private bool checkServerIdentity(Mono.Security.X509.X509Certificate cert)
{
string targetHost = this.Context.ClientSettings.TargetHost;
Mono.Security.X509.X509Extension extension = cert.Extensions["2.5.29.17"];
if (extension != null)
{
SubjectAltNameExtension altNameExtension = new SubjectAltNameExtension(extension);
foreach (string dnsName in altNameExtension.DNSNames)
{
if (TlsServerCertificate.Match(targetHost, dnsName))
{
return(true);
}
}
foreach (string ipAddress in altNameExtension.IPAddresses)
{
if (ipAddress == targetHost)
{
return(true);
}
}
}
return(this.checkDomainName(cert.SubjectName));
}
private bool checkCertificateUsage(Mono.Security.X509.X509Certificate cert)
{
ClientContext context = (ClientContext)this.Context;
if (cert.Version < 3)
{
return(true);
}
KeyUsages usage = KeyUsages.none;
switch (context.Negotiating.Cipher.ExchangeAlgorithmType)
{
case ExchangeAlgorithmType.DiffieHellman:
usage = KeyUsages.keyAgreement;
break;
case ExchangeAlgorithmType.Fortezza:
return(false);
case ExchangeAlgorithmType.RsaKeyX:
usage = KeyUsages.keyEncipherment;
break;
case ExchangeAlgorithmType.RsaSign:
usage = KeyUsages.digitalSignature;
break;
}
KeyUsageExtension keyUsageExtension1 = (KeyUsageExtension)null;
ExtendedKeyUsageExtension keyUsageExtension2 = (ExtendedKeyUsageExtension)null;
Mono.Security.X509.X509Extension extension1 = cert.Extensions["2.5.29.15"];
if (extension1 != null)
{
keyUsageExtension1 = new KeyUsageExtension(extension1);
}
Mono.Security.X509.X509Extension extension2 = cert.Extensions["2.5.29.37"];
if (extension2 != null)
{
keyUsageExtension2 = new ExtendedKeyUsageExtension(extension2);
}
if (keyUsageExtension1 != null && keyUsageExtension2 != null)
{
if (!keyUsageExtension1.Support(usage))
{
return(false);
}
return(keyUsageExtension2.KeyPurpose.Contains((object)"1.3.6.1.5.5.7.3.1") || keyUsageExtension2.KeyPurpose.Contains((object)"2.16.840.1.113730.4.1"));
}
if (keyUsageExtension1 != null)
{
return(keyUsageExtension1.Support(usage));
}
if (keyUsageExtension2 != null)
{
return(keyUsageExtension2.KeyPurpose.Contains((object)"1.3.6.1.5.5.7.3.1") || keyUsageExtension2.KeyPurpose.Contains((object)"2.16.840.1.113730.4.1"));
}
Mono.Security.X509.X509Extension extension3 = cert.Extensions["2.16.840.1.113730.1.1"];
return(extension3 == null || new NetscapeCertTypeExtension(extension3).Support(NetscapeCertTypeExtension.CertTypes.SslServer));
}
internal ServiceMetadata GetMetaDataFromSml(string recipientParticipant, string businessIdScheme, string smlDomain, string documentIdScheme, string documentIdValue)
{
XmlDocument doc = LoadMetadataXml(recipientParticipant, businessIdScheme, smlDomain, documentIdScheme, documentIdValue);
XmlDocument nextDoc = null;
int redirectFromDoc = doc.GetElementsByTagName("Redirect", "*").Count;
// Redirect node exits
if (redirectFromDoc > 0)
{
// Get Redirect href from doc metadata
string href = doc.GetElementsByTagName("Redirect", "*")[0].Attributes["href"].InnerText;
// Get certificateUID from doc
string UIDFromDoc = doc.GetElementsByTagName("CertificateUID", "*")[0].InnerText;
// Load new metadata from redirect
nextDoc = LoadMetadataXml(href);
// If there is another redirect in metadata, throw ex;
int redirectFromNextDoc = nextDoc.GetElementsByTagName("Redirect", "*").Count;
if (redirectFromNextDoc > 0)
{
//TODO: log
throw new Exception("WARNING: More than one Redirection was found in Metadata for Participant.");
}
// Get certificate from redirect request
string smpCertificate = nextDoc.GetElementsByTagName("X509Certificate", "*")[0].InnerText;
byte[] arrayCertificate;
arrayCertificate = Convert.FromBase64String(smpCertificate);
Mono.Security.X509.X509Certificate smpCrt = new Mono.Security.X509.X509Certificate(arrayCertificate);
// Get Subject UID
if (smpCrt.SubjectUniqueIdentifier != null)
{
Encoding enc = Encoding.Default;
string smpSubjectUID = enc.GetString(smpCrt.SubjectUniqueIdentifier);
// If subject UID from metadata and certificate are not equal, throw ex;
if (smpSubjectUID != UIDFromDoc)
{
throw new Exception("WARNING: Identifier of the destination SMP signing certificate does not corresponds to the unique identifier which the redirecting SMP claims belongs to the destination SMP.");
}
}
else
{
// Certificate does not contain subject UID
Trace.WriteLine("WARNING: Subject Unique Identifier Could not be obtained from the Certificate Entry.");
}
}
else
{
VerifySignature(doc); // process continues as default, throws exception if invalid
nextDoc = doc;
}
return(ReadMetadataFromXml(nextDoc));
