/// <summary>
/// 对待签名数据签名
/// </summary>
/// <param name="inData">在操作过程中请勿对流进行关闭</param>
/// <param name="propertyInfo">签章属性信息</param>
/// <returns></returns>
public override byte[] Sign(Stream inData, string propertyInfo)
{
//原文杂凑值计算
GeneralDigest digest = GetDigest();
byte[] block = inData.ToArray();
digest.BlockUpdate(block, 0, block.Length);
byte[] outBytes = new byte[32];
digest.DoFinal(outBytes, 0);
//计算杂凑值
DerUtcTime signTime = new DerUtcTime(DateTime.Now);
TbsSign tbsSign = new TbsSign
{
Version = new DerInteger(1),
EsSeal = _seal,
TimeInfo = new DerBitString(signTime),
DataHash = new DerBitString(outBytes),
PropertyInfo = new DerIA5String(propertyInfo),
Cert = new DerOctetString(_certificate.GetEncoded()),
SignatureAlgorithm = GetSignAlgOId()
};
ISigner signer = SignerUtilities.GetSigner(GMObjectIdentifiers.sm2sign_with_sm3);
signer.Init(true, _privateKey);
byte[] signBytes = tbsSign.GetDerEncoded();
signer.BlockUpdate(signBytes, 0, signBytes.Length);
byte[] sign = signer.GenerateSignature();
SesSignature sesSignature = new SesSignature(tbsSign, new DerBitString(sign));
return(sesSignature.GetDerEncoded());
}
/// <summary>
/// 对待签名数据签名
/// </summary>
/// <param name="inData">在操作过程中请勿对流进行关闭</param>
/// <param name="propertyInfo">签章属性信息</param>
/// <returns></returns>
public override byte[] Sign(Stream inData, string propertyInfo)
{
GeneralDigest md = GetDigest();
byte[] input = inData.ToArray();
md.BlockUpdate(input, 0, input.Length);
byte[] output = new byte[32];
md.DoFinal(output, 0);
TbsSign tbsSign = new TbsSign
{
Version = SesHeader.V4,
EsSeal = _seal,
TimeInfo = new DerGeneralizedTime(DateTime.Now),
DataHash = new DerBitString(output),
PropertyInfo = new DerIA5String(propertyInfo)
};
ISigner signer = SignerUtilities.GetSigner(GMObjectIdentifiers.sm2sign_with_sm3);
signer.Init(true, _privateKey);
byte[] toSign = tbsSign.GetDerEncoded();
signer.BlockUpdate(toSign, 0, toSign.Length);
byte[] signed = signer.GenerateSignature();
SesSignature sesSignature = new SesSignature(tbsSign, new DerOctetString(_certificate.GetEncoded()), GMObjectIdentifiers.sm2sign_with_sm3, new DerBitString(signed));
return(sesSignature.GetDerEncoded());
}
/// <summary>
/// 签名数据验证
/// </summary>
/// <param name="type">电子签名类型</param>
/// <param name="tbsContent">待签章内容</param>
/// <param name="signedValue">电子签章数据或签名值(SignedValue.xml文件内容)</param>
public override VerifyResult Validate(SigType type, byte[] tbsContent, byte[] signedValue)
{
if (type == SigType.Sign)
{
throw new ArgumentOutOfRangeException(nameof(type), "签名类型(type)必须是 Seal,不支持电子印章验证");
}
//计算原文摘要
SM3Digest md = new SM3Digest();
md.BlockUpdate(tbsContent, 0, tbsContent.Length);
byte[] output = new byte[32];
md.DoFinal(output, 0);
SesSignature sesSignature = SesSignature.GetInstance(signedValue);
TbsSign toSign = sesSignature.TbsSign;
byte[] exceptHash = toSign.DataHash.GetOctets();
if (!Arrays.AreEqual(output, exceptHash))
{
return(VerifyResult.SignedNotMatch);
}
//加载证书
byte[] certDer = sesSignature.Cert.GetOctets();
X509CertificateParser parser = new X509CertificateParser();
X509Certificate cert = parser.ReadCertificate(certDer);
//判断证书是否过期
if (!cert.IsValid(DateTime.Now))
{
return(VerifyResult.SealOutdated);
}
//获取签名验证对象
ISigner signer = SignerUtilities.GetSigner(sesSignature.SignatureAlgId);
AsymmetricKeyParameter p = cert.GetPublicKey();
signer.Init(false, p);
byte[] buf = toSign.GetDerEncoded();
signer.BlockUpdate(buf, 0, buf.Length);
//预期的电子签章数据,签章值
byte[] expect = sesSignature.Signature.GetOctets();
//验证签名
bool result = signer.VerifySignature(expect);
return(result ? VerifyResult.Success : VerifyResult.SealTampered);
}
public override VerifyResult Validate(SigType type, byte[] tbsContent, byte[] signedValue)
{
if (type == SigType.Sign)
{
throw new ArgumentOutOfRangeException(nameof(type), "签名类型(type)必须是 Seal,不支持电子印章验证");
}
// 计算原文摘要
GeneralDigest md = new SM3Digest();
md.BlockUpdate(tbsContent, 0, tbsContent.Length);
byte[] expect = new byte[32];
md.DoFinal(expect, 0);
SesSignature sesSignature = SesSignature.GetInstance(signedValue);
