public CmsRecipientCollection (SubjectIdentifierType recipientIdentifierType, X509Certificate2Collection certificates) : base () { foreach (X509Certificate2 x509 in certificates) { CmsRecipient p7r = new CmsRecipient (recipientIdentifierType, x509); _list.Add (p7r); } }
public CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2 certificate) { switch (signerIdentifierType) { case SubjectIdentifierType.Unknown: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.IssuerAndSerialNumber: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.SubjectKeyIdentifier: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.NoSignature: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.None; break; default: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; } this.Certificate = certificate; this.DigestAlgorithm = new Oid("1.3.14.3.2.26"); this.m_signedAttributes = new CryptographicAttributeObjectCollection(); this.m_unsignedAttributes = new CryptographicAttributeObjectCollection(); this.m_certificates = new X509Certificate2Collection(); }
public EnvelopedCms (SubjectIdentifierType recipientIdentifierType, ContentInfo contentInfo) : this (contentInfo) { _idType = recipientIdentifierType; if (_idType == SubjectIdentifierType.SubjectKeyIdentifier) _version = 2; }
// constructor public CmsRecipient (X509Certificate2 certificate) { if (certificate == null) throw new ArgumentNullException ("certificate"); _recipient = SubjectIdentifierType.IssuerAndSerialNumber; _certificate = certificate; }
public CmsSigner (SubjectIdentifierType signerIdentifierType) : this () { if (signerIdentifierType == SubjectIdentifierType.Unknown) _signer = SubjectIdentifierType.IssuerAndSerialNumber; else _signer = signerIdentifierType; }
public CmsSigner (SubjectIdentifierType signerIdentifierType, X509Certificate2 certificate) { switch (signerIdentifierType) { case SubjectIdentifierType.Unknown: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.IssuerAndSerialNumber: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.SubjectKeyIdentifier: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.NoSignature: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.None; break; default: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; } this.Certificate = certificate; this.DigestAlgorithm = Oid.FromOidValue(CAPI.szOID_OIWSEC_sha1, OidGroup.HashAlgorithm); m_signedAttributes = new CryptographicAttributeObjectCollection(); m_unsignedAttributes = new CryptographicAttributeObjectCollection(); m_certificates = new X509Certificate2Collection(); }
private void Reset(SubjectIdentifierType recipientIdentifierType, X509Certificate2 certificate) { if (certificate == null) { throw new ArgumentNullException("certificate"); } switch (recipientIdentifierType) { case SubjectIdentifierType.Unknown: recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; break; case SubjectIdentifierType.IssuerAndSerialNumber: break; case SubjectIdentifierType.SubjectKeyIdentifier: if (!PkcsUtils.CmsSupported()) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Not_Supported")); } break; default: throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type"), recipientIdentifierType.ToString()); } this.m_recipientIdentifierType = recipientIdentifierType; this.m_certificate = certificate; }
internal SubjectIdentifier(CAPI.CRYPTOAPI_BLOB issuer, CAPI.CRYPTOAPI_BLOB serialNumber) { bool flag = true; byte* numPtr = (byte*)(void*)serialNumber.pbData; for (uint index = 0U; index < serialNumber.cbData; ++index) { if ((int)*numPtr++ != 0) { flag = false; break; } } if (flag) { byte[] numArray = new byte[(IntPtr)issuer.cbData]; Marshal.Copy(issuer.pbData, numArray, 0, numArray.Length); if (string.Compare("CN=Dummy Signer", new X500DistinguishedName(numArray).Name, StringComparison.OrdinalIgnoreCase) == 0) { this.Reset(SubjectIdentifierType.NoSignature, (object)null); return; } } if (flag) { this.m_type = SubjectIdentifierType.SubjectKeyIdentifier; this.m_value = (object)string.Empty; uint cbDecodedValue = 0U; SafeLocalAllocHandle decodedValue = SafeLocalAllocHandle.InvalidHandle; if (!CAPI.DecodeObject(new IntPtr(7L), issuer.pbData, issuer.cbData, out decodedValue, out cbDecodedValue)) throw new CryptographicException(Marshal.GetLastWin32Error()); using (decodedValue) { CAPI.CERT_NAME_INFO certNameInfo = (CAPI.CERT_NAME_INFO)Marshal.PtrToStructure(decodedValue.DangerousGetHandle(), typeof(CAPI.CERT_NAME_INFO)); for (uint index1 = 0U; index1 < certNameInfo.cRDN; ++index1) { CAPI.CERT_RDN certRdn = (CAPI.CERT_RDN)Marshal.PtrToStructure(new IntPtr((long)certNameInfo.rgRDN + (long)index1 * (long)Marshal.SizeOf(typeof(CAPI.CERT_RDN))), typeof(CAPI.CERT_RDN)); for (uint index2 = 0U; index2 < certRdn.cRDNAttr; ++index2) { CAPI.CERT_RDN_ATTR certRdnAttr = (CAPI.CERT_RDN_ATTR)Marshal.PtrToStructure(new IntPtr((long)certRdn.rgRDNAttr + (long)index2 * (long)Marshal.SizeOf(typeof(CAPI.CERT_RDN_ATTR))), typeof(CAPI.CERT_RDN_ATTR)); if (string.Compare("1.3.6.1.4.1.311.10.7.1", certRdnAttr.pszObjId, StringComparison.OrdinalIgnoreCase) == 0 && (int)certRdnAttr.dwValueType == 2) { byte[] numArray = new byte[(IntPtr)certRdnAttr.Value.cbData]; Marshal.Copy(certRdnAttr.Value.pbData, numArray, 0, numArray.Length); this.Reset(SubjectIdentifierType.SubjectKeyIdentifier, (object)X509Utils.EncodeHexString(numArray)); return; } } } } throw new CryptographicException(-2146889715); } else { CAPI.CERT_ISSUER_SERIAL_NUMBER pIssuerAndSerial; pIssuerAndSerial.Issuer = issuer; pIssuerAndSerial.SerialNumber = serialNumber; this.Reset(SubjectIdentifierType.IssuerAndSerialNumber, (object)PkcsUtils.DecodeIssuerSerial(pIssuerAndSerial)); } }
public CmsRecipientCollection(SubjectIdentifierType recipientIdentifierType, X509Certificate2Collection certificates) { this.m_recipients = new ArrayList(certificates.Count); for (int i = 0; i < certificates.Count; i++) { this.m_recipients.Add(new CmsRecipient(recipientIdentifierType, certificates[i])); } }
public CmsRecipientCollection (SubjectIdentifierType recipientIdentifierType, X509Certificate2Collection certificates) { // no null check, MS throws a NullReferenceException here foreach (X509Certificate2 x509 in certificates) { CmsRecipient p7r = new CmsRecipient (recipientIdentifierType, x509); _list.Add (p7r); } }
// constructors public CmsSigner () { _signer = SubjectIdentifierType.IssuerAndSerialNumber; _digest = new Oid ("1.3.14.3.2.26"); _options = X509IncludeOption.ExcludeRoot; _signed = new CryptographicAttributeObjectCollection (); _unsigned = new CryptographicAttributeObjectCollection (); _coll = new X509Certificate2Collection (); }
// only accessible from SignedPkcs7.SignerInfos internal SignerInfo (string hashName, X509Certificate2 certificate, SubjectIdentifierType type, object o, int version) { _digest = new Oid (CryptoConfig.MapNameToOID (hashName)); _certificate = certificate; _counter = new SignerInfoCollection (); _signed = new CryptographicAttributeObjectCollection (); _unsigned = new CryptographicAttributeObjectCollection (); _signer = new SubjectIdentifier (type, o); _version = version; }
public CmsRecipient (SubjectIdentifierType recipientIdentifierType, X509Certificate2 certificate) { if (certificate == null) throw new ArgumentNullException ("certificate"); if (recipientIdentifierType == SubjectIdentifierType.Unknown) _recipient = SubjectIdentifierType.IssuerAndSerialNumber; else _recipient = recipientIdentifierType; _certificate = certificate; }
