protected byte[] GenerateSignature(byte[] manifest, X509Certificate2 appleCert, X509Certificate2 passCert) { X509Certificate apple = DotNetUtilities.FromX509Certificate(appleCert); X509Certificate cert = DotNetUtilities.FromX509Certificate(passCert); var privateKey = DotNetUtilities.GetKeyPair(passCert.PrivateKey).Private; var generator = new CmsSignedDataGenerator(); generator.AddSigner(privateKey, cert, CmsSignedGenerator.DigestSha1); var list = new List <X509Certificate>(); list.Add(cert); list.Add(apple); X509CollectionStoreParameters storeParameters = new X509CollectionStoreParameters(list); IX509Store store509 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParameters); generator.AddCertificates(store509); var content = new CmsProcessableByteArray(manifest); var signature = generator.Generate(content, false).GetEncoded(); return(signature); }
protected static byte[] SignWithSystem(byte[] data, AsymmetricKeyParameter key, X509Certificate cert, X509Certificate[] chain) { var generator = new CmsSignedDataGenerator(); // Add signing key generator.AddSigner( key, cert, "2.16.840.1.101.3.4.2.1"); // SHA256 digest ID var storeCerts = new List <X509Certificate>(); storeCerts.Add(cert); // NOTE: Adding end certificate too storeCerts.AddRange(chain); // I'm assuming the chain collection doesn't contain the end certificate already // Construct a store from the collection of certificates and add to generator var storeParams = new X509CollectionStoreParameters(storeCerts); var certStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", storeParams); generator.AddCertificates(certStore); // Generate the signature var signedData = generator.Generate( new CmsProcessableByteArray(data), false); // encapsulate = false for detached signature return(signedData.GetEncoded()); }
private string SignMessage(string msg, bool isProd) { var gen = new CmsSignedDataGenerator(); X509Certificate2 certificate = GetCertificate(isProd); var privKey = DotNetUtilities.GetRsaKeyPair(certificate.GetRSAPrivateKey()).Private; var cert = DotNetUtilities.FromX509Certificate(certificate); gen.AddSigner(privKey, cert, CmsSignedDataGenerator.DigestSha1); var certX509 = DotNetUtilities.ToX509Certificate(cert.CertificateStructure); var certList = new List <Org.BouncyCastle.X509.X509Certificate>(); certList.Add(cert); X509CollectionStoreParameters PP = new X509CollectionStoreParameters(certList); IX509Store st1 = X509StoreFactory.Create("CERTIFICATE/COLLECTION", PP); gen.AddCertificates(st1); Encoding EncodedMsg = Encoding.UTF8; byte[] dataToSign = EncodedMsg.GetBytes(msg); CmsProcessable data = new CmsProcessableByteArray(dataToSign); CmsSignedData signed = gen.Generate(PkcsObjectIdentifiers.Pkcs7, data, true); var result = signed.GetEncoded(); return(Convert.ToBase64String(result)); }
public bool Validate(Certificate cert) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { // Separate root from itermediate List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate x509Cert in certs.Select(a => a.X509Certificate)) { // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = cert.X509Certificate; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create("Certificate/Collection", intermediateStoreParameters)); try { builder.Build(builderParams); return(true); } catch (Exception) { return(false); } } catch (Exception e) { throw new CryptoException($"Error validating certificate. {e.Message}"); } }
BuildCertificateChainBC( byte[] primary, System.Collections.Generic.IEnumerable <byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate> intermediateCerts = new System.Collections.Generic.List <Org.BouncyCastle.X509.X509Certificate>(); Org.BouncyCastle.Utilities.Collections.HashSet rootCerts = new Org.BouncyCastle.Utilities.Collections.HashSet(); foreach (byte[] cert in additional) { Org.BouncyCastle.X509.X509Certificate x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(System.Linq.Enumerable.Cast <Org.BouncyCastle.X509.X509Certificate>(result.CertPath.Certificates)); }
//jbonilla - Por algún motivo, no devuleve el certificado root. public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection <X509Certificate> keystore) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate cert in keystore) { // Separate root and subordinate certificates if (IsSelfSigned(cert)) { rootCerts.Add(new TrustAnchor(cert, null)); } else { intermediateCerts.Add(cert); } } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = checkCert; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); List <X509Certificate> chain = new List <X509Certificate>(); foreach (X509Certificate cert in result.CertPath.Certificates) { chain.Add(cert); } return(chain.ToArray()); }
