protected byte[] GenerateSignature(byte[] manifest, X509Certificate2 appleCert, X509Certificate2 passCert)
{
X509Certificate apple = DotNetUtilities.FromX509Certificate(appleCert);
X509Certificate cert = DotNetUtilities.FromX509Certificate(passCert);
var privateKey = DotNetUtilities.GetKeyPair(passCert.PrivateKey).Private;
var generator = new CmsSignedDataGenerator();
generator.AddSigner(privateKey, cert, CmsSignedGenerator.DigestSha1);
var list = new List <X509Certificate>();
list.Add(cert);
list.Add(apple);
X509CollectionStoreParameters storeParameters = new X509CollectionStoreParameters(list);
IX509Store store509 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParameters);
generator.AddCertificates(store509);
var content = new CmsProcessableByteArray(manifest);
var signature = generator.Generate(content, false).GetEncoded();
return(signature);
}
protected static byte[] SignWithSystem(byte[] data, AsymmetricKeyParameter key, X509Certificate cert, X509Certificate[] chain)
{
var generator = new CmsSignedDataGenerator();
// Add signing key
generator.AddSigner(
key,
cert,
"2.16.840.1.101.3.4.2.1"); // SHA256 digest ID
var storeCerts = new List <X509Certificate>();
storeCerts.Add(cert); // NOTE: Adding end certificate too
storeCerts.AddRange(chain); // I'm assuming the chain collection doesn't contain the end certificate already
// Construct a store from the collection of certificates and add to generator
var storeParams = new X509CollectionStoreParameters(storeCerts);
var certStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParams);
generator.AddCertificates(certStore);
// Generate the signature
var signedData = generator.Generate(
new CmsProcessableByteArray(data),
false); // encapsulate = false for detached signature
return(signedData.GetEncoded());
}
private string SignMessage(string msg, bool isProd)
{
var gen = new CmsSignedDataGenerator();
X509Certificate2 certificate = GetCertificate(isProd);
var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private;
var cert = DotNetUtilities.FromX509Certificate(certificate);
gen.AddSigner(privKey, cert, CmsSignedDataGenerator.DigestSha1);
var certX509 = DotNetUtilities.ToX509Certificate(cert.CertificateStructure);
var certList = new List <Org.BouncyCastle.X509.X509Certificate>();
certList.Add(cert);
X509CollectionStoreParameters PP = new X509CollectionStoreParameters(certList);
IX509Store st1 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP);
gen.AddCertificates(st1);
Encoding EncodedMsg = Encoding.UTF8;
byte[] dataToSign = EncodedMsg.GetBytes(msg);
CmsProcessable data = new CmsProcessableByteArray(dataToSign);
CmsSignedData signed = gen.Generate(PkcsObjectIdentifiers.Pkcs7, data, true);
var result = signed.GetEncoded();
return(Convert.ToBase64String(result));
}
public bool Validate(Certificate cert)
{
PkixCertPathBuilder builder = new PkixCertPathBuilder();
try
{
// Separate root from itermediate
List <X509Certificate> intermediateCerts = new List <X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (X509Certificate x509Cert in certs.Select(a => a.X509Certificate))
{
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
{
rootCerts.Add(new TrustAnchor(x509Cert, null));
}
else
{
intermediateCerts.Add(x509Cert);
}
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = cert.X509Certificate;
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters));
try
{
builder.Build(builderParams);
return(true);
}
catch (Exception)
{
return(false);
}
}
catch (Exception e)
{
throw new CryptoException($"Error validating certificate. {e.Message}");
}
}
BuildCertificateChainBC(
byte[] primary,
System.Collections.Generic.IEnumerable <byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate> intermediateCerts =
new System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate>();
Org.BouncyCastle.Utilities.Collections.HashSet rootCerts =
new Org.BouncyCastle.Utilities.Collections.HashSet();
foreach (byte[] cert in additional)
{
Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
{
rootCerts.Add(new TrustAnchor(x509Cert, null));
}
else
{
intermediateCerts.Add(x509Cert);
}
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
return(System.Linq.Enumerable.Cast <Org.BouncyCastle.X509.X509Certificate>(result.CertPath.Certificates));
}
//jbonilla - Por algún motivo, no devuleve el certificado root.
