != null && attachmentFilepaths.Length > 0)
{
StringBuilder sb = new StringBuilder();
sb.Append("MIME-Version: 1.0\r\n");
sb.Append("Content-Type: multipart/mixed; boundary=unique-boundary-1\r\n");
sb.Append("\r\n");
sb.Append("This is a multi-part message in MIME format.\r\n");
sb.Append("--unique-boundary-1\r\n");
sb.Append("Content-Type: text/html\r\n"); //could use text/plain as well here if you want a plaintext message
sb.Append("Content-Transfer-Encoding: 7Bit\r\n\r\n");
sb.Append(content);
if (!content.EndsWith("\r\n"))
sb.Append("\r\n");
sb.Append("\r\n\r\n");
foreach (string filepath in attachmentFilepaths)
{
sb.Append(GenerateRawAttachement(filepath));
}
body = sb.ToString();
}
else
{
body = "Content-Type: text/html\r\nContent-Transfer-Encoding: 7Bit\r\n\r\n" + content;
}
//input your certification and private key.
X509Certificate2 cert = new X509Certificate2("emailcertification.pfx", "6522626", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
ContentInfo contentInfo = new ContentInfo(Encoding.UTF8.GetBytes(body));
SignedCms signedCms = new SignedCms(contentInfo, false);
CmsSigner Signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
signedCms.ComputeSignature(Signer);
byte[] signedBytes = signedCms.Encode();
MemoryStream stream = new MemoryStream(signedBytes);
AlternateView view = new AlternateView(stream, "application/pkcs7-mime; smime-type=signed-data;name=smime.p7m");
mail.AlternateViews.Add(view);
return mail;
}
public static bool IsSignedBy(this X509Certificate thisCertificate, X509Certificate signerCertificate)
{
X509Certificate2 c = new X509Certificate2(thisCertificate.GetTbsCertificate());
X509Certificate2 i = new X509Certificate2(signerCertificate.GetTbsCertificate());
X509Certificate2 c2 = new X509Certificate2(@"c:\temp\der.cer");
X509Certificate2 i2 = new X509Certificate2(@"c:\temp\cader.cer");
/*byte[] pvSubject = thisCertificate.GetTbsCertificate();
byte[] pvIssuer = signerCertificate.GetTbsCertificate();
*/
System.Text.Encoding.ASCII.GetString(c.RawData);
IntPtr pvSubject = c.Handle;
IntPtr pvIssuer = i.Handle;
int res = SspiProvider.CryptVerifyCertificateSignatureEx(IntPtr.Zero, X509_ASN_ENCODING,
CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT, pvSubject,
CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT, pvIssuer, 0,
IntPtr.Zero);
Marshal.GetLastWin32Error();
CmsSigner signer = new CmsSigner(i);
SignedCms signedMessage = new SignedCms();
// deserialize PKCS #7 byte array
signedMessage.Decode(thisCertificate.GetTbsCertificate());
Log.Write("Veryfy old");
Log.Write("EndVeryfy old");
Log.Write("Get signer's public key");
var publicKey = signerCertificate.GetPublicKey();
Log.Write("Got signer's public key");
try
{
Log.Write("Veryfy signature");
//TODO: log errors
thisCertificate.Verify(publicKey);
Log.Write("Verified");
}
catch (CertificateException)
{
return false;
}
catch (InvalidKeyException)
{
return false;
}
return true;
}
/// <summary>
///
/// </summary>
/// <param name="message"></param>
/// <param name="signingCertificate"></param>
/// <param name="encryptionCertificate"></param>
/// <returns></returns>
internal static byte[] GetSignature(Byte[] message, X509Certificate2 signingCertificate, X509Certificate2 encryptionCertificate)
{
