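        /// <summary>
        /// Loads the signing certificate from a PKCS#12 (PFX) key store together with the private key
        /// and the provider that performs the cryptographic work.
        /// </summary>
        /// <param name="path">Path of the PFX file.</param>
        /// <param name="password">Password protecting the key store.</param>
        /// <param name="privateKey">Receives the private key of the certificate; null unless exactly one signing certificate was found.</param>
        /// <param name="provider">Receives the provider in charge of the cryptographic operations; null unless exactly one signing certificate was found.</param>
        /// <returns>The certificate, or null when the store holds zero or more than one signing certificate.</returns>
        private static X509Certificate LoadCertificate(string path, string password, out PrivateKey privateKey, out Provider provider)
        {
            X509Certificate certificate = null;

            provider   = null;
            privateKey = null;

            // Load the certificate from the PFX file
            KeyStore ks = KeyStore.getInstance("PKCS12");

            // KeyStore.load does not close the stream it is given, so close it here even when load throws.
            BufferedInputStream pfxStream = new BufferedInputStream(new FileInputStream(path));
            try
            {
                ks.load(pfxStream, password.ToCharArray());
            }
            finally
            {
                pfxStream.close();
            }

            IPKStoreManager storeManager = new KSStore(ks, new PassStoreKS(password));
            var             certificates = storeManager.getSignCertificates();

            // Only an unambiguous store is accepted: with several signing certificates nothing is returned.
            if (certificates.size() == 1)
            {
                certificate = (X509Certificate)certificates.get(0);

                // Private key associated with the certificate
                privateKey = storeManager.getPrivateKey(certificate);

                // Provider in charge of the cryptographic work
                provider = storeManager.getProvider(certificate);
            }

            return(certificate);
        }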
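        /// <summary>
        /// Signs the XML document at <paramref name="origen"/> with an enveloped XAdES-BES signature
        /// (XAdES 1.3.2 schema, signature placed under the "comprobante" node) and writes the result to <paramref name="destino"/>.
        /// </summary>
        /// <param name="origen">Path of the XML document to sign.</param>
        /// <param name="destino">Path where the signed document is written.</param>
        /// <param name="rutaFirma">Path of the PFX file holding the signing certificate.</param>
        /// <param name="contraseniaFirma">Password of the PFX file.</param>
        public static void Firmar(string origen, string destino, string rutaFirma, string contraseniaFirma)
        {
            PrivateKey      privateKey;
            Provider        provider;
            X509Certificate certificate = LoadCertificate(rutaFirma, contraseniaFirma, out privateKey, out provider);

            // LoadCertificate returns null when the store does not hold exactly one signing certificate;
            // in that case nothing is signed and nothing is written.
            if (certificate == null)
            {
                return;
            }

            // Signature policy (with the Java libraries this is configured at run time)
            // NOTE(review): the first four assignments are overwritten by the next four before they are used;
            // they are kept only in case newInstance()/getInstance() have side effects — confirm and drop if not.
            TrustFactory.instance             = TrustExtendFactory.newInstance();
            TrustFactory.truster              = MyPropsTruster.getInstance();
            PoliciesManager.POLICY_SIGN       = new Facturae31Manager();
            PoliciesManager.POLICY_VALIDATION = new Facturae31Manager();
            TrustFactory.instance             = TrustFactory.newInstance();
            TrustFactory.truster              = PropsTruster.getInstance();
            PoliciesManager.POLICY_SIGN       = new Facturae31Manager();
            PoliciesManager.POLICY_VALIDATION = new Facturae31Manager();

            DataToSign dataToSign = new DataToSign();
            dataToSign.setXadesFormat(EnumFormatoFirma.XAdES_BES);
            dataToSign.setEsquema(XAdESSchemas.XAdES_132);
            dataToSign.setXMLEncoding("UTF-8");
            dataToSign.setEnveloped(true);
            dataToSign.setParentSignNode("comprobante");
            dataToSign.addObject(new ObjectToSign(new InternObjectToSign("comprobante"), "contenido comprobante", null, "text/xml", null));
            dataToSign.setDocument(Erp90w(origen));

            // signFile returns the signed document as the first element of the array.
            object[] objArray = (new FirmaXML()).signFile(certificate, dataToSign, privateKey, provider);

            // Close the output stream even when saving fails, so a partially written file does not hold the handle.
            FileOutputStream fileOutputStream = new FileOutputStream(destino);
            try
            {
                UtilidadTratarNodo.saveDocumentToOutputStream((Document)objArray[0], fileOutputStream, true);
            }
            finally
            {
                fileOutputStream.close();
            }
        }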
 /// <summary>
 /// Shows the leaf certificate of the chain in the system certificate viewer.
 /// </summary>
 /// <param name="certificates">Certificate chain; only certificates[0] is displayed.</param>
 /// <returns>Always true.</returns>
 public override bool displayCertificates(X509Certificate[] certificates)
 {
     //todo did not find a way to show the chain in the case of self signed certs
     X509Certificate2 leaf = ConvertCertificate(certificates[0]);
     X509Certificate2UI.DisplayCertificate(leaf);
     return true;
 }
 /// <summary>
 /// JNI bridge for X509HostnameVerifier.verify(String, X509Certificate): forwards the call to the Java peer.
 /// CLR-backed instances use the non-virtual call on the static class; Java-backed ones dispatch virtually.
 /// </summary>
 void org.apache.http.conn.ssl.X509HostnameVerifier.verify(java.lang.String arg0, java.security.cert.X509Certificate arg1)
 {
     var env       = global::MonoJavaBridge.JNIEnv.ThreadEnv;
     var method    = global::org.apache.http.conn.ssl.X509HostnameVerifier_._verify16436;
     var hostValue = global::MonoJavaBridge.JavaBridge.ConvertToValue(arg0);
     var certValue = global::MonoJavaBridge.JavaBridge.ConvertToValue(arg1);
     if (IsClrObject)
     {
         env.CallNonVirtualVoidMethod(this.JvmHandle, global::org.apache.http.conn.ssl.X509HostnameVerifier_.staticClass, method, hostValue, certValue);
     }
     else
     {
         env.CallVoidMethod(this.JvmHandle, method, hostValue, certValue);
     }
 }
 /// <summary>
 /// JNI bridge constructor for android.net.http.SslError(int, X509Certificate): creates the Java peer
 /// and binds it to this managed instance via Init.
 /// </summary>
 /// <param name="arg0">Error code passed to the Java constructor.</param>
 /// <param name="arg1">Certificate passed to the Java constructor.</param>
 public SslError(int arg0, java.security.cert.X509Certificate arg1)  : base(global::MonoJavaBridge.JNIEnv.ThreadEnv)
 {
     var env       = global::MonoJavaBridge.JNIEnv.ThreadEnv;
     var codeValue = global::MonoJavaBridge.JavaBridge.ConvertToValue(arg0);
     var certValue = global::MonoJavaBridge.JavaBridge.ConvertToValue(arg1);
     var peer      = env.NewObject(android.net.http.SslError.staticClass, global::android.net.http.SslError._SslError5430, codeValue, certValue);
     Init(env, peer);
 }
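        /// <summary>
        /// Checks whether the server certificate identifies <paramref name="targetHost"/>, following
        /// RFC2818 - HTTP Over TLS, Section 3.1 (http://www.ietf.org/rfc/rfc2818.txt):
        ///
        /// 1.  if present MUST use subjectAltName dNSName as identity
        /// 1.1.    if multiples entries a match of any one is acceptable
        /// 1.2.    wildcard * is acceptable
        /// 2.  URI may be an IP address -> subjectAltName.iPAddress
        /// 2.1.    exact match is required
        /// 3.  Use of the most specific Common Name (CN=) in the Subject
        /// 3.1    Existing practice but DEPRECATED
        ///
        /// The Common Name is consulted only when the certificate carries no dNSName entry at all (rule 1):
        /// a certificate whose dNSNames all fail to match is rejected without looking at the CN.
        /// </summary>
        /// <param name="javaCert">Java view of the certificate, used to read the subjectAltName extension.</param>
        /// <param name="cert">.NET view of the same certificate, used to read the Subject Common Name.</param>
        /// <param name="targetHost">Host name (or IP address literal) the client intended to reach.</param>
        /// <returns>true when the certificate matches targetHost; false on mismatch or on any error while reading the certificate (fail closed).</returns>
        ///todo We should get rid of the java certificate parameter. Means to find an easy way to get the subjectAltNames (see http://www.java2s.com/Open-Source/CSharp/2.6.4-mono-.net-core/System.Net/System/Net/ServicePointManager.cs.htm)
        public static bool CheckServerIdentity(X509Certificate javaCert,
                                               X509Certificate2 cert, string targetHost)
        {
            try
            {
                /*
                 * SubjectAltName ::= GeneralNames
                 *
                 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
                 *
                 * GeneralName ::= CHOICE {
                 * otherName                       [0]     OtherName,
                 * rfc822Name                      [1]     IA5String,
                 * dNSName                         [2]     IA5String,
                 * x400Address                     [3]     ORAddress,
                 * directoryName                   [4]     Name,
                 * ediPartyName                    [5]     EDIPartyName,
                 * uniformResourceIdentifier       [6]     IA5String,
                 * iPAddress                       [7]     OCTET STRING,
                 * registeredID                    [8]     OBJECT IDENTIFIER}
                 *
                 * SubjectAltName is of form \"rfc822Name=<email>,
                 * dNSName=<host name>, uri=<http://host.com/>,
                 * ipaddress=<address>, guid=<globally unique id>
                 *
                 */

                java.util.Collection ext = javaCert.getSubjectAlternativeNames();
                // Set once any dNSName entry is seen: such a certificate is judged on its subjectAltName alone.
                bool hasDnsName = false;
                // subjectAltName
                if (null != ext && ext.size() > 0)
                {
                    for (Iterator i = ext.iterator(); i.hasNext();)
                    {
                        List    item = (List)i.next();
                        Integer type = (Integer)item.get(0);
                        switch (type.intValue())
                        {
                        case 2:
                            hasDnsName = true;
                            if (Match(targetHost, (String)item.get(1)))      //dNSName
                            {
                                return(true);
                            }
                            break;

                        case 7:
                            // iPAddress: exact, case-sensitive comparison of the textual form; no address normalisation.
                            if (targetHost.Equals((String)item.get(1)))
                            {
                                return(true);
                            }
                            break;

                        default:
                            // otherName (0), rfc822Name (1), x400Address (3), directoryName (4), ediPartyName (5),
                            // uniformResourceIdentifier (6), registeredID (8): not used as a host identity here.
                            //todo shouldn't we handle uri as well? check spec.
                            continue;
                        }
                    }
                }

                if (hasDnsName)
                {
                    // dNSNames were present and none matched: the deprecated CN must not rescue the certificate.
                    return(false);
                }

                // Common Name (CN=)
                // NOTE(review): argument order differs from the dNSName call above (Match(targetHost, name) there,
                // Match(name, targetHost) here); Match is not visible in this file — confirm which order it expects.
                return(Match(GetCommonName(cert), targetHost));
            }
            catch (Exception e)
            {
                // Any failure while reading the certificate is treated as a mismatch.
                Log.error("ERROR processing certificate: {0}", e);
                return(false);
            }
        }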
 /// <summary>
 /// Converts a Java certificate into its .NET counterpart through the encoded (DER) form.
 /// </summary>
 /// <param name="certificate">Java certificate to convert.</param>
 /// <returns>A new X509Certificate2 built from certificate.getEncoded().</returns>
 public static X509Certificate2 ConvertCertificate(X509Certificate certificate)
 {
     var encoded = certificate.getEncoded();
     return new X509Certificate2(encoded);
 }
 /// <summary>
 /// Converts a Java certificate into its .NET counterpart through the encoded (DER) form.
 /// </summary>
 /// <param name="certificate">Java certificate to convert.</param>
 /// <returns>A new X509Certificate2 built from certificate.getEncoded().</returns>
 public static X509Certificate2 ConvertCertificate(X509Certificate certificate)
 {
     var encoded = certificate.getEncoded();
     return(new X509Certificate2(encoded));
 }
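        /// <summary>
        /// Checks whether the server certificate identifies <paramref name="targetHost"/>, following
        /// RFC2818 - HTTP Over TLS, Section 3.1 (http://www.ietf.org/rfc/rfc2818.txt):
        ///
        /// 1.  if present MUST use subjectAltName dNSName as identity
        /// 1.1.    if multiples entries a match of any one is acceptable
        /// 1.2.    wildcard * is acceptable
        /// 2.  URI may be an IP address -> subjectAltName.iPAddress
        /// 2.1.    exact match is required
        /// 3.  Use of the most specific Common Name (CN=) in the Subject
        /// 3.1    Existing practice but DEPRECATED
        ///
        /// The Common Name is consulted only when the certificate carries no dNSName entry at all (rule 1):
        /// a certificate whose dNSNames all fail to match is rejected without looking at the CN.
        /// </summary>
        /// <param name="javaCert">Java view of the certificate, used to read the subjectAltName extension.</param>
        /// <param name="cert">.NET view of the same certificate, used to read the Subject Common Name.</param>
        /// <param name="targetHost">Host name (or IP address literal) the client intended to reach.</param>
        /// <returns>true when the certificate matches targetHost; false on mismatch or on any error while reading the certificate (fail closed).</returns>
        ///todo We should get rid of the java certificate parameter. Means to find an easy way to get the subjectAltNames (see http://www.java2s.com/Open-Source/CSharp/2.6.4-mono-.net-core/System.Net/System/Net/ServicePointManager.cs.htm)
        public static bool CheckServerIdentity(X509Certificate javaCert,
            X509Certificate2 cert, string targetHost)
        {
            try
            {
                /*
                 SubjectAltName ::= GeneralNames

                 GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName

                 GeneralName ::= CHOICE {
                  otherName                       [0]     OtherName,
                  rfc822Name                      [1]     IA5String,
                  dNSName                         [2]     IA5String,
                  x400Address                     [3]     ORAddress,
                  directoryName                   [4]     Name,
                  ediPartyName                    [5]     EDIPartyName,
                  uniformResourceIdentifier       [6]     IA5String,
                  iPAddress                       [7]     OCTET STRING,
                  registeredID                    [8]     OBJECT IDENTIFIER}

                 SubjectAltName is of form \"rfc822Name=<email>,
                 dNSName=<host name>, uri=<http://host.com/>,
                 ipaddress=<address>, guid=<globally unique id>

                */

                Collection ext = javaCert.getSubjectAlternativeNames();
                // Set once any dNSName entry is seen: such a certificate is judged on its subjectAltName alone.
                bool hasDnsName = false;
                // subjectAltName
                if (null != ext && ext.size() > 0)
                {
                    for (Iterator i = ext.iterator(); i.hasNext();)
                    {
                        List item = (List) i.next();
                        Integer type = (Integer) item.get(0);
                        switch (type.intValue())
                        {
                            case 2:
                                hasDnsName = true;
                                if (Match(targetHost, (String) item.get(1))) //dNSName
                                {
                                    return true;
                                }
                                break;
                            case 7:
                                // iPAddress: exact, case-sensitive comparison of the textual form; no address normalisation.
                                if (targetHost.Equals((String) item.get(1)))
                                {
                                    return true;
                                }
                                break;
                            default:
                                // otherName (0), rfc822Name (1), x400Address (3), directoryName (4), ediPartyName (5),
                                // uniformResourceIdentifier (6), registeredID (8): not used as a host identity here.
                                //todo shouldn't we handle uri as well? check spec.
                                continue;
                        }
                    }
                }

                if (hasDnsName)
                {
                    // dNSNames were present and none matched: the deprecated CN must not rescue the certificate.
                    return false;
                }

                // Common Name (CN=)
                // NOTE(review): argument order differs from the dNSName call above (Match(targetHost, name) there,
                // Match(name, targetHost) here); Match is not visible in this file — confirm which order it expects.
                return Match(GetCommonName(cert), targetHost);
            }
            catch (Exception e)
            {
                // Any failure while reading the certificate is treated as a mismatch.
                Log.error("ERROR processing certificate: {0}", e);
                return false;
            }
        }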
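        /// <summary>
        /// Decides whether the certificate chain presented by the server for <paramref name="hostName"/> is trusted,
        /// prompting the user when the chain does not validate or the host name does not match the certificate.
        /// A stored exception for the host short-circuits all checks.
        /// </summary>
        /// <param name="hostName">Host the connection was made to; also keys the stored "Always Trust" exception.</param>
        /// <param name="certs">Certificate chain as sent by the server, leaf certificate first.</param>
        /// <returns>true to proceed with the connection, false to disconnect. An empty chain is never trusted.</returns>
        public override bool isTrusted(String hostName, X509Certificate[] certs)
        {
            // Fail closed: there is nothing to verify without a leaf certificate (the original indexed certs[0] unconditionally).
            if (null == certs || certs.Length == 0)
            {
                return false;
            }

            X509Certificate2 serverCert = ConvertCertificate(certs[0]);
            X509Chain chain = new X509Chain();
            //todo Online revocation check. Preference.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline; // | X509RevocationMode.Online
            chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0, 10); // set timeout to 10 seconds
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            // Intermediates sent by the server only help chain building; ExtraStore does not make them trusted.
            for (int index = 1; index < certs.Length; index++)
            {
                chain.ChainPolicy.ExtraStore.Add(ConvertCertificate(certs[index]));
            }
            // The boolean result is not used: GetErrorFromChainStatus reads the chain status afterwards.
            chain.Build(serverCert);

            bool isException = CheckForException(hostName, serverCert);
            if (isException)
            {
                // Exceptions always have precendence
                return true;
            }

            string errorFromChainStatus = GetErrorFromChainStatus(chain, hostName);
            bool certError = null != errorFromChainStatus;
            bool hostnameMismatch = !HostnameVerifier.CheckServerIdentity(certs[0], serverCert, hostName);

            // check if host name matches. A chain error takes precedence in the message shown to the user,
            // so a simultaneous host name mismatch is not reported separately.
            if (null == errorFromChainStatus && hostnameMismatch)
            {
                errorFromChainStatus = Locale.localizedString(
                    "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “%@” which could put your confidential information at risk. Would you like to connect to the server anyway?",
                    "Keychain").Replace("%@", hostName);
            }

            if (null != errorFromChainStatus)
            {
                return PromptForUntrustedCertificate(hostName, serverCert, errorFromChainStatus, certError);
            }
            return true;
        }

        // Shows the "certificate is not valid" dialog until the user chooses Continue (true) or Disconnect (false).
        private bool PromptForUntrustedCertificate(String hostName, X509Certificate2 serverCert, string errorMessage, bool certError)
        {
            // NOTE(review): a dialog result other than OK (e.g. the window being closed) re-shows the dialog;
            // confirm whether that should count as Disconnect instead.
            while (true)
            {
                TaskDialog d = new TaskDialog();
                DialogResult r =
                    d.ShowCommandBox(Locale.localizedString("This certificate is not valid", "Keychain"),
                                     Locale.localizedString("This certificate is not valid", "Keychain"),
                                     errorMessage,
                                     null,
                                     null,
                                     Locale.localizedString("Always Trust", "Keychain"),
                                     String.Format("{0}|{1}|{2}",
                                                   Locale.localizedString("Continue", "Credentials"),
                                                   Locale.localizedString("Disconnect"),
                                                   Locale.localizedString("Show Certificate", "Keychain")),
                                     false,
                                     SysIcons.Warning, SysIcons.Information);
                if (r == DialogResult.OK)
                {
                    if (d.CommandButtonResult == 0)
                    {
                        if (d.VerificationChecked)
                        {
                            if (certError)
                            {
                                //todo can we use the Trusted People and Third Party Certificate Authority Store? Currently X509Chain is the problem.
                                // Adding the server certificate to the Root store makes it a trust anchor for every chain
                                // on this machine, not just for this host.
                                AddCertificate(serverCert, StoreName.Root);
                            }
                            // The exception is recorded by subject name only, so presumably any later certificate
                            // for this host with the same subject is accepted without prompting — verify against CheckForException.
                            Preferences.instance().setProperty(hostName + ".certificate.accept",
                                                               serverCert.SubjectName.Name);
                        }
                        return true;
                    }
                    if (d.CommandButtonResult == 1)
                    {
                        return false;
                    }
                    if (d.CommandButtonResult == 2)
                    {
                        X509Certificate2UI.DisplayCertificate(serverCert);
                    }
                }
            }
        }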