public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection <X509Certificate> keystore)
{
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Separate root from itermediate
List <X509Certificate> intermediateCerts = new List <X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (X509Certificate cert in keystore)
{
// Separate root and subordinate certificates
if (IsSelfSigned(cert))
{
rootCerts.Add(new TrustAnchor(cert, null));
}
else
{
intermediateCerts.Add(cert);
}
}
// Create chain for this certificate
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = checkCert;
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
List <X509Certificate> chain = new List <X509Certificate>();
foreach (X509Certificate cert in result.CertPath.Certificates)
{
chain.Add(cert);
}
return(chain.ToArray());
}
internal static IList <X509Certificate> BuildCertificateChain(X509Certificate primaryCertificate, IEnumerable <X509Certificate> additionalCertificates)
{
var parser = new X509CertificateParser();
var builder = new PkixCertPathBuilder();
// Separate root from itermediate
var intermediateCerts = new List <X509Certificate>();
var rootCerts = new BouncyCastle.Utilities.Collections.HashSet();
foreach (var cert in additionalCertificates)
{
// Separate root and subordinate certificates
if (cert.IssuerDN.Equivalent(cert.SubjectDN))
{
rootCerts.Add(new TrustAnchor(cert, null));
}
else
{
intermediateCerts.Add(cert);
}
}
// Create chain for this certificate
var holder = new X509CertStoreSelector();
holder.Certificate = primaryCertificate;
// WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
return(result.CertPath.Certificates.Cast <X509Certificate>().ToList());
}
/// <summary>
/// Signiert die Daten mit dem angegebenen Absender-Zertifikat
/// </summary>
/// <param name="data">Die zu signierenden Daten</param>
/// <param name="privateKey">Der private Schlüssel mit dem signiert werden soll (passend zum Zeritifikat <paramref name="cert"/>)</param>
/// <param name="cert">Das Absender-Zertifikat</param>
/// <param name="certs">Die Zertifikate, die zusätzlich im Ergebnis gespeichert werden sollen (z.B. für eine Zertifkatskette)</param>
/// <returns>Die signierten Daten</returns>
public static byte[] SignData(byte[] data, AsymmetricKeyParameter privateKey, X509Certificate cert, IEnumerable <X509Certificate> certs = null)
{
var gen = new CmsSignedDataGenerator();
var allCerts = new List <X509Certificate>();
if (certs != null)
{
allCerts.AddRange(certs);
}
var storeParams = new X509CollectionStoreParameters(allCerts);
var certStore = X509StoreFactory.Create("Certificate/Collection", storeParams);
gen.AddCertificates(certStore);
gen.AddSigner(privateKey, cert, NistObjectIdentifiers.IdSha256.Id);
var message = new CmsProcessableByteArray(data);
var signedData = gen.Generate(message, true);
return(signedData.GetEncoded());
}
private static IList BuildCertificateChainBC(byte[] primary, IEnumerable <byte[]> additional)
{
X509CertificateParser parser = new X509CertificateParser();
PkixCertPathBuilder builder = new PkixCertPathBuilder();
List <X509Certificate> intermediateCerts = new List <X509Certificate>();
HashSet rootCerts = new HashSet();
foreach (byte[] cert in additional)
{
X509Certificate x509Cert = parser.ReadCertificate(cert);
// Separate root and subordinate certificates
if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN))
{
rootCerts.Add(new TrustAnchor(x509Cert, null));
}
else
{
intermediateCerts.Add(x509Cert);
}
}
X509CertStoreSelector holder = new X509CertStoreSelector();
holder.Certificate = parser.ReadCertificate(primary);
intermediateCerts.Add(holder.Certificate);
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder);
builderParams.IsRevocationEnabled = false;
X509CollectionStoreParameters intermediateStoreParameters =
new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
"Certificate/Collection", intermediateStoreParameters));
PkixCertPathBuilderResult result = builder.Build(builderParams);
return(result.CertPath.Certificates);
}
public byte[] Sign(Stream data)
{
CmsProcessable msg = new CmsProcessableInputStream(data);
CmsSignedDataGenerator gen = new CmsSignedDataGenerator();
SignerInfoGenerator signerInfoGenerator = new SignerInfoGeneratorBuilder()
.WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator())
.Build(new Asn1SignatureFactory(algorithm, key), chain[0]);
gen.AddSignerInfoGenerator(signerInfoGenerator);
X509CollectionStoreParameters collectionStoreParameters = new X509CollectionStoreParameters(new List <X509Certificate>(chain));
IX509Store collectionStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", collectionStoreParameters);
gen.AddCertificates(collectionStore);
CmsSignedData sigData = gen.Generate(msg, false);
return(sigData.GetEncoded());
}
public static IX509Store Create(string type, IX509StoreParameters parameters)
{
if (type == null)
{
throw new ArgumentNullException("type");
}
string[] array = Platform.ToUpperInvariant(type).Split('/');
if (array.Length < 2)
{
throw new ArgumentException("type");
}
if (array[1] != "COLLECTION")
{
throw new NoSuchStoreException("X.509 store type '" + type + "' not available.");
}
