/**
         * Call this method to have LTV information added to the {@link PdfStamper}
         * given in the constructor.
         */
        public void enable(IOcspClient ocspClient, ICrlClient crlClient)
        {
            AcroFields fields    = pdfStamper.AcroFields;
            bool       encrypted = pdfStamper.Reader.IsEncrypted();

            List <String> names = fields.GetSignatureNames();

            foreach (String name in names)
            {
                PdfPKCS7        pdfPKCS7            = fields.VerifySignature(name);
                PdfDictionary   signatureDictionary = fields.GetSignatureDictionary(name);
                X509Certificate certificate         = pdfPKCS7.SigningCertificate;
                addLtvForChain(certificate, ocspClient, crlClient, getSignatureHashKey(signatureDictionary, encrypted));
            }

            outputDss();
        }
        /// <summary>
        /// 
        /// </summary>
        /// <param name="src"></param>
        /// <param name="dest"></param>
        /// <param name="ocsp"></param>
        /// <param name="crl"></param>
        private static void AddLtv(byte[] src, String dest, IOcspClient ocsp, ICrlClient crl)
        {
            var r = new PdfReader(src);
            var fos = new FileStream(dest, FileMode.Create);
            var stp = new PdfStamper(r, fos, '\0', true);
            LtvVerification v = stp.LtvVerification;
            AcroFields fields = stp.AcroFields;
            List<String> names = fields.GetSignatureNames();
            String sigName = names[names.Count - 1];
            PdfPKCS7 pkcs7 = fields.VerifySignature(sigName);
            if (pkcs7.IsTsp)
                v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.SIGNING_CERTIFICATE, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
            else
                foreach (String name in names)
                    v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);

            stp.Close();
        }
        //
        // the actual LTV enabling methods
        //
        void addLtvForChain(X509Certificate certificate, IOcspClient ocspClient, ICrlClient crlClient, PdfName key)
        {
            if (seenCertificates.Contains(certificate))
            {
                return;
            }
            seenCertificates.Add(certificate);
            ValidationData validationData = new ValidationData();

            while (certificate != null)
            {
                // Console.WriteLine(certificate.SubjectDN);
                X509Certificate issuer = getIssuerCertificate(certificate);
                validationData.certs.Add(certificate.GetEncoded());
                byte[] ocspResponse = ocspClient.GetEncoded(certificate, issuer, null);
                if (ocspResponse != null)
                {
                    // Console.WriteLine("  with OCSP response");
                    validationData.ocsps.Add(ocspResponse);
                    X509Certificate ocspSigner = getOcspSignerCertificate(ocspResponse);
                    ////if (ocspSigner != null)
                    ////{
                    ////    Console.WriteLine("  signed by {0}\n", ocspSigner.SubjectDN);
                    ////}
                    addLtvForChain(ocspSigner, ocspClient, crlClient, getOcspHashKey(ocspResponse));
                }
                else
                {
                    ICollection <byte[]> crl = crlClient.GetEncoded(certificate, null);
                    if (crl != null && crl.Count > 0)
                    {
                        //Console.WriteLine("  with {0} CRLs\n", crl.Count);
                        foreach (byte[] crlBytes in crl)
                        {
                            validationData.crls.Add(crlBytes);
                            addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));
                        }
                    }
                }
                certificate = issuer;
            }

            validated[key] = validationData;
        }
Esempio n. 4
0
 /**
  * Add verification for a particular signature
  * @param signatureName the signature to validate (it may be a timestamp)
  * @param ocsp the interface to get the OCSP
  * @param crl the interface to get the CRL
  * @param certOption
  * @param level the validation options to include
  * @param certInclude
  * @return true if a validation was generated, false otherwise
  * @throws Exception
  */
 virtual public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude) {
     if (used)
         throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
     PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
     LOGGER.Info("Adding verification for " + signatureName);
     X509Certificate[] xc = pk.Certificates;
     X509Certificate cert;
     X509Certificate signingCert = pk.SigningCertificate;
     ValidationData vd = new ValidationData();
     for (int k = 0; k < xc.Length; ++k) {
         cert = xc[k];
         LOGGER.Info("Certificate: " + cert.SubjectDN);
         if (certOption == CertificateOption.SIGNING_CERTIFICATE
             && !cert.Equals(signingCert)) {
             continue;
         }
         byte[] ocspEnc = null;
         if (ocsp != null && level != Level.CRL) {
             ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
             if (ocspEnc != null) {
                 vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
                 LOGGER.Info("OCSP added");
             }
         }
         if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null))) {
             ICollection<byte[]> cims = crl.GetEncoded(xc[k], null);
             if (cims != null) {
                 foreach (byte[] cim in cims) {
                     bool dup = false;
                     foreach (byte[] b in vd.crls) {
                         if (Arrays.AreEqual(b, cim)) {
                             dup = true;
                             break;
                         }
                     }
                     if (!dup) {
                         vd.crls.Add(cim);
                         LOGGER.Info("CRL added");
                     }
                 }
             }
         }
         if (certInclude == CertificateInclusion.YES) {
             vd.certs.Add(xc[k].GetEncoded());
         }
     }
     if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
         return false;
     validated[GetSignatureHashKey(signatureName)] = vd;
     return true;
 }
Esempio n. 5
0
        /**
         * Add verification for a particular signature
         * @param signatureName the signature to validate (it may be a timestamp)
         * @param ocsp the interface to get the OCSP
         * @param crl the interface to get the CRL
         * @param certOption
         * @param level the validation options to include
         * @param certInclude
         * @return true if a validation was generated, false otherwise
         * @throws Exception
         */
        public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude)
        {
            if (used)
            {
                throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
            }
            PdfPKCS7 pk = acroFields.VerifySignature(signatureName);

