/**
         * Validate the timestamp request, checking the digest to see if it is of an
         * accepted type and whether it is of the correct length for the algorithm specified.
         *
         * @param algorithms a set of string OIDS giving accepted algorithms.
         * @param policies if non-null a set of policies we are willing to sign under.
         * @param extensions if non-null a set of extensions we are willing to accept.
         * @throws TspException if the request is invalid, or processing fails.
         */
        public void Validate(
            IList algorithms,
            IList policies,
            IList extensions)
        {
            if (!algorithms.Contains(this.MessageImprintAlgOid))
            {
                throw new TspValidationException("request contains unknown algorithm.", PkiFailureInfo.BadAlg);
            }

            if (policies != null && this.ReqPolicy != null && !policies.Contains(this.ReqPolicy))
            {
                throw new TspValidationException("request contains unknown policy.", PkiFailureInfo.UnacceptedPolicy);
            }

            if (this.Extensions != null && extensions != null)
            {
                foreach (DerObjectIdentifier oid in this.Extensions.ExtensionOids)
                {
                    if (!extensions.Contains(oid.Id))
                    {
                        throw new TspValidationException("request contains unknown extension.",
                                                         PkiFailureInfo.UnacceptedExtension);
                    }
                }
            }

            int digestLength = TspUtil.GetDigestLength(this.MessageImprintAlgOid);

            if (digestLength != this.GetMessageImprintDigest().Length)
            {
                throw new TspValidationException("imprint digest the wrong length.",
                                                 PkiFailureInfo.BadDataFormat);
            }
        }
        /**
         * create with a signer with extra signed/unsigned attributes.
         */
        public TimeStampTokenGenerator(
            AsymmetricKeyParameter key,
            X509Certificate cert,
            string digestOID,
            string tsaPolicyOID,
            Asn1.Cms.AttributeTable signedAttr,
            Asn1.Cms.AttributeTable unsignedAttr)
        {
            this.key          = key;
            this.cert         = cert;
            this.digestOID    = digestOID;
            this.tsaPolicyOID = tsaPolicyOID;
            this.unsignedAttr = unsignedAttr;

            TspUtil.ValidateCertificate(cert);

            //
            // Add the ESSCertID attribute
            //
            IDictionary signedAttrs;

            if (signedAttr != null)
            {
                signedAttrs = signedAttr.ToDictionary();
            }
            else
            {
                signedAttrs = Platform.CreateHashtable();
            }

            try
            {
                byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded());

                EssCertID essCertid = new EssCertID(hash);

                Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute(
                    PkcsObjectIdentifiers.IdAASigningCertificate,
                    new DerSet(new SigningCertificate(essCertid)));

                signedAttrs[attr.AttrType] = attr;
            }
            catch (CertificateEncodingException e)
            {
                throw new TspException("Exception processing certificate.", e);
            }
            catch (SecurityUtilityException e)
            {
                throw new TspException("Can't find a SHA-1 implementation.", e);
            }

            this.signedAttr = new Asn1.Cms.AttributeTable(signedAttrs);
        }
Exemple #3
0
        /**
         * Validate the time stamp token.
         * <p>
         * To be valid the token must be signed by the passed in certificate and
         * the certificate must be the one referred to by the SigningCertificate
         * attribute included in the hashed attributes of the token. The
         * certificate must also have the ExtendedKeyUsageExtension with only
         * KeyPurposeID.IdKPTimeStamping and have been valid at the time the
         * timestamp was created.
         * </p>
         * <p>
         * A successful call to validate means all the above are true.
         * </p>
         */
        public void Validate(
            X509Certificate cert)
        {
            try
            {
                byte[] hash = DigestUtilities.CalculateDigest(
                    certID.GetHashAlgorithm(), cert.GetEncoded());

                if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), hash))
                {
                    throw new TspValidationException("certificate hash does not match certID hash.");
                }

                if (certID.IssuerSerial != null)
                {
                    if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber))
                    {
                        throw new TspValidationException("certificate serial number does not match certID for signature.");
                    }

                    GeneralName[] names     = certID.IssuerSerial.Issuer.GetNames();
                    X509Name      principal = PrincipalUtilities.GetIssuerX509Principal(cert);
                    bool          found     = false;

                    for (int i = 0; i != names.Length; i++)
                    {
                        if (names[i].TagNo == 4 &&
                            X509Name.GetInstance(names[i].Name).Equivalent(principal))
                        {
                            found = true;
                            break;
                        }
                    }

                    if (!found)
                    {
                        throw new TspValidationException("certificate name does not match certID for signature. ");
                    }
                }

                TspUtil.ValidateCertificate(cert);

                cert.CheckValidity(tstInfo.GenTime);

                if (!tsaSignerInfo.Verify(cert))
                {
                    throw new TspValidationException("signature not created by certificate.");
                }
            }
            catch (CmsException e)
            {
                if (e.InnerException != null)
                {
                    throw new TspException(e.Message, e.InnerException);
                }

                throw new TspException("CMS exception: " + e, e);
            }
            catch (CertificateEncodingException e)
            {
                throw new TspException("problem processing certificate: " + e, e);
            }
            catch (SecurityUtilityException e)
            {
                throw new TspException("cannot find algorithm: " + e.Message, e);
            }
        }