public CmsRecipientCollection(SubjectIdentifierType recipientIdentifierType, X509Certificate2Collection certificates) { if (certificates == null) throw new NullReferenceException(); //Desktop compat: this is the wrong exception to throw but it is the compatible one. _recipients = new List<CmsRecipient>(certificates.Count); for (int index = 0; index < certificates.Count; index++) { _recipients.Add(new CmsRecipient(recipientIdentifierType, certificates[index])); } }
/// <summary> /// Initializes a new instance of the <see cref="MimeKit.Cryptography.CmsRecipient"/> class. /// </summary> /// <remarks> /// The initial value of the <see cref="EncryptionAlgorithms"/> property will be set to /// the Triple-DES encryption algorithm, which should be safe to assume for all modern /// S/MIME v3.x client implementations. /// </remarks> /// <param name="certificate">The recipient's certificate.</param> /// <param name="recipientIdentifierType">The recipient identifier type.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="certificate"/> is <c>null</c>. /// </exception> public CmsRecipient (X509Certificate certificate, SubjectIdentifierType recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) { if (certificate == null) throw new ArgumentNullException (nameof (certificate)); if (recipientIdentifierType == SubjectIdentifierType.IssuerAndSerialNumber) RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; else RecipientIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; EncryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes }; Certificate = certificate; }
public EnvelopedCms(SubjectIdentifierType recipientIdentifierType, ContentInfo contentInfo, AlgorithmIdentifier encryptionAlgorithm) { if (contentInfo == null) throw new ArgumentNullException("contentInfo"); if (contentInfo.Content == null) throw new ArgumentNullException("contentInfo.Content"); if (encryptionAlgorithm == null) throw new ArgumentNullException("encryptionAlgorithm"); this.m_safeCryptMsgHandle = SafeCryptMsgHandle.InvalidHandle; this.m_version = recipientIdentifierType == SubjectIdentifierType.SubjectKeyIdentifier ? 2 : 0; this.m_recipientIdentifierType = recipientIdentifierType; this.m_contentInfo = contentInfo; this.m_encryptionAlgorithm = encryptionAlgorithm; this.m_encryptionAlgorithm.Parameters = new byte[0]; this.m_certificates = new X509Certificate2Collection(); this.m_unprotectedAttributes = new CryptographicAttributeObjectCollection(); }
public SignedCms (SubjectIdentifierType signerIdentifierType, ContentInfo contentInfo, bool detached) { if (contentInfo == null) throw new ArgumentNullException("contentInfo"); if (contentInfo.Content == null) throw new ArgumentNullException("contentInfo.Content"); // Reset all states. if (signerIdentifierType != SubjectIdentifierType.SubjectKeyIdentifier && signerIdentifierType != SubjectIdentifierType.IssuerAndSerialNumber && signerIdentifierType != SubjectIdentifierType.NoSignature) { signerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; } m_safeCryptMsgHandle = SafeCryptMsgHandle.InvalidHandle; m_signerIdentifierType = signerIdentifierType; m_version = 0; m_contentInfo = contentInfo; m_detached = detached; }
public SignedCms(SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.Pkcs.ContentInfo contentInfo, bool detached) { if (contentInfo == null) { throw new ArgumentNullException("contentInfo"); } if (contentInfo.Content == null) { throw new ArgumentNullException("contentInfo.Content"); } if (((signerIdentifierType != SubjectIdentifierType.SubjectKeyIdentifier) && (signerIdentifierType != SubjectIdentifierType.IssuerAndSerialNumber)) && (signerIdentifierType != SubjectIdentifierType.NoSignature)) { signerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; } this.m_safeCryptMsgHandle = System.Security.Cryptography.SafeCryptMsgHandle.InvalidHandle; this.m_signerIdentifierType = signerIdentifierType; this.m_version = 0; this.m_contentInfo = contentInfo; this.m_detached = detached; }
public CmsRecipient(SubjectIdentifierType recipientIdentifierType, X509Certificate2 certificate) { if (certificate == null) throw new ArgumentNullException(nameof(certificate)); switch (recipientIdentifierType) { case SubjectIdentifierType.Unknown: recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; break; case SubjectIdentifierType.IssuerAndSerialNumber: break; case SubjectIdentifierType.SubjectKeyIdentifier: break; default: throw new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Subject_Identifier_Type, recipientIdentifierType)); } RecipientIdentifierType = recipientIdentifierType; Certificate = certificate; }
public SignedCms(SubjectIdentifierType signerIdentifierType, ContentInfo contentInfo, bool detached) { if (contentInfo == null) { throw new ArgumentNullException(nameof(contentInfo)); } if (contentInfo.Content == null) { throw new ArgumentNullException("contentInfo.Content"); } // signerIdentifierType is ignored. // In .NET Framework it is used for the signer type of a prompt-for-certificate signer. // In .NET Core we don't support prompting. // // .NET Framework turned any unknown value into IssuerAndSerialNumber, so no exceptions // are required, either. ContentInfo = contentInfo; Detached = detached; Version = 0; }
private static void CustomBuild_CertMatch( CertLoader loader, DateTimeOffset referenceTime, SigningCertificateOption v1Option, SigningCertificateOption v2Option, HashAlgorithmName v2AlgorithmName = default, X509IncludeOption includeOption = default, SubjectIdentifierType identifierType = SubjectIdentifierType.IssuerAndSerialNumber) { byte[] tokenBytes = BuildCustomToken( loader, referenceTime, v1Option, v2Option, v2AlgorithmName, includeOption, identifierType); Rfc3161TimestampToken token; Assert.True(Rfc3161TimestampToken.TryDecode(tokenBytes, out token, out int bytesRead)); Assert.Equal(tokenBytes.Length, bytesRead); Assert.NotNull(token); Assert.Equal(referenceTime, token.TokenInfo.Timestamp); using (X509Certificate2 cert = Certificates.ValidLookingTsaCert.GetCertificate()) { Assert.True( token.VerifySignatureForHash( token.TokenInfo.GetMessageHash().Span, token.TokenInfo.HashAlgorithmId, out X509Certificate2 signer, new X509Certificate2Collection(cert))); Assert.Equal(cert, signer); } }
internal SubjectIdentifier(SubjectIdentifierType type, object value) { Debug.Assert(value != null); #if DEBUG switch (type) { case SubjectIdentifierType.IssuerAndSerialNumber: Debug.Assert(value is X509IssuerSerial); break; case SubjectIdentifierType.SubjectKeyIdentifier: Debug.Assert(value is string); break; default: Debug.Fail($"Illegal type passed to SubjectIdentifier: {type}"); break; } #endif //DEBUG Type = type; Value = value; }
