public byte[] GetCertHash()
 {
     if (certID == null)
     {
         return(certIDv2.GetCertHash());
     }
     return(certID.GetCertHash());
 }
 public byte[] GetCertHash()
 {
     return(certID != null
                             ?       certID.GetCertHash()
                             :       certIDv2.GetCertHash());
 }
Esempio n. 3
0
        private void ReadInformation()
        {
            if (_signerInformation.SignedAttributes[PkcsObjectIdentifiers.Pkcs9AtSigningTime] != null)
            {
                _signingDate = DerUtcTime.GetInstance(_signerInformation.SignedAttributes[PkcsObjectIdentifiers.Pkcs9AtSigningTime].AttrValues[0]).ToDateTime().ToLocalTime();
            }

            if (_signerInformation.SignedAttributes[PkcsObjectIdentifiers.IdAAEtsSignerAttr] != null)
            {
                var signerAttr = SignerAttribute.GetInstance(_signerInformation.SignedAttributes[PkcsObjectIdentifiers.IdAAEtsSignerAttr].AttrValues[0]);

                List <string> claimedRoles = new List <string>();

                foreach (BcCms.Attribute claimedAttr in signerAttr.ClaimedAttributes)
                {
                    foreach (var value in claimedAttr.AttrValues)
                    {
                        claimedRoles.Add(DerUtf8String.GetInstance(value).GetString());
                    }
                }

                _signerRoles = claimedRoles;
            }

            if (_signerInformation.UnsignedAttributes != null &&
                _signerInformation.UnsignedAttributes[PkcsObjectIdentifiers.IdAASignatureTimeStampToken] != null)
            {
                _timeStamp = new TimeStampToken(new CmsSignedData(_signerInformation.UnsignedAttributes[PkcsObjectIdentifiers.IdAASignatureTimeStampToken].AttrValues[0].GetEncoded()));
            }

            // Se leen las contrafirmas
            var signers = _signerInformation.GetCounterSignatures().GetSigners();

            _counterSignatures = new List <SignerInfoNode>();

            foreach (var signer in signers)
            {
                SignerInfoNode node = new SignerInfoNode((SignerInformation)signer, _sigDocument);

                _counterSignatures.Add(node);
            }

            // Se intenta identificar el certificado empleado para la firma, esto quizás se pueda mejorar
            byte[]       certHash     = null;
            IssuerSerial issuerSerial = null;

            if (_signerInformation.DigestAlgOid == DigestMethod.SHA1.Oid)
            {
                BcCms.Attribute    attr = _signerInformation.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificate];
                SigningCertificate sc   = SigningCertificate.GetInstance(attr.AttrValues[0]);
                EssCertID          ecid = sc.GetCerts()[0];
                issuerSerial = ecid.IssuerSerial;
                certHash     = ecid.GetCertHash();
            }
            else
            {
                BcCms.Attribute      attr = _signerInformation.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificateV2];
                SigningCertificateV2 sc2  = SigningCertificateV2.GetInstance(attr.AttrValues[0]);
                EssCertIDv2          ecid = sc2.GetCerts()[0];
                issuerSerial = ecid.IssuerSerial;
                certHash     = ecid.GetCertHash();
            }

            DigestMethod digestMethod = DigestMethod.GetByOid(_signerInformation.DigestAlgOid);

            foreach (X509CertificateStructure cs in _sigDocument.Certificates)
            {
                if (issuerSerial == null || cs.TbsCertificate.SerialNumber.Equals(issuerSerial.Serial))
                {
                    byte[] currentCertHash = digestMethod.CalculateDigest(cs.GetEncoded());

                    if (certHash.SequenceEqual(currentCertHash))
                    {
                        _certificate = new X509Certificate(cs);
                        break;
                    }
                }
            }
        }
        /**
         * Validate the time stamp token.
         * <p>
         * To be valid the token must be signed by the passed in certificate and
         * the certificate must be the one referred to by the SigningCertificate
         * attribute included in the the hashed attributes of the token. The
         * certificate must also have the ExtendedKeyUsageExtension with only
         * KeyPurposeID.IdKPTimeStamping and have been valid at the time the
         * timestamp was created.
         * </p>
         * <p>
         * A successful call to validate means all the above are true.
         * </p>
         */
        public void Validate(
            X509Certificate cert)
        {
            IDigest digest;

            try
            {
                digest = DigestUtilities.GetDigest("SHA-1");
            }
            catch (SecurityUtilityException e)
            {
                throw new TspException("cannot find algorithm: " + e.Message, e);
            }

            try
            {
                byte[] certEncoded = cert.GetEncoded();
                digest.BlockUpdate(certEncoded, 0, certEncoded.Length);
                byte[] hash = DigestUtilities.DoFinal(digest);

                if (!Arrays.AreEqual(certID.GetCertHash(), hash))
                {
                    throw new TspValidationException("certificate hash does not match certID hash.");
                }

                if (certID.IssuerSerial != null)
                {
                    if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber))
                    {
                        throw new TspValidationException("certificate serial number does not match certID for signature.");
                    }

                    GeneralName[] names     = certID.IssuerSerial.Issuer.GetNames();
                    X509Name      principal = PrincipalUtilities.GetIssuerX509Principal(cert);
                    bool          found     = false;

                    for (int i = 0; i != names.Length; i++)
                    {
                        if (names[i].TagNo == 4 &&
                            X509Name.GetInstance(names[i].Name).Equals(principal))
                        {
                            found = true;
                            break;
                        }
                    }

                    if (!found)
                    {
                        throw new TspValidationException("certificate name does not match certID for signature. ");
                    }
                }

                TspUtil.ValidateCertificate(cert);

                cert.CheckValidity(tstInfo.GenTime);

                if (!tsaSignerInfo.Verify(cert))
                {
                    throw new TspValidationException("signature not created by certificate.");
                }
            }
            catch (CmsException e)
            {
                if (e.InnerException != null)
                {
                    throw new TspException(e.Message, e.InnerException);
                }

                throw new TspException("CMS exception: " + e, e);
            }
            catch (CertificateEncodingException e)
            {
                throw new TspException("problem processing certificate: " + e, e);
            }
        }