}
private static Mono.Security.X509.X509Certificate FindCertificateParent(Mono.Security.X509.X509Certificate child)
{
foreach (Mono.Security.X509.X509Certificate potentialParent in certs)
{
if (IsParent(child, potentialParent))
{
return(potentialParent);
}
}
return(null);
}
public void UpdateCertificateRSA()
{
if (this.clientCertificate == null)
{
this.certificateRSA = (RSAManaged)null;
}
else
{
Mono.Security.X509.X509Certificate x509Certificate = new Mono.Security.X509.X509Certificate(this.clientCertificate.GetRawCertData());
this.certificateRSA = new RSAManaged(x509Certificate.RSA.KeySize);
this.certificateRSA.ImportParameters(x509Certificate.RSA.ExportParameters(false));
}
}
private static string CertificateNumber(Mono.Security.X509.X509Certificate cert)
{
var sn = cert.SerialNumber;
Array.Reverse(sn);
string hexadecimalString = ToHexString(sn);
StringBuilder sb = new StringBuilder();
for (int i = 0; i <= hexadecimalString.Length - 2; i += 2)
{
sb.Append(Convert.ToString(Convert.ToChar(Int32.Parse(hexadecimalString.Substring(i, 2), System.Globalization.NumberStyles.HexNumber))));
}
return(sb.ToString());
}
/// <summary>
/// Checks if the specfied certificate is signed by the specified public key.
/// </summary>
/// <param name="certificate">The certificate to validate.</param>
/// <param name="issuerCertificate">The certificate of the issuer.</param>
/// <returns>
/// <c>true</c> on success; <c>false</c> if the specified certificate is not signed by the
/// specified issuer.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="certificate"/>
/// or <paramref name="issuerCertificate"/> is <c>null</c>.</exception>
public static bool ValidateCertificateIssuer(X509Certificate2 certificate, PublicKey publicKey)
{
if (certificate == null)
{
throw new ArgumentNullException("certificate");
}
if (publicKey == null)
{
throw new ArgumentNullException("publicKey");
}
var monoCertificate = new Mono.Security.X509.X509Certificate(certificate.GetRawCertData());
return(monoCertificate.VerifySignature(publicKey.Key));
}
//
//
// obj is SslStream
public bool ValidateClientCertificate(object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Policy is ({0})", sslPolicyErrors);
X509Certificate2 certificate2 = new X509Certificate2(certificate);
string simplename = certificate2.GetNameInfo(X509NameType.SimpleName, false);
//m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Simple Name is \"{0}\"", simplename);
/*
* // RemoteCertificateNotAvailableはエラーとする.
* if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable)==SslPolicyErrors.RemoteCertificateNotAvailable) {
* m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Policy Error! {0}", sslPolicyErrors);
* return false;
* }
*/
// None, ChainErrors 以外は全てエラーとする.
if (sslPolicyErrors != SslPolicyErrors.None && sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
{
m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Policy Error! {0}", sslPolicyErrors);
return(false);
}
// check CRL
if (m_clientcrl != null)
{
Mono.Security.X509.X509Certificate monocert = new Mono.Security.X509.X509Certificate(certificate.GetRawCertData());
Mono.Security.X509.X509Crl.X509CrlEntry entry = m_clientcrl.GetCrlEntry(monocert);
if (entry != null)
{
m_log.InfoFormat("[NSL CERT VERIFY]: Common Name \"{0}\" was revoked at {1}", simplename, entry.RevocationDate.ToString());
return(false);
}
}
bool valid = CheckPrivateChain(certificate2);
if (valid)
{
m_log.InfoFormat("[NSL CERT VERIFY]: Valid Client Certification for \"{0}\"", simplename);
}
else
{
m_log.InfoFormat("[NSL CERT VERIFY]: Failed to Verify Client Certification for \"{0}\"", simplename);
}
return(valid);
}
/// <summary>
/// Validate Client Certificate Callback Function
/// </summary>
/// <param name="obj"></param>
/// <param name="certificate"></param>
/// <param name="chain"></param>
/// <param name="sslPolicyErrors"></param>
/// <returns></returns>
public bool ValidateClientCertificate(object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: ValidateClientCertificate: Start.");
if (certificate == null)
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: ValidateClientCertificate: Client does not have a Certificate!");
return(false);
}
X509Certificate2 certificate2 = new X509Certificate2(certificate);
string commonname = certificate2.GetNameInfo(X509NameType.SimpleName, false);
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: ValidateClientCertificate: Common Name is \"{0}\"", commonname);
// None, ChainErrors 以外は全てエラーとする.