            LOGGER.Info("Adding verification for " + signatureName);
            X509Certificate[] xc = pk.Certificates;
            X509Certificate   cert;
            X509Certificate   signingCert = pk.SigningCertificate;
            ValidationData    vd          = new ValidationData();

            for (int k = 0; k < xc.Length; ++k)
            {
                cert = xc[k];
                LOGGER.Info("Certificate: " + cert.SubjectDN);
                if (certOption == CertificateOption.SIGNING_CERTIFICATE &&
                    !cert.Equals(signingCert))
                {
                    continue;
                }
                byte[] ocspEnc = null;
                if (ocsp != null && level != Level.CRL)
                {
                    ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
                    if (ocspEnc != null)
                    {
                        vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
                        LOGGER.Info("OCSP added");
                    }
                }
                if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
                {
                    ICollection <byte[]> cims = crl.GetEncoded(xc[k], null);
                    if (cims != null)
                    {
                        foreach (byte[] cim in cims)
                        {
                            bool dup = false;
                            foreach (byte[] b in vd.crls)
                            {
                                if (Arrays.AreEqual(b, cim))
                                {
                                    dup = true;
                                    break;
                                }
                            }
                            if (!dup)
                            {
                                vd.crls.Add(cim);
                                LOGGER.Info("CRL added");
                            }
                        }
                    }
                }
                if (certInclude == CertificateInclusion.YES)
                {
                    vd.certs.Add(xc[k].GetEncoded());
                }
            }
            if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
            {
                return(false);
            }
            validated[GetSignatureHashKey(signatureName)] = vd;
            return(true);
        }
Esempio n. 6
0
 /**
  * Add verification for a particular signature
  * @param signatureName the signature to validate (it may be a timestamp)
  * @param ocsp the interface to get the OCSP
  * @param crl the interface to get the CRL
  * @param certOption
  * @param level the validation options to include
  * @param certInclude
  * @return true if a validation was generated, false otherwise
  * @throws Exception
  */
 public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude) {
     if (used)
         throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
     PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
     X509Certificate[] xc = pk.SignCertificateChain;
     ValidationData vd = new ValidationData();
     for (int k = 0; k < xc.Length; ++k) {
         byte[] ocspEnc = null;
         if (ocsp != null && level != Level.CRL && k < xc.Length - 1) {
             ocspEnc = ocsp.GetEncoded(xc[k], xc[k + 1], null);
             if (ocspEnc != null)
                 vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
         }
         if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null))) {
             byte[] cim = crl.GetEncoded(xc[k], null);
             if (cim != null) {
                 bool dup = false;
                 foreach (byte[] b in vd.crls) {
                     if (Arrays.AreEqual(b, cim)) {
                         dup = true;
                         break;
                     }
                 }
                 if (!dup)
                     vd.crls.Add(cim);
             }
         }
         if (certOption == CertificateOption.SIGNING_CERTIFICATE)
             break;
     }
     if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
         return false;
     if (certInclude == CertificateInclusion.YES) {
         foreach (X509Certificate c in xc) {
             vd.certs.Add(c.GetEncoded());
         }
     }
     validated[GetSignatureHashKey(signatureName)] = vd;
     return true;
 }
Esempio n. 7
0
        /**
         * Add verification for a particular signature
         * @param signatureName the signature to validate (it may be a timestamp)
         * @param ocsp the interface to get the OCSP
         * @param crl the interface to get the CRL
         * @param certOption
         * @param level the validation options to include
         * @param certInclude
         * @return true if a validation was generated, false otherwise
         * @throws Exception
         */
        public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude)
        {
            if (used)
            {
                throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
            }
            PdfPKCS7 pk = acroFields.VerifySignature(signatureName);