SignedCms signedCms = new SignedCms(new ContentInfo(message), true);
CmsSigner cmsSigner = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, signingCertificate);
cmsSigner.IncludeOption = X509IncludeOption.WholeChain;
if (encryptionCertificate != null)
{
cmsSigner.Certificates.Add(encryptionCertificate);
}
Pkcs9SigningTime signingTime = new Pkcs9SigningTime();
cmsSigner.SignedAttributes.Add(signingTime);
signedCms.ComputeSignature(cmsSigner, false);
return signedCms.Encode();
}
internal static SignedCms RequestTimestamp(byte[] data, string hashAlgorithmOid, Uri timestampingAuthorityUrl)
{
var para = new CRYPT_TIMESTAMP_PARA()
{
fRequestCerts = true
};
IntPtr unmanagedContext = IntPtr.Zero;
byte[] encodedResponse;
try
{
NativeUtils.ThrowIfFailed(NativeMethods.CryptRetrieveTimeStamp(
wszUrl: timestampingAuthorityUrl.ToString(),
dwRetrievalFlags: NativeMethods.TIMESTAMP_VERIFY_CONTEXT_SIGNATURE,
dwTimeout: 5 * 1000 /* 5 second timeout */,
pszHashId: hashAlgorithmOid,
pPara: ref para,
pbData: data,
cbData: (uint)data.Length,
ppTsContext: out unmanagedContext,
ppTsSigner: IntPtr.Zero,
phStore: IntPtr.Zero));
// Copy the encoded response out
var context = (CRYPT_TIMESTAMP_CONTEXT)Marshal.PtrToStructure(unmanagedContext, typeof(CRYPT_TIMESTAMP_CONTEXT));
encodedResponse = new byte[context.cbEncoded];
Marshal.Copy(context.pbEncoded, encodedResponse, 0, (int)context.cbEncoded);
}
finally
{
if (unmanagedContext != IntPtr.Zero)
{
NativeMethods.CryptMemFree(unmanagedContext);
}
}
SignedCms cms = new SignedCms();
cms.Decode(encodedResponse);
return cms;
}
public static SignatureResponse Sign(byte[] data)
{
// TODO:
// padding configuration
// algorithm configuration
// encoding configuration
/*
SHA1Managed sha1 = new SHA1Managed();
byte[] hash = sha1.ComputeHash(data);
var sig = csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"));
//sig = csp.SignData(Encoding.UTF8.GetBytes(text), CryptoConfig.MapNameToOID("SHA1"));
MessageBox.Show("SignData");
*/
var content = new ContentInfo(data);
var cms = new SignedCms(content, true); // TODO detached config
var signer = new CmsSigner();
signer.IncludeOption = X509IncludeOption.EndCertOnly;
cms.ComputeSignature(signer, false);
var sig = cms.Encode();
//ensure my signature is correct before continuing.
cms.CheckSignature(true);
var newCMS = new SignedCms(content, false);
newCMS.Decode(sig);
newCMS.CheckSignature(true);
var cert = cms.Certificates[0];
CheckSig(sig, data);
return new SignatureResponse
{
publicKey = Convert.ToBase64String(cert.PublicKey.EncodedKeyValue.RawData),
signature = Convert.ToBase64String(sig),
fullSig = null // TODO
};
}
public static byte[] SignFile(X509Certificate2 cert, byte[] data)
{
try
{
ContentInfo content = new ContentInfo(data);
SignedCms signedCms = new SignedCms(content, false);
if (VerifySign(data))
{
signedCms.Decode(data);
}
CmsSigner signer = new CmsSigner(cert);
signer.IncludeOption = X509IncludeOption.WholeChain;
signedCms.ComputeSignature(signer);
return signedCms.Encode();
}
catch (Exception ex)
{
throw new Exception("Erro ao assinar arquivo. A mensagem retornada foi: " + ex.Message);
}
}
internal unsafe SignerInfo (SignedCms signedCms, SignerInfo parentSignerInfo, byte[] encodedSignerInfo) {
// Sanity check.