if (sslPolicyErrors != SslPolicyErrors.None && sslPolicyErrors != SslPolicyErrors.RemoteCertificateChainErrors)
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: ValidateClientCertificate: Policy Error! {0}", sslPolicyErrors);
return(false);
}
// check CRL
if (m_clientcrl != null)
{
Mono.Security.X509.X509Certificate monocert = new Mono.Security.X509.X509Certificate(certificate.GetRawCertData());
Mono.Security.X509.X509Crl.X509CrlEntry entry = m_clientcrl.GetCrlEntry(monocert);
if (entry != null)
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: Common Name \"{0}\" was revoked at {1}", commonname, entry.RevocationDate.ToString());
return(false);
}
}
bool valid = CheckPrivateChain(certificate2);
if (valid)
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: Valid Client Certification for \"{0}\"", commonname);
}
else
{
m_log.InfoFormat("[NSL CLIENT CERT VERIFY]: Failed to Verify Client Certification for \"{0}\"", commonname);
}
return(valid);
}
private static string CertificateTaxId(Mono.Security.X509.X509Certificate certificate)
{
string taxIdCertificate = "";
string[] subjects = certificate.SubjectName.Trim().Split(',');
foreach (var strTemp in subjects.ToList())
{
string[] strConceptoTemp = strTemp.Split('=');
if (strConceptoTemp[0].Trim() == "OID.2.5.4.45")
{
taxIdCertificate = strConceptoTemp[1].Trim().Split('/')[0];
//Bug Fix replace "
taxIdCertificate = taxIdCertificate.Replace("\"", "");
break;
}
}
return(taxIdCertificate.Trim().ToUpper());
}
private static bool IsParent(Mono.Security.X509.X509Certificate child, Mono.Security.X509.X509Certificate parent)
{
if (child.IssuerName != parent.SubjectName)
{
return(false);
}
if (parent.RSA != null && child.VerifySignature(parent.RSA))
{
return(true);
}
if (parent.DSA != null && child.VerifySignature(parent.DSA))
{
return(true);
}
return(false);
}
public static void Main(string[] args)
{
// check that name on cert = name of host user is connecting to
// var x5092 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificateBytes);
// string hostName = x5092.GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType.DnsName, false);
// bool hostNameMatch = string.Compare(hostName, this.Server, true) == 0;
// need to build x509chain obj , call build with cert, examine chainstatus property to see why failed.
// open store
X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
byte[] b = GetStreamBytes();
var x509 = new Mono.Security.X509.X509Certificate(b);
var chain = new Mono.Security.X509.X509Chain();
bool certificateStatus = chain.Build(x509);
Console.WriteLine(certificateStatus);
// output true
// X509Certificate2 newcert = new X509Certificate2();
//byte[] b = GetStreamBytes();
//newcert.Import(b);
//buildChain(newcert);
//byte[] b = GetStreamBytes();
//newcert.Import(b);
//store.Add(newcert);
//PrintStore();
//PrintMore();
// 3
// read certs
}
public static byte[] CrearPFX(byte[] bytesCER, byte[] bytesKEY, string password)
{
try
{
if (bytesCER == null || bytesKEY == null)
{
throw new Exception("Empty cer and or key");
}
var certificate = new Mono.Security.X509.X509Certificate(bytesCER);
char[] arrayOfChars = password.ToCharArray();
AsymmetricKeyParameter privateKey = Org.BouncyCastle.Security.PrivateKeyFactory.DecryptKey(arrayOfChars, bytesKEY);
RSA subjectKey = DotNetUtilitiesCustom.ToRSA((RsaPrivateCrtKeyParameters)privateKey);
Mono.Security.X509.PKCS12 p12 = new Mono.Security.X509.PKCS12();
p12.Password = password;
ArrayList list = new ArrayList();
// we use a fixed array to avoid endianess issues
// (in case some tools requires the ID to be 1).