/// <summary> /// Initializes a new instance of the <see cref="MimeKit.Cryptography.CmsRecipient"/> class. /// </summary> /// <remarks> /// <para>Creates a new <see cref="CmsRecipient"/>, loading the certificate from the specified stream.</para> /// <para>The initial value of the <see cref="EncryptionAlgorithms"/> property will be set to /// the Triple-DES encryption algorithm, which should be safe to assume for all modern /// S/MIME v3.x client implementations.</para> /// </remarks> /// <param name="stream">The stream containing the recipient's certificate.</param> /// <param name="recipientIdentifierType">The recipient identifier type.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="stream"/> is <c>null</c>. /// </exception> /// <exception cref="System.IO.IOException"> /// An I/O error occurred. /// </exception> public CmsRecipient(Stream stream, SubjectIdentifierType recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) { if (stream == null) { throw new ArgumentNullException(nameof(stream)); } if (recipientIdentifierType == SubjectIdentifierType.IssuerAndSerialNumber) { RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; } else { RecipientIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; } var parser = new X509CertificateParser(); EncryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes }; RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; Certificate = parser.ReadCertificate(stream); }
public static SubjectIdentifierOrKey ToSubjectIdentifierOrKey(this CERT_ID certId) { // // SubjectIdentifierOrKey is just a SubjectIdentifier with an (irrelevant here) "key" option thumbtacked onto it so // the easiest way is to subcontract the job to SubjectIdentifier. // SubjectIdentifier subjectIdentifier = certId.ToSubjectIdentifier(); SubjectIdentifierType subjectIdentifierType = subjectIdentifier.Type; switch (subjectIdentifierType) { case SubjectIdentifierType.IssuerAndSerialNumber: return(new SubjectIdentifierOrKey(SubjectIdentifierOrKeyType.IssuerAndSerialNumber, subjectIdentifier.Value !)); case SubjectIdentifierType.SubjectKeyIdentifier: return(new SubjectIdentifierOrKey(SubjectIdentifierOrKeyType.SubjectKeyIdentifier, subjectIdentifier.Value !)); default: Debug.Fail("Only the framework can construct SubjectIdentifier's so if we got a bad value here, that's our fault."); throw new CryptographicException(SR.Format(SR.Cryptography_Cms_Invalid_Subject_Identifier_Type, subjectIdentifierType)); } }
internal void Reset(SubjectIdentifierType type, object value) { switch (type) { case SubjectIdentifierType.Unknown: case SubjectIdentifierType.NoSignature: this.m_type = type; this.m_value = value; break; case SubjectIdentifierType.IssuerAndSerialNumber: if (value.GetType() != typeof(X509IssuerSerial)) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type_Value_Mismatch"), value.GetType().ToString()); } else { goto case 0; } case SubjectIdentifierType.SubjectKeyIdentifier: if (!PkcsUtils.CmsSupported()) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Not_Supported")); } if (value.GetType() != typeof(string)) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type_Value_Mismatch"), value.GetType().ToString()); } else { goto case 0; } default: throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type"), ((object)type).ToString()); } }
public CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2 certificate) { switch (signerIdentifierType) { case SubjectIdentifierType.Unknown: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.IssuerAndSerialNumber: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.SubjectKeyIdentifier: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; case SubjectIdentifierType.NoSignature: this.SignerIdentifierType = signerIdentifierType; this.IncludeOption = X509IncludeOption.None; break; default: this.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; this.IncludeOption = X509IncludeOption.ExcludeRoot; break; } this.Certificate = certificate; string oidValue = LocalAppContextSwitches.CmsUseInsecureHashAlgorithms ? CAPI.szOID_OIWSEC_sha1 : Sha256Oid; this.DigestAlgorithm = Oid.FromOidValue(oidValue, OidGroup.HashAlgorithm); m_signedAttributes = new CryptographicAttributeObjectCollection(); m_unsignedAttributes = new CryptographicAttributeObjectCollection(); m_certificates = new X509Certificate2Collection(); }
/// <summary> /// Note: Due to its use of X509Certificate2Collection.Find(), this returns a cloned certificate. So the caller should dispose it. /// </summary> public static X509Certificate2 TryFindMatchingCertificate(this X509Certificate2Collection certs, SubjectIdentifier recipientIdentifier) { SubjectIdentifierType recipientIdentifierType = recipientIdentifier.Type; switch (recipientIdentifierType) { case SubjectIdentifierType.IssuerAndSerialNumber: { X509IssuerSerial issuerSerial = (X509IssuerSerial)(recipientIdentifier.Value); using (ClonedCertificates matches1 = certs.FindCertificates(X509FindType.FindBySerialNumber, issuerSerial.SerialNumber)) { using (ClonedCertificates matches2 = matches1.FindCertificates(X509FindType.FindByIssuerDistinguishedName, issuerSerial.IssuerName)) { // Desktop compat: We do not complain about multiple matches. Just take the first one and ignore the rest. return(matches2.Any ? matches2.ClaimResult() : null); } } } case SubjectIdentifierType.SubjectKeyIdentifier: { string ski = (string)(recipientIdentifier.Value); using (ClonedCertificates matches = certs.FindCertificates(X509FindType.FindBySubjectKeyIdentifier, ski)) { // Desktop compat: We do not complain about multiple matches. Just take the first one and ignore the rest. return(matches.Any ? matches.ClaimResult() : null); } } default: // RecipientInfo's can only be created by this package so if this an invalid type, it's the package's fault. Debug.Fail($"Invalid recipientIdentifier type: {recipientIdentifierType}"); throw new CryptographicException(); } }
/// <summary> /// Initializes a new instance of the <see cref="MimeKit.Cryptography.CmsRecipient"/> class. /// </summary> /// <remarks> /// <para>Creates a new <see cref="CmsRecipient"/>, loading the certificate from the specified file.</para> /// <para>The initial value of the <see cref="EncryptionAlgorithms"/> property will be set to /// the Triple-DES encryption algorithm, which should be safe to assume for all modern /// S/MIME v3.x client implementations.</para> /// </remarks> /// <param name="fileName">The file containing the recipient's certificate.</param> /// <param name="recipientIdentifierType">The recipient identifier type.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="fileName"/> is <c>null</c>. /// </exception> /// <exception cref="System.ArgumentException"> /// <paramref name="fileName"/> is a zero-length string, contains only white space, or /// contains one or more invalid characters as defined by /// <see cref="System.IO.Path.InvalidPathChars"/>. /// </exception> /// <exception cref="System.IO.DirectoryNotFoundException"> /// <paramref name="fileName"/> is an invalid file path. /// </exception> /// <exception cref="System.IO.FileNotFoundException"> /// The specified file path could not be found. /// </exception> /// <exception cref="System.UnauthorizedAccessException"> /// The user does not have access to read the specified file. /// </exception> /// <exception cref="System.IO.IOException"> /// An I/O error occurred. /// </exception> public CmsRecipient(string fileName, SubjectIdentifierType recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) { if (fileName == null) { throw new ArgumentNullException(nameof(fileName)); } var parser = new X509CertificateParser(); if (recipientIdentifierType == SubjectIdentifierType.IssuerAndSerialNumber) { RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; } else { RecipientIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; } EncryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes }; RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; using (var stream = File.OpenRead(fileName)) Certificate = parser.ReadCertificate(stream); }
