/// <summary>
/// Create a new instance of the <see cref="HmacSigningHandler"/> class.
/// </summary>
/// <param name="secretRepository"></param>
/// <param name="representationBuilder"></param>
/// <param name="signatureCalculator"></param>
/// <param name="scheme"></param>
public HmacSigningHandler(ISecretRepository secretRepository, IMessageRepresentationBuilder representationBuilder, ISignatureCalculator signatureCalculator, string scheme = "SHA256")
{
this.secretRepository = secretRepository;
this.representationBuilder = representationBuilder;
this.signatureCalculator = signatureCalculator;
this.scheme = scheme;
}
/// <summary>
/// Instantiate a Pkcs10CertificationRequest object with the necessary credentials.
/// </summary>
///<param name="signatureCalculator">The signature calculator to sign the PKCS#10 request with.</param>
/// <param name="subject">X509Name of subject eg OU="My unit." O="My Organisatioin" C="au" </param>
/// <param name="publicKey">Public Key to be included in cert reqest.</param>
/// <param name="attributes">ASN1Set of Attributes.</param>
/// <param name="signingKey">Matching Private key for nominated (above) public key to be used to sign the request.</param>
public Pkcs10CertificationRequest(
ISignatureCalculator signatureCalculator,
X509Name subject,
AsymmetricKeyParameter publicKey,
Asn1Set attributes,
AsymmetricKeyParameter signingKey)
{
if (signatureCalculator == null)
{
throw new ArgumentNullException("signatureCalculator");
}
if (subject == null)
{
throw new ArgumentNullException("subject");
}
if (publicKey == null)
{
throw new ArgumentNullException("publicKey");
}
if (publicKey.IsPrivate)
{
throw new ArgumentException("expected public key", "publicKey");
}
if (!signingKey.IsPrivate)
{
throw new ArgumentException("key for signing must be private", "signingKey");
}
init(signatureCalculator, subject, publicKey, attributes, signingKey);
}
/// <summary>
/// Generate a new X.509 Attribute Certificate using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An IX509AttributeCertificate.</returns>
public IX509AttributeCertificate Generate(ISignatureCalculator signatureCalculator)
{
if (!extGenerator.IsEmpty)
{
acInfoGen.SetExtensions(extGenerator.Generate());
}
AttributeCertificateInfo acInfo = acInfoGen.GenerateAttributeCertificateInfo();
byte[] encoded = acInfo.GetDerEncoded();
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
streamCalculator.Stream.Write(encoded, 0, encoded.Length);
streamCalculator.Stream.Close();
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(acInfo, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
try
{
v.Add(new DerBitString(((IBlockResult)streamCalculator.GetResult()).DoFinal()));
return(new X509V2AttributeCertificate(AttributeCertificate.GetInstance(new DerSequence(v))));
}
catch (Exception e)
{
// TODO
// throw new ExtCertificateEncodingException("constructed invalid certificate", e);
throw new CertificateEncodingException("constructed invalid certificate", e);
}
}
/// <summary>
/// Create a new instance of the <see cref="HmacSigningHandler"/> class.
/// </summary>
/// <param name="secretRepository"></param>
/// <param name="representationBuilder"></param>
/// <param name="signatureCalculator"></param>
public HmacSigningHandler(ISecretRepository secretRepository,
IMessageRepresentationBuilder representationBuilder,
ISignatureCalculator signatureCalculator)
{
this.secretRepository = secretRepository;
this.representationBuilder = representationBuilder;
this.signatureCalculator = signatureCalculator;
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner, CmsAttributeTableGenerator signedGen, CmsAttributeTableGenerator unsignedGen)
{
this.sigId = sigId;
this.contentSigner = contentSigner;
this.signedGen = signedGen;
this.unsignedGen = unsignedGen;
this.isDirectSignature = false;
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner, CmsAttributeTableGenerator signedGen, CmsAttributeTableGenerator unsignedGen)
{
this.sigId = sigId;
this.contentSigner = contentSigner;
this.signedGen = signedGen;
this.unsignedGen = unsignedGen;
this.isDirectSignature = false;
}
/**
* Build a generator with the passed in certHolder issuer and serial number as the signerIdentifier.
*
* @param contentSigner operator for generating the final signature in the SignerInfo with.
* @param certHolder carrier for the X.509 certificate related to the contentSigner.
* @return a SignerInfoGenerator
* @throws OperatorCreationException if the generator cannot be built.
