public void TestSha1WithRsaEncapsulatedSubjectKeyID()
{
MemoryStream bOut = new MemoryStream();
IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private,
CmsTestUtil.CreateSubjectKeyId(OrigCert.GetPublicKey()).GetKeyIdentifier(),
CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
Stream sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
byte[] contentDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1];
ArrayList signers = new ArrayList(sp.GetSignerInfos().GetSigners());
AttributeTable table = ((SignerInformation)signers[0]).SignedAttributes;
Asn1.Cms.Attribute hash = table[CmsAttributes.MessageDigest];
Assert.IsTrue(Arrays.AreEqual(contentDigest, ((Asn1OctetString)hash.AttrValues[0]).GetOctets()));
//
// try using existing signer
//
gen = new CmsSignedDataStreamGenerator();
gen.AddSigners(sp.GetSignerInfos());
// gen.AddCertificatesAndCRLs(sp.GetCertificatesAndCrls("Collection", "BC"));
gen.AddCertificates(sp.GetCertificates("Collection"));
bOut.SetLength(0);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedData sd = new CmsSignedData(new CmsProcessableByteArray(testBytes), bOut.ToArray());
Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count);
VerifyEncodedData(bOut);
}
public static Stream ReplaceCertificatesAndCrls(Stream original, IX509Store x509Certs, IX509Store x509Crls, IX509Store x509AttrCerts, Stream outStr)
{
CmsSignedDataStreamGenerator cmsSignedDataStreamGenerator = new CmsSignedDataStreamGenerator();
CmsSignedDataParser cmsSignedDataParser = new CmsSignedDataParser(original);
cmsSignedDataStreamGenerator.AddDigests(cmsSignedDataParser.DigestOids);
CmsTypedStream signedContent = cmsSignedDataParser.GetSignedContent();
bool flag = signedContent != null;
Stream stream = cmsSignedDataStreamGenerator.Open(outStr, cmsSignedDataParser.SignedContentType.Id, flag);
if (flag)
{
Streams.PipeAll(signedContent.ContentStream, stream);
}
if (x509AttrCerts != null)
{
cmsSignedDataStreamGenerator.AddAttributeCertificates(x509AttrCerts);
}
if (x509Certs != null)
{
cmsSignedDataStreamGenerator.AddCertificates(x509Certs);
}
if (x509Crls != null)
{
cmsSignedDataStreamGenerator.AddCrls(x509Crls);
}
cmsSignedDataStreamGenerator.AddSigners(cmsSignedDataParser.GetSignerInfos());
Platform.Dispose(stream);
return(outStr);
}
public void TestSha1WithRsa()
{
MemoryStream bOut = new MemoryStream();
IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl);
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
gen.AddCrls(x509Crls);
Stream sigOut = gen.Open(bOut);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
CmsSignedDataParser sp = new CmsSignedDataParser(
new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray());
sp.GetSignedContent().Drain();
// compute expected content digest
byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);
VerifySignatures(sp, hash);
//
// try using existing signer
//
gen = new CmsSignedDataStreamGenerator();
gen.AddSigners(sp.GetSignerInfos());
gen.AddCertificates(sp.GetCertificates("Collection"));
gen.AddCrls(sp.GetCrls("Collection"));
bOut.SetLength(0);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
VerifyEncodedData(bOut);
//
// look for the CRLs
//
ArrayList col = new ArrayList(x509Crls.GetMatches(null));
Assert.AreEqual(2, col.Count);
Assert.IsTrue(col.Contains(SignCrl));
Assert.IsTrue(col.Contains(OrigCrl));
}
IList <IDigitalSignature> GetDigitalSignatures(CmsSignedDataParser parser)
{
var certificates = parser.GetCertificates("Collection");
var signatures = new List <IDigitalSignature> ();
var store = parser.GetSignerInfos();
foreach (SignerInformation signerInfo in store.GetSigners())
{
var certificate = GetCertificate(certificates, signerInfo.SignerID);
var signature = new SecureMimeDigitalSignature(signerInfo);
Asn1EncodableVector vector = signerInfo.UnsignedAttributes.GetAll(CmsAttributes.SigningTime);
foreach (Org.BouncyCastle.Asn1.Cms.Attribute attr in vector)
{
Time time = (Time)((DerSet)attr.AttrValues)[0];
signature.CreationDate = time.Date;
break;
}
if (certificate != null)
{
signature.SignerCertificate = new SecureMimeDigitalCertificate(certificate);
}
// FIXME: verify the certificate chain with what we have in our local store
// var chain = new X509Chain ();
// chain.ChainPolicy.UrlRetrievalTimeout = OnlineCertificateRetrievalTimeout;
// chain.ChainPolicy.RevocationMode = AllowOnlineCertificateRetrieval ? X509RevocationMode.Online : X509RevocationMode.Offline;
// chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
// //if (AllowSelfSignedCertificates)
// // chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
// chain.ChainPolicy.VerificationTime = DateTime.Now;
//
// if (!chain.Build (signerInfo.Certificate)) {
// for (int i = 0; i < chain.ChainStatus.Length; i++) {
// if (chain.ChainStatus[i].Status.HasFlag (X509ChainStatusFlags.Revoked)) {
// signature.Errors |= DigitalSignatureError.CertificateRevoked;
// signature.Status = DigitalSignatureStatus.Error;
// }
//
// certificate.ChainStatus |= chain.ChainStatus[i].Status;
// }
// }
signatures.Add(signature);
}
return(signatures);
}
public void Test4_4()
{
byte[] data = GetRfc4134Data("4.4.bin");
byte[] counterSigCert = GetRfc4134Data("AliceRSASignByCarl.cer");
CmsSignedData signedData = new CmsSignedData(data);
VerifySignatures(signedData, sha1);
VerifySignerInfo4_4(GetFirstSignerInfo(signedData.GetSignerInfos()), counterSigCert);
CmsSignedDataParser parser = new CmsSignedDataParser(data);
VerifySignatures(parser);
VerifySignerInfo4_4(GetFirstSignerInfo(parser.GetSignerInfos()), counterSigCert);
}
public void Test4_4()
{
byte[] data = GetRfc4134Data("4.4.bin");
byte[] counterSigCert = GetRfc4134Data("AliceRSASignByCarl.cer");
CmsSignedData signedData = new CmsSignedData(data);
VerifySignatures(signedData, sha1);
VerifySignerInfo4_4(GetFirstSignerInfo(signedData.GetSignerInfos()), counterSigCert);
CmsSignedDataParser parser = new CmsSignedDataParser(data);
VerifySignatures(parser);
VerifySignerInfo4_4(GetFirstSignerInfo(parser.GetSignerInfos()), counterSigCert);
}
private void CheckSigParseable(byte[] sig)
{
CmsSignedDataParser sp = new CmsSignedDataParser(sig);
sp.Version.ToString();
CmsTypedStream sc = sp.GetSignedContent();
if (sc != null)
{
sc.Drain();
}
sp.GetAttributeCertificates("Collection");
sp.GetCertificates("Collection");
sp.GetCrls("Collection");
sp.GetSignerInfos();
sp.Close();
}
private SignerInformation ExtractSignerInfo(CmsSignedDataParser parser)
{
//Extract the signer info
SignerInformationStore signerInfoStore = parser.GetSignerInfos();
if (signerInfoStore.Count != 1)
{
#if NETFRAMEWORK
trace.TraceEvent(TraceEventType.Error, 0, "The message to complete does not contain a single signature");
#else
logger.LogError("The message to complete does not contain a single signature");
#endif
throw new InvalidMessageException("The message does not contain a single signature");
}
return(signerInfoStore.GetSigners().Cast <SignerInformation>().First());
}
/// <summary>
/// Imports certificates (as from a certs-only application/pkcs-mime part)
/// from the specified stream.
/// </summary>
/// <param name="stream">The raw key data.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="stream"/> is <c>null</c>.
/// </exception>
/// <exception cref="System.NotSupportedException">
/// Importing keys is not supported by this cryptography context.
/// </exception>
public override void Import(Stream stream)
{
if (stream == null)
{
throw new ArgumentNullException("stream");
}
var parser = new CmsSignedDataParser(stream);
var certs = parser.GetCertificates("Collection");
var store = parser.GetSignerInfos();
foreach (SignerInformation signerInfo in store.GetSigners())
{
var matches = certs.GetMatches(signerInfo.SignerID);
foreach (X509Certificate certificate in matches)
{
certificates.Add(certificate);
}
}
}
public certificate Validate(byte[] data, byte[] signature)
{
using (var dataStream = new MemoryStream(data))
using (var signatureStream = new MemoryStream(signature))
{
var cmsTypedStream = new CmsTypedStream(dataStream);
var cmsSignedDataParser = new CmsSignedDataParser(cmsTypedStream, signatureStream);
var store = cmsSignedDataParser.GetCertificates("Collection");
var signerInfos = cmsSignedDataParser.GetSignerInfos();
var signerInfo = signerInfos.GetSigners().OfType <SignerInformation>().First();
var certificate = store?.GetMatches(signerInfo?.SignerID)
.OfType <X509Certificate>().FirstOrDefault();
if (certificate == null)
{
return(null);
}
Logger.Debug(
CultureInfo.CurrentCulture,
"Certificate found in signature {dn}",
certificate.SubjectDN.ToString());
var now = DateTime.Now;
if (now < certificate.NotBefore || now > certificate.NotAfter)
{
Logger.Info(
CultureInfo.CurrentCulture,
"The certificate is not valid right now as it is only valid between {startTime}-{endTime}",
certificate.NotBefore,
certificate.NotAfter);
}
return(new certificate
{
subject = certificate.SubjectDN.ToString(),
certificate1 = certificate.GetEncoded()
});
}
}
public virtual bool CheckIntegrity(Document detachedDocument)
{
//TODO jbonilla Verifier?