Debug.Assert(signedCms != null && encodedSignerInfo != null && encodedSignerInfo.Length > 0);
uint cbCmsgSignerInfo = 0;
SafeLocalAllocHandle pbCmsgSignerInfo = SafeLocalAllocHandle.InvalidHandle;
fixed (byte * pEncodedSignerInfo = &encodedSignerInfo[0]) {
if (!CAPI.DecodeObject(new IntPtr(CAPI.PKCS7_SIGNER_INFO),
new IntPtr(pEncodedSignerInfo),
(uint) encodedSignerInfo.Length,
out pbCmsgSignerInfo,
out cbCmsgSignerInfo))
throw new CryptographicException(Marshal.GetLastWin32Error());
}
m_signedCms = signedCms;
m_parentSignerInfo = parentSignerInfo;
m_encodedSignerInfo = (byte[]) encodedSignerInfo.Clone();
m_pbCmsgSignerInfo = pbCmsgSignerInfo;
m_cmsgSignerInfo = (CAPI.CMSG_SIGNER_INFO) Marshal.PtrToStructure(pbCmsgSignerInfo.DangerousGetHandle(), typeof(CAPI.CMSG_SIGNER_INFO));
}
internal static TimeStampToken VerifyTimestamp(byte[] data, SignedCms timestampCms)
{
var signer = Signer.FromSignerInfo(timestampCms.SignerInfos[0]);
bool trusted = signer.SignerCertificate.Verify();
var contentInfo = timestampCms.Encode();
IntPtr unmanagedContext = IntPtr.Zero;
try
{
NativeUtils.ThrowIfFailed(NativeMethods.CryptVerifyTimeStampSignature(
pbTSContentInfo: contentInfo,
cbTSContentInfo: (uint)contentInfo.Length,
pbData: data,
cbData: (uint)data.Length,
hAdditionalStore: IntPtr.Zero,
ppTsContext: out unmanagedContext,
ppTsSigner: IntPtr.Zero,
phStore: IntPtr.Zero));
// Copy the context out
var context = (CRYPT_TIMESTAMP_CONTEXT)Marshal.PtrToStructure(unmanagedContext, typeof(CRYPT_TIMESTAMP_CONTEXT));
// Copy the info out
var info = (CRYPT_TIMESTAMP_INFO)Marshal.PtrToStructure(context.pTimeStamp, typeof(CRYPT_TIMESTAMP_INFO));
return TimeStampToken.FromTimestampInfo(info, signer, trusted);
}
finally
{
if (unmanagedContext != IntPtr.Zero)
{
NativeMethods.CryptMemFree(unmanagedContext);
}
}
}
public static bool VerifyDetached(byte[] data, byte[] signature)
{
ContentInfo content = new ContentInfo(data);
SignedCms signedMessage = new SignedCms(content, true);
signedMessage.Decode(signature);
try
{
signedMessage.CheckSignature(false);
return true;
}
catch
{
return false;
}
}
InputSigner IAvalaraReturnSigner.Sign(InputSigner inputSigner)
{
try
{
InputSigner objBookDetails = new InputSigner();
List <X509Certificate2> certificates = new List <X509Certificate2>();
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
X509Store store1 = new X509Store(StoreName.TrustedPublisher, StoreLocation.CurrentUser);
store.Open(OpenFlags.OpenExistingOnly);
foreach (X509Certificate2 cert in store.Certificates)
{
certificates.Add(cert);
}
X509Certificate2 certificate = new X509Certificate2();
X509Certificate2Collection cers = store.Certificates.Find(X509FindType.FindBySubjectName, inputSigner.ClientCertificateName, false);
if (cers.Count > 0)
{
certificate = cers[0];
}
else
{
return(new InputSigner()
{
Message = "Please connect your hardware digial signature (USB Token) Or Check the digital signature authority name you provided.",
ClientToolVersion = "1.0",
SignedPayload = string.Empty,
SignSucess = false,
ClientToolException = string.Empty
});
}
String text = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(inputSigner.SummaryPayload));
ContentInfo contentInfo = new ContentInfo(System.Text.Encoding.UTF8.GetBytes(text));
System.Security.Cryptography.Pkcs.SignedCms cms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, false);
CmsSigner signer = new CmsSigner(certificate);
// signer.IncludeOption = X509IncludeOption.None;
signer.DigestAlgorithm = new Oid("SHA256");
cms.ComputeSignature(signer, false);
byte[] signature = cms.Encode();
return(new InputSigner()
{
Message = "Payload Signed Sucessfully",
SignedPayload = Convert.ToBase64String(signature),
SummaryPayload = inputSigner.SummaryPayload,
ClientToolVersion = "1.0",
SignSucess = true,
ClientToolException = string.Empty
});
}
catch (Exception ex)
{
return(new InputSigner()
{
Message = "Payload Signed Sucessfylly",
SignedPayload = string.Empty,
SummaryPayload = inputSigner.SummaryPayload,
ClientToolVersion = "1.0",
SignSucess = true,
ClientToolException = ex.ToString()
});
}
}
private Rfc3161RequestResponseStatus ValidateResponse(
Rfc3161TimestampToken token,
bool shouldThrow)
{
Debug.Assert(token != null);
// This method validates the acceptance criteria sprinkled throughout the
// field descriptions in https://tools.ietf.org/html/rfc3161#section-2.4.1 and
// https://tools.ietf.org/html/rfc3161#section-2.4.2
if (!token.VerifyHash(GetMessageHash().Span, HashAlgorithmId.Value))
{
if (shouldThrow)
{
throw new CryptographicException(SR.Cryptography_BadHashValue);
}
return(Rfc3161RequestResponseStatus.HashMismatch);
}
Rfc3161TimestampTokenInfo tokenInfo = token.TokenInfo;
// We only understand V1 messaging and validation
if (tokenInfo.Version != 1)
{
if (shouldThrow)
{
throw new CryptographicException(SR.Cryptography_TimestampReq_BadResponse);
}
return(Rfc3161RequestResponseStatus.VersionTooNew);
}
// reqPolicy is what the policy SHOULD be, so we can't reject it here.