*/
public SignerInfoGenerator Build(ISignatureCalculator contentSigner, X509Certificate certificate)
{
SignerIdentifier sigId = new SignerIdentifier(new IssuerAndSerialNumber(certificate.IssuerDN, new DerInteger(certificate.SerialNumber)));
SignerInfoGenerator sigInfoGen = CreateGenerator(contentSigner, sigId);
sigInfoGen.setAssociatedCertificate(certificate);
return(sigInfoGen);
}
/// <summary>
/// Creates a new instance of the <see cref="HmacSignatureValidator"/> class.
/// </summary>
/// <param name="signatureCalculator"></param>
/// <param name="representationBuilder"></param>
/// <param name="secretRepository"></param>
/// <param name="objectCache"></param>
/// <param name="validityPeriod"></param>
/// <param name="clockDrift"></param>
public HmacSignatureValidator(ISignatureCalculator signatureCalculator,
IMessageRepresentationBuilder representationBuilder,
ISecretRepository secretRepository,
ICache objectCache,
int validityPeriod,
int clockDrift)
{
this.secretRepository = secretRepository;
this.representationBuilder = representationBuilder;
this.signatureCalculator = signatureCalculator;
this.objectCache = objectCache;
ValidityPeriod = validityPeriod;
ClockDrift = clockDrift;
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner, bool isDirectSignature)
{
this.sigId = sigId;
this.contentSigner = contentSigner;
this.isDirectSignature = isDirectSignature;
if (this.isDirectSignature)
{
this.signedGen = null;
this.unsignedGen = null;
}
else
{
this.signedGen = new DefaultSignedAttributeTableGenerator();
this.unsignedGen = null;
}
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner, bool isDirectSignature)
{
this.sigId = sigId;
this.contentSigner = contentSigner;
this.isDirectSignature = isDirectSignature;
if (this.isDirectSignature)
{
this.signedGen = null;
this.unsignedGen = null;
}
else
{
this.signedGen = new DefaultSignedAttributeTableGenerator();
this.unsignedGen = null;
}
}
/// <summary>
/// Generate a new X509Certificate using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An X509Certificate.</returns>
public X509Certificate Generate(ISignatureCalculator signatureCalculator)
{
tbsGen.SetSignature((AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate();
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] encoded = tbsCert.GetDerEncoded();
streamCalculator.Stream.Write(encoded, 0, encoded.Length);
streamCalculator.Stream.Close();
return(GenerateJcaObject(tbsCert, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails, ((IBlockResult)streamCalculator.GetResult()).DoFinal()));
}
internal SignerInf(
CmsSignedGenerator outer,
ISignatureCalculator sigCalc,
SignerIdentifier signerIdentifier,
CmsAttributeTableGenerator sAttr,
CmsAttributeTableGenerator unsAttr,
Asn1.Cms.AttributeTable baseSignedTable)
{
this.outer = outer;
this.sigCalc = sigCalc;
this.signerIdentifier = signerIdentifier;
this.digestOID = new DefaultDigestAlgorithmIdentifierFinder().find((AlgorithmIdentifier)sigCalc.AlgorithmDetails).Algorithm.Id;
this.encOID = ((AlgorithmIdentifier)sigCalc.AlgorithmDetails).Algorithm.Id;
this.sAttr = sAttr;
this.unsAttr = unsAttr;
this.baseSignedTable = baseSignedTable;
}
internal SignerInf(
CmsSignedGenerator outer,
ISignatureCalculator sigCalc,
SignerIdentifier signerIdentifier,
CmsAttributeTableGenerator sAttr,
CmsAttributeTableGenerator unsAttr,
Asn1.Cms.AttributeTable baseSignedTable)
{
this.outer = outer;
this.sigCalc = sigCalc;
this.signerIdentifier = signerIdentifier;
this.digestOID = new DefaultDigestAlgorithmIdentifierFinder().find((AlgorithmIdentifier)sigCalc.AlgorithmDetails).Algorithm.Id;
this.encOID = ((AlgorithmIdentifier)sigCalc.AlgorithmDetails).Algorithm.Id;
this.sAttr = sAttr;
this.unsAttr = unsAttr;
this.baseSignedTable = baseSignedTable;
}
private SignerInfoGenerator CreateGenerator(ISignatureCalculator contentSigner, SignerIdentifier sigId)
{
if (directSignature)
{
return(new SignerInfoGenerator(sigId, contentSigner, true));
}
if (signedGen != null || unsignedGen != null)
{
if (signedGen == null)
{