private static KeyTransRecipientInfo EncodeKeyTransl(SubjectIdentifierType type = SubjectIdentifierType.IssuerAndSerialNumber) { ContentInfo contentInfo = new ContentInfo(new byte[] { 1, 2, 3 }); EnvelopedCms ecms = new EnvelopedCms(contentInfo); using (X509Certificate2 cert = Certificates.RSAKeyTransfer1.GetCertificate()) { CmsRecipient cmsRecipient = new CmsRecipient(type, cert); ecms.Encrypt(cmsRecipient); } byte[] encodedMessage = ecms.Encode(); EnvelopedCms ecms2 = new EnvelopedCms(); ecms2.Decode(encodedMessage); RecipientInfoCollection recipients = ecms2.RecipientInfos; Assert.Equal(1, recipients.Count); RecipientInfo recipientInfo = recipients[0]; Assert.IsType <KeyTransRecipientInfo>(recipientInfo); return((KeyTransRecipientInfo)recipientInfo); }
private static void CheckSignedEncrypted(byte[] docBytes, SubjectIdentifierType expectedType) { SignedCms signedCms = new SignedCms(); signedCms.Decode(docBytes); Assert.Equal(Oids.Pkcs7Enveloped, signedCms.ContentInfo.ContentType.Value); SignerInfoCollection signers = signedCms.SignerInfos; Assert.Equal(1, signers.Count); Assert.Equal(expectedType, signers[0].SignerIdentifier.Type); // Assert.NotThrows signedCms.CheckSignature(true); EnvelopedCms envelopedCms = new EnvelopedCms(); envelopedCms.Decode(signedCms.ContentInfo.Content); using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey()) { envelopedCms.Decrypt(new X509Certificate2Collection(cert)); } Assert.Equal("42", envelopedCms.ContentInfo.Content.ByteArrayToHex()); }
public void Decode(byte[] encodedMessage) { PKCS7.ContentInfo ci = new PKCS7.ContentInfo(encodedMessage); if (ci.ContentType != PKCS7.Oid.signedData) { throw new Exception(""); } PKCS7.SignedData sd = new PKCS7.SignedData(ci.Content); SubjectIdentifierType type = SubjectIdentifierType.Unknown; object o = null; X509Certificate2 x509 = null; if (sd.SignerInfo.Certificate != null) { x509 = new X509Certificate2(sd.SignerInfo.Certificate.RawData); } else if ((sd.SignerInfo.IssuerName != null) && (sd.SignerInfo.SerialNumber != null)) { byte[] serial = sd.SignerInfo.SerialNumber; Array.Reverse(serial); // ??? type = SubjectIdentifierType.IssuerAndSerialNumber; X509IssuerSerial xis = new X509IssuerSerial(); xis.IssuerName = sd.SignerInfo.IssuerName; xis.SerialNumber = ToString(serial, true); o = xis; // TODO: move to a FindCertificate (issuer, serial, collection) foreach (Mono.Security.X509.X509Certificate x in sd.Certificates) { if (x.IssuerName == sd.SignerInfo.IssuerName) { if (ToString(x.SerialNumber, true) == xis.SerialNumber) { x509 = new X509Certificate2(x.RawData); break; } } } } else if (sd.SignerInfo.SubjectKeyIdentifier != null) { string ski = ToString(sd.SignerInfo.SubjectKeyIdentifier, false); type = SubjectIdentifierType.SubjectKeyIdentifier; o = (object)ski; // TODO: move to a FindCertificate (ski, collection) foreach (Mono.Security.X509.X509Certificate x in sd.Certificates) { if (ToString(GetKeyIdentifier(x), false) == ski) { x509 = new X509Certificate2(x.RawData); break; } } } SignerInfo si = new SignerInfo(sd.SignerInfo.HashName, x509, type, o, sd.SignerInfo.Version); // si.AuthenticatedAttributes // si.UnauthenticatedAttributes _info.Add(si); ASN1 content = sd.ContentInfo.Content; Oid oid = new Oid(sd.ContentInfo.ContentType); if (!_detached || _content == null) { if (content[0] == null) { throw new ArgumentException("ContentInfo has no content. Detached signature ?"); } _content = new ContentInfo(oid, content[0].Value); } foreach (Mono.Security.X509.X509Certificate x in sd.Certificates) { _certs.Add(new X509Certificate2(x.RawData)); } _version = sd.Version; }
private static void CustomBuild_CertMismatch( CertLoader loader, DateTimeOffset referenceTime, SigningCertificateOption v1Option, SigningCertificateOption v2Option, HashAlgorithmName v2AlgorithmName = default, X509IncludeOption includeOption = default, SubjectIdentifierType identifierType = SubjectIdentifierType.IssuerAndSerialNumber) { byte[] tokenBytes = BuildCustomToken( loader, referenceTime, v1Option, v2Option, v2AlgorithmName, includeOption, identifierType); Rfc3161TimestampToken token; bool willParse = includeOption == X509IncludeOption.None; if (willParse && identifierType == SubjectIdentifierType.IssuerAndSerialNumber) { // Because IASN matches against the ESSCertId(V2) directly it will reject the token. switch (v1Option) { case SigningCertificateOption.ValidHashWithInvalidName: case SigningCertificateOption.ValidHashWithInvalidSerial: case SigningCertificateOption.InvalidHashWithInvalidName: case SigningCertificateOption.InvalidHashWithInvalidSerial: willParse = false; break; } switch (v2Option) { case SigningCertificateOption.ValidHashWithInvalidName: case SigningCertificateOption.ValidHashWithInvalidSerial: case SigningCertificateOption.InvalidHashWithInvalidName: case SigningCertificateOption.InvalidHashWithInvalidSerial: willParse = false; break; } } if (willParse) { Assert.True(Rfc3161TimestampToken.TryDecode(tokenBytes, out token, out int bytesRead)); Assert.NotNull(token); Assert.Equal(tokenBytes.Length, bytesRead); using (X509Certificate2 cert = loader.GetCertificate()) { Assert.False( token.VerifySignatureForHash( token.TokenInfo.GetMessageHash().Span, token.TokenInfo.HashAlgorithmId, out X509Certificate2 signer, new X509Certificate2Collection(cert))); Assert.Null(signer); } } else { Assert.False(Rfc3161TimestampToken.TryDecode(tokenBytes, out token, out int bytesRead)); Assert.Null(token); Assert.Equal(0, bytesRead); } }
public CmsSigner (SubjectIdentifierType signerIdentifierType) : this (signerIdentifierType, null) {}
// // Internal methods. // internal void Reset (SubjectIdentifierType type, Object value) { switch (type) { case SubjectIdentifierType.NoSignature: case SubjectIdentifierType.Unknown: break; case SubjectIdentifierType.IssuerAndSerialNumber: if (value.GetType() != typeof(X509IssuerSerial)) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type_Value_Mismatch"), value.GetType().ToString()); } break; case SubjectIdentifierType.SubjectKeyIdentifier: if (!PkcsUtils.CmsSupported()) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Not_Supported")); } if (value.GetType() != typeof(string)) { throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type_Value_Mismatch"), value.GetType().ToString()); } break; default: throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Cms_Invalid_Subject_Identifier_Type"), type.ToString()); } m_type = type; m_value = value; }