ReadOnlyMemory <byte>?requestNonce = GetNonce();
ReadOnlyMemory <byte>?responseNonce = tokenInfo.GetNonce();
// The RFC says that if a nonce was in the request it MUST be present in
// the response and it MUST be equal.
//
// It does not say that if no nonce was requested that the response MUST NOT include one, so
// don't check anything if no nonce was requested.
if (requestNonce != null)
{
if (responseNonce == null ||
!requestNonce.Value.Span.SequenceEqual(responseNonce.Value.Span))
{
if (shouldThrow)
{
throw new CryptographicException(SR.Cryptography_TimestampReq_BadNonce);
}
return(Rfc3161RequestResponseStatus.NonceMismatch);
}
}
SignedCms tokenCms = token.AsSignedCms();
if (RequestSignerCertificate)
{
// If the certificate was requested it
// A) MUST be present in token.AsSignedCms().Certificates
// B) the ESSCertID(2) identifier MUST be correct.
//
// Other certificates are permitted, and will not be validated.
if (tokenCms.SignerInfos[0].Certificate == null)
{
if (shouldThrow)
{
throw new CryptographicException(SR.Cryptography_TimestampReq_NoCertFound);
}
return(Rfc3161RequestResponseStatus.RequestedCertificatesMissing);
}
}
else
{
// If no certificate was requested then the CMS Certificates collection
// MUST be empty.
if (tokenCms.Certificates.Count != 0)
{
if (shouldThrow)
{
throw new CryptographicException(SR.Cryptography_TimestampReq_UnexpectedCertFound);
}
return(Rfc3161RequestResponseStatus.UnexpectedCertificates);
}
}
return(Rfc3161RequestResponseStatus.Accepted);
}
private void GetSignature()
{
if (_vbaPart == null)
{
return;
}
var rel = _vbaPart.GetRelationshipsByType(schemaRelVbaSignature).FirstOrDefault();
if (rel != null)
{
Uri = UriHelper.ResolvePartUri(rel.SourceUri, rel.TargetUri);
Part = _vbaPart.Package.GetPart(Uri);
var stream = Part.GetStream();
BinaryReader br = new BinaryReader(stream);
uint cbSignature = br.ReadUInt32();
uint signatureOffset = br.ReadUInt32(); //44 ??
uint cbSigningCertStore = br.ReadUInt32();
uint certStoreOffset = br.ReadUInt32();
uint cbProjectName = br.ReadUInt32();
uint projectNameOffset = br.ReadUInt32();
uint fTimestamp = br.ReadUInt32();
uint cbTimestampUrl = br.ReadUInt32();
uint timestampUrlOffset = br.ReadUInt32();
byte[] signature = br.ReadBytes((int)cbSignature);
uint version = br.ReadUInt32();
uint fileType = br.ReadUInt32();
uint id = br.ReadUInt32();
while (id != 0)
{
uint encodingType = br.ReadUInt32();
uint length = br.ReadUInt32();
if (length > 0)
{
byte[] value = br.ReadBytes((int)length);
switch (id)
{
//Add property values here...
case 0x20:
Certificate = new X509Certificate2(value);
break;
default:
break;
}
}
id = br.ReadUInt32();
}
uint endel1 = br.ReadUInt32(); //0
uint endel2 = br.ReadUInt32(); //0
ushort rgchProjectNameBuffer = br.ReadUInt16();
ushort rgchTimestampBuffer = br.ReadUInt16();
#if Core
Verifier = new EnvelopedCms();
#else
Verifier = new System.Security.Cryptography.Pkcs.SignedCms();
#endif
Verifier.Decode(signature);
}
else
{
Certificate = null;
Verifier = null;
}
}
/// <summary>
/// Extracts the original message from the S/MIME envelope and exposes the SignedCms object containing signature informations via the Message.Signatures.Smime property.