X509CollectionStoreParameters x509CollectionStoreParameters = (X509CollectionStoreParameters)parameters;
ICollection collection = x509CollectionStoreParameters.GetCollection();
switch (array[0])
{
case "ATTRIBUTECERTIFICATE":
checkCorrectType(collection, typeof(IX509AttributeCertificate));
break;
case "CERTIFICATE":
checkCorrectType(collection, typeof(X509Certificate));
break;
case "CERTIFICATEPAIR":
checkCorrectType(collection, typeof(X509CertificatePair));
break;
case "CRL":
checkCorrectType(collection, typeof(X509Crl));
break;
default:
throw new NoSuchStoreException("X.509 store type '" + type + "' not available.");
}
return(new X509CollectionStore(collection));
}
private byte[] SignWithCertificate(byte[] bytesToSign)
{
var generator = new CmsSignedDataGenerator();
var privKey = _gatewayKeyProvider.SigningPrivateKey;
var certificate = _gatewayKeyProvider.SigningCertificate;
var certificates = new List <Org.BouncyCastle.X509.X509Certificate>();
certificates.Add(certificate);
var storeParameters = new X509CollectionStoreParameters(certificates);
IX509Store store = X509StoreFactory.Create("Certificate/Collection", storeParameters);
generator.AddSigner(privKey, certificate, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256);
generator.AddCertificates(store);
var message = new CmsProcessableByteArray(bytesToSign);
CmsSignedData signedData = generator.Generate(message, false);
return(signedData.GetEncoded());
}
static void Main(string[] args)
{
byte[] entradaArray = File.ReadAllBytes(@"certificado/arquivoTeste.txt");
AsymmetricKeyParameter chavePrivada;
X509Certificate certificadoX509 = getCertificadoX509(@"certificado/certificado.p12", "123!@#", out chavePrivada);
SHA512Managed hashSHA512 = new SHA512Managed();
SHA256Managed hashSHA256 = new SHA256Managed();
byte[] certificadoX509Hash = hashSHA256.ComputeHash(certificadoX509.GetEncoded());
byte[] EntradaHash = hashSHA512.ComputeHash(entradaArray);
CmsSignedDataGenerator geradorCms = new CmsSignedDataGenerator();
//
//atributos
//
Asn1EncodableVector atributosAssinados = new Asn1EncodableVector();
//1.2.840.113549.1.9.3 -> ContentType
//1.2.840.113549.1.7.1 -> RSA Security Data Inc
atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.ContentType, new DerSet(new DerObjectIdentifier("1.2.840.113549.1.7.1"))));
//1.2.840.113549.1.9.5 -> Signing Time
atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.SigningTime, new DerSet(new DerUtcTime(DateTime.Now))));
//1.2.840.113549.1.9.4 -> messageDigest
atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.MessageDigest, new DerSet(new DerOctetString(EntradaHash))));
//2.16.840.1.101.3.4.2.3 -> SHA-512
//2.16.840.1.101.3.4.2.1 -> SHA-256
//1.2.840.113549.1.9.16.5.1 -> sigPolicyQualifier-spuri
DerObjectIdentifier identificadorPolicyID = new DerObjectIdentifier("1.2.840.113549.1.9.16.2.15");
byte[] policyHASH = System.Text.Encoding.ASCII.GetBytes("0F6FA2C6281981716C95C79899039844523B1C61C2C962289CDAC7811FEEE29E");
List <SigPolicyQualifierInfo> sigPolicyQualifierInfos = new List <SigPolicyQualifierInfo>();
Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier algoritmoIdentificador = new Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier("2.16.840.1.101.3.4.2.3");
SigPolicyQualifierInfo bcSigPolicyQualifierInfo = new SigPolicyQualifierInfo(new DerObjectIdentifier("1.2.840.113549.1.9.16.5.1"), new DerIA5String("http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_2.der"));
sigPolicyQualifierInfos.Add(bcSigPolicyQualifierInfo);
SignaturePolicyId signaturePolicyId = new SignaturePolicyId(DerObjectIdentifier.GetInstance(new DerObjectIdentifier("2.16.76.1.7.1.6.2.2")), new OtherHashAlgAndValue(algoritmoIdentificador, new DerOctetString(policyHASH)), sigPolicyQualifierInfos);
atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(identificadorPolicyID, new DerSet(signaturePolicyId)));
//1.2.840.113549.1.9.16.2.47 -> id-aa-signingCertificateV2
Org.BouncyCastle.Asn1.Ess.EssCertIDv2 essCertIDv2;
essCertIDv2 = new Org.BouncyCastle.Asn1.Ess.EssCertIDv2(certificadoX509Hash);
atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(new DerObjectIdentifier("1.2.840.113549.1.9.16.2.47"), new DerSet(essCertIDv2)));
AttributeTable atributosAssinadosTabela = new AttributeTable(atributosAssinados);
//geradorCms.AddSigner(chavePrivada, certificadoX509, CmsSignedDataGenerator.DigestSha256, new DefaultSignedAttributeTableGenerator(atributosAssinadosTabela), null);
geradorCms.AddSigner(chavePrivada, certificadoX509, CmsSignedDataGenerator.DigestSha512, new DefaultSignedAttributeTableGenerator(atributosAssinadosTabela), null);
List <X509Certificate> certificadoX509Lista = new List <X509Certificate>();
certificadoX509Lista.Add(certificadoX509);
//storeCerts.AddRange(chain);
X509CollectionStoreParameters parametrosArmazem = new X509CollectionStoreParameters(certificadoX509Lista);
IX509Store armazemCertificado = X509StoreFactory.Create("CERTIFICATE/COLLECTION", parametrosArmazem);
geradorCms.AddCertificates(armazemCertificado);
var dadosAssinado = geradorCms.Generate(new CmsProcessableByteArray(entradaArray), true); // encapsulate = false for detached signature
Console.WriteLine("Codificado => " + Convert.ToBase64String(dadosAssinado.GetEncoded()));
}
