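 /// <summary>
 /// Creates a signature using a X509Certificate2. It supports smartcards without
 /// exportable private keys, because signing is delegated to the key object handed out by the
 /// certificate (Get*PrivateKey) rather than to exported key material.
 /// </summary>
 /// <param name="certificate">The certificate with the private key.</param>
 /// <param name="hashAlgorithm">The hash algorithm for the signature (e.g. "SHA-256"). SHA-1 is no
 /// longer collision resistant and must not be used for new signatures; whether a given CSP/KSP can
 /// sign with a stronger digest is up to the key provider, not this class.</param>
 /// <exception cref="ArgumentNullException">certificate is null.</exception>
 /// <exception cref="ArgumentException">the certificate carries no private key, or the key is not
 /// RSA, DSA or ECDSA.</exception>
 public X509Certificate2Signature(X509Certificate2 certificate, string hashAlgorithm)
 {
     if (certificate == null)
     {
         throw new ArgumentNullException(nameof(certificate));
     }
     if (!certificate.HasPrivateKey)
     {
         throw new ArgumentException("No private key.");
     }
     this.certificate   = certificate;
     this.hashAlgorithm = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigest(hashAlgorithm));

     // Each Get*PrivateKey() call returns a new key object that the caller owns. Only the key type is
     // probed here, so dispose the probe instances instead of leaking their handles (a provider-backed
     // handle is simply re-acquired by whoever signs later).
     using (var rsa = certificate.GetRSAPrivateKey())
     {
         if (rsa != null)
         {
             encryptionAlgorithm = "RSA";
             return;
         }
     }
     using (var dsa = certificate.GetDSAPrivateKey())
     {
         if (dsa != null)
         {
             encryptionAlgorithm = "DSA";
             return;
         }
     }
     using (var ecdsa = certificate.GetECDsaPrivateKey())
     {
         if (ecdsa != null)
         {
             encryptionAlgorithm = "ECDSA";
             return;
         }
     }
     throw new ArgumentException("Unknown encryption algorithm " + certificate.GetKeyAlgorithm());
 }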
ファイル: CarimboBry.cs プロジェクト: radtek/digitalsign
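        /// <summary>
        /// Requests an RFC 3161 time-stamp token for <paramref name="imprint"/> from the TSA at
        /// <c>this.url</c> and returns the DER-encoded token.
        /// </summary>
        /// <param name="imprint">The message digest to be time-stamped; the request declares it as
        /// computed with <c>this.digestAlgorithm</c>.</param>
        /// <returns>The encoded TimeStampToken. <c>this.tokenSizeEstimate</c> is updated as a side effect.</returns>
        /// <exception cref="ArgumentNullException">imprint is null.</exception>
        /// <exception cref="IOException">The TSA reported a failure status or returned no token.</exception>
        /// <exception cref="Org.BouncyCastle.Tsp.TspValidationException">Thrown by <c>TimeStampResponse.Validate</c>
        /// when the response does not answer this request (nonce / message imprint / policy mismatch).</exception>
        public byte[] GetTimeStampToken(byte[] imprint)
        {
            if (imprint == null)
            {
                throw new ArgumentNullException("imprint");
            }

            var tsqGenerator = new TimeStampRequestGenerator();
            tsqGenerator.SetCertReq(true);               // ask the TSA to embed its signing certificate
            tsqGenerator.SetReqPolicy("2.16.76.1.6.6");  // TSA policy this client requires

            // The nonce binds the response to this request: Validate() below rejects a response that carries a
            // different nonce, which is what detects a replayed or cached token. It therefore has to be
            // unpredictable. The previous clock-derived value (DateTime.Now.Ticks + Environment.TickCount) was
            // guessable and could repeat between calls, so a CSPRNG is used instead.
            var nonceBytes = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonceBytes);
            }
            var nonce = new BigInteger(1, nonceBytes); // sign = 1: always a positive INTEGER

            var request      = tsqGenerator.Generate(DigestAlgorithms.GetAllowedDigest(this.digestAlgorithm), imprint, nonce);
            var requestBytes = request.GetEncoded();

            var respBytes = this.GetTsaResponse(requestBytes);
            var response  = new TimeStampResponse(respBytes);

            // Checks that the response answers *this* request (nonce, imprint, policy). It does NOT verify the
            // TSA's signature or certificate chain; see the review note further down.
            response.Validate(request);

            var failure = response.GetFailInfo();
            var value   = (failure == null) ? 0 : failure.IntValue;

            if (value != 0)
            {
                //// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
                var mensagem = string.Format(
                    "invalid.tsa.1.response.code.2 {0} {1}",
                    this.url, response.GetStatusString());

                throw new IOException(mensagem);
            }

            var timeStampToken = response.TimeStampToken;

            if (timeStampToken == null)
            {
                var mensagem = string.Format("tsa.1.failed.to.return.time.stamp.token.2 {0} {1}",
                                             this.url, response.GetStatusString());
                throw new IOException(mensagem);
            }

            // NOTE(review): the token's signature and the TSA certificate chain (trust anchor, validity period,
            // id-kp-timeStamping EKU, revocation) are not verified here. Until they are, a token from an untrusted
            // or revoked TSA is accepted and embedded in the signature.
            var timeStampInfo = timeStampToken.TimeStampInfo;
            var encoded       = timeStampToken.GetEncoded();

            Console.WriteLine("Timestamp generated: " + timeStampInfo.GenTime);

            if (this.tsaInfo != null)
            {
                this.tsaInfo.InspectTimeStampTokenInfo(timeStampInfo);
            }

            // Token size plus 32 bytes of slack; presumably consumed when reserving space for the signature — TODO confirm.
            this.tokenSizeEstimate = encoded.Length + 32;

            return encoded;
        }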
        /// <summary>
        /// Builds an RFC 3161 request for <paramref name="imprint"/> and has the in-process test TSA
        /// (<c>TestTimestampTokenBuilder</c>) sign it. No network call is involved.
        /// </summary>
        /// <param name="imprint">The digest to be time-stamped; the request declares it as computed with DIGEST_ALG.</param>
        /// <returns>The DER-encoded time-stamp token produced by the test TSA.</returns>
        /// <exception cref="System.Exception"/>
        public virtual byte[] GetTimeStampToken(byte[] imprint)
        {
            var generator = new TimeStampRequestGenerator();
            generator.SetCertReq(true);

            // Test-only nonce derived from the clock; a production client should draw it from a CSPRNG.
            var nonce     = BigInteger.ValueOf(SystemUtil.GetTimeBasedSeed());
            var digestOid = new DerObjectIdentifier(DigestAlgorithms.GetAllowedDigest(DIGEST_ALG));
            var request   = generator.Generate(digestOid, imprint, nonce);

            var testTsa = new TestTimestampTokenBuilder(tsaCertificateChain, tsaPrivateKey);
            return testTsa.CreateTimeStampToken(request);
        }
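 /// <summary>
 /// Creates a signature using a X509Certificate2 whose private key is exposed through the legacy
 /// <c>X509Certificate2.PrivateKey</c> property (CAPI/CSP providers, including smartcards without
 /// exportable private keys).
 /// </summary>
 /// <param name="certificate">The certificate with the private key.</param>
 /// <param name="hashAlgorithm">The hash algorithm for the signature (e.g. "SHA-256"); avoid "SHA-1"
 /// for new signatures.</param>
 /// <exception cref="ArgumentNullException">certificate is null.</exception>
 /// <exception cref="ArgumentException">the certificate has no private key, or the key is neither an
 /// RSACryptoServiceProvider nor a DSACryptoServiceProvider.</exception>
 /// <remarks>
 /// NOTE(review): only the two CSP implementations are accepted, so a key held by a CNG key storage
 /// provider is reported as "Unknown encryption algorithm" here. Where the target framework offers
 /// GetRSAPrivateKey()/GetDSAPrivateKey()/GetECDsaPrivateKey(), prefer those accessors.
 /// </remarks>
 public X509Certificate2Signature(X509Certificate2 certificate, String hashAlgorithm)
 {
     if (certificate == null)
     {
         throw new ArgumentNullException("certificate");
     }
     if (!certificate.HasPrivateKey)
     {
         throw new ArgumentException("No private key.");
     }
     this.certificate   = certificate;
     this.hashAlgorithm = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigest(hashAlgorithm));

     if (certificate.PrivateKey is RSACryptoServiceProvider)
     {
         encryptionAlgorithm = "RSA";
     }
     else if (certificate.PrivateKey is DSACryptoServiceProvider)
     {
         encryptionAlgorithm = "DSA";
     }
     else
     {
         // The exception text embeds the key object's type name, which is what PrivateKey.ToString() yields.
         throw new ArgumentException("Unknown encryption algorithm " + certificate.PrivateKey);
     }
 }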
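            /// <summary>
            /// Obtains a time-stamp token for <paramref name="imprint"/> from the REST time-stamp service at
            /// <c>baseURL</c> (authenticated with <c>accessToken</c>) and returns it DER-encoded.
            /// Only the hex-encoded message-imprint digest is posted to the service; the RFC 3161 request
            /// object is built locally to derive that digest and, afterwards, to check the token against it.
            /// </summary>
            /// <param name="imprint">The message digest to be time-stamped; the request declares it as
            /// computed with DEFAULTHASHALGORITHM.</param>
            /// <returns>The DER-encoded TimeStampToken.</returns>
            /// <exception cref="ArgumentNullException">imprint is null.</exception>
            /// <exception cref="TspException">The service response carried no "token" value.</exception>
            /// <exception cref="TspValidationException">The returned token does not cover the requested
            /// digest with the requested algorithm.</exception>
            public byte[] GetTimeStampToken(byte[] imprint)
            {
                if (imprint == null)
                {
                    throw new ArgumentNullException("imprint");
                }

                TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();

                tsqGenerator.SetCertReq(true);

                // The nonce never reaches the service (only the digest is posted), so it cannot tie the token
                // to this request; it is kept only because Generate() requires one.
                BigInteger nonce = BigInteger.ValueOf((long)(new TimeSpan(DateTime.Now.Ticks)).TotalMilliseconds);

                TimeStampRequest request = tsqGenerator.Generate(new DerObjectIdentifier(
                                                                     DigestAlgorithms.GetAllowedDigest(DEFAULTHASHALGORITHM)),
                                                                 imprint, nonce);

                JObject time = Timestamp(baseURL, Hex.ToHexString(request.GetMessageImprintDigest()),
                                         accessToken);
                String tst = (time == null) ? null : (String)time.GetValue("token");

                if (String.IsNullOrEmpty(tst))
                {
                    throw new TspException("time-stamp service response did not contain a 'token' value");
                }

                byte[] token = Base64.Decode(tst);

                CmsSignedData cms = new CmsSignedData(token);

                TimeStampToken tstToken = new TimeStampToken(cms);

                // With no nonce round-trip, the message imprint is the only binding available: make sure the
                // token actually covers the digest we asked for, with the same algorithm. Without this, a stale
                // or unrelated token handed back by the service would be embedded silently.
                TimeStampTokenInfo info = tstToken.TimeStampInfo;
                bool sameDigest = Org.BouncyCastle.Utilities.Arrays.AreEqual(info.GetMessageImprintDigest(),
                                                                             request.GetMessageImprintDigest());
                bool sameAlg    = String.Equals(info.MessageImprintAlgOid, request.MessageImprintAlgOid,
                                                StringComparison.Ordinal);
                if (!sameDigest || !sameAlg)
                {
                    throw new TspValidationException("time-stamp token does not match the requested message imprint");
                }

                // NOTE(review): the token's signature and the TSA certificate are not verified here.
                return tstToken.GetEncoded();
            }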
        /// <summary>
        /// Signs a document with a PAdES-EPES signature-policy identifier whose policy hash is marked
        /// as unknown, then runs BasicCheckSignedDoc on the result. The policy OID deliberately does
        /// not exist.
        /// </summary>
        public virtual void PadesEpesProfileTest01()
        {
            const String nonExistentPolicyOid = "2.16.724.631.3.1.124.2.29.9";
            String outPdf = destinationFolder + "padesEpesProfileTest01.pdf";

            var asn1PolicyOid = DerObjectIdentifier.GetInstance(new DerObjectIdentifier(nonExistentPolicyOid));
            var hashAlg       = new AlgorithmIdentifier(new DerObjectIdentifier(DigestAlgorithms.GetAllowedDigest("SHA1")));

            // ETSI TS 101 733 V2.2.1, 5.8.1: a hash consisting of a single zero byte means "policy hash not known".
            var unknownPolicyHash = new DerOctetString(new byte[] { 0 });
            var policyId          = new SignaturePolicyId(asn1PolicyOid, new OtherHashAlgAndValue(hashAlg, unknownPolicyHash));
            var sigPolicyIdentifier = new SignaturePolicyIdentifier(policyId);

            SignApproval(certsSrc + "signCertRsa01.p12", outPdf, sigPolicyIdentifier);
            BasicCheckSignedDoc(outPdf, "Signature1");
        }
        /// <summary>
        /// Answers <paramref name="request"/> with a token signed by the test TSA key and returns it encoded.
        /// Test fixture only: the signature digest is SHA-1 and the serial number is derived from the clock,
        /// neither of which is acceptable for a real TSA.
        /// </summary>
        /// <param name="request">The time-stamp request to answer.</param>
        /// <returns>The DER-encoded TimeStampToken.</returns>
        /// <exception cref="Org.BouncyCastle.Operator.OperatorCreationException"/>
        /// <exception cref="Org.BouncyCastle.Tsp.TSPException"/>
        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.BouncyCastle.Security.Certificates.CertificateEncodingException"/>
        public virtual byte[] CreateTimeStampToken(TimeStampRequest request)
        {
            // Arbitrary policy OID for the test TSA; it carries no meaning beyond being well-formed.
            const String policyOid = "1.3.6.1.4.1.45794.1.1";
            String sha1Oid    = DigestAlgorithms.GetAllowedDigest("SHA1");
            var    signingKey = (AsymmetricKeyParameter)tsaPrivateKey;

            var generator = new TimeStampTokenGenerator(signingKey, tsaCertificateChain[0], sha1Oid, policyOid);
            generator.SetAccuracySeconds(1);

            // Deliberately NOT setting the tsa GeneralName. Tokens produced with the line below were reported as
            // corrupted by Acrobat and by openssl
            //   (2304:error:2F09506F:time stamp routines:INT_TS_RESP_VERIFY_TOKEN:tsa name mismatch:ts_rsp_verify.c:476),
            // presumably because it is built from the certificate's issuer rather than its subject:
            // tsTokGen.setTSA(new GeneralName(new X500Name(PrincipalUtil.getIssuerX509Principal(tsCertificate).getName())));

            var certStore = X509StoreFactory.Create("Certificate/Collection",
                                                    new X509CollectionStoreParameters(tsaCertificateChain.ToList()));
            generator.SetCertificates(certStore);

            // RFC 3161 requires a serial number unique per token from a given TSA; a clock seed approximates that in tests.
            var serial   = new BigInteger(SystemUtil.GetTimeBasedSeed().ToString());
            var issuedAt = DateTimeUtil.GetCurrentUtcTime();

            TimeStampToken token = generator.Generate(request, serial, issuedAt);
            return token.GetEncoded();
        }
 /// <summary>
 /// Selects the digest used for subsequent signatures. The name is mapped through
 /// DigestAlgorithms.GetAllowedDigest / GetDigest and stored in that canonical form.
 /// </summary>
 /// <param name="hashAlgorithm">Digest name, e.g. "SHA-256".</param>
 /// <returns>This instance, for call chaining.</returns>
 public Pkcs11Signature SetHashAlgorithm(String hashAlgorithm)
 {
     String allowedDigest = DigestAlgorithms.GetAllowedDigest(hashAlgorithm);
     this.hashAlgorithm   = DigestAlgorithms.GetDigest(allowedDigest);
     return this;
 }
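 /// <summary>
 /// Initializes a new instance of the <see cref="TokenSigner"/> class.
 /// </summary>
 /// <param name="pk">
 /// The private key used for signing, as a
 /// <see cref="System.Security.Cryptography.AsymmetricAlgorithm"/>
 /// (the parameter type is AsymmetricAlgorithm, not BouncyCastle's ICipherParameters as previously documented).
 /// The signer always reports "RSA" as its encryption algorithm, so an RSA key is expected; the key type is
 /// not checked here.
 /// </param>
 /// <param name="hashAlgorithm">
 /// A hash algorithm name (e.g. "SHA-256"), mapped through DigestAlgorithms.GetAllowedDigest / GetDigest.
 /// Avoid "SHA-1" for new signatures.
 /// </param>
 /// <exception cref="ArgumentNullException">pk is null.</exception>
 public TokenSigner(AsymmetricAlgorithm pk, string hashAlgorithm)
 {
     // Fail fast: a null key would otherwise only surface when signing is attempted.
     if (pk == null)
     {
         throw new ArgumentNullException("pk");
     }
     this.m_pk                  = pk;
     this.m_hashAlgorithm       = DigestAlgorithms.GetDigest(DigestAlgorithms.GetAllowedDigest(hashAlgorithm));
     // NOTE(review): hard-coded regardless of the actual key type — confirm callers only pass RSA keys.
     this.m_encryptionAlgorithm = "RSA";
 }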