list.Add(new byte[4] {
1, 0, 0, 0
});
Hashtable attributes = new Hashtable(1);
attributes.Add(Mono.Security.X509.PKCS9.localKeyId, list);
p12.AddCertificate(certificate, attributes);
p12.AddPkcs8ShroudedKeyBag(subjectKey, attributes);
return(p12.GetBytes());
}
catch (Exception ex)
{
throw new Exception("Los datos del Certificado CER KEY o Password son incorrectos. No es posible leer la llave privada.", ex);
}
}
// this gets complicated because we must:
// 1. build the chain using a X509Certificate2 class;
// 2. test for root using the Mono.Security.X509.X509Certificate class;
// 3. add the certificates as X509Certificate instances;
private void AddCertificatesChainFrom(X509Certificate cert, bool root)
{
X509Chain chain = new X509Chain();
chain.Build(new X509Certificate2(cert));
foreach (X509ChainElement ce in chain.ChainElements)
{
byte[] rawdata = ce.Certificate.RawData;
if (!root)
{
// exclude root
Mono.Security.X509.X509Certificate mx = new Mono.Security.X509.X509Certificate(rawdata);
if (mx.IsSelfSigned)
{
rawdata = null;
}
}
if (rawdata != null)
{
AddCertificate(new X509Certificate(rawdata));
}
}
}
public void RemoveCertificate(Mono.Security.X509.X509Certificate cert, System.Collections.IDictionary attrs)
{
}
VoidSecurity.Cryptography.X509Certificates.X509ExtensionCollection::.ctor(Mono.Security.X509.X509Certificate) VoidSecurity.Cryptography.X509Certificates.X509ExtensionCollection::System.Collections.ICollection.CopyToArrayInt32)
private void validateCertificates(Mono.Security.X509.X509CertificateCollection certificates)
{
ClientContext context = (ClientContext)this.Context;
AlertDescription description1 = AlertDescription.BadCertificate;
if (context.SslStream.HaveRemoteValidation2Callback)
{
ValidationResult validationResult = context.SslStream.RaiseServerCertificateValidation2(certificates);
if (!validationResult.Trusted)
{
long errorCode = (long)validationResult.ErrorCode;
AlertDescription description2;
switch (errorCode)
{
case 2148204801:
description2 = AlertDescription.CertificateExpired;
break;
case 2148204809:
description2 = AlertDescription.UnknownCA;
break;
case 2148204810:
description2 = AlertDescription.UnknownCA;
break;
default:
description2 = AlertDescription.CertificateUnknown;
break;
}
string str = string.Format("0x{0:x}", (object)errorCode);
throw new TlsException(description2, "Invalid certificate received from server. Error code: " + str);
}
}
else
{
Mono.Security.X509.X509Certificate certificate1 = certificates[0];
System.Security.Cryptography.X509Certificates.X509Certificate certificate2 = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate1.RawData);
ArrayList arrayList = new ArrayList();
if (!this.checkCertificateUsage(certificate1))
{
arrayList.Add((object)-2146762490);
}
if (!this.checkServerIdentity(certificate1))
{
arrayList.Add((object)-2146762481);
}
Mono.Security.X509.X509CertificateCollection chain = new Mono.Security.X509.X509CertificateCollection(certificates);
chain.Remove(certificate1);
Mono.Security.X509.X509Chain x509Chain = new Mono.Security.X509.X509Chain(chain);
bool flag;
try
{
flag = x509Chain.Build(certificate1);
}
catch (Exception)
{
flag = false;
}
if (!flag)
{
switch (x509Chain.Status)
{
case Mono.Security.X509.X509ChainStatusFlags.NotTimeValid:
description1 = AlertDescription.CertificateExpired;
arrayList.Add((object)-2146762495);
break;
case Mono.Security.X509.X509ChainStatusFlags.NotTimeNested:
arrayList.Add((object)-2146762494);
break;
case Mono.Security.X509.X509ChainStatusFlags.NotSignatureValid:
arrayList.Add((object)-2146869232);
break;
case Mono.Security.X509.X509ChainStatusFlags.UntrustedRoot:
description1 = AlertDescription.UnknownCA;
arrayList.Add((object)-2146762487);
break;
case Mono.Security.X509.X509ChainStatusFlags.InvalidBasicConstraints:
arrayList.Add((object)-2146869223);
break;
case Mono.Security.X509.X509ChainStatusFlags.PartialChain:
description1 = AlertDescription.UnknownCA;
arrayList.Add((object)-2146762486);
break;
default:
description1 = AlertDescription.CertificateUnknown;
arrayList.Add((object)(int)x509Chain.Status);
break;
}
}
int[] array = (int[])arrayList.ToArray(typeof(int));
if (!context.SslStream.RaiseServerCertificateValidation(certificate2, array))