internal static IList <X509Certificate> BuildCertificateChain(X509Certificate primaryCertificate, IEnumerable <X509Certificate> additionalCertificates) { var parser = new X509CertificateParser(); var builder = new PkixCertPathBuilder(); // Separate root from itermediate var intermediateCerts = new List <X509Certificate>(); var rootCerts = new BouncyCastle.Utilities.Collections.HashSet(); foreach (var cert in additionalCertificates) { // Separate root and subordinate certificates if (cert.IssuerDN.Equivalent(cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(cert, null)); } else { intermediateCerts.Add(cert); } } // Create chain for this certificate var holder = new X509CertStoreSelector(); holder.Certificate = primaryCertificate; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(result.CertPath.Certificates.Cast <X509Certificate>().ToList()); }
/// <summary> /// Signiert die Daten mit dem angegebenen Absender-Zertifikat /// </summary> /// <param name="data">Die zu signierenden Daten</param> /// <param name="privateKey">Der private Schlüssel mit dem signiert werden soll (passend zum Zeritifikat <paramref name="cert"/>)</param> /// <param name="cert">Das Absender-Zertifikat</param> /// <param name="certs">Die Zertifikate, die zusätzlich im Ergebnis gespeichert werden sollen (z.B. für eine Zertifkatskette)</param> /// <returns>Die signierten Daten</returns> public static byte[] SignData(byte[] data, AsymmetricKeyParameter privateKey, X509Certificate cert, IEnumerable <X509Certificate> certs = null) { var gen = new CmsSignedDataGenerator(); var allCerts = new List <X509Certificate>(); if (certs != null) { allCerts.AddRange(certs); } var storeParams = new X509CollectionStoreParameters(allCerts); var certStore = X509StoreFactory.Create("Certificate/Collection", storeParams); gen.AddCertificates(certStore); gen.AddSigner(privateKey, cert, NistObjectIdentifiers.IdSha256.Id); var message = new CmsProcessableByteArray(data); var signedData = gen.Generate(message, true); return(signedData.GetEncoded()); }
private static IList BuildCertificateChainBC(byte[] primary, IEnumerable <byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); List <X509Certificate> intermediateCerts = new List <X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (byte[] cert in additional) { X509Certificate x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) { rootCerts.Add(new TrustAnchor(x509Cert, null)); } else { intermediateCerts.Add(x509Cert); } } X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return(result.CertPath.Certificates); }
public byte[] Sign(Stream data) { CmsProcessable msg = new CmsProcessableInputStream(data); CmsSignedDataGenerator gen = new CmsSignedDataGenerator(); SignerInfoGenerator signerInfoGenerator = new SignerInfoGeneratorBuilder() .WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator()) .Build(new Asn1SignatureFactory(algorithm, key), chain[0]); gen.AddSignerInfoGenerator(signerInfoGenerator); X509CollectionStoreParameters collectionStoreParameters = new X509CollectionStoreParameters(new List <X509Certificate>(chain)); IX509Store collectionStore = X509StoreFactory.Create("CERTIFICATE/COLLECTION", collectionStoreParameters); gen.AddCertificates(collectionStore); CmsSignedData sigData = gen.Generate(msg, false); return(sigData.GetEncoded()); }
public static IX509Store Create(string type, IX509StoreParameters parameters) { if (type == null) { throw new ArgumentNullException("type"); } string[] array = Platform.ToUpperInvariant(type).Split('/'); if (array.Length < 2) { throw new ArgumentException("type"); } if (array[1] != "COLLECTION") { throw new NoSuchStoreException("X.509 store type '" + type + "' not available."); } X509CollectionStoreParameters x509CollectionStoreParameters = (X509CollectionStoreParameters)parameters; ICollection collection = x509CollectionStoreParameters.GetCollection(); switch (array[0]) { case "ATTRIBUTECERTIFICATE": checkCorrectType(collection, typeof(IX509AttributeCertificate)); break; case "CERTIFICATE": checkCorrectType(collection, typeof(X509Certificate)); break; case "CERTIFICATEPAIR": checkCorrectType(collection, typeof(X509CertificatePair)); break; case "CRL": checkCorrectType(collection, typeof(X509Crl)); break; default: throw new NoSuchStoreException("X.509 store type '" + type + "' not available."); } return(new X509CollectionStore(collection)); }