signedGen = new DefaultSignedAttributeTableGenerator();
}
return(new SignerInfoGenerator(sigId, contentSigner, signedGen, unsignedGen));
}
return(new SignerInfoGenerator(sigId, contentSigner));
}
internal SignerInf(
CmsSignedGenerator outer,
AsymmetricKeyParameter key,
SignerIdentifier signerIdentifier,
string digestOID,
string encOID,
CmsAttributeTableGenerator sAttr,
CmsAttributeTableGenerator unsAttr,
Asn1.Cms.AttributeTable baseSignedTable)
{
string digestName = Helper.GetDigestAlgName(digestOID);
string signatureName = digestName + "with" + Helper.GetEncryptionAlgName(encOID);
this.outer = outer;
this.sigCalc = new Asn1SignatureCalculator(signatureName, key);
this.signerIdentifier = signerIdentifier;
this.digestOID = digestOID;
this.encOID = encOID;
this.sAttr = sAttr;
this.unsAttr = unsAttr;
this.baseSignedTable = baseSignedTable;
}
internal SignerInf(
CmsSignedGenerator outer,
AsymmetricKeyParameter key,
SignerIdentifier signerIdentifier,
string digestOID,
string encOID,
CmsAttributeTableGenerator sAttr,
CmsAttributeTableGenerator unsAttr,
Asn1.Cms.AttributeTable baseSignedTable)
{
string digestName = Helper.GetDigestAlgName(digestOID);
string signatureName = digestName + "with" + Helper.GetEncryptionAlgName(encOID);
this.outer = outer;
this.sigCalc = new Asn1SignatureCalculator(signatureName, key);
this.signerIdentifier = signerIdentifier;
this.digestOID = digestOID;
this.encOID = encOID;
this.sAttr = sAttr;
this.unsAttr = unsAttr;
this.baseSignedTable = baseSignedTable;
}
private void init(
ISignatureCalculator signatureCalculator,
X509Name subject,
AsymmetricKeyParameter publicKey,
Asn1Set attributes,
AsymmetricKeyParameter signingKey)
{
this.sigAlgId = (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails;
SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
this.reqInfo = new CertificationRequestInfo(subject, pubInfo, attributes);
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] reqInfoData = reqInfo.GetDerEncoded();
streamCalculator.Stream.Write(reqInfoData, 0, reqInfoData.Length);
streamCalculator.Stream.Close();
// Generate Signature.
sigBits = new DerBitString(((IBlockResult)streamCalculator.GetResult()).DoFinal());
}
/// <summary>
/// Generate the signed response using the passed in signature calculator.
/// </summary>
/// <param name="signatureCalculator">Implementation of signing calculator.</param>
/// <param name="chain">The certificate chain associated with the response signer.</param>
/// <param name="producedAt">"produced at" date.</param>
/// <returns></returns>
public BasicOcspResp Generate(
ISignatureCalculator signatureCalculator,
X509Certificate[] chain,
DateTime producedAt)
{
if (signatureCalculator == null)
{
throw new ArgumentException("no signature calculator specified");
}
return GenerateResponse(signatureCalculator, chain, producedAt);
}
/**
* Build a generator with the passed in subjectKeyIdentifier as the signerIdentifier. If used you should
* try to follow the calculation described in RFC 5280 section 4.2.1.2.
*
* @param contentSigner operator for generating the final signature in the SignerInfo with.
* @param subjectKeyIdentifier key identifier to identify the public key for verifying the signature.
* @return a SignerInfoGenerator
* @throws OperatorCreationException if the generator cannot be built.
*/
public SignerInfoGenerator Build(ISignatureCalculator contentSigner, byte[] subjectKeyIdentifier)
{
SignerIdentifier sigId = new SignerIdentifier(new DerOctetString(subjectKeyIdentifier));
return(CreateGenerator(contentSigner, sigId));
}
/**
* Build a generator with the passed in subjectKeyIdentifier as the signerIdentifier. If used you should
* try to follow the calculation described in RFC 5280 section 4.2.1.2.
*
* @param contentSigner operator for generating the final signature in the SignerInfo with.
* @param subjectKeyIdentifier key identifier to identify the public key for verifying the signature.
* @return a SignerInfoGenerator
* @throws OperatorCreationException if the generator cannot be built.
