		// constructors

		/// <summary>
		/// Creates a signer with the library defaults: the signing certificate is identified
		/// by issuer and serial number, the digest OID is 1.3.14.3.2.26 (SHA-1), the chain is
		/// included without its root, and the attribute and certificate collections start empty.
		/// </summary>
		/// <remarks>
		/// The SHA-1 default is kept for compatibility only; set the digest algorithm
		/// explicitly when a stronger digest is required.
		/// </remarks>
		public CmsSigner ()
		{
			// Empty containers; callers fill them in before signing.
			_signed = new CryptographicAttributeObjectCollection ();
			_unsigned = new CryptographicAttributeObjectCollection ();
			_coll = new X509Certificate2Collection ();

			// Default signer identification, chain inclusion and digest.
			_signer = SubjectIdentifierType.IssuerAndSerialNumber;
			_options = X509IncludeOption.ExcludeRoot;
			_digest = new Oid ("1.3.14.3.2.26");	// SHA-1
		}
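        /// <summary>
        /// Initializes a <see cref="KeyInfoX509Data"/> from <paramref name="cert"/>, adding the
        /// certificates selected by <paramref name="includeOption"/>.
        /// </summary>
        /// <param name="cert">The end-entity certificate.</param>
        /// <param name="includeOption">
        /// <see cref="X509IncludeOption.EndCertOnly"/> adds only <paramref name="cert"/>;
        /// <see cref="X509IncludeOption.ExcludeRoot"/> adds the built chain without its last
        /// element (only the end certificate when the chain is self-signed);
        /// <see cref="X509IncludeOption.WholeChain"/> adds every chain element.
        /// Any other value, including <see cref="X509IncludeOption.None"/>, adds nothing.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
        /// <exception cref="CryptographicException">A chain had to be built but only a partial
        /// chain was available (CERT_E_CHAINING, 0x800B010A).</exception>
        /// <remarks>
        /// The chain is built only to collect certificates: the result of
        /// <see cref="X509Chain.Build"/> and every status flag other than
        /// <see cref="X509ChainStatusFlags.PartialChain"/> are ignored, so the presence of a
        /// chain in the KeyInfo says nothing about its trust.
        /// </remarks>
        public KeyInfoX509Data(X509Certificate cert, X509IncludeOption includeOption)
        {
            if (cert == null)
            {
                throw new ArgumentNullException("cert");
            }
            X509Certificate2 certificate = new X509Certificate2(cert);
            switch (includeOption)
            {
                case X509IncludeOption.ExcludeRoot:
                {
                    X509Chain chain = BuildChainOrThrow(certificate);
                    try
                    {
                        X509ChainElementCollection chainElements = chain.ChainElements;
                        // A self-signed certificate is its own root: keep only the end certificate.
                        int count = System.Security.Cryptography.X509Certificates.X509Utils.IsSelfSigned(chain) ? 1 : (chainElements.Count - 1);
                        for (int i = 0; i < count; i++)
                        {
                            this.AddCertificate(chainElements[i].Certificate);
                        }
                    }
                    finally
                    {
                        // Release the native chain context; the element certificates already
                        // copied into this instance are independent objects.
                        chain.Reset();
                    }
                    return;
                }

                case X509IncludeOption.EndCertOnly:
                    this.AddCertificate(certificate);
                    return;

                case X509IncludeOption.WholeChain:
                {
                    X509Chain chain = BuildChainOrThrow(certificate);
                    try
                    {
                        foreach (X509ChainElement element in chain.ChainElements)
                        {
                            this.AddCertificate(element.Certificate);
                        }
                    }
                    finally
                    {
                        chain.Reset();
                    }
                    return;
                }
            }
        }

        /// <summary>
        /// Builds the chain for <paramref name="certificate"/> and rejects a partial chain.
        /// Every status entry is scanned, not only the first one, so the flag is found even
        /// when other status flags (for example an expired certificate) are reported before it.
        /// </summary>
        /// <param name="certificate">Certificate to build the chain for.</param>
        /// <returns>The built chain; the caller releases it with <see cref="X509Chain.Reset"/>.</returns>
        /// <exception cref="CryptographicException">Only a partial chain could be built.</exception>
        private static X509Chain BuildChainOrThrow(X509Certificate2 certificate)
        {
            X509Chain chain = new X509Chain();
            chain.Build(certificate);
            X509ChainStatus[] statuses = chain.ChainStatus;
            for (int i = 0; i < statuses.Length; i++)
            {
                if ((statuses[i].Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain)
                {
                    chain.Reset();
                    throw new CryptographicException(-2146762486);
                }
            }
            return chain;
        }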
		/// <summary>
		/// Creates a <see cref="KeyInfoX509Data"/> holding the certificates selected by
		/// <paramref name="includeOption"/>: only <paramref name="cert"/> for
		/// <see cref="X509IncludeOption.None"/> and <see cref="X509IncludeOption.EndCertOnly"/>,
		/// the chain built from it for <see cref="X509IncludeOption.ExcludeRoot"/> and
		/// <see cref="X509IncludeOption.WholeChain"/>; any other value adds nothing.
		/// </summary>
		/// <param name="cert">The end-entity certificate.</param>
		/// <param name="includeOption">Which certificates to include.</param>
		/// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
		public KeyInfoX509Data (X509Certificate cert, X509IncludeOption includeOption)
		{
			if (cert == null)
				throw new ArgumentNullException ("cert");

			bool endCertOnly = includeOption == X509IncludeOption.None
				|| includeOption == X509IncludeOption.EndCertOnly;

			if (endCertOnly) {
				AddCertificate (cert);
			} else if (includeOption == X509IncludeOption.ExcludeRoot) {
				// The boolean presumably selects whether the root is kept — confirm
				// against AddCertificatesChainFrom.
				AddCertificatesChainFrom (cert, false);
			} else if (includeOption == X509IncludeOption.WholeChain) {
				AddCertificatesChainFrom (cert, true);
			}
		}
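        /// <summary>
        /// Signs the element whose ID attribute equals <paramref name="id"/> with the RSA private
        /// key of <paramref name="certificate"/> (enveloped-signature and exclusive-C14N
        /// transforms, exclusive C14N canonicalization) and publishes the certificates selected by
        /// <paramref name="includeOption"/> in the KeyInfo element.
        /// </summary>
        /// <param name="certificate">Signing certificate; must expose an
        /// <see cref="RSACryptoServiceProvider"/> private key.</param>
        /// <param name="includeOption">Chain certificates to place in the KeyInfo.</param>
        /// <param name="id">ID of the element to sign; the reference URI becomes "#" + id.</param>
        /// <exception cref="ArgumentNullException"><paramref name="certificate"/> or
        /// <paramref name="id"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="certificate"/> carries no
        /// <see cref="RSACryptoServiceProvider"/> private key.</exception>
        /// <remarks>
        /// SignatureMethod and the reference DigestMethod are left at the SignedXml defaults (the
        /// commented lines show the values originally intended). Depending on the framework
        /// version those defaults may be SHA-1 — confirm, and set them explicitly when the
        /// relying party requires SHA-256.
        /// </remarks>
        public void ComputeSignature(X509Certificate2 certificate, X509IncludeOption includeOption, string id)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");
            if (id == null)
                throw new ArgumentNullException("id");

            // A certificate without a CSP-backed private key used to fail later with a
            // NullReference/InvalidCast; report it against the argument instead.
            RSACryptoServiceProvider privateKey = certificate.PrivateKey as RSACryptoServiceProvider;
            if (privateKey == null)
                throw new ArgumentException("The certificate has no RSACryptoServiceProvider private key.", "certificate");
            SigningKey = privateKey;

            SignedInfo.CanonicalizationMethod = Saml2SignedXml.XmlDsigExcC14NTransformUrl;
            //SignedInfo.SignatureMethod = SecurityAlgorithms.RsaSha256Signature;

            var reference = new Reference("#" + id);
            // reference.DigestMethod = SecurityAlgorithms.Sha1Digest;
            reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            reference.AddTransform(new XmlDsigExcC14NTransform());

            AddReference(reference);
            ComputeSignature();

            // The KeyInfo is attached after signing; it is not covered by the signature.
            KeyInfo = new KeyInfo();
            KeyInfo.AddClause(new KeyInfoX509Data(certificate, includeOption));
        }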
	/// <summary>
	/// Builds the chain of the shared EndCert, constructs a KeyInfoX509Data for
	/// <paramref name="include"/> and compares each certificate it returns with the chain
	/// element at the same position (by verbose text dump). Each mismatch is printed; the
	/// shared rv field ends up holding the result of the last comparison.
	/// </summary>
	/// <param name="include">Inclusion option under test.</param>
	public static void Test(X509IncludeOption include)
		{
		cert = EndCert ;
		X509Chain chain = new X509Chain() ;
		chain.Build( cert ) ;

		X509ChainElementCollection chainElements = chain.ChainElements ;

		ArrayList certs = new KeyInfoX509Data( cert, include ).Certificates ;
		if( certs == null ) return ;

		int index = 0 ;
		while( index < certs.Count )
			{
			string expected = chainElements[index].Certificate.ToString(true) ;
			string actual = ((X509Certificate) certs[index]).ToString(true) ;
			rv = expected == actual ;
			if( !rv )
				Console.WriteLine( "i  = " + index.ToString() + " and include=" + include.ToString() ) ;
			index++ ;
			}
		Console.WriteLine( "*************************************************************" ) ;
		}
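        /// <summary>
        /// Creates a manifest signer for the given strong-name key and signing certificate with
        /// the defaults: an empty extra-certificate collection,
        /// <see cref="X509IncludeOption.ExcludeRoot"/> and <see cref="CmiManifestSignerFlag.None"/>.
        /// </summary>
        /// <param name="strongNameKey">Strong-name signing key; must be an <see cref="RSA"/> instance.</param>
        /// <param name="certificate">Signing certificate; stored as given, no null check is performed here.</param>
        /// <exception cref="ArgumentNullException"><paramref name="strongNameKey"/> is null, or is
        /// not an RSA key. The same exception type is kept for the second case so existing catch
        /// blocks keep working; the message tells the two apart.</exception>
        internal CmiManifestSigner(AsymmetricAlgorithm strongNameKey, X509Certificate2 certificate)
        {
            if (strongNameKey == null)
                throw new ArgumentNullException("strongNameKey");
            if (!(strongNameKey is RSA))
                throw new ArgumentNullException("strongNameKey", "The strong name key must be an RSA key.");

            _strongNameKey = strongNameKey;
            _certificate = certificate;
            _certificates = new X509Certificate2Collection();
            _includeOption = X509IncludeOption.ExcludeRoot;
            _signerFlag = CmiManifestSignerFlag.None;
        }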
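        /// <summary>
        /// Initializes a <see cref="KeyInfoX509Data"/> from <paramref name="cert"/>, adding the
        /// certificates selected by <paramref name="includeOption"/>.
        /// </summary>
        /// <param name="cert">The end-entity certificate.</param>
        /// <param name="includeOption">
        /// <see cref="X509IncludeOption.EndCertOnly"/> adds only <paramref name="cert"/>;
        /// <see cref="X509IncludeOption.ExcludeRoot"/> adds the built chain without its last
        /// element (only the end certificate when the chain is self-signed);
        /// <see cref="X509IncludeOption.WholeChain"/> adds every chain element.
        /// Any other value, including <see cref="X509IncludeOption.None"/>, adds nothing.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="cert"/> is null.</exception>
        /// <exception cref="CryptographicException">A chain had to be built but only a partial
        /// chain was available (CERT_E_CHAINING).</exception>
        /// <remarks>
        /// The chain is built only to collect certificates: the result of
        /// <see cref="X509Chain.Build"/> and every status flag other than
        /// <see cref="X509ChainStatusFlags.PartialChain"/> are ignored, so the presence of a
        /// chain in the KeyInfo says nothing about its trust.
        /// </remarks>
        public KeyInfoX509Data (X509Certificate cert, X509IncludeOption includeOption) {
            if (cert == null)
                throw new ArgumentNullException("cert");

            X509Certificate2 certificate = new X509Certificate2(cert);
            switch (includeOption) {
            case X509IncludeOption.ExcludeRoot: {
                X509Chain chain = BuildChainOrThrow(certificate);
                try {
                    X509ChainElementCollection elements = chain.ChainElements;
                    // A self-signed certificate is its own root, so only the end certificate is kept.
                    int count = X509Utils.IsSelfSigned(chain) ? 1 : elements.Count - 1;
                    for (int index = 0; index < count; index++) {
                        AddCertificate(elements[index].Certificate);
                    }
                }
                finally {
                    // Release the native chain context; the element certificates already
                    // copied into this instance are independent objects.
                    chain.Reset();
                }
                break;
            }
            case X509IncludeOption.EndCertOnly:
                AddCertificate(certificate);
                break;
            case X509IncludeOption.WholeChain: {
                X509Chain chain = BuildChainOrThrow(certificate);
                try {
                    foreach (X509ChainElement element in chain.ChainElements) {
                        AddCertificate(element.Certificate);
                    }
                }
                finally {
                    chain.Reset();
                }
                break;
            }
            }
        }

        /// <summary>
        /// Builds the chain for <paramref name="certificate"/> and rejects a partial chain.
        /// Every status entry is scanned, not only the first one, so the flag is found even
        /// when other status flags (for example an expired certificate) are reported before it.
        /// </summary>
        /// <param name="certificate">Certificate to build the chain for.</param>
        /// <returns>The built chain; the caller releases it with <see cref="X509Chain.Reset"/>.</returns>
        /// <exception cref="CryptographicException">Only a partial chain could be built.</exception>
        private static X509Chain BuildChainOrThrow(X509Certificate2 certificate) {
            X509Chain chain = new X509Chain();
            chain.Build(certificate);

            // Can't honor the option if we only have a partial chain.
            foreach (X509ChainStatus status in chain.ChainStatus) {
                if ((status.Status & X509ChainStatusFlags.PartialChain) == X509ChainStatusFlags.PartialChain) {
                    chain.Reset();
                    throw new CryptographicException(CAPI.CERT_E_CHAINING);
                }
            }
            return chain;
        }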
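 /// <summary>
 /// Builds a <see cref="KeyInfoX509Data"/> from the certificate wrapped by
 /// <paramref name="certificate"/> and <paramref name="option"/> and stores it in
 /// <c>KeyInfoX509DataInstance</c>.
 /// </summary>
 /// <param name="certificate">Wrapper providing the underlying certificate.</param>
 /// <param name="option">Which chain certificates to include.</param>
 /// <exception cref="ArgumentNullException"><paramref name="certificate"/> is null.</exception>
 private void Initialize(IX509Certificate certificate,
                         X509IncludeOption option)
 {
     // Fail on the argument rather than with a NullReferenceException from GetCertificate().
     if (certificate == null)
     {
         throw new ArgumentNullException("certificate");
     }

     this.KeyInfoX509DataInstance = new KeyInfoX509Data(certificate.GetCertificate(), option);
 }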
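 /// <summary>
 /// Initializes a new instance of the <see cref="KeyInfoX509DataWrap"/> class, wrapping a
 /// <see cref="KeyInfoX509Data"/> built from <paramref name="certificate"/>.
 /// </summary>
 /// <param name="certificate">Wrapper providing the underlying certificate.</param>
 /// <param name="option">Which chain certificates to include.</param>
 public KeyInfoX509DataWrap(IX509Certificate certificate,
                            X509IncludeOption option)
 {
     this.Initialize(certificate, option);
 }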
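        /// <summary>
        /// Creates a manifest signer for the given strong-name key and signing certificate with
        /// the defaults: an empty extra-certificate collection,
        /// <see cref="X509IncludeOption.ExcludeRoot"/> and <see cref="CmiManifestSignerFlag.None"/>.
        /// </summary>
        /// <param name="strongNameKey">Strong-name signing key; must be an <see cref="RSA"/> instance.</param>
        /// <param name="certificate">Signing certificate; stored as given, no null check is performed here.</param>
        /// <param name="useSha256">Stored in m_useSha256; its use is decided elsewhere in the class.</param>
        /// <exception cref="ArgumentNullException"><paramref name="strongNameKey"/> is null, or is
        /// not an RSA key. The same exception type is kept for the second case so existing catch
        /// blocks keep working; the message tells the two apart.</exception>
        internal CmiManifestSigner2(AsymmetricAlgorithm strongNameKey, X509Certificate2 certificate, bool useSha256)
        {
            if (strongNameKey == null)
                throw new ArgumentNullException("strongNameKey");
            // The RSA check was wrapped in an always-true "#if (true)"; it is unconditional.
            if (!(strongNameKey is RSA))
                throw new ArgumentNullException("strongNameKey", "The strong name key must be an RSA key.");

            m_strongNameKey = strongNameKey;
            m_certificate = certificate;
            m_certificates = new X509Certificate2Collection();
            m_includeOption = X509IncludeOption.ExcludeRoot;
            m_signerFlag = CmiManifestSignerFlag.None;
            m_useSha256 = useSha256;
        }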
        /// <summary>
        /// Builds a timestamp token whose signing-certificate identifiers do not match the signer
        /// and checks how it is handled: a token carrying no certificates and whose identifier
        /// does not name a wrong issuer or serial is expected to decode but to fail signature
        /// verification against the loader's certificate; every other combination is expected to
        /// be rejected by <see cref="Rfc3161TimestampToken.TryDecode"/> itself.
        /// </summary>
        /// <param name="loader">Source of the signing certificate.</param>
        /// <param name="referenceTime">Timestamp placed in the token.</param>
        /// <param name="v1Option">How the ESSCertId is built.</param>
        /// <param name="v2Option">How the ESSCertIdV2 is built.</param>
        /// <param name="v2AlgorithmName">Hash algorithm for the ESSCertIdV2.</param>
        /// <param name="includeOption">Certificates embedded in the token.</param>
        /// <param name="identifierType">Signer identifier type used in the token.</param>
        private static void CustomBuild_CertMismatch(
            CertLoader loader,
            DateTimeOffset referenceTime,
            SigningCertificateOption v1Option,
            SigningCertificateOption v2Option,
            HashAlgorithmName v2AlgorithmName    = default,
            X509IncludeOption includeOption      = default,
            SubjectIdentifierType identifierType = SubjectIdentifierType.IssuerAndSerialNumber)
        {
            // Identifiers with a wrong issuer name or serial: IASN matches against the
            // ESSCertId(V2) directly, so such a token is rejected at decode time.
            bool HasInvalidIssuerOrSerial(SigningCertificateOption option)
            {
                return option == SigningCertificateOption.ValidHashWithInvalidName
                    || option == SigningCertificateOption.ValidHashWithInvalidSerial
                    || option == SigningCertificateOption.InvalidHashWithInvalidName
                    || option == SigningCertificateOption.InvalidHashWithInvalidSerial;
            }

            byte[] tokenBytes = BuildCustomToken(
                loader,
                referenceTime,
                v1Option,
                v2Option,
                v2AlgorithmName,
                includeOption,
                identifierType);

            bool expectDecode = includeOption == X509IncludeOption.None
                && !(identifierType == SubjectIdentifierType.IssuerAndSerialNumber
                     && (HasInvalidIssuerOrSerial(v1Option) || HasInvalidIssuerOrSerial(v2Option)));

            if (!expectDecode)
            {
                Assert.False(Rfc3161TimestampToken.TryDecode(tokenBytes, out Rfc3161TimestampToken rejected, out int rejectedBytes));
                Assert.Null(rejected);
                Assert.Equal(0, rejectedBytes);
                return;
            }

            Assert.True(Rfc3161TimestampToken.TryDecode(tokenBytes, out Rfc3161TimestampToken token, out int consumed));
            Assert.NotNull(token);
            Assert.Equal(tokenBytes.Length, consumed);

            using (X509Certificate2 cert = loader.GetCertificate())
            {
                X509Certificate2 signer;
                bool verified = token.VerifySignatureForHash(
                    token.TokenInfo.GetMessageHash().Span,
                    token.TokenInfo.HashAlgorithmId,
                    out signer,
                    new X509Certificate2Collection(cert));

                Assert.False(verified);
                Assert.Null(signer);
            }
        }