{
throw new TlsException(description1, "Invalid certificate received from server.");
}
}
}
public Boolean Mono.Security.X509.X509Crl::VerifySignature(Mono.Security.X509.X509Certificate) String Mono.Security.X509.X509Crl::GetHashName()
private void validateCertificates(Mono.Security.X509.X509CertificateCollection certificates)
{
ServerContext context = (ServerContext)this.Context;
AlertDescription description = AlertDescription.BadCertificate;
System.Security.Cryptography.X509Certificates.X509Certificate certificate1 = (System.Security.Cryptography.X509Certificates.X509Certificate)null;
int[] certificateErrors;
if (certificates.Count > 0)
{
Mono.Security.X509.X509Certificate certificate2 = certificates[0];
ArrayList arrayList = new ArrayList();
if (!this.checkCertificateUsage(certificate2))
{
arrayList.Add((object)-2146762490);
}
Mono.Security.X509.X509Chain x509Chain;
if (certificates.Count > 1)
{
Mono.Security.X509.X509CertificateCollection chain = new Mono.Security.X509.X509CertificateCollection(certificates);
chain.Remove(certificate2);
x509Chain = new Mono.Security.X509.X509Chain(chain);
}
else
{
x509Chain = new Mono.Security.X509.X509Chain();
}
bool flag;
try
{
flag = x509Chain.Build(certificate2);
}
catch (Exception)
{
flag = false;
}
if (!flag)
{
switch (x509Chain.Status)
{
case Mono.Security.X509.X509ChainStatusFlags.NotTimeValid:
description = AlertDescription.CertificateExpired;
arrayList.Add((object)-2146762495);
break;
case Mono.Security.X509.X509ChainStatusFlags.NotTimeNested:
arrayList.Add((object)-2146762494);
break;
case Mono.Security.X509.X509ChainStatusFlags.NotSignatureValid:
arrayList.Add((object)-2146869232);
break;
case Mono.Security.X509.X509ChainStatusFlags.UntrustedRoot:
description = AlertDescription.UnknownCA;
arrayList.Add((object)-2146762487);
break;
case Mono.Security.X509.X509ChainStatusFlags.InvalidBasicConstraints:
arrayList.Add((object)-2146869223);
break;
case Mono.Security.X509.X509ChainStatusFlags.PartialChain:
description = AlertDescription.UnknownCA;
arrayList.Add((object)-2146762486);
break;
default:
description = AlertDescription.CertificateUnknown;
arrayList.Add((object)(int)x509Chain.Status);
break;
}
}
certificate1 = new System.Security.Cryptography.X509Certificates.X509Certificate(certificate2.RawData);
certificateErrors = (int[])arrayList.ToArray(typeof(int));
}
else
{
certificateErrors = new int[0];
}
System.Security.Cryptography.X509Certificates.X509CertificateCollection certificateCollection = new System.Security.Cryptography.X509Certificates.X509CertificateCollection();
foreach (Mono.Security.X509.X509Certificate certificate2 in certificates)
{
certificateCollection.Add(new System.Security.Cryptography.X509Certificates.X509Certificate(certificate2.RawData));
}
if (!context.SslStream.RaiseClientCertificateValidation(certificate1, certificateErrors))
{
throw new TlsException(description, "Invalid certificate received from client.");
}
this.Context.ClientSettings.ClientCertificate = certificate1;
}
Mono.Security.X509.X509Certificate Mono.Security.X509.X509Chain::FindCertificateRoot(Mono.Security.X509.X509Certificate) Boolean Mono.Security.X509.X509Chain::IsTrusted(Mono.Security.X509.X509Certificate)
public bool VerifySignature(Mono.Security.X509.X509Certificate x509)
{
throw new NotImplementedException();
}
// this gets complicated because we must:
// 1. build the chain using a X509Certificate2 class;
// 2. test for root using the Mono.Security.X509.X509Certificate class;
// 3. add the certificates as X509Certificate instances;
private void AddCertificatesChainFrom (X509Certificate cert, bool root)
{
X509Chain chain = new X509Chain ();
chain.Build (new X509Certificate2 (cert));
foreach (X509ChainElement ce in chain.ChainElements) {
byte[] rawdata = ce.Certificate.RawData;
if (!root) {
// exclude root
Mono.Security.X509.X509Certificate mx = new Mono.Security.X509.X509Certificate (rawdata);
if (mx.IsSelfSigned)
rawdata = null;
}
if (rawdata != null)
AddCertificate (new X509Certificate (rawdata));
}
}
Mono.Security.X509.X509Certificate Mono.Security.X509.X509Chain::FindCertificateParent(Mono.Security.X509.X509Certificate) Mono.Security.X509.X509Certificate Mono.Security.X509.X509Chain::FindCertificateRoot(Mono.Security.X509.X509Certificate)