*/
public SignerInfoGenerator Build(ISignatureCalculator contentSigner, byte[] subjectKeyIdentifier)
{
SignerIdentifier sigId = new SignerIdentifier(new DerOctetString(subjectKeyIdentifier));
return CreateGenerator(contentSigner, sigId);
}
private void init(
ISignatureCalculator signatureCalculator,
X509Name subject,
AsymmetricKeyParameter publicKey,
Asn1Set attributes,
AsymmetricKeyParameter signingKey)
{
this.sigAlgId = (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails;
SubjectPublicKeyInfo pubInfo = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(publicKey);
this.reqInfo = new CertificationRequestInfo(subject, pubInfo, attributes);
Stream sigStream = signatureCalculator.GetSignatureUpdater();
byte[] reqInfoData = reqInfo.GetDerEncoded();
sigStream.Write(reqInfoData, 0, reqInfoData.Length);
// Generate Signature.
sigBits = new DerBitString(signatureCalculator.Signature());
}
/// <summary>
/// Instantiate a Pkcs10CertificationRequest object with the necessary credentials.
/// </summary>
///<param name="signatureCalculator">The signature calculator to sign the PKCS#10 request with.</param>
/// <param name="subject">X509Name of subject eg OU="My unit." O="My Organisatioin" C="au" </param>
/// <param name="publicKey">Public Key to be included in cert reqest.</param>
/// <param name="attributes">ASN1Set of Attributes.</param>
/// <param name="signingKey">Matching Private key for nominated (above) public key to be used to sign the request.</param>
public Pkcs10CertificationRequest(
ISignatureCalculator signatureCalculator,
X509Name subject,
AsymmetricKeyParameter publicKey,
Asn1Set attributes,
AsymmetricKeyParameter signingKey)
{
if (signatureCalculator == null)
throw new ArgumentNullException("signatureCalculator");
if (subject == null)
throw new ArgumentNullException("subject");
if (publicKey == null)
throw new ArgumentNullException("publicKey");
if (publicKey.IsPrivate)
throw new ArgumentException("expected public key", "publicKey");
if (!signingKey.IsPrivate)
throw new ArgumentException("key for signing must be private", "signingKey");
init(signatureCalculator, subject, publicKey, attributes, signingKey);
}
/// <summary>
/// Generate a new X509Crl using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An X509Crl.</returns>
public X509Crl Generate(ISignatureCalculator signatureCalculator)
{
tbsGen.SetSignature((AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
TbsCertificateList tbsCertList = GenerateCertList();
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] encoded = tbsCertList.GetDerEncoded();
streamCalculator.Stream.Write(encoded, 0, encoded.Length);
streamCalculator.Stream.Close();
return GenerateJcaObject(tbsCertList, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails, ((IBlockResult)streamCalculator.GetResult()).DoFinal());
}
private SignerInfoGenerator CreateGenerator(ISignatureCalculator contentSigner, SignerIdentifier sigId)
{
if (directSignature)
{
return new SignerInfoGenerator(sigId, contentSigner, true);
}
if (signedGen != null || unsignedGen != null)
{
if (signedGen == null)
{
signedGen = new DefaultSignedAttributeTableGenerator();
}
return new SignerInfoGenerator(sigId, contentSigner, signedGen, unsignedGen);
}
return new SignerInfoGenerator(sigId, contentSigner);
}
/**
* Build a generator with the passed in certHolder issuer and serial number as the signerIdentifier.
*
* @param contentSigner operator for generating the final signature in the SignerInfo with.
* @param certHolder carrier for the X.509 certificate related to the contentSigner.
* @return a SignerInfoGenerator
* @throws OperatorCreationException if the generator cannot be built.
*/
public SignerInfoGenerator Build(ISignatureCalculator contentSigner, X509Certificate certificate)
{
SignerIdentifier sigId = new SignerIdentifier(new IssuerAndSerialNumber(certificate.IssuerDN, new DerInteger(certificate.SerialNumber)));
SignerInfoGenerator sigInfoGen = CreateGenerator(contentSigner, sigId);
sigInfoGen.setAssociatedCertificate(certificate);
return sigInfoGen;
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner) : this(sigId, contentSigner, false)
{
}
/// <summary>
/// Create a new instance of the <see cref="HmacSha256SigningHandler"/> class.