TbsSign toSign = sesSignature.ToSign;
byte[] expectDataHash = toSign.DataHash.GetOctets();
// 比较原文摘要
if (!Arrays.AreEqual(expect, expectDataHash))
{
return(VerifyResult.SignedTampered);
}
// 预期的电子签章数据,签章值
byte[] expSigVal = sesSignature.Signature.GetOctets();
ISigner sg = SignerUtilities.GetSigner(toSign.SignatureAlgorithm);
byte[] certDer = toSign.Cert.GetOctets();
// 构造证书对象
X509Certificate x509Certificate = new X509CertificateParser().ReadCertificate(certDer);
AsymmetricKeyParameter p = x509Certificate.GetPublicKey();
sg.Init(false, p);
byte[] input = toSign.GetDerEncoded();
sg.BlockUpdate(input, 0, input.Length);
if (!sg.VerifySignature(expSigVal))
{
return(VerifyResult.SignedTampered);
}
return(VerifyResult.Success);
}
/// <summary>
/// 检查印章匹配[可选-存在Seal.esl则验证,不存在不验证]
/// 验证文件:Doc_0\Signs\Sign_0\Seal.esl、Doc_0\Signs\Sign_0\SignedValue.dat
/// </summary>
private static VerifyResult CheckSealMatch(OfdReader reader, Signature signature)
{
if (signature.SignedInfo.Seal == null)
{
return(VerifyResult.Success);
}
byte[] sesSignatureBin = reader.ReadContent(signature.SignedValue);
SesVersionHolder holder = VersionParser.ParseSignatureVersion(sesSignatureBin);
if (holder.Version == SesVersion.V4)
{
SesSignature v4Signature = SesSignature.GetInstance(holder.Sequence);
SeSeal seal = v4Signature.TbsSign.EsSeal;
byte[] expect = seal.GetDerEncoded();
byte[] sealBytes = reader.ReadContent(signature.SignedInfo.Seal.BaseLoc.Value);
if (!Arrays.AreEqual(expect, sealBytes))
{
return(VerifyResult.SealNotMatch);
}
}
return(VerifyResult.Success);
}
public override void Validate(SigType type, string signAlgName, byte[] tbsContent, byte[] signedValue)
{
if (type == SigType.Sign)
{
throw new ArgumentOutOfRangeException(nameof(type), "签名类型(type)必须是 Seal,不支持电子印章验证");
}
// 计算原文摘要
GeneralDigest md = new SM3Digest();
md.BlockUpdate(tbsContent, 0, tbsContent.Length);
byte[] expect = new byte[32];
md.DoFinal(expect, 0);
SesSignature sesSignature = SesSignature.GetInstance(signedValue);
TbsSign toSign = sesSignature.ToSign;
byte[] expectDataHash = toSign.DataHash.GetOctets();
// 比较原文摘要
if (!Arrays.AreEqual(expect, expectDataHash))
{
//throw new InvalidSignedValueException("Signature.xml 文件被篡改,电子签章失效。("+ toSign.getPropertyInfo().getString() + ")");
}
//sg.initVerify(signCert);
//sg.update(toSign.getEncoded("DER"));
//if (!sg.verify(expSigVal))
//{
// throw new InvalidSignedValueException("电子签章数据签名值不匹配,电子签章数据失效。");
//}
// 预期的电子签章数据,签章值
byte[] expSigVal = sesSignature.Signature.GetOctets();
//Signature sg = Signature(toSign.getSignatureAlgorithm().getId(),new BouncyCastleProvider());
ISigner sg = SignerUtilities.GetSigner(GMObjectIdentifiers.sm2encrypt_with_sm3);
byte[] certDER = toSign.Cert.GetOctets();
//new X509V1CertificateGenerator().Generate()
// 构造证书对象
//Certificate signCert = new CertificateFactory().engineGenerateCertificate(new ByteArrayInputStream(certDER));
//X509Certificate x509Certificate = new X509Certificate(new X509CertificateStructure(TbsCertificateStructure.GetInstance(certDER), null, new DerBitString(certDER)));
X509Certificate x509Certificate = new X509CertificateParser().ReadCertificate(certDER);
//x509Certificate.Verify();
AsymmetricKeyParameter p = x509Certificate.GetPublicKey();
sg.Init(false, p);
//System.Security.Cryptography.X509Certificates.X509Certificate x509 = new System.Security.Cryptography.X509Certificates.X509Certificate(certDER);
//sg.Init(false,new ECPublicKeyParameters());
// 获取一条SM2曲线参数
X9ECParameters sm2EcParameters = GMNamedCurves.GetByName("sm2p256v1");
// 构造domain参数
ECDomainParameters domainParameters = new ECDomainParameters(sm2EcParameters.Curve, sm2EcParameters.G, sm2EcParameters.N);
//提取公钥点
ECPoint pukPoint = sm2EcParameters.Curve.DecodePoint(certDER);
// 公钥前面的02或者03表示是压缩公钥,04表示未压缩公钥, 04的时候,可以去掉前面的04
ECPublicKeyParameters publicKeyParameters = new ECPublicKeyParameters(pukPoint, domainParameters);
sg.Init(false, publicKeyParameters);
byte[] input = toSign.GetDerEncoded();
sg.BlockUpdate(input, 0, input.Length);
bool pass = sg.VerifySignature(expSigVal);
if (!pass)
{
throw new Exception();
}
}