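        /// <summary>
        /// Checks that the certificates handed to the sealer are usable for signing before any
        /// cryptographic operation is attempted with them.
        /// </summary>
        /// <param name="authSign">
        /// Authentication certificate; mandatory. Must carry a private key and the
        /// <c>digitalSignature</c> key-usage bit.
        /// </param>
        /// <param name="nonRepCert">
        /// Non-repudiation certificate; optional. When supplied it must carry a private key and the
        /// <c>nonRepudiation</c> key-usage bit.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="authSign"/> is <c>null</c>.</exception>
        /// <exception cref="ArgumentException">A certificate has no private key or lacks the required key-usage bit.</exception>
        /// <remarks>
        /// NOTE(review): only private-key presence and key-usage bits are checked here; the validity
        /// period and chain trust of the certificates are not verified by this method.
        /// </remarks>
        private static void ValidateCertificates(X509Certificate2 authSign, X509Certificate2 nonRepCert)
        {
            if (authSign == null)
            {
                throw new ArgumentNullException(nameof(authSign), "The authentication certificate must be provided");
            }
            if (!authSign.HasPrivateKey)
            {
                // ArgumentException takes (message, paramName); the original call had the two swapped,
                // which made the parameter name show up as the exception message.
                throw new ArgumentException("The authentication certificate must have a private key", nameof(authSign));
            }
            BC::X509.X509Certificate bcAuthentication = DotNetUtilities.FromX509Certificate(authSign);
            // GetKeyUsage() returns null when the certificate carries no KeyUsage extension at all;
            // treat that like a missing bit instead of dereferencing null.
            // Index 0 of the returned array is the digitalSignature bit of the KeyUsage bit string.
            bool[] authUsage = bcAuthentication.GetKeyUsage();
            if (authUsage == null || authUsage.Length < 1 || !authUsage[0])
            {
                throw new ArgumentException("The authentication certificate must have a key for signing", nameof(authSign));
            }

            if (nonRepCert != null)
            {
                if (!nonRepCert.HasPrivateKey)
                {
                    throw new ArgumentException("The non-repudiation certificate must have a private key", nameof(nonRepCert));
                }
                BC::X509.X509Certificate bcNonRepudiation = DotNetUtilities.FromX509Certificate(nonRepCert);
                // Index 1 is the nonRepudiation (contentCommitment) bit; same null/length guard as above.
                bool[] nonRepUsage = bcNonRepudiation.GetKeyUsage();
                if (nonRepUsage == null || nonRepUsage.Length < 2 || !nonRepUsage[1])
                {
                    throw new ArgumentException("The non-repudiation certificate must have a key for non-Repudiation", nameof(nonRepCert));
                }
            }
        }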
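        /// <summary>
        /// Produces a detached CMS (PKCS#7) signature over <paramref name="unsigned"/> with the private
        /// key of <paramref name="selectedCert"/> and writes the DER-encoded SignedData to <paramref name="signed"/>.
        /// </summary>
        /// <param name="signed">Destination stream for the encoded detached signature.</param>
        /// <param name="unsigned">Content to sign; it is read but not copied into the signature.</param>
        /// <param name="selectedCert">Signing certificate; must expose a private key.</param>
        /// <exception cref="ArgumentNullException">Any argument is <c>null</c>.</exception>
        /// <remarks>
        /// Signing is first attempted with BouncyCastle using the configured native signature
        /// algorithm. If extracting the key pair throws <see cref="CryptographicException"/>
        /// (presumably when the private key cannot be exported from its provider — TODO confirm),
        /// the Windows signature factory is used instead with the configured Windows algorithm.
        /// </remarks>
        protected void SignDetached(Stream signed, Stream unsigned, X509Certificate2 selectedCert)
        {
            // Fail early on missing arguments instead of dereferencing null after the key has been handled.
            if (signed == null)
            {
                throw new ArgumentNullException(nameof(signed));
            }
            if (unsigned == null)
            {
                throw new ArgumentNullException(nameof(unsigned));
            }
            if (selectedCert == null)
            {
                throw new ArgumentNullException(nameof(selectedCert));
            }

            BC::X509.X509Certificate bcSelectedCert = DotNetUtilities.FromX509Certificate(selectedCert);
#if NETFRAMEWORK
            trace.TraceEvent(TraceEventType.Information, 0, "Signing the message in name of {0}", selectedCert.Subject);
#else
            logger.LogInformation("Signing the message in name of {0}", selectedCert.Subject);
#endif

            BC.Crypto.ISignatureFactory sigFactory;
            try
            {
                // Native path: BouncyCastle signs with an exported copy of the private key.
                SignatureAlgorithm signAlgo = EteeActiveConfig.Seal.NativeSignatureAlgorithm;
                BC::Crypto.AsymmetricCipherKeyPair keyPair = DotNetUtilities.GetKeyPair(selectedCert.PrivateKey);
                sigFactory = new Asn1SignatureFactory(signAlgo.Algorithm.FriendlyName, keyPair.Private);
            }
            catch (CryptographicException)
            {
                // Fallback path: let the Windows provider sign in place with the key it holds.
                SignatureAlgorithm signAlgo = EteeActiveConfig.Seal.WindowsSignatureAlgorithm;
                sigFactory = new WinSignatureFactory(signAlgo.Algorithm, signAlgo.DigestAlgorithm, selectedCert.PrivateKey);
            }

            SignerInfoGenerator sigInfoGen = new SignerInfoGeneratorBuilder()
                                             .Build(sigFactory, bcSelectedCert);

            CmsSignedDataGenerator cmsSignedDataGen = new CmsSignedDataGenerator();
            cmsSignedDataGen.AddSignerInfoGenerator(sigInfoGen);

            // 'false' = detached: the signed content is not embedded in the SignedData structure.
            CmsSignedData detachedSignature = cmsSignedDataGen.Generate(new CmsProcessableProxy(unsigned), false);

            byte[] detachedSignatureBytes = detachedSignature.GetEncoded();
            signed.Write(detachedSignatureBytes, 0, detachedSignatureBytes.Length);
        }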
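        /// <summary>
        /// Encrypts <paramref name="clear"/> as a CMS EnvelopedData stream written to <paramref name="cipher"/>,
        /// adding one recipient info per certificate, one KEK recipient for the shared secret key and one
        /// key-transport recipient per web key.
        /// </summary>
        /// <param name="cipher">Destination stream for the enveloped (encrypted) message.</param>
        /// <param name="clear">Plaintext to encrypt; read to its end.</param>
        /// <param name="certs">Known recipients (key-transport); may be <c>null</c>.</param>
        /// <param name="key">Shared secret for an unknown recipient (AES key-encryption key); may be <c>null</c>.</param>
        /// <param name="webKeys">Public keys of web recipients (key-transport); may be <c>null</c>.</param>
        /// <exception cref="ArgumentNullException"><paramref name="cipher"/> or <paramref name="clear"/> is <c>null</c>.</exception>
        /// <remarks>
        /// NOTE(review): no check is made that at least one recipient was added; what the generator does
        /// with an empty recipient set is not visible here — confirm against the caller.
        /// </remarks>
        protected void Encrypt(Stream cipher, Stream clear, ICollection <X509Certificate2> certs, SecretKey key, WebKey[] webKeys)
        {
            // Reject missing streams before any recipient info is built.
            if (cipher == null)
            {
                throw new ArgumentNullException(nameof(cipher));
            }
            if (clear == null)
            {
                throw new ArgumentNullException(nameof(clear));
            }
#if NETFRAMEWORK
            trace.TraceEvent(TraceEventType.Information, 0, "Encrypting message for {0} known and {1} unknown recipient",
                             certs == null ? 0 : certs.Count, key == null ? 0 : 1);
#else
            logger.LogInformation("Encrypting message for {0} known and {1} unknown recipient",
                                  certs == null ? 0 : certs.Count, key == null ? 0 : 1);
#endif
            CmsEnvelopedDataStreamGenerator encryptGenerator = new CmsEnvelopedDataStreamGenerator();
            if (certs != null)
            {
                // Known recipients: the content-encryption key is wrapped with each certificate's public key.
                foreach (X509Certificate2 cert in certs)
                {
                    BC::X509.X509Certificate bcCert = DotNetUtilities.FromX509Certificate(cert);
                    encryptGenerator.AddKeyTransRecipient(bcCert);
#if NETFRAMEWORK
                    trace.TraceEvent(TraceEventType.Verbose, 0, "Added known recipient: {0} ({1})", bcCert.SubjectDN.ToString(), bcCert.IssuerDN.ToString());
#else
                    logger.LogDebug("Added known recipient: {0} ({1})", bcCert.SubjectDN.ToString(), bcCert.IssuerDN.ToString());
#endif
                }
            }
            if (key != null)
            {
                // Unknown recipient: the content-encryption key is wrapped with the shared AES key, identified by key.Id.
                encryptGenerator.AddKekRecipient("AES", key.BCKey, key.Id);
#if NETFRAMEWORK
                trace.TraceEvent(TraceEventType.Verbose, 0, "Added unknown recipient [Algorithm={0}, keyId={1}]", "AES", key.IdString);
#else
                logger.LogDebug("Added unknown recipient [Algorithm={0}, keyId={1}]", "AES", key.IdString);
#endif
            }
            if (webKeys != null)
            {
                // Web recipients: key transport with a bare public key rather than a certificate.
                foreach (WebKey webKey in webKeys)
                {
                    encryptGenerator.AddKeyTransRecipient(webKey.BCPublicKey, webKey.Id);
#if NETFRAMEWORK
                    trace.TraceEvent(TraceEventType.Verbose, 0, "Added web recipient [Algorithm={0}, keyId={1}]", "RSA", webKey.IdString);
#else
                    logger.LogDebug("Added web recipient [Algorithm={0}, keyId={1}]", "RSA", webKey.IdString);
#endif
                }
            }

            // The content-encryption algorithm comes from configuration (OID in .Value).
            Stream encryptingStream = encryptGenerator.Open(cipher, EteeActiveConfig.Seal.EncryptionAlgorithm.Value);
#if NETFRAMEWORK
            trace.TraceEvent(TraceEventType.Verbose, 0, "Create encrypted message (still empty) [EncAlgo={0} ({1})]",
                             EteeActiveConfig.Seal.EncryptionAlgorithm.FriendlyName, EteeActiveConfig.Seal.EncryptionAlgorithm.Value);
#else
            logger.LogDebug("Create encrypted message (still empty) [EncAlgo={0} ({1})]",
                            EteeActiveConfig.Seal.EncryptionAlgorithm.FriendlyName, EteeActiveConfig.Seal.EncryptionAlgorithm.Value);
#endif
            try
            {
                clear.CopyTo(encryptingStream);
#if NETFRAMEWORK
                trace.TraceEvent(TraceEventType.Verbose, 0, "Message encrypted");
#else
                logger.LogDebug("Message encrypted");
#endif
            }
            finally
            {
                // Closing the generator stream finalises the EnvelopedData structure on 'cipher';
                // it must happen even when copying the plaintext failed.
                encryptingStream.Close();
#if NETFRAMEWORK
                trace.TraceEvent(TraceEventType.Verbose, 0, "Recipient infos added");
#else
                logger.LogDebug("Recipient infos added");
#endif
            }
        }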