private byte[] SignWithCertificate(byte[] bytesToSign) { var generator = new CmsSignedDataGenerator(); var privKey = _gatewayKeyProvider.SigningPrivateKey; var certificate = _gatewayKeyProvider.SigningCertificate; var certificates = new List <Org.BouncyCastle.X509.X509Certificate>(); certificates.Add(certificate); var storeParameters = new X509CollectionStoreParameters(certificates); IX509Store store = X509StoreFactory.Create("Certificate/Collection", storeParameters); generator.AddSigner(privKey, certificate, CmsSignedGenerator.EncryptionRsa, CmsSignedGenerator.DigestSha256); generator.AddCertificates(store); var message = new CmsProcessableByteArray(bytesToSign); CmsSignedData signedData = generator.Generate(message, false); return(signedData.GetEncoded()); }
static void Main(string[] args) { byte[] entradaArray = File.ReadAllBytes(@"certificado/arquivoTeste.txt"); AsymmetricKeyParameter chavePrivada; X509Certificate certificadoX509 = getCertificadoX509(@"certificado/certificado.p12", "123!@#", out chavePrivada); SHA512Managed hashSHA512 = new SHA512Managed(); SHA256Managed hashSHA256 = new SHA256Managed(); byte[] certificadoX509Hash = hashSHA256.ComputeHash(certificadoX509.GetEncoded()); byte[] EntradaHash = hashSHA512.ComputeHash(entradaArray); CmsSignedDataGenerator geradorCms = new CmsSignedDataGenerator(); // //atributos // Asn1EncodableVector atributosAssinados = new Asn1EncodableVector(); //1.2.840.113549.1.9.3 -> ContentType //1.2.840.113549.1.7.1 -> RSA Security Data Inc atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.ContentType, new DerSet(new DerObjectIdentifier("1.2.840.113549.1.7.1")))); //1.2.840.113549.1.9.5 -> Signing Time atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.SigningTime, new DerSet(new DerUtcTime(DateTime.Now)))); //1.2.840.113549.1.9.4 -> messageDigest atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(CmsAttributes.MessageDigest, new DerSet(new DerOctetString(EntradaHash)))); //2.16.840.1.101.3.4.2.3 -> SHA-512 //2.16.840.1.101.3.4.2.1 -> SHA-256 //1.2.840.113549.1.9.16.5.1 -> sigPolicyQualifier-spuri DerObjectIdentifier identificadorPolicyID = new DerObjectIdentifier("1.2.840.113549.1.9.16.2.15"); byte[] policyHASH = System.Text.Encoding.ASCII.GetBytes("0F6FA2C6281981716C95C79899039844523B1C61C2C962289CDAC7811FEEE29E"); List <SigPolicyQualifierInfo> sigPolicyQualifierInfos = new List <SigPolicyQualifierInfo>(); Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier algoritmoIdentificador = new Org.BouncyCastle.Asn1.X509.AlgorithmIdentifier("2.16.840.1.101.3.4.2.3"); SigPolicyQualifierInfo bcSigPolicyQualifierInfo = new SigPolicyQualifierInfo(new DerObjectIdentifier("1.2.840.113549.1.9.16.5.1"), new DerIA5String("http://politicas.icpbrasil.gov.br/PA_AD_RB_v2_2.der")); sigPolicyQualifierInfos.Add(bcSigPolicyQualifierInfo); SignaturePolicyId signaturePolicyId = new SignaturePolicyId(DerObjectIdentifier.GetInstance(new DerObjectIdentifier("2.16.76.1.7.1.6.2.2")), new OtherHashAlgAndValue(algoritmoIdentificador, new DerOctetString(policyHASH)), sigPolicyQualifierInfos); atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(identificadorPolicyID, new DerSet(signaturePolicyId))); //1.2.840.113549.1.9.16.2.47 -> id-aa-signingCertificateV2 Org.BouncyCastle.Asn1.Ess.EssCertIDv2 essCertIDv2; essCertIDv2 = new Org.BouncyCastle.Asn1.Ess.EssCertIDv2(certificadoX509Hash); atributosAssinados.Add(new Org.BouncyCastle.Asn1.Cms.Attribute(new DerObjectIdentifier("1.2.840.113549.1.9.16.2.47"), new DerSet(essCertIDv2))); AttributeTable atributosAssinadosTabela = new AttributeTable(atributosAssinados); //geradorCms.AddSigner(chavePrivada, certificadoX509, CmsSignedDataGenerator.DigestSha256, new DefaultSignedAttributeTableGenerator(atributosAssinadosTabela), null); geradorCms.AddSigner(chavePrivada, certificadoX509, CmsSignedDataGenerator.DigestSha512, new DefaultSignedAttributeTableGenerator(atributosAssinadosTabela), null); List <X509Certificate> certificadoX509Lista = new List <X509Certificate>(); certificadoX509Lista.Add(certificadoX509); //storeCerts.AddRange(chain); X509CollectionStoreParameters parametrosArmazem = new X509CollectionStoreParameters(certificadoX509Lista); IX509Store armazemCertificado = X509StoreFactory.Create("CERTIFICATE/COLLECTION", parametrosArmazem); geradorCms.AddCertificates(armazemCertificado); var dadosAssinado = geradorCms.Generate(new CmsProcessableByteArray(entradaArray), true); // encapsulate = false for detached signature Console.WriteLine("Codificado => " + Convert.ToBase64String(dadosAssinado.GetEncoded())); }