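/// <summary>
/// Checks the revocation status of <paramref name="signCert"/> at <paramref name="date"/> using
/// what the signature itself carries: the embedded OCSP response first, the embedded CRLs only
/// when OCSP produced nothing. Every outcome is written to the console.
/// </summary>
/// <param name="pkcs7">Parsed signature; only its <c>Ocsp</c> and <c>CRLs</c> are consulted here. Whether
/// the verifiers additionally go online depends on their defaults in the iText version in use.</param>
/// <param name="signCert">Certificate whose status is checked.</param>
/// <param name="issuerCert">Issuer of <paramref name="signCert"/>; also the only authority an embedded CRL is accepted from.</param>
/// <param name="date">Instant at which the status is evaluated (normally the claimed signing time).</param>
public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
{
    // OCSP: the response embedded in the signature, if there is one.
    List<BasicOcspResp> ocsps = new List<BasicOcspResp>();
    if (pkcs7.Ocsp != null)
    {
        ocsps.Add(pkcs7.Ocsp);
    }
    OcspVerifier ocspVerifier = new OcspVerifier(null, ocsps);
    List<VerificationOK> verification = ocspVerifier.Verify(signCert, issuerCert, date);

    // CRLs embedded in the signature, collected once so the manual check below can reuse them.
    List<X509Crl> crls = new List<X509Crl>();
    if (pkcs7.CRLs != null)
    {
        foreach (X509Crl crl in pkcs7.CRLs)
        {
            crls.Add(crl);
        }
    }

    // CRL fallback, only when OCSP could not vouch for the certificate.
    if (verification.Count == 0)
    {
        CrlVerifier crlVerifier = new CrlVerifier(null, crls);
        verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
    }

    if (verification.Count == 0)
    {
        Console.WriteLine("The signing certificate couldn't be verified with the example");
    }
    else
    {
        foreach (VerificationOK v in verification)
        {
            Console.WriteLine(v);
        }
    }

    // Code not in the example, added by the poster: when neither verifier produced a result,
    // look at the embedded CRLs directly. Two things differ from the posted version:
    //  * a CRL is consulted only after its issuer name and signature have been checked against
    //    issuerCert — the CRLs carried in a CMS SignedData are not covered by the signer's
    //    signature, so an unverified one cannot be trusted to say "not revoked";
    //  * the certificate looked up is signCert, the one this method was asked about, rather
    //    than pkcs7.SigningCertificate.
    // NOTE(review): in iText's CrlVerifier a certificate that is listed in a valid CRL is, as far
    // as I recall, reported by a thrown exception rather than by an empty result — confirm against
    // the iText version in use before relying on this branch to detect revocation.
    // NOTE(review): the CRL's own validity window (ThisUpdate/NextUpdate) relative to date is not
    // checked here.
    if (verification.Count == 0 && crls.Count != 0)
    {
        bool revoked = false;
        int usableCrls = 0;
        foreach (X509Crl crl in crls)
        {
            if (!crl.IssuerDN.Equals(issuerCert.SubjectDN))
            {
                continue;
            }
            try
            {
                // BouncyCastle reports a signature mismatch by throwing.
                crl.Verify(issuerCert.GetPublicKey());
            }
            catch (Exception)
            {
                Console.WriteLine("Skipping an embedded CRL whose signature does not verify against the issuer certificate");
                continue;
            }
            usableCrls++;
            if (crl.IsRevoked(signCert))
            {
                revoked = true;
                break;
            }
        }
        if (usableCrls == 0)
        {
            Console.WriteLine("No embedded CRL issued and signed by the issuer certificate");
        }
        else
        {
            Console.WriteLine("Is certificate revoked?: " + revoked.ToString());
        }
    }
}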
/// <summary>
/// Reports whether the revocation status of <paramref name="signCert"/> at <paramref name="date"/>
/// could be positively established from the material embedded in <paramref name="pkcs7"/>: the
/// OCSP response first, the CRLs only if OCSP gave nothing. Each successful verification is echoed
/// to the console.
/// </summary>
/// <returns><c>true</c> when at least one verifier vouched for the certificate; <c>false</c> when none did.</returns>
private static bool CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
{
    List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
    if (pkcs7.Ocsp != null)
    {
        embeddedOcsp.Add(pkcs7.Ocsp);
    }
    List<VerificationOK> results = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

    if (results.Count == 0)
    {
        List<X509Crl> embeddedCrls = new List<X509Crl>();
        if (pkcs7.CRLs != null)
        {
            foreach (X509Crl crl in pkcs7.CRLs)
            {
                embeddedCrls.Add(crl);
            }
        }
        // Unlike the OCSP step, the CRL verifier is only built when there is something to feed it.
        if (embeddedCrls.Count > 0)
        {
            results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
        }
    }

    if (results.Count == 0)
    {
        return false;
    }
    foreach (VerificationOK ok in results)
    {
        Console.WriteLine(ok);
    }
    return true;
}
/// <summary>
/// Establishes the revocation status of <paramref name="signCert"/> at <paramref name="date"/> from
/// what <paramref name="pkcs7"/> carries: the embedded OCSP response first, the embedded CRLs only
/// if OCSP yielded nothing. Prints either each successful verification or a single failure line.
/// </summary>
public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
{
    List<BasicOcspResp> ocspResponses = new List<BasicOcspResp>();
    if (pkcs7.Ocsp != null)
    {
        ocspResponses.Add(pkcs7.Ocsp);
    }
    List<VerificationOK> outcome = new OcspVerifier(null, ocspResponses).Verify(signCert, issuerCert, date);

    if (outcome.Count == 0)
    {
        List<X509Crl> revocationLists = new List<X509Crl>();
        if (pkcs7.CRLs != null)
        {
            foreach (X509Crl crl in pkcs7.CRLs)
            {
                revocationLists.Add(crl);
            }
        }
        // The CRL verifier is constructed even when the list is empty; what it does then
        // (e.g. an online fetch) is up to its defaults.
        CrlVerifier crlVerifier = new CrlVerifier(null, revocationLists);
        outcome.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
    }

    if (outcome.Count == 0)
    {
        Console.WriteLine("The signing certificate couldn't be verified");
        return;
    }
    foreach (VerificationOK ok in outcome)
    {
        Console.WriteLine(ok);
    }
}
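/// <summary>
/// Verifies every signer of a CMS/PKCS#7 (.p7m) envelope: integrity of the signature, validity of
/// the certificates shipped in the envelope against <c>keyStore</c> at the claimed signing time and,
/// when <c>CheckRevocation</c> is set, the revocation status of the signer certificate. With
/// <c>RecursiveP7m</c> nested envelopes (name.ext.p7m.p7m) are unwrapped and verified in turn; with
/// <c>ExtractSignedContent</c> the innermost payload is returned in <c>SignedContent</c>.
/// </summary>
/// <param name="barr">Raw bytes of the .p7m file.</param>
/// <param name="fileName">File name; its chain of extensions drives the unwrapping, and it appears in trace messages.</param>
/// <returns>One <c>SignatureInfo</c> per signer found, plus the aggregate <c>SignaturesValid</c>
/// (false when no signer was found at all).</returns>
/// <exception cref="InvalidOperationException">Signing time, signer certificate or issuer certificate could not be determined.</exception>
/// <exception cref="Exception">Any failure while parsing or verifying is traced and rethrown unchanged.</exception>
private SignaturesResult VerifyP7m(byte[] barr, string fileName)
{
    var result = new SignaturesResult();
    result.SignatureInfos = new List<SignatureInfo>();
    try
    {
        var extension = System.IO.Path.GetExtension(fileName);
        var innerName = System.IO.Path.GetFileName(fileName);
        // Case-insensitive on every pass: the posted code lower-cased only the outer extension,
        // so a nested ".P7M" stopped the recursive unwrapping early.
        while (string.Equals(extension, ".p7m", StringComparison.OrdinalIgnoreCase))
        {
            var cms = new CmsSignedData(barr);
            var certs = cms.GetCertificates("Collection");
            var sis = cms.GetSignerInfos();
            if (sis != null)
            {
                if (RecursiveP7m || ExtractSignedContent)
                {
                    // NOTE(review): for a detached signature cms.SignedContent is null; that surfaces
                    // as a NullReferenceException handled by the outer catch.
                    using (var ms = new MemoryStream())
                    {
                        cms.SignedContent.Write(ms);
                        barr = ms.ToArray();
                    }
                    if (ExtractSignedContent)
                    {
                        result.SignedContent = barr;
                    }
                }

                foreach (SignerInformation sign in sis.GetSigners())
                {
                    var si = new SignatureInfo();

                    // Signing time comes from the signed 'signingTime' attribute: it is the signer's
                    // own claim, nothing here anchors it to a timestamp token.
                    DateTime? signedAt = null;
                    var signedAttributes = sign.SignedAttributes;
                    var signingTimeAttr = signedAttributes != null ? signedAttributes[CmsAttributes.SigningTime] : null;
                    if (signingTimeAttr != null && signingTimeAttr.AttrValues != null && signingTimeAttr.AttrValues.Count > 0)
                    {
                        // NOTE(review): only a UTCTime value is handled; a GeneralizedTime value would
                        // fall through to the exception below.
                        var utcTime = signingTimeAttr.AttrValues[0] as DerUtcTime;
                        if (utcTime != null)
                        {
                            signedAt = utcTime.ToAdjustedDateTime();
                        }
                    }
                    if (signedAt == null)
                    {
                        throw new InvalidOperationException("Impossibile ricavare SignDateTime.");
                    }
                    si.SignDateTime = signedAt.Value;

                    // Every certificate shipped in the envelope, checked against the trust store
                    // at the claimed signing time.
                    var envelopeCerts = new List<Org.BouncyCastle.X509.X509Certificate>();
                    foreach (var c in certs.GetMatches(null))
                    {
                        envelopeCerts.Add(c as Org.BouncyCastle.X509.X509Certificate);
                    }
                    var errors = iTextSharp.text.pdf.security.CertificateVerification.VerifyCertificates(
                        envelopeCerts, keyStore, si.SignDateTime);
                    if (errors.Count > 0)
                    {
                        si.ChainCertificatesNotValidAtSignedTime = true;
                    }

                    // The signer's own certificate, matched by SignerID. The posted code indexed
                    // [0] of the match list and threw an index error when it was empty.
                    Org.BouncyCastle.X509.X509Certificate signerCert = null;
                    foreach (var c in certs.GetMatches(sign.SignerID))
                    {
                        signerCert = (Org.BouncyCastle.X509.X509Certificate)c;
                        break;
                    }
                    if (signerCert == null)
                    {
                        throw new InvalidOperationException("Signer certificate not found.");
                    }

                    // NOTE(review): SigAlgName is the algorithm the CA used to sign this certificate,
                    // not the digest/signature algorithm of this signer's CMS signature (compare the
                    // commented-out EncryptionAlgorithmID line in the posted code).
                    si.DigestAlgorithm = signerCert.SigAlgName;
                    si.IntegrityValid = sign.Verify(signerCert);
                    X509Certificate2 cert2 = new X509Certificate2(signerCert.GetEncoded());
                    si.Name = null;
                    si.Signer = cert2.SubjectName.Name;
                    si.Revision = sign.Version;

                    if (CheckRevocation)
                    {
                        try
                        {
                            // A plain CMS envelope carries no OCSP response, so the OCSP verifier
                            // starts empty; whether it goes online depends on its defaults.
                            var ocsps = new List<Org.BouncyCastle.Ocsp.BasicOcspResp>();
                            var ocspVerifier = new OcspVerifier(null, ocsps);

                            // Issuer: the trust-store entry with the matching subject whose key
                            // actually verifies the signer certificate. A DN-only SingleOrDefault
                            // threw on CA key rollover (two entries with the same subject) and did
                            // not tie the chosen issuer to the certificate's signature.
                            Org.BouncyCastle.X509.X509Certificate issueCert = null;
                            foreach (var candidate in keyStore)
                            {
                                if (!candidate.SubjectDN.Equals(signerCert.IssuerDN))
                                {
                                    continue;
                                }
                                try
                                {
                                    signerCert.Verify(candidate.GetPublicKey()); // throws when the key does not fit
                                    issueCert = candidate;
                                    break;
                                }
                                catch (Exception)
                                {
                                    // Same subject, wrong key: not the issuer of this certificate.
                                }
                            }
                            if (issueCert == null)
                            {
                                throw new InvalidOperationException("Issuer certificate not found.");
                            }

                            var verification = ocspVerifier.Verify(signerCert, issueCert, si.SignDateTime);
                            if (verification.Count == 0)
                            {
                                // NOTE(review): CRLs embedded in the envelope are not consulted; the
                                // verifier only has the online fetch to work with.
                                var crls = new List<Org.BouncyCastle.X509.X509Crl>();
                                var crlVerifier = new CrlVerifier(null, crls);
                                crlVerifier.OnlineCheckingAllowed = true;
                                verification = crlVerifier.Verify(signerCert, issueCert, si.SignDateTime);
                            }
                            if (verification.Count == 0)
                            {
                                // Unknown status; SignatureValid below treats null as revoked (fail closed).
                                si.CertificateRevocatedAtSignedTime = null;
                            }
                            else
                            {
                                si.CertificateRevocatedAtSignedTime = false;
                                foreach (var verificationOk in verification)
                                {
                                    System.Diagnostics.Trace.WriteLine(verificationOk);
                                }
                            }
                        }
                        catch (Exception ex)
                        {
                            // Fail closed: any error during the check (no issuer, unreachable CRL
                            // endpoint, verifier rejecting the certificate) counts as revoked.
                            si.CertificateRevocatedAtSignedTime = true;
                            System.Diagnostics.Trace.WriteLine(string.Format(
                                "Si è verificato il seguente errore durante la verifica di revoca per la firma {2} del file {0} {1}",
                                System.IO.Path.GetFileName(fileName), ex.Message, si.Revision));
                        }
                    }

                    si.SignatureValid = si.IntegrityValid
                        && !si.ChainCertificatesNotValidAtSignedTime
                        && (!CheckRevocation || !si.CertificateRevocatedAtSignedTime.GetValueOrDefault(true));
                    result.SignatureInfos.Add(si);
                }
            }
            if (!RecursiveP7m)
            {
                break;
            }
            innerName = System.IO.Path.GetFileNameWithoutExtension(innerName);
            extension = System.IO.Path.GetExtension(innerName);
        }
        // An envelope with no signer must not come out as valid: All() on an empty list is
        // vacuously true, which is what the posted code returned.
        result.SignaturesValid = result.SignatureInfos.Count > 0
            && result.SignatureInfos.All(si => si.SignatureValid);
    }
    catch (Exception exx)
    {
        System.Diagnostics.Trace.WriteLine(string.Format(
            "Si è verificato il seguente errore durante la verifica delle firme del file {0} {1}",
            System.IO.Path.GetFileName(fileName), exx.Message));
        throw; // 'throw exx;' would discard the original stack trace
    }
    return result;
}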
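/// <summary>
/// Verifies every signature field of a PDF: integrity of the signed bytes, validity of the signer's
/// chain against <c>keyStore</c> at the claimed signing time and, when <c>CheckRevocation</c> is set,
/// the revocation status of the signer certificate (embedded OCSP response first, then embedded
/// CRLs with online fetching allowed).
/// </summary>
/// <param name="barr">Raw PDF bytes.</param>
/// <param name="fileName">Used only in trace messages.</param>
/// <returns>A result whose <c>SignatureInfos</c> stays <c>null</c> for an unsigned PDF (as in the
/// posted code) and otherwise holds one entry per signature field; <c>SignaturesValid</c> is false
/// unless at least one signature exists and all of them are valid.</returns>
/// <exception cref="InvalidOperationException">No trust-store certificate verifies the signer certificate (only with <c>CheckRevocation</c>; handled internally as "revoked").</exception>
/// <exception cref="Exception">Any failure while reading or verifying, <c>InvalidPdfException</c> included, is traced and rethrown unchanged.</exception>
private SignaturesResult VerifyPdf(byte[] barr, string fileName)
{
    var result = new SignaturesResult();
    try
    {
        using (var reader = new PdfReader(barr))
        {
            var fields = reader.AcroFields;
            var signatureNames = fields.GetSignatureNames();
            if (signatureNames.Count > 0)
            {
                result.SignatureInfos = new List<SignatureInfo>();
                foreach (var sName in signatureNames)
                {
                    var si = new SignatureInfo() { Name = sName };
                    result.SignatureInfos.Add(si);
                    si.Revision = fields.GetRevision(sName);
                    // NOTE(review): whether the signature covers the whole document
                    // (fields.SignatureCoversWholeDocument, commented out in the posted code) is not
                    // recorded, so content appended in a later incremental update is invisible to
                    // callers of this result.
                    var pkcs7 = fields.VerifySignature(sName);
                    si.Signer = new X509Certificate2(pkcs7.SigningCertificate.GetEncoded()).SubjectName.Name;
                    // SignDate is the time asserted by the signer in the signature dictionary, not a
                    // timestamp-token time (pkcs7.TimeStampDate); chain and revocation are evaluated
                    // at this claimed instant.
                    si.SignDateTime = pkcs7.SignDate;
                    si.IntegrityValid = pkcs7.Verify();
                    si.DigestAlgorithm = pkcs7.GetDigestAlgorithm();

                    // Chain validity at the claimed signing time.
                    var errors = iTextSharp.text.pdf.security.CertificateVerification.VerifyCertificates(
                        pkcs7.SignCertificateChain, keyStore, pkcs7.SignDate);
                    if (errors.Count > 0)
                    {
                        si.ChainCertificatesNotValidAtSignedTime = true;
                    }

                    // Revocation status of the signer certificate.
                    if (CheckRevocation)
                    {
                        try
                        {
                            var ocsps = new List<Org.BouncyCastle.Ocsp.BasicOcspResp>();
                            if (pkcs7.Ocsp != null)
                            {
                                ocsps.Add(pkcs7.Ocsp);
                            }
                            var ocspVerifier = new OcspVerifier(null, ocsps);

                            // Issuer: the trust-store entry with the matching subject whose key
                            // actually verifies the signer certificate. A DN-only SingleOrDefault
                            // threw on CA key rollover (two entries with the same subject) and did
                            // not tie the chosen issuer to the certificate's signature.
                            var signerCert = pkcs7.SigningCertificate;
                            Org.BouncyCastle.X509.X509Certificate issueCert = null;
                            foreach (var candidate in keyStore)
                            {
                                if (!candidate.SubjectDN.Equals(signerCert.IssuerDN))
                                {
                                    continue;
                                }
                                try
                                {
                                    signerCert.Verify(candidate.GetPublicKey()); // throws when the key does not fit
                                    issueCert = candidate;
                                    break;
                                }
                                catch (Exception)
                                {
                                    // Same subject, wrong key: not the issuer of this certificate.
                                }
                            }
                            if (issueCert == null)
                            {
                                throw new InvalidOperationException("Issuer certificate not found.");
                            }

                            var verification = ocspVerifier.Verify(signerCert, issueCert, pkcs7.SignDate);
                            if (verification.Count == 0)
                            {
                                // pkcs7.CRLs may be null when the signature carries no CRL; the posted
                                // code passed it straight to the List constructor, which threw and
                                // turned "no CRL embedded" into "revoked" before the online fetch ran.
                                var crls = new List<Org.BouncyCastle.X509.X509Crl>();
                                if (pkcs7.CRLs != null)
                                {
                                    crls.AddRange(pkcs7.CRLs);
                                }
                                var crlVerifier = new CrlVerifier(null, crls);
                                crlVerifier.OnlineCheckingAllowed = true;
                                verification = crlVerifier.Verify(signerCert, issueCert, pkcs7.SignDate);
                            }
                            if (verification.Count == 0)
                            {
                                // Unknown status; SignatureValid below treats null as revoked (fail closed).
                                si.CertificateRevocatedAtSignedTime = null;
                            }
                            else
                            {
                                si.CertificateRevocatedAtSignedTime = false;
                                foreach (var verificationOk in verification)
                                {
                                    System.Diagnostics.Trace.WriteLine(verificationOk);
                                }
                            }
                        }
                        catch (Exception ex)
                        {
                            // Fail closed: any error during the check (no issuer, unreachable CRL
                            // endpoint, verifier rejecting the certificate) counts as revoked.
                            si.CertificateRevocatedAtSignedTime = true;
                            System.Diagnostics.Trace.WriteLine(string.Format(
                                "Si è verificato il seguente errore durante la verifica di revoca per la firma {2} del file {0} {1}",
                                System.IO.Path.GetFileName(fileName), ex.Message, si.Revision));
                        }
                    }

                    // Computed last. The posted code assigned this right after IntegrityValid, before
                    // the chain and revocation results existed, so it never reflected them (and with
                    // CheckRevocation on it was always false).
                    si.SignatureValid = si.IntegrityValid
                        && !si.ChainCertificatesNotValidAtSignedTime
                        && (!CheckRevocation || !si.CertificateRevocatedAtSignedTime.GetValueOrDefault(true));
                }
            }
        }
        // Same aggregate as VerifyP7m; an unsigned PDF is never "valid".
        result.SignaturesValid = result.SignatureInfos != null
            && result.SignatureInfos.Count > 0
            && result.SignatureInfos.All(si => si.SignatureValid);
        return result;
    }
    catch (Exception exx)
    {
        // InvalidPdfException and everything else got the same trace line in the posted code;
        // one handler suffices. 'throw;' keeps the original stack trace.
        System.Diagnostics.Trace.WriteLine(string.Format(
            "Si è verificato il seguente errore durante la verifica delle firme del file {0} {1}",
            System.IO.Path.GetFileName(fileName), exx.Message));
        throw;
    }
}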