/// <summary>
/// Checks a list of signatures.
/// </summary>
/// <param name="signatureElems">Signature elements.</param>
/// <param name="certificateVerifier">Certificate verifier.</param>
public void Check(IList <XmlElement> signatureElems,
ICertificateVerifier certificateVerifier)
{
ArgumentUtils.CheckNotNullNorEmpty(signatureElems, "signatureElems");
ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier");
// Check each signature
foreach (XmlElement signatureElem in signatureElems)
{
if (!XmlUtils.CheckElement(signatureElem, SignatureElement,
SignedXml.XmlDsigNamespaceUrl))
{
throw new XspException("Element is not a 'ds:Signature' element");
}
// Get the certificate from the 'KeyInfo' of the signature
X509Certificate2 certificate = GetCertificate(signatureElem);
// Verify the signature
if (!XmlSecurityUtils.Verify(signatureElem, certificate))
{
throw new XspException("Could not validate the signature");
}
// Verify the certificate
certificateVerifier.Verify(certificate);
}
}
/// <summary>
/// Checks a signature.
/// </summary>
/// <param name="signatureElem">Signature element.</param>
/// <param name="certificateVerifier">Certificate verifier.</param>
public void Check(XmlElement signatureElem,
ICertificateVerifier certificateVerifier)
{
ArgumentUtils.CheckNotNull(signatureElem, "signatureElem");
ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier");
IList <XmlElement> signatureElems = new List <XmlElement>();
signatureElems.Add(signatureElem);
Check(signatureElems, certificateVerifier);
}
/// <summary>
/// Verify a signed XML document.
/// </summary>
/// <param name="signedDocument">The signed XML document to verify.</param>
/// <param name="certificateVerifier">An ICertificateVerifier implementation which will verify the certificate in the signed XML document.</param>
/// <returns>A value to indicate if the document is verified successfully.</returns>
public static bool XspVerifySignature(this XmlDocument signedDocument, ICertificateVerifier certificateVerifier)
{
Validation.ValidateArgumentRequired("signedDocument", signedDocument);
Validation.ValidateArgumentRequired("certificateVerifier", certificateVerifier);
ISignedContainerProfileService signedContainerService = XspFactory.Instance.GetSignedContainerProfileService(XspVersion.V_2010);
signedContainerService.Check(signedDocument, certificateVerifier);
return(true);
}
public CertificateValidationMessageHandler(
ICertificateStore certificateStore,
ICertificateValidationService certificateValidationService,
ICertificateVerifier certificateVerifier,
ILogger <CertificateValidationMessageHandler> logger,
int maximumValidationFailures = CertificateValidationService.DefaultMaximumValidationFailures)
{
_certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore));
_certificateValidationService = certificateValidationService ?? throw new ArgumentNullException(nameof(certificateValidationService));
_certificateVerifier = certificateVerifier ?? throw new ArgumentNullException(nameof(certificateVerifier));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
_maximumValidationFailures = maximumValidationFailures;
}
/// <summary>
/// Checks the signatures in a signed payload container and also verifies the
/// certificates with the certificate verifier callback.
/// </summary>
/// <param name="containerDoc">Signed payload container.</param>
/// <param name="certificateVerifier">Certificate verifier.</param>
/// <exception cref="XspException">Thrown on error.</exception>
public void Check(XmlDocument containerDoc,
ICertificateVerifier certificateVerifier)
{
ArgumentUtils.CheckNotNull(containerDoc, "containerDoc");
ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier");
// Check the container is valid
CheckSignedContainer(containerDoc);
// Get all the signatures in the container
IList <XmlElement> signatureElems = XPathUtils.GetElements(containerDoc,
"/sp:signedPayload/sp:signatures/ds:Signature",
CreateXmlNamespaceManager(containerDoc));
// Check all the signatures verify
this.signedProfileService.Check(signatureElems, certificateVerifier);
}
/// <summary>
/// Verify server certificate within returned HttpResponse to prevent MITM attack.
/// </summary>
/// <param name="httpRequestMessage">The httpRequestMessage returned.</param>
/// <param name="serverCertVerifier">The server certificate.</param>
/// <param name="chain">The X509Chain.</param>
/// <param name="policyErrors">SslPolicyErrors.</param>
/// <param name="clientCertVerifier">Client certificate.</param>
/// <returns>Returns true when server certificate is valid.</returns>
public bool VerifyServerCertificate(HttpRequestMessage httpRequestMessage, ICertificateVerifier serverCertVerifier, X509Chain chain, SslPolicyErrors policyErrors, ICertificateVerifier clientCertVerifier)
{
Arguments.IsNotNull(clientCertVerifier, nameof(clientCertVerifier));
X509Certificate2 serverCert = serverCertVerifier.Certificate;
logger?.LogDebug("Server certification custom validation callback.");
logger?.LogTrace(httpRequestMessage?.ToString());
logger?.LogTrace(chain?.ToString());
logger?.LogTrace(policyErrors.ToString());
logger?.LogTrace("ServerCert:" + Environment.NewLine + serverCert);
try
{
// Verify Issuer. Issuer field is case-insensitive.
if (!string.Equals(clientCertVerifier.Issuer, serverCertVerifier.Issuer, StringComparison.OrdinalIgnoreCase))
{
logger?.LogError(Invariant($"Issuer are different for server certificate and the client certificate. Server Certificate Issuer: {clientCertVerifier.Issuer}, Client Certificate Issuer: {serverCertVerifier.Issuer}"));
return(false);
}
else
{
logger?.LogDebug(Invariant($"Issuer validation passed: {serverCertVerifier.Issuer}"));
}
// Server certificate is not expired.
DateTime now = DateTime.Now;
if (serverCertVerifier.NotBefore > now || serverCertVerifier.NotAfter.AddDays(1) <= now)
{
logger?.LogError(Invariant($"Server certification is not in valid period from {serverCertVerifier.NotBefore.ToString(DateTimeFormatInfo.InvariantInfo)} until {serverCertVerifier.NotAfter.ToString(DateTimeFormatInfo.InvariantInfo)}"));
return(false);
}
else
{
logger?.LogDebug("Server certificate validate date verification passed.");
}
}
catch (Exception ex)
{
logger?.LogError(ex.ToString());
return(false);
}
logger?.LogDebug("Server certification custom validation successed.");
return(true);
}
///// <param>
///// the tspSource to set
///// </param>
//public ITspSource TspSource { get; set; }
///// <param>
///// the verifier to set
///// </param>
//public ICertificateVerifier Verifier { get; set; }
//public ISignedDocumentValidator Validator { get; }
public CAdESService(ITspSource tspSource, ICertificateVerifier verifier, ISignedDocumentValidator validator)
{
this.tspSource = tspSource;
this.verifier = verifier;
this.validator = validator;
}
internal void SetCertificateVerifier(ICertificateVerifier verifier) => _verifier = verifier;
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> public void SetCertificateVerifier(ICertificateVerifier verifier) => _engine.SetCertificateVerifier(verifier);
public SignedDocumentValidator(ICertificateVerifier certificateVerifier, Func <ICAdESLogger> loggerFactory)
{
CertificateVerifier = certificateVerifier;
this.loggerFactory = loggerFactory;
}