public static void AddFirstSigner_ECDSA(SubjectIdentifierType identifierType, bool detached, string digestOid) { ContentInfo contentInfo = new ContentInfo(new byte[] { 9, 8, 7, 6, 5 }); SignedCms cms = new SignedCms(contentInfo, detached); using (X509Certificate2 signerCert = Certificates.ECDsaP256Win.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(identifierType, signerCert); signer.IncludeOption = X509IncludeOption.EndCertOnly; signer.DigestAlgorithm = new Oid(digestOid, digestOid); cms.ComputeSignature(signer); } Assert.Single(cms.SignerInfos); Assert.Single(cms.Certificates); int expectedVersion = identifierType == SubjectIdentifierType.SubjectKeyIdentifier ? 3 : 1; Assert.Equal(expectedVersion, cms.Version); SignerInfo firstSigner = cms.SignerInfos[0]; Assert.Equal(identifierType, firstSigner.SignerIdentifier.Type); Assert.NotNull(firstSigner.Certificate); Assert.NotSame(cms.Certificates[0], firstSigner.Certificate); Assert.Equal(cms.Certificates[0], firstSigner.Certificate); #if netcoreapp byte[] signature = firstSigner.GetSignature(); Assert.NotEmpty(signature); // ECDSA PKIX signature format is a DER SEQUENCE. Assert.Equal(0x30, signature[0]); // ECDSA Oids are all under 1.2.840.10045.4. Assert.StartsWith("1.2.840.10045.4.", firstSigner.SignatureAlgorithm.Value); #endif cms.CheckSignature(true); byte[] encoded = cms.Encode(); cms = new SignedCms(); cms.Decode(encoded); Assert.Single(cms.SignerInfos); Assert.Single(cms.Certificates); Assert.Equal(expectedVersion, cms.Version); Assert.Equal(identifierType, cms.SignerInfos[0].SignerIdentifier.Type); Assert.Equal(firstSigner.Certificate, cms.SignerInfos[0].Certificate); #if netcoreapp byte[] sig2 = cms.SignerInfos[0].GetSignature(); Assert.Equal(signature, sig2); #endif if (detached) { Assert.Throws <CryptographicException>(() => cms.CheckSignature(true)); cms = new SignedCms(contentInfo, detached); cms.Decode(encoded); } cms.CheckSignature(true); }
public SignedCms(SubjectIdentifierType signerIdentifierType, ContentInfo content, bool detached) : this(content, detached) { _type = signerIdentifierType; }
/// <summary> /// Initializes a new instance of the <see cref="MimeKit.Cryptography.CmsRecipient"/> class. /// </summary> /// <remarks> /// <para>Creates a new <see cref="CmsRecipient"/>, loading the certificate from the specified file.</para> /// <para>The initial value of the <see cref="EncryptionAlgorithms"/> property will be set to /// the Triple-DES encryption algorithm, which should be safe to assume for all modern /// S/MIME v3.x client implementations.</para> /// </remarks> /// <param name="fileName">The file containing the recipient's certificate.</param> /// <param name="recipientIdentifierType">The recipient identifier type.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="fileName"/> is <c>null</c>. /// </exception> /// <exception cref="System.ArgumentException"> /// <paramref name="fileName"/> is a zero-length string, contains only white space, or /// contains one or more invalid characters as defined by /// <see cref="System.IO.Path.InvalidPathChars"/>. /// </exception> /// <exception cref="System.IO.DirectoryNotFoundException"> /// <paramref name="fileName"/> is an invalid file path. /// </exception> /// <exception cref="System.IO.FileNotFoundException"> /// The specified file path could not be found. /// </exception> /// <exception cref="System.UnauthorizedAccessException"> /// The user does not have access to read the specified file. /// </exception> /// <exception cref="System.IO.IOException"> /// An I/O error occurred. /// </exception> public CmsRecipient (string fileName, SubjectIdentifierType recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) { if (fileName == null) throw new ArgumentNullException (nameof (fileName)); var parser = new X509CertificateParser (); if (recipientIdentifierType == SubjectIdentifierType.IssuerAndSerialNumber) RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; else RecipientIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; EncryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes }; RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; using (var stream = File.OpenRead (fileName)) Certificate = parser.ReadCertificate (stream); }
public CmsSigner (SubjectIdentifierType signerIdentifierType, X509Certificate2 certificate) : this (signerIdentifierType) { _certificate = certificate; }
public SignedCms(SubjectIdentifierType signerIdentifierType, ContentInfo contentInfo) : this(signerIdentifierType, contentInfo, false) { }
private static KeyTransRecipientInfo FixedValueKeyTrans1(SubjectIdentifierType type = SubjectIdentifierType.IssuerAndSerialNumber) { byte[] encodedMessage; switch (type) { case SubjectIdentifierType.IssuerAndSerialNumber: encodedMessage = s_KeyTransEncodedMessage; break; case SubjectIdentifierType.SubjectKeyIdentifier: encodedMessage = s_KeyTransEncodedMessage_Ski; break; default: throw new Exception("Bad SubjectIdentifierType."); } EnvelopedCms ecms = new EnvelopedCms(); ecms.Decode(encodedMessage); RecipientInfoCollection recipients = ecms.RecipientInfos; Assert.Equal(1, recipients.Count); RecipientInfo recipientInfo = recipients[0]; Assert.True(recipientInfo is KeyTransRecipientInfo); return (KeyTransRecipientInfo)recipientInfo; }
private static KeyTransRecipientInfo EncodeKeyTransl(SubjectIdentifierType type = SubjectIdentifierType.IssuerAndSerialNumber) { ContentInfo contentInfo = new ContentInfo(new byte[] { 1, 2, 3 }); EnvelopedCms ecms = new EnvelopedCms(contentInfo); using (X509Certificate2 cert = Certificates.RSAKeyTransfer1.GetCertificate()) { CmsRecipient cmsRecipient = new CmsRecipient(type, cert); ecms.Encrypt(cmsRecipient); } byte[] encodedMessage = ecms.Encode(); EnvelopedCms ecms2 = new EnvelopedCms(); ecms2.Decode(encodedMessage); RecipientInfoCollection recipients = ecms2.RecipientInfos; Assert.Equal(1, recipients.Count); RecipientInfo recipientInfo = recipients[0]; Assert.True(recipientInfo is KeyTransRecipientInfo); return (KeyTransRecipientInfo)recipientInfo; }
public SignedCms(SubjectIdentifierType signerIdentifierType) : this() { _type = signerIdentifierType; }
public CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2 certificate) : this(signerIdentifierType, certificate, null) { }
public SignedCms(SubjectIdentifierType signerIdentifierType, ContentInfo content) : this(content, false) { _type = signerIdentifierType; }
/// <summary> /// Initialize a new instance of the <see cref="CmsSigner"/> class. /// </summary> /// <remarks> /// <para>The initial value of the <see cref="DigestAlgorithm"/> will be set to /// <see cref="DigestAlgorithm.Sha256"/> and both the /// <see cref="SignedAttributes"/> and <see cref="UnsignedAttributes"/> properties /// will be initialized to empty tables.</para> /// </remarks> /// <param name="chain">The chain of certificates starting with the signer's certificate back to the root.</param> /// <param name="key">The signer's private key.</param> /// <param name="signerIdentifierType">The scheme used for identifying the signer certificate.</param> /// <exception cref="System.ArgumentNullException"> /// <para><paramref name="chain"/> is <c>null</c>.</para> /// <para>-or-</para> /// <para><paramref name="key"/> is <c>null</c>.</para> /// </exception> /// <exception cref="System.ArgumentException"> /// <para><paramref name="chain"/> did not contain any certificates.</para> /// <para>-or-</para> /// <para>The certificate cannot be used for signing.</para> /// <para>-or-</para> /// <para><paramref name="key"/> is not a private key.</para> /// </exception> public CmsSigner(IEnumerable <X509Certificate> chain, AsymmetricKeyParameter key, SubjectIdentifierType signerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) : this() { if (chain == null) { throw new ArgumentNullException(nameof(chain)); } if (key == null) { throw new ArgumentNullException(nameof(key)); } CertificateChain = new X509CertificateChain(chain); if (CertificateChain.Count == 0) { throw new ArgumentException("The certificate chain was empty.", nameof(chain)); } CheckCertificateCanBeUsedForSigning(CertificateChain[0]); if (!key.IsPrivate) { throw new ArgumentException("The key must be a private key.", nameof(key)); } if (signerIdentifierType != SubjectIdentifierType.SubjectKeyIdentifier) { SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; } else { SignerIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; } Certificate = CertificateChain[0]; PrivateKey = key; }
