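 /// <summary>
 /// Creates a signature backed by an external <see cref="BaseSigner"/> (for example a smart card
 /// whose private key cannot be exported). The signer does the raw signing; this object only
 /// carries the certificate and algorithm identifiers the signing layer needs.
 /// </summary>
 /// <param name="signer">Signer that performs the actual signing operation.</param>
 /// <param name="certificate">Certificate belonging to the key held by <paramref name="signer"/>.</param>
 /// <param name="hashAlgorithm">Hash algorithm name; normalized via <c>DigestAlgorithms</c>.</param>
 /// <exception cref="ArgumentNullException">Thrown when any argument is null.</exception>
 public SmartCardSignature(BaseSigner signer, X509Certificate2 certificate, String hashAlgorithm)
 {
     if (signer == null)
     {
         throw new ArgumentNullException("signer");
     }
     if (certificate == null)
     {
         throw new ArgumentNullException("certificate");
     }
     if (hashAlgorithm == null)
     {
         throw new ArgumentNullException("hashAlgorithm");
     }

     mSigner             = signer;
     this.certificate    = certificate;
     this.hashAlgorithm  = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigests(hashAlgorithm));
     // NOTE(review): the key type is not inspected here; RSA is assumed for every signer — confirm
     // against the signer implementations in use.
     encryptionAlgorithm = "RSA";
 }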
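        /// <summary>
        /// Requests an RFC 3161 time-stamp token for <paramref name="imprint"/> from the configured TSA
        /// and returns the DER-encoded token with the communication status wrapper removed.
        /// </summary>
        /// <param name="imprint">Digest of the data to time-stamp, computed with <c>digestAlgorithm</c>.</param>
        /// <returns>The DER-encoded TimeStampToken.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="imprint"/> is null.</exception>
        /// <exception cref="IOException">Thrown when the TSA reports a failure code or returns no token.</exception>
        public byte[] GetTimeStampToken(byte[] imprint)
        {
            if (imprint == null)
            {
                throw new ArgumentNullException("imprint");
            }

            //// Setup the time stamp request
            var tsqGenerator = new TimeStampRequestGenerator();

            tsqGenerator.SetCertReq(true);

            //// tsqGenerator.setReqPolicy("1.3.6.1.4.1.601.10.3.1");

            //// The nonce binds the TSA response to this request (checked by response.Validate below) and
            //// must be unpredictable; a clock-derived value is guessable, so it is drawn from the CSPRNG.
            var nonceBytes = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonceBytes);
            }

            var nonce        = new BigInteger(1, nonceBytes); // sign = 1 keeps the ASN.1 INTEGER non-negative
            var request      = tsqGenerator.Generate(DigestAlgorithms.GetAllowedDigests(this.digestAlgorithm), imprint, nonce);
            var requestBytes = request.GetEncoded();

            //// Call the communications layer
            var respBytes = this.GetTsaResponse(requestBytes);

            //// Handle the TSA response
            var response = new TimeStampResponse(respBytes);

            //// validate communication level attributes (RFC 3161 PKIStatus, nonce and imprint match)
            response.Validate(request);

            var failure = response.GetFailInfo();
            var value   = (failure == null) ? 0 : failure.IntValue;

            if (value != 0)
            {
                //// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
                throw new IOException(MessageLocalization.GetComposedMessage("invalid.tsa.1.response.code.2", this.url, value));
            }

            //// NOTE(review): the token's signing certificate chain is still not validated here, so a
            //// syntactically valid token from an untrusted TSA is accepted as long as nonce and imprint match.

            //// extract just the time stamp token (removes communication status info)
            var timeStampToken = response.TimeStampToken;

            if (timeStampToken == null)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("tsa.1.failed.to.return.time.stamp.token.2", this.url, response.GetStatusString()));
            }

            var timeStampInfo = timeStampToken.TimeStampInfo; // to view details
            var encoded       = timeStampToken.GetEncoded();

            Log.Application.Info("Timestamp generated: " + timeStampInfo.GenTime);

            if (this.tsaInfo != null)
            {
                this.tsaInfo.InspectTimeStampTokenInfo(timeStampInfo);
            }

            //// Update our token size estimate for the next call (padded to be safe)
            this.tokenSizeEstimate = encoded.Length + 32;

            return(encoded);
        }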
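        /// <summary>
        /// Requests an RFC 3161 time-stamp token for <paramref name="imprint"/> under the fixed
        /// request policy <c>2.16.76.1.6.6</c> and returns the DER-encoded token.
        /// </summary>
        /// <param name="imprint">Digest of the data to time-stamp, computed with <c>digestAlgorithm</c>.</param>
        /// <returns>The DER-encoded TimeStampToken.</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="imprint"/> is null.</exception>
        /// <exception cref="IOException">Thrown when the TSA reports a failure code or returns no token.</exception>
        public byte[] GetTimeStampToken(byte[] imprint)
        {
            if (imprint == null)
            {
                throw new ArgumentNullException("imprint");
            }

            var tsqGenerator = new TimeStampRequestGenerator();

            tsqGenerator.SetCertReq(true);

            tsqGenerator.SetReqPolicy("2.16.76.1.6.6");

            //// The nonce binds the TSA response to this request (checked by response.Validate below) and
            //// must be unpredictable; a clock-derived value is guessable, so it is drawn from the CSPRNG.
            var nonceBytes = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonceBytes);
            }

            var nonce        = new BigInteger(1, nonceBytes); // sign = 1 keeps the ASN.1 INTEGER non-negative
            var request      = tsqGenerator.Generate(DigestAlgorithms.GetAllowedDigests(this.digestAlgorithm), imprint, nonce);
            var requestBytes = request.GetEncoded();

            var respBytes = this.GetTsaResponse(requestBytes);

            var response = new TimeStampResponse(respBytes);

            //// communication-level check: status, nonce and message imprint must match the request
            response.Validate(request);

            var failure = response.GetFailInfo();
            var value   = (failure == null) ? 0 : failure.IntValue;

            if (value != 0)
            {
                //// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
                throw new IOException(MessageLocalization.GetComposedMessage("invalid.tsa.1.response.code.2", this.url, value));
            }

            //// NOTE(review): the token's signing certificate chain is still not validated here, so a
            //// syntactically valid token from an untrusted TSA is accepted as long as nonce and imprint match.

            var timeStampToken = response.TimeStampToken;

            if (timeStampToken == null)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("tsa.1.failed.to.return.time.stamp.token.2", this.url, response.GetStatusString()));
            }

            var timeStampInfo = timeStampToken.TimeStampInfo;
            var encoded       = timeStampToken.GetEncoded();

            Log.Application.Info("Timestamp generated: " + timeStampInfo.GenTime);

            if (this.tsaInfo != null)
            {
                this.tsaInfo.InspectTimeStampTokenInfo(timeStampInfo);
            }

            //// size hint for the next signature container, padded to be safe
            this.tokenSizeEstimate = encoded.Length + 32;

            return(encoded);
        }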
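        /// <summary>
        /// Builds an RFC 3161 request for <paramref name="digest"/>, sends it to the TSA and returns the
        /// raw response. No status or nonce validation is performed here; callers must validate the
        /// response against their request.
        /// </summary>
        /// <param name="algorithm">Digest algorithm used to compute <paramref name="digest"/>; its name is
        /// also stored in <c>digestAlgorithm</c> as a side effect.</param>
        /// <param name="digest">Message imprint to be time-stamped.</param>
        /// <returns>The parsed <see cref="TimeStampResponse"/>.</returns>
        /// <exception cref="ArgumentNullException">Thrown when an argument is null.</exception>
        public virtual TimeStampResponse GetTimeStampResponse(DigestAlgorithm algorithm, byte[] digest)
        {
            if (algorithm == null)
            {
                throw new ArgumentNullException("algorithm");
            }
            if (digest == null)
            {
                throw new ArgumentNullException("digest");
            }

            this.digestAlgorithm = algorithm.GetName();

            TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();

            tsqGenerator.SetCertReq(true);
            // tsqGenerator.setReqPolicy("1.3.6.1.4.1.601.10.3.1");

            // The nonce ties the TSA response to this request and must be unpredictable; a clock-derived
            // value is guessable, so it is drawn from the CSPRNG.
            byte[] nonceBytes = new byte[16];
            using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonceBytes);
            }

            BigInteger       nonce   = new BigInteger(1, nonceBytes); // sign = 1 keeps the ASN.1 INTEGER non-negative
            TimeStampRequest request = tsqGenerator.Generate(DigestAlgorithms.GetAllowedDigests(digestAlgorithm), digest, nonce);

            byte[] requestBytes = request.GetEncoded();

            // Call the communications layer
            byte[] respBytes = GetTSAResponse(requestBytes);

            // Handle the TSA response
            return(new TimeStampResponse(respBytes));
        }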
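 /// <summary>
 /// Creates a signature using a X509Certificate2. It supports smartcards without
 /// exportable private keys.
 /// </summary>
 /// <param name="certificate">The certificate with the private key</param>
 /// <param name="hashAlgorithm">The hash algorithm for the signature. As the Windows CAPI is used
 /// to do the signature the only hash guaranteed to exist is SHA-1</param>
 /// <exception cref="ArgumentNullException">Thrown when <paramref name="certificate"/> is null.</exception>
 /// <exception cref="ArgumentException">Thrown when the certificate has no private key or the key is
 /// neither an RSA nor a DSA CryptoServiceProvider key.</exception>
 /// <remarks>
 /// SHA-1 is deprecated for new signatures; prefer SHA-256 where the key provider supports it.
 /// </remarks>
 public SmartCardSignature(X509Certificate2 certificate, String hashAlgorithm)
 {
     if (certificate == null)
     {
         throw new ArgumentNullException("certificate");
     }
     if (!certificate.HasPrivateKey)
     {
         throw new ArgumentException("No private key.");
     }
     this.certificate   = certificate;
     this.hashAlgorithm = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigests(hashAlgorithm));

     // Read the key once rather than once per type test.
     // NOTE(review): only CSP-backed keys are accepted; keys served by other providers
     // (e.g. CNG) fail the checks below — confirm this matches the signing code's expectations.
     var privateKey = certificate.PrivateKey;
     if (privateKey is RSACryptoServiceProvider)
     {
         encryptionAlgorithm = "RSA";
     }
     else if (privateKey is DSACryptoServiceProvider)
     {
         encryptionAlgorithm = "DSA";
     }
     else
     {
         throw new ArgumentException("Unknown encryption algorithm " + privateKey);
     }
 }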
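 /// <summary>
 /// Creates a signature using a X509Certificate2. It supports smartcards without
 /// exportable private keys.
 /// </summary>
 /// <param name="certificate">The certificate with the private key</param>
 /// <param name="hashAlgorithm">The hash algorithm for the signature. As the Windows CAPI is used
 /// to do the signature the only hash guaranteed to exist is SHA-1</param>
 /// <exception cref="System.ArgumentNullException">Thrown when <paramref name="certificate"/> is null.</exception>
 /// <exception cref="System.ArgumentException">Thrown when the certificate has no private key or the key is
 /// neither an RSA nor a DSA CryptoServiceProvider key.</exception>
 /// <remarks>
 /// SHA-1 is deprecated for new signatures; prefer SHA-256 where the key provider supports it.
 /// </remarks>
 public X509Certificate2Signature(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate, string hashAlgorithm)
 {
     if (certificate == null)
     {
         throw new System.ArgumentNullException("certificate");
     }
     if (!certificate.HasPrivateKey)
     {
         throw new System.ArgumentException("No private key.");
     }
     this.certificate   = certificate;
     this.hashAlgorithm = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigests(hashAlgorithm));

     // Read the key once rather than once per type test.
     // NOTE(review): only CSP-backed keys are accepted; keys served by other providers
     // (e.g. CNG) fail the checks below — confirm this matches the signing code's expectations.
     var privateKey = certificate.PrivateKey;
     if (privateKey is System.Security.Cryptography.RSACryptoServiceProvider)
     {
         encryptionAlgorithm = "RSA";
     }
     else if (privateKey is System.Security.Cryptography.DSACryptoServiceProvider)
     {
         encryptionAlgorithm = "DSA";
     }
     else
     {
         throw new System.ArgumentException("Unknown encryption algorithm " + privateKey);
     }
 }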