static int Main( string[] args )
{
if (args.Length == 0) {
Console.WriteLine("DSIGInfo [-v] [-v] [-v] fontfile");
return 0;
}
OTFile f = new OTFile();
Table_DSIG tDSIG = null;
string filename = null;
verbose = 0;
for ( int i = 0; i < args.Length; i++ ) {
if ( "-v" == args[i] )
verbose++;
else
filename = args[i];
}
if ( !f.open(filename) )
{
Console.WriteLine("Error: Cannot open {0} as font file", filename);
return 0;
}
TTCHeader ttc = null;
if ( f.IsCollection() )
{
ttc = f.GetTTCHeader();
if ( f.GetTableManager().GetUnaliasedTableName(ttc.DsigTag) == "DSIG" )
{
MBOBuffer buf = f.ReadPaddedBuffer(ttc.DsigOffset, ttc.DsigLength);
tDSIG = (Table_DSIG) f.GetTableManager().CreateTableObject(ttc.DsigTag, buf);
}
for (uint i = 0; i < f.GetNumFonts() ; i++)
{
OTFont fn = f.GetFont(i);
Table_DSIG memDSIG = (Table_DSIG) fn.GetTable("DSIG");
if (memDSIG != null)
{
Console.WriteLine("Warning: DSIG in member font");
break;
}
}
}
else
{
OTFont fn = f.GetFont(0);
tDSIG = (Table_DSIG) fn.GetTable("DSIG");
}
Console.WriteLine("{0} DSIG table: {1}", filename,
( tDSIG == null ) ? "Absent" : "Present" );
if (tDSIG == null)
return 0;
if ( f.IsCollection() && ttc.version != 0x00020000 )
Console.WriteLine("Warning: TTC has DSIG but header version is 0x{0}, != 0x00020000", ttc.version.ToString("X8"));
if ( tDSIG.usNumSigs != 1 )
Console.WriteLine("NumSigs = {0}", tDSIG.usNumSigs);
for ( uint v = 0; v < tDSIG.usNumSigs ; v++ )
{
Table_DSIG.SignatureBlock sgb;
try {
sgb = tDSIG.GetSignatureBlock(v);
} catch (IndexOutOfRangeException)
{
Console.WriteLine("Error: Out of Range SignatureBlock {0}", v);
break;
}
SignedCms cms = new SignedCms();
cms.Decode(sgb.bSignature);
if ( cms.SignerInfos.Count > 1 )
Console.WriteLine( "#SignerInfos: {0}", cms.SignerInfos.Count );
foreach ( var si in cms.SignerInfos )
{
Console.WriteLine(si.Certificate);
if ( Type.GetType("Mono.Runtime") == null )
foreach ( var ua in si.UnsignedAttributes )
{
foreach ( var asnd in ua.Values )
{
try
{
ASN1 vv = new ASN1(asnd.RawData);
ASN1 t = new ASN1(vv[3][1][1].Value);
Console.WriteLine("Decoded Signing Time: {0}", ASN1Convert.ToDateTime (t) );
}
catch (Exception e)
{/* Nothing to do */ }
}
}
}
Console.WriteLine( "#Certificates: {0}", cms.Certificates.Count );
#if HAVE_MONO_X509
certs = new Mono.Security.X509.X509CertificateCollection ();
//Mono.Security.X509.X509Chain signerChain = new Mono.Security.X509.X509Chain ();
#endif
foreach ( var x509 in cms.Certificates )
{
#if HAVE_MONO_X509
certs.Add(new Mono.Security.X509.X509Certificate(x509.RawData));
#endif
if ( verbose > 0 )
{
Console.WriteLine(x509);
}
else
{
Console.WriteLine(x509.Subject);
}
};
#if HAVE_MONO_X509
Mono.Security.X509.X509Certificate x = new Mono.Security.X509.X509Certificate(cms.SignerInfos[0].Certificate.RawData);
Mono.Security.X509.X509Certificate parent = x;
while (x != null) { // Self-signed is fine - the font bundled CA is self-signed.
parent = x; // last valid
x = FindCertificateParent (x);
if (x != null && x.Equals(parent))
break;
}
#endif
ASN1 spc = new ASN1(cms.ContentInfo.Content);
ASN1 playload_oid = null;
ASN1 oid = null;
ASN1 digest = null;
ASN1 obsolete = null;
if ( Type.GetType("Mono.Runtime") == null )
{
// DotNet is much saner!
playload_oid = spc[0][0];
obsolete = spc[0][1][0];
oid = spc[1][0][0];
digest = spc[1][1];
}
else
{
playload_oid = spc[0];
obsolete = spc[1][0];
oid = spc[2][0][0];
digest = spc[2][1];
}
string algo = ASN1Convert.ToOid (oid);
string algoname = (new Oid(algo)).FriendlyName;
Console.WriteLine("Digest Algorithm: {0}", algoname);
byte[] Value = digest.Value;
StringBuilder hexLine_sig = new StringBuilder ();
for (int i = 0; i < Value.Length; i++) {
hexLine_sig.AppendFormat ("{0} ", Value [i].ToString ("X2"));
}
hexLine_sig.AppendFormat (Environment.NewLine);
switch ( algoname )
{
case "md5":
hash = HashAlgorithm.Create ("MD5");
break;
case "sha1":
hash = HashAlgorithm.Create ("SHA1");
break;
default:
throw new NotImplementedException("Unknown HashAlgorithm: " + algoname );
}
byte[] cdigest;
if ( f.IsCollection() )
{
cdigest = get_TTC_digest( f );
}
else
