/// <summary> /// Checks a list of signatures. /// </summary> /// <param name="signatureElems">Signature elements.</param> /// <param name="certificateVerifier">Certificate verifier.</param> public void Check(IList <XmlElement> signatureElems, ICertificateVerifier certificateVerifier) { ArgumentUtils.CheckNotNullNorEmpty(signatureElems, "signatureElems"); ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier"); // Check each signature foreach (XmlElement signatureElem in signatureElems) { if (!XmlUtils.CheckElement(signatureElem, SignatureElement, SignedXml.XmlDsigNamespaceUrl)) { throw new XspException("Element is not a 'ds:Signature' element"); } // Get the certificate from the 'KeyInfo' of the signature X509Certificate2 certificate = GetCertificate(signatureElem); // Verify the signature if (!XmlSecurityUtils.Verify(signatureElem, certificate)) { throw new XspException("Could not validate the signature"); } // Verify the certificate certificateVerifier.Verify(certificate); } }
/// <summary> /// Checks a signature. /// </summary> /// <param name="signatureElem">Signature element.</param> /// <param name="certificateVerifier">Certificate verifier.</param> public void Check(XmlElement signatureElem, ICertificateVerifier certificateVerifier) { ArgumentUtils.CheckNotNull(signatureElem, "signatureElem"); ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier"); IList <XmlElement> signatureElems = new List <XmlElement>(); signatureElems.Add(signatureElem); Check(signatureElems, certificateVerifier); }
/// <summary> /// Verify a signed XML document. /// </summary> /// <param name="signedDocument">The signed XML document to verify.</param> /// <param name="certificateVerifier">An ICertificateVerifier implementation which will verify the certificate in the signed XML document.</param> /// <returns>A value to indicate if the document is verified successfully.</returns> public static bool XspVerifySignature(this XmlDocument signedDocument, ICertificateVerifier certificateVerifier) { Validation.ValidateArgumentRequired("signedDocument", signedDocument); Validation.ValidateArgumentRequired("certificateVerifier", certificateVerifier); ISignedContainerProfileService signedContainerService = XspFactory.Instance.GetSignedContainerProfileService(XspVersion.V_2010); signedContainerService.Check(signedDocument, certificateVerifier); return(true); }
public CertificateValidationMessageHandler( ICertificateStore certificateStore, ICertificateValidationService certificateValidationService, ICertificateVerifier certificateVerifier, ILogger <CertificateValidationMessageHandler> logger, int maximumValidationFailures = CertificateValidationService.DefaultMaximumValidationFailures) { _certificateStore = certificateStore ?? throw new ArgumentNullException(nameof(certificateStore)); _certificateValidationService = certificateValidationService ?? throw new ArgumentNullException(nameof(certificateValidationService)); _certificateVerifier = certificateVerifier ?? throw new ArgumentNullException(nameof(certificateVerifier)); _logger = logger ?? throw new ArgumentNullException(nameof(logger)); _maximumValidationFailures = maximumValidationFailures; }
/// <summary> /// Checks the signatures in a signed payload container and also verifies the /// certificates with the certificate verifier callback. /// </summary> /// <param name="containerDoc">Signed payload container.</param> /// <param name="certificateVerifier">Certificate verifier.</param> /// <exception cref="XspException">Thrown on error.</exception> public void Check(XmlDocument containerDoc, ICertificateVerifier certificateVerifier) { ArgumentUtils.CheckNotNull(containerDoc, "containerDoc"); ArgumentUtils.CheckNotNull(certificateVerifier, "certificateVerifier"); // Check the container is valid CheckSignedContainer(containerDoc); // Get all the signatures in the container IList <XmlElement> signatureElems = XPathUtils.GetElements(containerDoc, "/sp:signedPayload/sp:signatures/ds:Signature", CreateXmlNamespaceManager(containerDoc)); // Check all the signatures verify this.signedProfileService.Check(signatureElems, certificateVerifier); }
/// <summary> /// Verify server certificate within returned HttpResponse to prevent MITM attack. /// </summary> /// <param name="httpRequestMessage">The httpRequestMessage returned.</param> /// <param name="serverCertVerifier">The server certificate.</param> /// <param name="chain">The X509Chain.</param> /// <param name="policyErrors">SslPolicyErrors.</param> /// <param name="clientCertVerifier">Client certificate.</param> /// <returns>Returns true when server certificate is valid.</returns> public bool VerifyServerCertificate(HttpRequestMessage httpRequestMessage, ICertificateVerifier serverCertVerifier, X509Chain chain, SslPolicyErrors policyErrors, ICertificateVerifier clientCertVerifier) { Arguments.IsNotNull(clientCertVerifier, nameof(clientCertVerifier)); X509Certificate2 serverCert = serverCertVerifier.Certificate; logger?.LogDebug("Server certification custom validation callback."); logger?.LogTrace(httpRequestMessage?.ToString()); logger?.LogTrace(chain?.ToString()); logger?.LogTrace(policyErrors.ToString()); logger?.LogTrace("ServerCert:" + Environment.NewLine + serverCert); try { // Verify Issuer. Issuer field is case-insensitive. if (!string.Equals(clientCertVerifier.Issuer, serverCertVerifier.Issuer, StringComparison.OrdinalIgnoreCase)) { logger?.LogError(Invariant($"Issuer are different for server certificate and the client certificate. Server Certificate Issuer: {clientCertVerifier.Issuer}, Client Certificate Issuer: {serverCertVerifier.Issuer}")); return(false); } else { logger?.LogDebug(Invariant($"Issuer validation passed: {serverCertVerifier.Issuer}")); } // Server certificate is not expired. DateTime now = DateTime.Now; if (serverCertVerifier.NotBefore > now || serverCertVerifier.NotAfter.AddDays(1) <= now) { logger?.LogError(Invariant($"Server certification is not in valid period from {serverCertVerifier.NotBefore.ToString(DateTimeFormatInfo.InvariantInfo)} until {serverCertVerifier.NotAfter.ToString(DateTimeFormatInfo.InvariantInfo)}")); return(false); } else { logger?.LogDebug("Server certificate validate date verification passed."); } } catch (Exception ex) { logger?.LogError(ex.ToString()); return(false); } logger?.LogDebug("Server certification custom validation successed."); return(true); }
///// <param> ///// the tspSource to set ///// </param> //public ITspSource TspSource { get; set; } ///// <param> ///// the verifier to set ///// </param> //public ICertificateVerifier Verifier { get; set; } //public ISignedDocumentValidator Validator { get; } public CAdESService(ITspSource tspSource, ICertificateVerifier verifier, ISignedDocumentValidator validator) { this.tspSource = tspSource; this.verifier = verifier; this.validator = validator; }
internal void SetCertificateVerifier(ICertificateVerifier verifier) => _verifier = verifier;
/// <summary> /// Establish the certificate verifier object. This must be /// done before any connections are established. /// </summary> /// <param name="verifier">The certificate verifier.</param> public void SetCertificateVerifier(ICertificateVerifier verifier) => _engine.SetCertificateVerifier(verifier);
public SignedDocumentValidator(ICertificateVerifier certificateVerifier, Func <ICAdESLogger> loggerFactory) { CertificateVerifier = certificateVerifier; this.loggerFactory = loggerFactory; }