/// </summary>
/// <returns>A Message object representing the message as it was before signing.</returns>
/// <example>
/// <code>
/// [C#]
///
/// // We retrieved a Message object by some means and have a reference to it in variable message.
/// Message originalMessage = message.SmimeDevelopeAndExposeSignature();
///
/// // Check the signature. The "true" argument indicates that we don't want to verify the signe's certificates at this time, but only the signature itself.
/// try
/// {
/// originalMessage.Signatures.Smime.CheckSignature(true);
/// }
/// catch(CryptographicException ex)
/// {
/// // Signature is invalid, do something.
/// }
/// </code>
/// </example>
#if !PocketPC
public Message SmimeDevelopeAndExposeSignature()
{
if (!this.HasSmimeSignature) throw new InvalidOperationException("This message doesn't seem to be signed, or the signing method is unknown.");
else
{
SignedCms cms = new SignedCms();
cms.Decode(this.PartTreeRoot.BinaryContent);
Message sub = Parser.ParseMessage(cms.ContentInfo.Content);
sub.Signatures.Smime = cms;
return sub;
}
}
/// <summary>
/// Signs the message and envelopes it.
/// </summary>
/// <param name="signer">An object containing the signer's information.</param>
/// <example>
/// <code>
/// [C#]
///
/// CmsSigner signer = new CmsSigner(new X509Certificate2("C:\\mycertificate.pfx"));
///
/// // Here we only want the signer's certificate to be sent along. Not the whole chain.
/// signer.IncludeOption = X509IncludeOption.EndCertOnly;
///
/// message.SmimeEnvelopeAndSignBy(signer);
/// </code>
/// </example>
public void SmimeEnvelopeAndSignBy(CmsSigner signer)
{
string mimeString = this.ToMimeString();
byte[] tosign = Encoding.ASCII.GetBytes(mimeString);
SignedCms cms = new SignedCms(new ContentInfo(tosign));
cms.ComputeSignature(signer);
MimePart envelope = new MimePart();
envelope.ContentType.MimeType = "application/pkcs7-mime";
envelope.ContentType.Parameters.Add("smime-type", "signed-data");
envelope.ContentType.Parameters.Add("name", "smime.p7m");
envelope.ContentDisposition.Disposition = "attachment";
envelope.ContentDisposition.FileName = "smime.p7m";
envelope.ContentTransferEncoding = ContentTransferEncoding.Base64;
envelope.BinaryContent = cms.Encode();
this.PartTreeRoot = envelope;
this.ContentType = this.PartTreeRoot.ContentType;
this.ContentDisposition = this.PartTreeRoot.ContentDisposition;
this.ContentTransferEncoding = this.PartTreeRoot.ContentTransferEncoding;
}
/// <summary>
/// Attaches a clear signature to the message. It is advised to do so when the receiving party might not be S/MIME capable.
/// The content of the message is still visible, i.e. the message isn't enveloped.
/// </summary>
/// <param name="signer">An object containing the signer's information.</param>
/// <example>
/// <code>
/// [C#]
///
/// CmsSigner signer = new CmsSigner(new X509Certificate2("C:\\mycertificate.pfx"));
///
/// // Here we only want the signer's certificate to be sent along. Not the whole chain.