{
cdigest = get_TTF_digest( f );
}
StringBuilder hexLine = new StringBuilder ();
for (int i = 0; i < cdigest.Length; i++) {
hexLine.AppendFormat ("{0} ", cdigest [i].ToString ("X2"));
}
hexLine.AppendFormat (Environment.NewLine);
Console.WriteLine("{0} Signed Digest:\t{1}", algoname.ToUpper(), hexLine_sig);
Console.WriteLine("Calculated Digest:\t{0}", hexLine);
string root_thumb = "";
#if HAVE_MONO_X509
root_thumb =
(new System.Security.Cryptography.X509Certificates.X509Certificate2(parent.RawData)).Thumbprint;
Console.WriteLine("ChainEnd Name: {0}", parent.SubjectName);
Console.WriteLine("ChainEnd Self-Signed: {0}", parent.IsSelfSigned);
#endif
Console.WriteLine("ChainEnd: {0}", root_thumb);
bool trusted = false;
try
{
string root_id = trusted_roots[root_thumb];
Console.WriteLine("RootID: {0}", root_id);
trusted = true;
}
catch (KeyNotFoundException)
{}
Console.WriteLine("Trusted: {0}", trusted);
}
return 0;
}
Boolean Mono.Security.X509.X509Chain::IsParent(Mono.Security.X509.X509Certificate,Mono.Security.X509.X509Certificate)
static int Main(string[] args)
{
if (args.Length == 0)
{
Console.WriteLine("DSIGInfo [-v] [-v] [-v] fontfile");
return(0);
}
OTFile f = new OTFile();
Table_DSIG tDSIG = null;
string filename = null;
verbose = 0;
for (int i = 0; i < args.Length; i++)
{
if ("-v" == args[i])
{
verbose++;
}
else
{
filename = args[i];
}
}
if (!f.open(filename))
{
Console.WriteLine("Error: Cannot open {0} as font file", filename);
return(0);
}
TTCHeader ttc = null;
if (f.IsCollection())
{
ttc = f.GetTTCHeader();
if (f.GetTableManager().GetUnaliasedTableName(ttc.DsigTag) == "DSIG")
{
MBOBuffer buf = f.ReadPaddedBuffer(ttc.DsigOffset, ttc.DsigLength);
tDSIG = (Table_DSIG)f.GetTableManager().CreateTableObject(ttc.DsigTag, buf);
}
for (uint i = 0; i < f.GetNumFonts(); i++)
{
OTFont fn = f.GetFont(i);
Table_DSIG memDSIG = (Table_DSIG)fn.GetTable("DSIG");
if (memDSIG != null)
{
Console.WriteLine("Warning: DSIG in member font");
break;
}
}
}
else
{
OTFont fn = f.GetFont(0);
tDSIG = (Table_DSIG)fn.GetTable("DSIG");
}
Console.WriteLine("{0} DSIG table: {1}", filename,
(tDSIG == null) ? "Absent" : "Present");
if (tDSIG == null)
{
return(0);
}
if (f.IsCollection() && ttc.version != 0x00020000)
{
Console.WriteLine("Warning: TTC has DSIG but header version is 0x{0}, != 0x00020000", ttc.version.ToString("X8"));
}
if (tDSIG.usNumSigs != 1)
{
Console.WriteLine("NumSigs = {0}", tDSIG.usNumSigs);
}
for (uint v = 0; v < tDSIG.usNumSigs; v++)
{
Table_DSIG.SignatureBlock sgb;
try {
sgb = tDSIG.GetSignatureBlock(v);
} catch (IndexOutOfRangeException)
{
Console.WriteLine("Error: Out of Range SignatureBlock {0}", v);
break;
}
SignedCms cms = new SignedCms();
try
{
cms.Decode(sgb.bSignature);
}
catch (Exception e)
{
if (e is NullReferenceException || /* Mono */
e is CryptographicException /* .Net2 */)
{
Console.WriteLine("Error: Malformed Signature");
break;
}
Console.WriteLine("Error: Malformed Signature (Unexpected Case 1)");
throw;
}
if (cms.SignerInfos.Count > 1)
{
Console.WriteLine("#SignerInfos: {0}", cms.SignerInfos.Count);
}
foreach (var si in cms.SignerInfos)
{
Console.WriteLine(si.Certificate);
if (Type.GetType("Mono.Runtime") == null)
{
foreach (var ua in si.UnsignedAttributes)
{
foreach (var asnd in ua.Values)
{
try
{
ASN1 vv = new ASN1(asnd.RawData);
ASN1 t = new ASN1(vv[3][1][1].Value);
Console.WriteLine("Decoded Signing Time: {0}", ASN1Convert.ToDateTime(t));
}
catch (Exception)
{ /* Nothing to do */ }
}
}
}
}
Console.WriteLine("#Certificates: {0}", cms.Certificates.Count);
#if HAVE_MONO_X509
certs = new Mono.Security.X509.X509CertificateCollection();
//Mono.Security.X509.X509Chain signerChain = new Mono.Security.X509.X509Chain ();
#endif
foreach (var x509 in cms.Certificates)
{
#if HAVE_MONO_X509
certs.Add(new Mono.Security.X509.X509Certificate(x509.RawData));
#endif
if (verbose > 0)
{
Console.WriteLine(x509);
}
else
{
Console.WriteLine(x509.Subject);
}
}
;
#if HAVE_MONO_X509
Mono.Security.X509.X509Certificate x = new Mono.Security.X509.X509Certificate(cms.SignerInfos[0].Certificate.RawData);
Mono.Security.X509.X509Certificate parent = x;
while (x != null) // Self-signed is fine - the font bundled CA is self-signed.