public static void AddFirstSigner_DSA(SubjectIdentifierType identifierType, bool detached) { ContentInfo contentInfo = new ContentInfo(new byte[] { 9, 8, 7, 6, 5 }); SignedCms cms = new SignedCms(contentInfo, detached); using (X509Certificate2 signerCert = Certificates.Dsa1024.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(identifierType, signerCert); signer.IncludeOption = X509IncludeOption.EndCertOnly; // Best compatibility for DSA is SHA-1 (FIPS 186-2) signer.DigestAlgorithm = new Oid(Oids.Sha1, Oids.Sha1); cms.ComputeSignature(signer); } Assert.Single(cms.SignerInfos); Assert.Single(cms.Certificates); int expectedVersion = identifierType == SubjectIdentifierType.SubjectKeyIdentifier ? 3 : 1; Assert.Equal(expectedVersion, cms.Version); SignerInfo firstSigner = cms.SignerInfos[0]; Assert.Equal(identifierType, firstSigner.SignerIdentifier.Type); Assert.NotNull(firstSigner.Certificate); Assert.NotSame(cms.Certificates[0], firstSigner.Certificate); Assert.Equal(cms.Certificates[0], firstSigner.Certificate); #if netcoreapp byte[] signature = firstSigner.GetSignature(); Assert.NotEmpty(signature); // DSA PKIX signature format is a DER SEQUENCE. Assert.Equal(0x30, signature[0]); #endif cms.CheckSignature(true); byte[] encoded = cms.Encode(); cms = new SignedCms(); cms.Decode(encoded); Assert.Single(cms.SignerInfos); Assert.Single(cms.Certificates); Assert.Equal(expectedVersion, cms.Version); Assert.Equal(identifierType, cms.SignerInfos[0].SignerIdentifier.Type); Assert.Equal(firstSigner.Certificate, cms.SignerInfos[0].Certificate); #if netcoreapp byte[] sig2 = cms.SignerInfos[0].GetSignature(); Assert.Equal(signature, sig2); #endif if (detached) { Assert.Throws <CryptographicException>(() => cms.CheckSignature(true)); cms = new SignedCms(contentInfo, detached); cms.Decode(encoded); } cms.CheckSignature(true); }
internal unsafe SubjectIdentifier (CAPI.CRYPTOAPI_BLOB issuer, CAPI.CRYPTOAPI_BLOB serialNumber) { // If serial number is 0, then it is the special SKI encoding or NoSignature bool isSKIorHashOnly = true; byte * pb = (byte *) serialNumber.pbData; for (uint i = 0; i < serialNumber.cbData; i++) { if (*pb++ != (byte) 0) { isSKIorHashOnly = false; break; } } if (isSKIorHashOnly) { byte[] issuerBytes = new byte[issuer.cbData]; Marshal.Copy(issuer.pbData, issuerBytes, 0, issuerBytes.Length); X500DistinguishedName dummyName = new X500DistinguishedName(issuerBytes); if (String.Compare(CAPI.DummySignerCommonName, dummyName.Name, StringComparison.OrdinalIgnoreCase) == 0) { Reset(SubjectIdentifierType.NoSignature, null); return; } } if (isSKIorHashOnly) { // Decode disguised SKI in issuer field (See WinCrypt.h for more info). Note that some certificates may contain // an all-zero serial number but not be encoded with an szOID_KEYID_RDN. In order to allow use of signatures created // using these certificates, we will first try to find the szOID_KEYID_RDN, but if it does not exist, fall back to just // decoding the incoming issuer and serial number. m_type = SubjectIdentifierType.SubjectKeyIdentifier; m_value = String.Empty; uint cbCertNameInfo = 0; SafeLocalAllocHandle pbCertNameInfo = SafeLocalAllocHandle.InvalidHandle; if (CAPI.DecodeObject(new IntPtr(CAPI.X509_NAME), issuer.pbData, issuer.cbData, out pbCertNameInfo, out cbCertNameInfo)) { using (pbCertNameInfo) { checked { CAPI.CERT_NAME_INFO certNameInfo = (CAPI.CERT_NAME_INFO) Marshal.PtrToStructure(pbCertNameInfo.DangerousGetHandle(), typeof(CAPI.CERT_NAME_INFO)); for (uint i = 0; i < certNameInfo.cRDN; i++) { CAPI.CERT_RDN certRdn = (CAPI.CERT_RDN) Marshal.PtrToStructure(new IntPtr((long) certNameInfo.rgRDN + (long) (i * Marshal.SizeOf(typeof(CAPI.CERT_RDN)))), typeof(CAPI.CERT_RDN)); for (uint j = 0; j < certRdn.cRDNAttr; j++) { CAPI.CERT_RDN_ATTR certRdnAttr = (CAPI.CERT_RDN_ATTR)Marshal.PtrToStructure(new IntPtr((long)certRdn.rgRDNAttr + (long)(j * Marshal.SizeOf(typeof(CAPI.CERT_RDN_ATTR)))), typeof(CAPI.CERT_RDN_ATTR)); if (String.Compare(CAPI.szOID_KEYID_RDN, certRdnAttr.pszObjId, StringComparison.OrdinalIgnoreCase) == 0) { if (certRdnAttr.dwValueType == CAPI.CERT_RDN_OCTET_STRING) { byte[] ski = new byte[certRdnAttr.Value.cbData]; Marshal.Copy(certRdnAttr.Value.pbData, ski, 0, ski.Length); Reset(SubjectIdentifierType.SubjectKeyIdentifier, X509Utils.EncodeHexString(ski)); return; } } } } } } } } CAPI.CERT_ISSUER_SERIAL_NUMBER IssuerAndSerial; IssuerAndSerial.Issuer = issuer; IssuerAndSerial.SerialNumber = serialNumber; X509IssuerSerial issuerSerial = PkcsUtils.DecodeIssuerSerial(IssuerAndSerial); Reset(SubjectIdentifierType.IssuerAndSerialNumber, issuerSerial); }
public static void EnsureDataIsolation_NewDocument(bool detached) { byte[] contentBytes = { 9, 8, 7, 6, 5 }; ContentInfo contentInfo = new ContentInfo(contentBytes); SignedCms cms = new SignedCms(contentInfo, detached); SubjectIdentifierType firstType = SubjectIdentifierType.IssuerAndSerialNumber; SubjectIdentifierType secondType = SubjectIdentifierType.SubjectKeyIdentifier; using (X509Certificate2 signerCert = Certificates.RSA2048SignatureOnly.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(firstType, signerCert); signer.SignedAttributes.Add(new Pkcs9SigningTime()); cms.ComputeSignature(signer); } // CheckSignature doesn't read the public mutable data contentInfo.Content[0] ^= 0xFF; contentInfo.ContentType.Value = Oids.Pkcs7Hashed; cms.CheckSignature(true); using (X509Certificate2 signerCert = Certificates.RSA2048SignatureOnly.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(secondType, signerCert); signer.SignedAttributes.Add(new Pkcs9SigningTime()); // A second ComputeSignature uses the content value from the first one. cms.ComputeSignature(signer); } // They should have the same content digests. AsnEncodedData firstDigest = cms.SignerInfos[0].SignedAttributes .OfType <CryptographicAttributeObject>().First(cao => cao.Oid.Value == Oids.MessageDigest).Values[0]; AsnEncodedData secondDigest = cms.SignerInfos[1].SignedAttributes .OfType <CryptographicAttributeObject>().First(cao => cao.Oid.Value == Oids.MessageDigest).Values[0]; Assert.Equal(firstDigest.RawData.ByteArrayToHex(), secondDigest.RawData.ByteArrayToHex()); byte[] encoded = cms.Encode(); if (detached) { cms.Decode(encoded); // Because Decode leaves ContentInfo alone, and Decode resets the // "known" content, this will fail due to the tampered content. Assert.Throws <CryptographicException>(() => cms.CheckSignature(true)); // So put it back. cms.ContentInfo.Content[0] ^= 0xFF; } cms.Decode(encoded); if (detached) { // And break it again. cms.ContentInfo.Content[0] ^= 0xFF; } // Destroy the content that just got decoded. encoded.AsSpan().Fill(0x55); cms.CheckSignature(true); }
internal SubjectIdentifier(SubjectIdentifierType type, object value) { _type = type; _value = value; }
internal SubjectIdentifier (SubjectIdentifierType type, Object value) { Reset(type, value); }