/// signer.IncludeOption = X509IncludeOption.EndCertOnly;
///
/// message.SmimeAttachSignatureBy(signer);
/// </code>
/// </example>
public void SmimeAttachSignatureBy(CmsSigner signer)
{
string body = this.PartTreeRoot.ToMimeString();
byte[] tosign = Encoding.ASCII.GetBytes(body.TrimEnd('\r', '\n') + "\r\n");
SignedCms cms = new SignedCms(new ContentInfo(tosign), true);
cms.ComputeSignature(signer);
MimePart envelope = new MimePart();
this.Signatures.Smime = cms;
envelope.ContentType.MimeType = "multipart/signed";
envelope.ContentType.Parameters.Add("protocol", "\"application/x-pkcs7-signature\"");
envelope.ContentType.Parameters.Add("micalg", cms.SignerInfos[0].DigestAlgorithm.FriendlyName);
string unique = Codec.GetUniqueString();
string boundary = "---AU_MimePart_" + unique;
envelope.ContentType.Parameters.Add("boundary", boundary);
envelope.SubParts.Add(this.PartTreeRoot);
envelope.SubParts.Add(MimePart.GetSignaturePart(cms));
this.PartTreeRoot = envelope;
this.ContentType = this.PartTreeRoot.ContentType;
this.ContentDisposition = this.PartTreeRoot.ContentDisposition;
this.ContentTransferEncoding = this.PartTreeRoot.ContentTransferEncoding;
}
public static bool IsTimestamped(string filename) {
try {
int encodingType;
int contentType;
int formatType;
IntPtr certStore = IntPtr.Zero;
IntPtr cryptMsg = IntPtr.Zero;
IntPtr context = IntPtr.Zero;
if (!WinCrypt.CryptQueryObject(
WinCrypt.CERT_QUERY_OBJECT_FILE,
Marshal.StringToHGlobalUni(filename),
WinCrypt.CERT_QUERY_CONTENT_FLAG_ALL,
WinCrypt.CERT_QUERY_FORMAT_FLAG_ALL,
0,
out encodingType,
out contentType,
out formatType,
ref certStore,
ref cryptMsg,
ref context)) {
throw new Win32Exception(Marshal.GetLastWin32Error());
}
//expecting contentType=10; CERT_QUERY_CONTENT_PKCS7_SIGNED_EMBED
//Logger.LogInfo(string.Format("Querying file '{0}':", filename));
//Logger.LogInfo(string.Format(" Encoding Type: {0}", encodingType));
//Logger.LogInfo(string.Format(" Content Type: {0}", contentType));
//Logger.LogInfo(string.Format(" Format Type: {0}", formatType));
//Logger.LogInfo(string.Format(" Cert Store: {0}", certStore.ToInt32()));
//Logger.LogInfo(string.Format(" Crypt Msg: {0}", cryptMsg.ToInt32()));
//Logger.LogInfo(string.Format(" Context: {0}", context.ToInt32()));
// Get size of the encoded message.
int cbData = 0;
if (!WinCrypt.CryptMsgGetParam(
cryptMsg,
WinCrypt.CMSG_ENCODED_MESSAGE, //Crypt32.CMSG_SIGNER_INFO_PARAM,
0,
IntPtr.Zero,
ref cbData)) {
throw new Win32Exception(Marshal.GetLastWin32Error());
}
var vData = new byte[cbData];
// Get the encoded message.
if (!WinCrypt.CryptMsgGetParam(
cryptMsg,
WinCrypt.CMSG_ENCODED_MESSAGE, //Crypt32.CMSG_SIGNER_INFO_PARAM,
0,
vData,
ref cbData)) {
throw new Win32Exception(Marshal.GetLastWin32Error());
}
var signedCms = new SignedCms();
signedCms.Decode(vData);
foreach (var signerInfo in signedCms.SignerInfos) {
foreach (var unsignedAttribute in signerInfo.UnsignedAttributes) {
if (unsignedAttribute.Oid.Value == WinCrypt.szOID_RSA_counterSign) {
foreach (var counterSignInfo in signerInfo.CounterSignerInfos) {
foreach (var signedAttribute in counterSignInfo.SignedAttributes) {
if (signedAttribute.Oid.Value == WinCrypt.szOID_RSA_signingTime) {
var fileTime = new FILETIME();
int fileTimeSize = Marshal.SizeOf(fileTime);
IntPtr fileTimePtr = Marshal.AllocCoTaskMem(fileTimeSize);
Marshal.StructureToPtr(fileTime, fileTimePtr, true);
var buffdata = new byte[fileTimeSize];
Marshal.Copy(fileTimePtr, buffdata, 0, fileTimeSize);
var buffSize = (uint)buffdata.Length;
uint encoding = WinCrypt.X509_ASN_ENCODING | WinCrypt.PKCS_7_ASN_ENCODING;
var rsaSigningTime = (UIntPtr)(uint)Marshal.StringToHGlobalAnsi(WinCrypt.szOID_RSA_signingTime);
byte[] pbData = signedAttribute.Values[0].RawData;