//JcaSimpleSignerInfoVerifierBuilder verifier = new JcaSimpleSignerInfoVerifierBuilder
// ();
try
{
bool ret = false;
SignerInformation si = null;
if (detachedDocument != null)
{
// Recreate a SignerInformation with the content using a CMSSignedDataParser
CmsSignedDataParser sp = new CmsSignedDataParser(new CmsTypedStream(detachedDocument
.OpenStream()), cmsSignedData.GetEncoded());
sp.GetSignedContent().Drain();
si = sp.GetSignerInfos().GetFirstSigner(signerInformation.SignerID);
}
else
{
si = this.signerInformation;
}
//ret = si.Verify(verifier.Build(GetSigningCertificate()));
ret = si.Verify(GetSigningCertificate());
return(ret);
}
/*catch (OperatorCreationException)
* {
* return false;
* }*/
catch (CmsException)
{
return(false);
}
catch (IOException)
{
return(false);
}
}
/// <summary>
/// The method used to verify signature.
/// </summary>
/// <param name="sp"></param>
/// <returns></returns>
public static bool VerifySignatures(CmsSignedDataParser sp)
{
List <bool> result = new List <bool>();
IX509Store x509Certs = sp.GetCertificates("Collection");
SignerInformationStore signerInfos = sp.GetSignerInfos();
var signers = signerInfos.GetSigners();
foreach (SignerInformation signer in signers)
{
ICollection certCollection = x509Certs.GetMatches(signer.SignerID);
foreach (Org.BouncyCastle.X509.X509Certificate cert in certCollection)
{
var isValid = signer.Verify(cert);
if (!isValid)
{
throw new Exception("Certificate verification error, the signer could not be verified.");
}
result.Add(isValid);
}
}
return(result.TrueForAll(m => m == true));
}
private void VerifySignatures(CmsSignedDataParser sp)
{
CmsTypedStream sc = sp.GetSignedContent();
if (sc != null)
{
sc.Drain();
}
IX509Store x509Certs = sp.GetCertificates("Collection");
SignerInformationStore signers = sp.GetSignerInfos();
foreach (SignerInformation signer in signers.GetSigners())
{
ICollection certCollection = x509Certs.GetMatches(signer.SignerID);
IEnumerator certEnum = certCollection.GetEnumerator();
certEnum.MoveNext();
X509Certificate cert = (X509Certificate)certEnum.Current;
VerifySigner(signer, cert);
}
}
public void TestSha1WithRsa()
{
IList certList = new ArrayList();
IList crlList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
crlList.Add(SignCrl);
crlList.Add(OrigCrl);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509Crls = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
gen.AddCrls(x509Crls);
Stream sigOut = gen.Open(bOut);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
CmsSignedDataParser sp = new CmsSignedDataParser(
new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray());
sp.GetSignedContent().Drain();
//
// compute expected content digest
//
IDigest md = DigestUtilities.GetDigest("SHA1");
md.BlockUpdate(testBytes, 0, testBytes.Length);
byte[] hash = DigestUtilities.DoFinal(md);
VerifySignatures(sp, hash);
//
// try using existing signer
//
gen = new CmsSignedDataStreamGenerator();
gen.AddSigners(sp.GetSignerInfos());
gen.AddCertificates(sp.GetCertificates("Collection"));
gen.AddCrls(sp.GetCrls("Collection"));
bOut.SetLength(0);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
VerifyEncodedData(bOut);
//
// look for the CRLs
//
ArrayList col = new ArrayList(x509Crls.GetMatches(null));
Assert.AreEqual(2, col.Count);
Assert.IsTrue(col.Contains(SignCrl));
Assert.IsTrue(col.Contains(OrigCrl));
}
private void VerifySignatures(CmsSignedDataParser sp)
{
CmsTypedStream sc = sp.GetSignedContent();
if (sc != null)
{
sc.Drain();
}
IX509Store x509Certs = sp.GetCertificates("Collection");
SignerInformationStore signers = sp.GetSignerInfos();
foreach (SignerInformation signer in signers.GetSigners())
{
ICollection certCollection = x509Certs.GetMatches(signer.SignerID);
IEnumerator certEnum = certCollection.GetEnumerator();
certEnum.MoveNext();
X509Certificate cert = (X509Certificate)certEnum.Current;
VerifySigner(signer, cert);
}
}
public static SignerInformation GetSigner(CmsSignedDataParser cms, SignerID id) => GetSignerInfoByEnumeration(cms.GetSignerInfos(), id) ?? GetSignerInfoByGetFirst(cms.GetSignerInfos(), id);