private static byte[] BuildCustomToken( CertLoader cert, DateTimeOffset timestamp, SigningCertificateOption v1Option, SigningCertificateOption v2Option, HashAlgorithmName v2DigestAlg = default, X509IncludeOption includeOption = X509IncludeOption.ExcludeRoot, SubjectIdentifierType identifierType = SubjectIdentifierType.IssuerAndSerialNumber) { long accuracyMicroSeconds = (long)(TimeSpan.FromMinutes(1).TotalMilliseconds * 1000); byte[] serialNumber = BitConverter.GetBytes(DateTimeOffset.UtcNow.Ticks); Array.Reverse(serialNumber); Rfc3161TimestampTokenInfo info = new Rfc3161TimestampTokenInfo( new Oid("0.0", "0.0"), new Oid(Oids.Sha384), new byte[384 / 8], serialNumber, timestamp, accuracyMicroSeconds, isOrdering: true); ContentInfo contentInfo = new ContentInfo(new Oid(Oids.TstInfo, Oids.TstInfo), info.Encode()); SignedCms cms = new SignedCms(contentInfo); using (X509Certificate2 tsaCert = cert.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(identifierType, tsaCert) { IncludeOption = includeOption }; if (v1Option != SigningCertificateOption.Omit) { ExpandOption(v1Option, out bool validHash, out bool skipIssuerSerial, out bool validName, out bool validSerial); // simple SigningCertificate byte[] signingCertificateV1Bytes = "301A3018301604140000000000000000000000000000000000000000".HexToByteArray(); if (validHash) { byte[] hash = SHA1.HashData(tsaCert.RawData); Buffer.BlockCopy( hash, 0, signingCertificateV1Bytes, signingCertificateV1Bytes.Length - hash.Length, hash.Length); } if (!skipIssuerSerial) { byte[] footer = BuildIssuerAndSerialNumber(tsaCert, validName, validSerial); signingCertificateV1Bytes[1] += (byte)footer.Length; signingCertificateV1Bytes[3] += (byte)footer.Length; signingCertificateV1Bytes[5] += (byte)footer.Length; Assert.InRange(signingCertificateV1Bytes[1], 0, 127); signingCertificateV1Bytes = signingCertificateV1Bytes.Concat(footer).ToArray(); } signer.SignedAttributes.Add( new AsnEncodedData("1.2.840.113549.1.9.16.2.12", signingCertificateV1Bytes)); } if (v2Option != SigningCertificateOption.Omit) { byte[] attrBytes; byte[] algBytes = Array.Empty <byte>(); byte[] hashBytes; byte[] issuerNameBytes = Array.Empty <byte>(); if (v2DigestAlg != default) { switch (v2DigestAlg.Name) { case "MD5": algBytes = "300C06082A864886F70D02050500".HexToByteArray(); break; case "SHA1": algBytes = "300906052B0E03021A0500".HexToByteArray(); break; case "SHA256": // Invalid under DER, because it's the default. algBytes = "300D06096086480165030402010500".HexToByteArray(); break; case "SHA384": algBytes = "300D06096086480165030402020500".HexToByteArray(); break; case "SHA512": algBytes = "300D06096086480165030402030500".HexToByteArray(); break; default: throw new NotSupportedException(v2DigestAlg.Name); } } else { v2DigestAlg = HashAlgorithmName.SHA256; } hashBytes = tsaCert.GetCertHash(v2DigestAlg); ExpandOption(v2Option, out bool validHash, out bool skipIssuerSerial, out bool validName, out bool validSerial); if (!validHash) { hashBytes[0] ^= 0xFF; } if (!skipIssuerSerial) { issuerNameBytes = BuildIssuerAndSerialNumber(tsaCert, validName, validSerial); } // hashBytes hasn't been wrapped in an OCTET STRING yet, so add 2 more. int payloadSize = algBytes.Length + hashBytes.Length + issuerNameBytes.Length + 2; Assert.InRange(payloadSize, 0, 123); attrBytes = new byte[payloadSize + 6]; int index = 0; // SEQUENCE (SigningCertificateV2) attrBytes[index++] = 0x30; attrBytes[index++] = (byte)(payloadSize + 4); // SEQUENCE OF => certs attrBytes[index++] = 0x30; attrBytes[index++] = (byte)(payloadSize + 2); // SEQUENCE (ESSCertIdV2) attrBytes[index++] = 0x30; attrBytes[index++] = (byte)payloadSize; Buffer.BlockCopy(algBytes, 0, attrBytes, index, algBytes.Length); index += algBytes.Length; // OCTET STRING (Hash) attrBytes[index++] = 0x04; attrBytes[index++] = (byte)hashBytes.Length; Buffer.BlockCopy(hashBytes, 0, attrBytes, index, hashBytes.Length); index += hashBytes.Length; Buffer.BlockCopy(issuerNameBytes, 0, attrBytes, index, issuerNameBytes.Length); signer.SignedAttributes.Add( new AsnEncodedData("1.2.840.113549.1.9.16.2.47", attrBytes)); } cms.ComputeSignature(signer); } return(cms.Encode()); }
internal unsafe SubjectIdentifier(System.Security.Cryptography.CAPI.CRYPTOAPI_BLOB issuer, System.Security.Cryptography.CAPI.CRYPTOAPI_BLOB serialNumber) { System.Security.Cryptography.CAPI.CERT_ISSUER_SERIAL_NUMBER cert_issuer_serial_number; bool flag = true; byte *pbData = (byte *)serialNumber.pbData; for (uint i = 0; i < serialNumber.cbData; i++) { pbData++; if (pbData[0] != 0) { flag = false; break; } } if (flag) { byte[] destination = new byte[issuer.cbData]; Marshal.Copy(issuer.pbData, destination, 0, destination.Length); X500DistinguishedName name = new X500DistinguishedName(destination); if (string.Compare("CN=Dummy Signer", name.Name, StringComparison.OrdinalIgnoreCase) == 0) { this.Reset(SubjectIdentifierType.NoSignature, null); return; } } if (flag) { this.m_type = SubjectIdentifierType.SubjectKeyIdentifier; this.m_value = string.Empty; uint cbDecodedValue = 0; System.Security.Cryptography.SafeLocalAllocHandle invalidHandle = System.Security.Cryptography.SafeLocalAllocHandle.InvalidHandle; if (!System.Security.Cryptography.CAPI.DecodeObject(new IntPtr(7L), issuer.pbData, issuer.cbData, out invalidHandle, out cbDecodedValue)) { throw new CryptographicException(Marshal.GetLastWin32Error()); } using (invalidHandle) { System.Security.Cryptography.CAPI.CERT_NAME_INFO cert_name_info = (System.Security.Cryptography.CAPI.CERT_NAME_INFO)Marshal.PtrToStructure(invalidHandle.DangerousGetHandle(), typeof(System.Security.Cryptography.CAPI.CERT_NAME_INFO)); for (uint j = 0; j < cert_name_info.cRDN; j++) { System.Security.Cryptography.CAPI.CERT_RDN cert_rdn = (System.Security.Cryptography.CAPI.CERT_RDN)Marshal.PtrToStructure(new IntPtr(((long)cert_name_info.rgRDN) + (j * Marshal.SizeOf(typeof(System.Security.Cryptography.CAPI.CERT_RDN)))), typeof(System.Security.Cryptography.CAPI.CERT_RDN)); for (uint k = 0; k < cert_rdn.cRDNAttr; k++) { System.Security.Cryptography.CAPI.CERT_RDN_ATTR cert_rdn_attr = (System.Security.Cryptography.CAPI.CERT_RDN_ATTR)Marshal.PtrToStructure(new IntPtr(((long)cert_rdn.rgRDNAttr) + (k * Marshal.SizeOf(typeof(System.Security.Cryptography.CAPI.CERT_RDN_ATTR)))), typeof(System.Security.Cryptography.CAPI.CERT_RDN_ATTR)); if ((string.Compare("1.3.6.1.4.1.311.10.7.1", cert_rdn_attr.pszObjId, StringComparison.OrdinalIgnoreCase) == 0) && (cert_rdn_attr.dwValueType == 2)) { byte[] buffer2 = new byte[cert_rdn_attr.Value.cbData]; Marshal.Copy(cert_rdn_attr.Value.pbData, buffer2, 0, buffer2.Length); this.Reset(SubjectIdentifierType.SubjectKeyIdentifier, System.Security.Cryptography.X509Certificates.X509Utils.EncodeHexString(buffer2)); return; } } } } throw new CryptographicException(-2146889715); } cert_issuer_serial_number.Issuer = issuer; cert_issuer_serial_number.SerialNumber = serialNumber; X509IssuerSerial serial = PkcsUtils.DecodeIssuerSerial(cert_issuer_serial_number); this.Reset(SubjectIdentifierType.IssuerAndSerialNumber, serial); }
public CmsRecipientCollection(SubjectIdentifierType recipientIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2Collection certificates) { }
public CmsSigner(SubjectIdentifierType signerIdentifierType) : this(signerIdentifierType, null) { }