/// </summary>
/// <param name="secretRepository"></param>
/// <param name="representationBuilder"></param>
/// <param name="signatureCalculator"></param>
public HmacSha256SigningHandler(ISecretRepository secretRepository, IMessageRepresentationBuilder representationBuilder, ISignatureCalculator signatureCalculator) : base(secretRepository, representationBuilder, signatureCalculator, "SHA256")
{
}
public InstanceSignatureBuilder(ISignatureCalculator calculator)
{
_calculator = calculator;
}
internal SignerInfoGenerator(SignerIdentifier sigId, ISignatureCalculator contentSigner): this(sigId, contentSigner, false)
{
}
/// <summary>
/// Generate a new X509Crl using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An X509Crl.</returns>
public X509Crl Generate(ISignatureCalculator signatureCalculator)
{
tbsGen.SetSignature((AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
TbsCertificateList tbsCertList = GenerateCertList();
Stream sigStream = signatureCalculator.GetSignatureUpdater();
byte[] encoded = tbsCertList.GetDerEncoded();
sigStream.Write(encoded, 0, encoded.Length);
sigStream.Close();
return GenerateJcaObject(tbsCertList, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails, signatureCalculator.Signature());
}
/// <summary>
/// Generate a new X.509 Attribute Certificate using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An IX509AttributeCertificate.</returns>
public IX509AttributeCertificate Generate(ISignatureCalculator signatureCalculator)
{
if (!extGenerator.IsEmpty)
{
acInfoGen.SetExtensions(extGenerator.Generate());
}
AttributeCertificateInfo acInfo = acInfoGen.GenerateAttributeCertificateInfo();
byte[] encoded = acInfo.GetDerEncoded();
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
streamCalculator.Stream.Write(encoded, 0, encoded.Length);
streamCalculator.Stream.Close();
Asn1EncodableVector v = new Asn1EncodableVector();
v.Add(acInfo, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
try
{
v.Add(new DerBitString(((IBlockResult)streamCalculator.GetResult()).DoFinal()));
return new X509V2AttributeCertificate(AttributeCertificate.GetInstance(new DerSequence(v)));
}
catch (Exception e)
{
// TODO
// throw new ExtCertificateEncodingException("constructed invalid certificate", e);
throw new CertificateEncodingException("constructed invalid certificate", e);
}
}
/// <summary>
/// Generate a new X509Certificate using the passed in SignatureCalculator.
/// </summary>
/// <param name="signatureCalculator">A signature calculator with the necessary algorithm details.</param>
/// <returns>An X509Certificate.</returns>
public X509Certificate Generate(ISignatureCalculator signatureCalculator)
{
tbsGen.SetSignature ((AlgorithmIdentifier)signatureCalculator.AlgorithmDetails);
if (!extGenerator.IsEmpty)
{
tbsGen.SetExtensions(extGenerator.Generate());
}
TbsCertificateStructure tbsCert = tbsGen.GenerateTbsCertificate();
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] encoded = tbsCert.GetDerEncoded();
streamCalculator.Stream.Write (encoded, 0, encoded.Length);
streamCalculator.Stream.Close ();
return GenerateJcaObject(tbsCert, (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails, ((IBlockResult)streamCalculator.GetResult()).DoFinal());
}
private BasicOcspResp GenerateResponse(
ISignatureCalculator signatureCalculator,
X509Certificate[] chain,
DateTime producedAt)
{
AlgorithmIdentifier signingAlgID = (AlgorithmIdentifier)signatureCalculator.AlgorithmDetails;
DerObjectIdentifier signingAlgorithm = signingAlgID.Algorithm;
Asn1EncodableVector responses = new Asn1EncodableVector();
foreach (ResponseObject respObj in list)
{
try
{
responses.Add(respObj.ToResponse());
}
catch (Exception e)
{
throw new OcspException("exception creating Request", e);
}
}
ResponseData tbsResp = new ResponseData(responderID.ToAsn1Object(), new DerGeneralizedTime(producedAt), new DerSequence(responses), responseExtensions);
DerBitString bitSig = null;
try
{
IStreamCalculator streamCalculator = signatureCalculator.CreateCalculator();
byte[] encoded = tbsResp.GetDerEncoded();
streamCalculator.Stream.Write(encoded, 0, encoded.Length);
streamCalculator.Stream.Close();
bitSig = new DerBitString(((IBlockResult)streamCalculator.GetResult()).DoFinal());
}
catch (Exception e)
{
throw new OcspException("exception processing TBSRequest: " + e, e);
}
AlgorithmIdentifier sigAlgId = OcspUtilities.GetSigAlgID(signingAlgorithm);
DerSequence chainSeq = null;
if (chain != null && chain.Length > 0)
{
Asn1EncodableVector v = new Asn1EncodableVector();
try
{
for (int i = 0; i != chain.Length; i++)
{
v.Add(
X509CertificateStructure.GetInstance(
Asn1Object.FromByteArray(chain[i].GetEncoded())));
}
}
catch (IOException e)
{
throw new OcspException("error processing certs", e);
}
catch (CertificateEncodingException e)
{
throw new OcspException("error encoding certs", e);
}
chainSeq = new DerSequence(v);
}
return new BasicOcspResp(new BasicOcspResponse(tbsResp, sigAlgId, bitSig, chainSeq));
}