{
parent = x; // last valid
x = FindCertificateParent(x);
if (x != null && x.Equals(parent))
{
break;
}
}
#endif
// Windows 10/.net 4.6.x throws here
ASN1 spc;
try
{
spc = new ASN1(cms.ContentInfo.Content);
}
catch (Exception e)
{
if (e is IndexOutOfRangeException)
{
Console.WriteLine("Error: Malformed Signature (Win10/.net 4.6.x)");
break;
}
Console.WriteLine("Error: Malformed Signature (Unexpected Case 2)");
throw;
}
ASN1 playload_oid = null;
ASN1 oid = null;
ASN1 digest = null;
ASN1 obsolete = null;
if (Type.GetType("Mono.Runtime") == null)
{
// DotNet is much saner!
playload_oid = spc[0][0];
obsolete = spc[0][1][0];
oid = spc[1][0][0];
digest = spc[1][1];
}
else
{
playload_oid = spc[0];
obsolete = spc[1][0];
oid = spc[2][0][0];
digest = spc[2][1];
}
string algo = ASN1Convert.ToOid(oid);
string algoname = (new Oid(algo)).FriendlyName;
Console.WriteLine("Digest Algorithm: {0}", algoname);
byte[] Value = digest.Value;
StringBuilder hexLine_sig = new StringBuilder();
for (int i = 0; i < Value.Length; i++)
{
hexLine_sig.AppendFormat("{0} ", Value [i].ToString("X2"));
}
hexLine_sig.AppendFormat(Environment.NewLine);
switch (algoname)
{
case "md5":
hash = HashAlgorithm.Create("MD5");
break;
case "sha1":
hash = HashAlgorithm.Create("SHA1");
break;
default:
throw new NotImplementedException("Unknown HashAlgorithm: " + algoname);
}
byte[] cdigest;
if (f.IsCollection())
{
cdigest = get_TTC_digest(f);
}
else
{
cdigest = get_TTF_digest(f);
}
StringBuilder hexLine = new StringBuilder();
for (int i = 0; i < cdigest.Length; i++)
{
hexLine.AppendFormat("{0} ", cdigest [i].ToString("X2"));
}
hexLine.AppendFormat(Environment.NewLine);
Console.WriteLine("{0} Signed Digest:\t{1}", algoname.ToUpper(), hexLine_sig);
Console.WriteLine("Calculated Digest:\t{0}", hexLine);
string root_thumb = "";
#if HAVE_MONO_X509
root_thumb =
(new System.Security.Cryptography.X509Certificates.X509Certificate2(parent.RawData)).Thumbprint;
Console.WriteLine("ChainEnd Name: {0}", parent.SubjectName);
Console.WriteLine("ChainEnd Self-Signed: {0}", parent.IsSelfSigned);
#endif
Console.WriteLine("ChainEnd: {0}", root_thumb);
bool trusted = false;
try
{
string root_id = trusted_roots[root_thumb];
Console.WriteLine("RootID: {0}", root_id);
trusted = true;
}
catch (KeyNotFoundException)
{}
Console.WriteLine("Trusted: {0}", trusted);
}
return(0);
}
public static ASN1 IssuerAndSerialNumber(Mono.Security.X509.X509Certificate x509)
{
throw new NotImplementedException();
}
public X509CrlEntry GetCrlEntry(Mono.Security.X509.X509Certificate x509)
{
throw new NotImplementedException();
}
Boolean Mono.Security.X509.X509Chain::IsValid(Mono.Security.X509.X509Certificate) Mono.Security.X509.X509Certificate Mono.Security.X509.X509Chain::FindCertificateParent(Mono.Security.X509.X509Certificate)
public void Import(Mono.Security.X509.X509Certificate certificate)
{
}
public void Remove(Mono.Security.X509.X509Certificate certificate)
{
}
//
//
// obj is SslStream
public bool ValidateClientCertificate(object obj, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Policy is ({0})", sslPolicyErrors);
X509Certificate2 certificate2 = new X509Certificate2(certificate);
string simplename = certificate2.GetNameInfo(X509NameType.SimpleName, false);
// None, ChainErrors 以外は全てエラーとする.
if (sslPolicyErrors!=SslPolicyErrors.None && sslPolicyErrors!=SslPolicyErrors.RemoteCertificateChainErrors) {
m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Simple Name is \"{0}\"", simplename);
m_log.InfoFormat("[NSL CERT VERIFY]: ValidateClientCertificate: Policy Error!");
return false;
}
// check CRL
if (m_clientcrl!=null) {
Mono.Security.X509.X509Certificate monocert = new Mono.Security.X509.X509Certificate(certificate.GetRawCertData());
Mono.Security.X509.X509Crl.X509CrlEntry entry = m_clientcrl.GetCrlEntry(monocert);
if (entry!=null) {
m_log.InfoFormat("[NSL CERT VERIFY]: Common Name \"{0}\" was revoked at {1}", simplename, entry.RevocationDate.ToString());
return false;
}
}
bool valid = CheckPrivateChain(certificate2);
if (valid) {
m_log.InfoFormat("[NSL CERT VERIFY]: Valid Client Certification for \"{0}\"", simplename);
}
else {
m_log.InfoFormat("[NSL CERT VERIFY]: Failed to Verify Client Certification for \"{0}\"", simplename);
}
return valid;
}
public void AddCertificate(Mono.Security.X509.X509Certificate cert, System.Collections.IDictionary attributes)
{
}