            X509Certificate[] xc = pk.SignCertificateChain;
            ValidationData    vd = new ValidationData();

            for (int k = 0; k < xc.Length; ++k)
            {
                byte[] ocspEnc = null;
                if (ocsp != null && level != Level.CRL && k < xc.Length - 1)
                {
                    ocspEnc = ocsp.GetEncoded(xc[k], xc[k + 1], null);
                    if (ocspEnc != null)
                    {
                        vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
                    }
                }
                if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
                {
                    ICollection <byte[]> cims = crl.GetEncoded((X509Certificate)xc[k], null);
                    if (cims != null)
                    {
                        foreach (byte[] cim in cims)
                        {
                            bool dup = false;
                            foreach (byte[] b in vd.crls)
                            {
                                if (Arrays.AreEqual(b, cim))
                                {
                                    dup = true;
                                    break;
                                }
                            }
                            if (!dup)
                            {
                                vd.crls.Add(cim);
                            }
                        }
                    }
                }
                if (certOption == CertificateOption.SIGNING_CERTIFICATE)
                {
                    break;
                }
            }
            if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
            {
                return(false);
            }
            if (certInclude == CertificateInclusion.YES)
            {
                foreach (X509Certificate c in xc)
                {
                    vd.certs.Add(c.GetEncoded());
                }
            }
            validated[GetSignatureHashKey(signatureName)] = vd;
            return(true);
        }
Esempio n. 8
0
        /// <summary>Add verification for a particular signature.</summary>
        /// <param name="signatureName">the signature to validate (it may be a timestamp)</param>
        /// <param name="ocsp">the interface to get the OCSP</param>
        /// <param name="crl">the interface to get the CRL</param>
        /// <param name="certOption">options as to how many certificates to include</param>
        /// <param name="level">the validation options to include</param>
        /// <param name="certInclude">certificate inclusion options</param>
        /// <returns>true if a validation was generated, false otherwise</returns>
        /// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
        /// <exception cref="System.IO.IOException"/>
        public virtual bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, LtvVerification.CertificateOption
                                            certOption, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude)
        {
            if (used)
            {
                throw new InvalidOperationException(PdfException.VerificationAlreadyOutput);
            }
            PdfPKCS7 pk = sgnUtil.VerifySignature(signatureName);

            LOGGER.Info("Adding verification for " + signatureName);
            X509Certificate[] xc = pk.GetCertificates();
            X509Certificate   cert;
            X509Certificate   signingCert = pk.GetSigningCertificate();

            LtvVerification.ValidationData vd = new LtvVerification.ValidationData();
            for (int k = 0; k < xc.Length; ++k)
            {
                cert = (X509Certificate)xc[k];
                LOGGER.Info("Certificate: " + cert.SubjectDN);
                if (certOption == LtvVerification.CertificateOption.SIGNING_CERTIFICATE && !cert.Equals(signingCert))
                {
                    continue;
                }
                byte[] ocspEnc = null;
                if (ocsp != null && level != LtvVerification.Level.CRL)
                {
                    ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
                    if (ocspEnc != null)
                    {
                        vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
                        LOGGER.Info("OCSP added");
                    }
                }
                if (crl != null && (level == LtvVerification.Level.CRL || level == LtvVerification.Level.OCSP_CRL || (level
                                                                                                                      == LtvVerification.Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
                {
                    ICollection <byte[]> cims = crl.GetEncoded(cert, null);
                    if (cims != null)
                    {
                        foreach (byte[] cim in cims)
                        {
                            bool dup = false;
                            foreach (byte[] b in vd.crls)
                            {
                                if (JavaUtil.ArraysEquals(b, cim))
                                {
                                    dup = true;
                                    break;
                                }
                            }
                            if (!dup)
                            {
                                vd.crls.Add(cim);
                                LOGGER.Info("CRL added");
                            }
                        }
                    }
                }
                if (certInclude == LtvVerification.CertificateInclusion.YES)
                {
                    vd.certs.Add(cert.GetEncoded());
                }
            }
            if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
            {
                return(false);
            }
            validated.Put(GetSignatureHashKey(signatureName), vd);
            return(true);
        }
        static void addLTVToStream(Stream source, Stream destination, IOcspClient ocsp, ICrlClient crl,
                                   LtvVerification.Level timestampLevel, LtvVerification.Level signatureLevel)
        {
            PdfDocument pdfDoc = new PdfDocument(new PdfReader(source),
                                                 new PdfWriter(destination),
                                                 new StampingProperties().UseAppendMode());

            LtvVerification v             = new LtvVerification(pdfDoc);
            SignatureUtil   signatureUtil = new SignatureUtil(pdfDoc);

            IList <string> names   = signatureUtil.GetSignatureNames();
            String         sigName = names[(names.Count - 1)];

            PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(sigName);

            if (pkcs7.IsTsp())
            {
                v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                                  timestampLevel, LtvVerification.CertificateInclusion.YES);
            }
            else
            {
                foreach (String name in names)
                {
                    v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                                      signatureLevel, LtvVerification.CertificateInclusion.YES);
                }
            }

            v.Merge();
            pdfDoc.Close();
        }