internal unsafe SubjectIdentifier(CAPI.CRYPTOAPI_BLOB issuer, CAPI.CRYPTOAPI_BLOB serialNumber) { // If serial number is 0, then it is the special SKI encoding or NoSignature bool isSKIorHashOnly = true; byte *pb = (byte *)serialNumber.pbData; for (uint i = 0; i < serialNumber.cbData; i++) { if (*pb++ != (byte)0) { isSKIorHashOnly = false; break; } } if (isSKIorHashOnly) { byte[] issuerBytes = new byte[issuer.cbData]; Marshal.Copy(issuer.pbData, issuerBytes, 0, issuerBytes.Length); X500DistinguishedName dummyName = new X500DistinguishedName(issuerBytes); if (String.Compare(CAPI.DummySignerCommonName, dummyName.Name, StringComparison.OrdinalIgnoreCase) == 0) { Reset(SubjectIdentifierType.NoSignature, null); return; } } if (isSKIorHashOnly) { // Decode disguised SKI in issuer field (See WinCrypt.h for more info). Note that some certificates may contain // an all-zero serial number but not be encoded with an szOID_KEYID_RDN. In order to allow use of signatures created // using these certificates, we will first try to find the szOID_KEYID_RDN, but if it does not exist, fall back to just // decoding the incoming issuer and serial number. m_type = SubjectIdentifierType.SubjectKeyIdentifier; m_value = String.Empty; uint cbCertNameInfo = 0; SafeLocalAllocHandle pbCertNameInfo = SafeLocalAllocHandle.InvalidHandle; if (CAPI.DecodeObject(new IntPtr(CAPI.X509_NAME), issuer.pbData, issuer.cbData, out pbCertNameInfo, out cbCertNameInfo)) { using (pbCertNameInfo) { checked { CAPI.CERT_NAME_INFO certNameInfo = (CAPI.CERT_NAME_INFO)Marshal.PtrToStructure(pbCertNameInfo.DangerousGetHandle(), typeof(CAPI.CERT_NAME_INFO)); for (uint i = 0; i < certNameInfo.cRDN; i++) { CAPI.CERT_RDN certRdn = (CAPI.CERT_RDN)Marshal.PtrToStructure(new IntPtr((long)certNameInfo.rgRDN + (long)(i * Marshal.SizeOf(typeof(CAPI.CERT_RDN)))), typeof(CAPI.CERT_RDN)); for (uint j = 0; j < certRdn.cRDNAttr; j++) { CAPI.CERT_RDN_ATTR certRdnAttr = (CAPI.CERT_RDN_ATTR)Marshal.PtrToStructure(new IntPtr((long)certRdn.rgRDNAttr + (long)(j * Marshal.SizeOf(typeof(CAPI.CERT_RDN_ATTR)))), typeof(CAPI.CERT_RDN_ATTR)); if (String.Compare(CAPI.szOID_KEYID_RDN, certRdnAttr.pszObjId, StringComparison.OrdinalIgnoreCase) == 0) { if (certRdnAttr.dwValueType == CAPI.CERT_RDN_OCTET_STRING) { byte[] ski = new byte[certRdnAttr.Value.cbData]; Marshal.Copy(certRdnAttr.Value.pbData, ski, 0, ski.Length); Reset(SubjectIdentifierType.SubjectKeyIdentifier, X509Utils.EncodeHexString(ski)); return; } } } } } } } } CAPI.CERT_ISSUER_SERIAL_NUMBER IssuerAndSerial; IssuerAndSerial.Issuer = issuer; IssuerAndSerial.SerialNumber = serialNumber; X509IssuerSerial issuerSerial = PkcsUtils.DecodeIssuerSerial(IssuerAndSerial); Reset(SubjectIdentifierType.IssuerAndSerialNumber, issuerSerial); }
private void TestSimpleDecrypt_RoundTrip(CertLoader certLoader, ContentInfo contentInfo, string algorithmOidValue, SubjectIdentifierType type, ContentInfo expectedContentInfo = null) { // Deep-copy the contentInfo since the real ContentInfo doesn't do this. This defends against a bad implementation changing // our "expectedContentInfo" to match what it produces. expectedContentInfo = expectedContentInfo ?? new ContentInfo(new Oid(contentInfo.ContentType), (byte[])(contentInfo.Content.Clone())); string certSubjectName; byte[] encodedMessage; byte[] originalCopy = (byte[])(contentInfo.Content.Clone()); using (X509Certificate2 certificate = certLoader.GetCertificate()) { certSubjectName = certificate.Subject; AlgorithmIdentifier alg = new AlgorithmIdentifier(new Oid(algorithmOidValue)); EnvelopedCms ecms = new EnvelopedCms(contentInfo, alg); CmsRecipient cmsRecipient = new CmsRecipient(type, certificate); ecms.Encrypt(cmsRecipient); Assert.Equal(originalCopy.ByteArrayToHex(), ecms.ContentInfo.Content.ByteArrayToHex()); encodedMessage = ecms.Encode(); } // We don't pass "certificate" down because it's expected that the certificate used for encrypting doesn't have a private key (part of the purpose of this test is // to ensure that you don't need the recipient's private key to encrypt.) The decrypt phase will have to locate the matching cert with the private key. VerifySimpleDecrypt(encodedMessage, certLoader, expectedContentInfo); }
/// <summary> /// Initializes a new instance of the <see cref="MimeKit.Cryptography.CmsRecipient"/> class. /// </summary> /// <remarks> /// <para>Creates a new <see cref="CmsRecipient"/>, loading the certificate from the specified stream.</para> /// <para>The initial value of the <see cref="EncryptionAlgorithms"/> property will be set to /// the Triple-DES encryption algorithm, which should be safe to assume for all modern /// S/MIME v3.x client implementations.</para> /// </remarks> /// <param name="stream">The stream containing the recipient's certificate.</param> /// <param name="recipientIdentifierType">The recipient identifier type.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="stream"/> is <c>null</c>. /// </exception> /// <exception cref="System.IO.IOException"> /// An I/O error occurred. /// </exception> public CmsRecipient (Stream stream, SubjectIdentifierType recipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber) { if (stream == null) throw new ArgumentNullException (nameof (stream)); if (recipientIdentifierType == SubjectIdentifierType.IssuerAndSerialNumber) RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; else RecipientIdentifierType = SubjectIdentifierType.SubjectKeyIdentifier; var parser = new X509CertificateParser (); EncryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.TripleDes }; RecipientIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber; Certificate = parser.ReadCertificate (stream); }
public static void AddCounterSigner_ECDSA(SubjectIdentifierType identifierType, string digestOid) { SignedCms cms = new SignedCms(); cms.Decode(SignedDocuments.RsaPkcs1OneSignerIssuerAndSerialNumber); Assert.Single(cms.Certificates); SignerInfo firstSigner = cms.SignerInfos[0]; Assert.Empty(firstSigner.CounterSignerInfos); Assert.Empty(firstSigner.UnsignedAttributes); using (X509Certificate2 signerCert = Certificates.ECDsaP256Win.TryGetCertificateWithPrivateKey()) { CmsSigner signer = new CmsSigner(identifierType, signerCert); signer.IncludeOption = X509IncludeOption.EndCertOnly; signer.DigestAlgorithm = new Oid(digestOid, digestOid); firstSigner.ComputeCounterSignature(signer); } Assert.Empty(firstSigner.CounterSignerInfos); Assert.Empty(firstSigner.UnsignedAttributes); SignerInfo firstSigner2 = cms.SignerInfos[0]; Assert.Single(firstSigner2.CounterSignerInfos); Assert.Single(firstSigner2.UnsignedAttributes); Assert.Single(cms.SignerInfos); Assert.Equal(2, cms.Certificates.Count); SignerInfo counterSigner = firstSigner2.CounterSignerInfos[0]; int expectedVersion = identifierType == SubjectIdentifierType.IssuerAndSerialNumber ? 1 : 3; Assert.Equal(expectedVersion, counterSigner.Version); // On NetFx there will be two attributes, because Windows emits the // content-type attribute even for counter-signers. int expectedCount = 1; #if netfx expectedCount = 2; #endif Assert.Equal(expectedCount, counterSigner.SignedAttributes.Count); Assert.Equal(Oids.MessageDigest, counterSigner.SignedAttributes[expectedCount - 1].Oid.Value); Assert.NotEqual(firstSigner2.Certificate, counterSigner.Certificate); Assert.Equal(2, cms.Certificates.Count); #if netcoreapp byte[] signature = counterSigner.GetSignature(); Assert.NotEmpty(signature); // DSA PKIX signature format is a DER SEQUENCE. Assert.Equal(0x30, signature[0]); // ECDSA Oids are all under 1.2.840.10045.4. Assert.StartsWith("1.2.840.10045.4.", counterSigner.SignatureAlgorithm.Value); #endif cms.CheckSignature(true); byte[] encoded = cms.Encode(); cms.Decode(encoded); cms.CheckSignature(true); }
internal SubjectIdentifier(SubjectIdentifierType type, object value) { this.Reset(type, value); }