var ucbData = (uint)pbData.Length;
bool workie = WinCrypt.CryptDecodeObject(encoding, rsaSigningTime, pbData, ucbData, 0, buffdata, ref buffSize);
if (workie) {
IntPtr fileTimePtr2 = Marshal.AllocCoTaskMem(buffdata.Length);
Marshal.Copy(buffdata, 0, fileTimePtr2, buffdata.Length);
var fileTime2 = (FILETIME)Marshal.PtrToStructure(fileTimePtr2, typeof (FILETIME));
long hFT2 = (((long)fileTime2.dwHighDateTime) << 32) + ((uint)fileTime2.dwLowDateTime);
DateTime dte = DateTime.FromFileTime(hFT2);
Console.WriteLine(dte.ToString());
} else {
throw new Win32Exception(Marshal.GetLastWin32Error());
}
}
}
}
return true;
}
}
}
} catch (Exception) {
// no logging
}
return false;
}
public static bool TryDecode(ReadOnlyMemory <byte> source, out Rfc3161TimestampToken token, out int bytesConsumed)
{
bytesConsumed = 0;
token = null;
try
{
ContentInfoAsn contentInfo =
AsnSerializer.Deserialize <ContentInfoAsn>(source, AsnEncodingRules.BER, out int bytesActuallyRead);
// https://tools.ietf.org/html/rfc3161#section-2.4.2
//
// A TimeStampToken is as follows. It is defined as a ContentInfo
// ([CMS]) and SHALL encapsulate a signed data content type.
//
// TimeStampToken::= ContentInfo
// --contentType is id-signedData([CMS])
// --content is SignedData ([CMS])
if (contentInfo.ContentType != Oids.Pkcs7Signed)
{
return(false);
}
SignedCms cms = new SignedCms();
cms.Decode(source);
// The fields of type EncapsulatedContentInfo of the SignedData
// construct have the following meanings:
//
// eContentType is an object identifier that uniquely specifies the
// content type. For a time-stamp token it is defined as:
//
// id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
// us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4}
//
// eContent is the content itself, carried as an octet string.
// The eContent SHALL be the DER-encoded value of TSTInfo.
if (cms.ContentInfo.ContentType.Value != Oids.TstInfo)
{
return(false);
}
// RFC3161:
// The time-stamp token MUST NOT contain any signatures other than the
// signature of the TSA. The certificate identifier (ESSCertID) of the
// TSA certificate MUST be included as a signerInfo attribute inside a
// SigningCertificate attribute.
// RFC5816 says that ESSCertIDv2 should be allowed instead.
SignerInfoCollection signerInfos = cms.SignerInfos;
if (signerInfos.Count != 1)
{
return(false);
}
SignerInfo signer = signerInfos[0];
EssCertId certId;
EssCertIdV2 certId2;
if (!TryGetCertIds(signer, out certId, out certId2))
{
return(false);
}
X509Certificate2 signerCert = signer.Certificate;
if (signerCert == null &&
signer.SignerIdentifier.Type == SubjectIdentifierType.IssuerAndSerialNumber)
{
// If the cert wasn't provided, but the identifier was IssuerAndSerialNumber,
// and the ESSCertId(V2) has specified an issuerSerial value, ensure it's a match.
X509IssuerSerial issuerSerial = (X509IssuerSerial)signer.SignerIdentifier.Value;
if (certId?.IssuerSerial != null)
{
if (!IssuerAndSerialMatch(
certId.IssuerSerial.Value,
issuerSerial.IssuerName,
issuerSerial.SerialNumber))
{
return(false);
}
}
if (certId2?.IssuerSerial != null)
{
if (!IssuerAndSerialMatch(
certId2.IssuerSerial.Value,
issuerSerial.IssuerName,
issuerSerial.SerialNumber))
{
return(false);
}
}
}
Rfc3161TimestampTokenInfo tokenInfo;
if (Rfc3161TimestampTokenInfo.TryDecode(cms.ContentInfo.Content, out tokenInfo, out _))
{
if (signerCert != null &&
!CheckCertificate(signerCert, signer, certId, certId2, tokenInfo))
{
return(false);
}
token = new Rfc3161TimestampToken
{
_parsedDocument = cms,
_signerInfo = signer,
_essCertId = certId,
_essCertIdV2 = certId2,
TokenInfo = tokenInfo,
};
bytesConsumed = bytesActuallyRead;
return(true);
}
}
catch (CryptographicException)
{
}
return(false);
}