        /// <summary>
        /// Extends the base signed-attribute set with the ETSI signature-policy-identifier attribute
        /// (id-aa-ets-sigPolicyId), chosen by <c>parameters.SignaturePolicy</c>: EXPLICIT embeds the policy OID
        /// plus the digest of the policy document, IMPLICIT embeds an empty identifier, NO_POLICY adds nothing.
        /// </summary>
        /// <param name="parameters">Signing parameters; for EXPLICIT the policy OID, the digest algorithm name and
        /// the digest value are read from it.</param>
        /// <returns>The base signed attributes, plus the policy attribute when a policy applies.</returns>
        public override IDictionary <DerObjectIdentifier, Asn1Encodable> GetSignedAttributes(SignatureParameters parameters)
        {
            var attributes = base.GetSignedAttributes(parameters);

            SignaturePolicyIdentifier identifier = null;
            if (parameters.SignaturePolicy == SignaturePolicy.EXPLICIT)
            {
                // Explicit policy: OID + (digest algorithm, digest value) of the policy document, as supplied by the caller.
                var policyOid = new DerObjectIdentifier(parameters.SignaturePolicyID);
                var digestOid = new DerObjectIdentifier(DigestAlgorithm.GetByName(parameters.SignaturePolicyHashAlgo).OID);
                var policyHash = new OtherHashAlgAndValue(new AlgorithmIdentifier(digestOid),
                                                          new DerOctetString(parameters.SignaturePolicyHashValue));
                identifier = new SignaturePolicyIdentifier(new SignaturePolicyId(policyOid, policyHash));
            }
            else if (parameters.SignaturePolicy == SignaturePolicy.IMPLICIT)
            {
                // Implied policy: the identifier carries neither an OID nor a hash.
                identifier = new SignaturePolicyIdentifier();
            }

            // NO_POLICY (and any other value) leaves the base attributes untouched.
            if (identifier != null)
            {
                var policyAttribute = new Attribute(PkcsObjectIdentifiers.IdAAEtsSigPolicyID, new DerSet(identifier));
                attributes.Add(PkcsObjectIdentifiers.IdAAEtsSigPolicyID, policyAttribute);
            }

            return attributes;
        }
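        /// <summary>
        /// Builds the signed attribute (id-aa-ets-sigPolicyId) that identifies the signature policy of an
        /// EPES signature: the policy OID together with the digest algorithm and digest value of the policy document.
        /// </summary>
        /// <param name="parameters">Signing parameters whose <c>SignaturePolicyInfo</c> supplies the policy OID,
        /// the digest algorithm and the Base64-encoded digest value.</param>
        /// <returns>The CMS attribute wrapping the <see cref="SignaturePolicyIdentifier"/>.</returns>
        /// <exception cref="System.ArgumentNullException"><paramref name="parameters"/> is null.</exception>
        /// <exception cref="System.ArgumentException"><c>SignaturePolicyInfo</c> is missing.</exception>
        /// <exception cref="System.FormatException"><c>PolicyHash</c> is not valid Base64.</exception>
        private BcCms.Attribute MakeSignaturePolicyAttribute(SignatureParameters parameters)
        {
            if (parameters == null)
            {
                throw new System.ArgumentNullException(nameof(parameters));
            }
            var info = parameters.SignaturePolicyInfo;
            if (info == null)
            {
                // Fail with a clear message instead of a NullReferenceException deep inside the ASN.1 constructors.
                throw new System.ArgumentException("SignaturePolicyInfo is required to build the signature policy attribute", nameof(parameters));
            }

            var policyOid = new DerObjectIdentifier(info.PolicyIdentifier);
            var digestAlgorithm = new AlgorithmIdentifier(info.PolicyDigestAlgorithm.Oid);
            // PolicyHash is the Base64 form of the policy document digest; a malformed value surfaces as FormatException.
            var policyHash = new OtherHashAlgAndValue(digestAlgorithm,
                                                      new DerOctetString(System.Convert.FromBase64String(info.PolicyHash)));
            var sigPolicy = new SignaturePolicyIdentifier(new SignaturePolicyId(policyOid, policyHash));

            return new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsSigPolicyID, new DerSet(sigPolicy));
        }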
        /// <summary>
        /// Returns the base signed attributes extended with the ETSI signature-policy-identifier attribute
        /// (id-aa-ets-sigPolicyId) when <c>parameters.SignaturePolicy</c> is EXPLICIT or IMPLICIT;
        /// NO_POLICY returns the base attributes unchanged.
        /// </summary>
        /// <param name="parameters">Signing parameters: policy mode, policy OID, digest algorithm name and digest value.</param>
        /// <returns>The signed attributes keyed by OID (non-generic dictionary, as required by the base class).</returns>
        /// <exception cref="ProfileException">The policy digest algorithm name is unknown. Only the message of the
        /// underlying <c>NoSuchAlgorithmException</c> is carried over; the original exception is not preserved as inner exception.</exception>
        internal override IDictionary GetSignedAttributes
            (SignatureParameters parameters)
        {
            try
            {
                IDictionary attributes = base.GetSignedAttributes(parameters);
                SignaturePolicyIdentifier identifier;

                switch (parameters.SignaturePolicy)
                {
                case SignaturePolicy.EXPLICIT:
                {
                    // Explicit policy: OID plus digest (algorithm + value) of the policy document.
                    DerObjectIdentifier policyOid = new DerObjectIdentifier(parameters.SignaturePolicyID);
                    AlgorithmIdentifier digestAlg = new AlgorithmIdentifier(DigestAlgorithm.GetByName(parameters.SignaturePolicyHashAlgo).GetOid());
                    OtherHashAlgAndValue policyHash = new OtherHashAlgAndValue(digestAlg, new DerOctetString(parameters.SignaturePolicyHashValue));
                    identifier = new SignaturePolicyIdentifier(new SignaturePolicyId(policyOid, policyHash));
                    break;
                }

                case SignaturePolicy.IMPLICIT:
                {
                    // Implied policy: empty identifier. TODO jbonilla - validate (IsSignaturePolicyImplied?)
                    identifier = new SignaturePolicyIdentifier();
                    break;
                }

                default:
                {
                    // NO_POLICY (or any unrecognised value): nothing to add.
                    return attributes;
                }
                }

                Attribute policyAttribute = new Attribute(PkcsObjectIdentifiers.IdAAEtsSigPolicyID, new DerSet(identifier));
                attributes.Add(PkcsObjectIdentifiers.IdAAEtsSigPolicyID, policyAttribute);
                return attributes;
            }
            catch (NoSuchAlgorithmException ex)
            {
                throw new ProfileException(ex.Message);
            }
        }
        /// <summary>
        /// Signs helloWorldDoc.pdf as PAdES-EPES with an explicit signature policy whose OID does not resolve to a
        /// real policy and whose hash is the single zero byte (hash value unknown, ETSI TS 101 733 V2.2.1, 5.8.1),
        /// then runs the basic signed-document checks on the result.
        /// </summary>
        public virtual void PadesEpesProfileTest01()
        {
            const string policyOid = "2.16.724.631.3.1.124.2.29.9";   // deliberately not an existing policy
            const string outputName = "padesEpesProfileTest01.pdf";

            DerObjectIdentifier policyId = DerObjectIdentifier.GetInstance(new DerObjectIdentifier(policyOid));
            AlgorithmIdentifier digestAlg = new AlgorithmIdentifier(new DerObjectIdentifier(DigestAlgorithms.GetAllowedDigest("SHA1")));

            // A single zero byte signals that the policy hash value is not known (ETSI TS 101 733 V2.2.1, 5.8.1).
            DerOctetString unknownHash = new DerOctetString(new byte[] { 0 });
            SignaturePolicyId policyRef = new SignaturePolicyId(policyId, new OtherHashAlgAndValue(digestAlg, unknownHash));
            SignaturePolicyIdentifier policyIdentifier = new SignaturePolicyIdentifier(policyRef);

            SignApproval(certsSrc + "signCertRsa01.p12", destinationFolder + outputName, policyIdentifier);
            BasicCheckSignedDoc(destinationFolder + outputName, "Signature1");
        }
        /// <summary>
        /// Verifies that SignaturePolicyInfo.ToSignaturePolicyIdentifier() produces the same ASN.1 structure as a
        /// SignaturePolicyIdentifier assembled by hand from the policy OID, hash, digest algorithm and URI qualifier.
        /// </summary>
        public virtual void ToSignaturePolicyIdentifierTest()
        {
            SignaturePolicyIdentifier actual =
                new SignaturePolicyInfo(POLICY_IDENTIFIER, POLICY_HASH, POLICY_DIGEST_ALGORITHM, POLICY_URI).ToSignaturePolicyIdentifier();

            // Hand-built reference: an id-spq-ets-uri qualifier carrying the policy URI ...
            SigPolicyQualifierInfo uriQualifier = new SigPolicyQualifierInfo(
                Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.IdSpqEtsUri, new DerIA5String(POLICY_URI));
            // ... the digest algorithm and digest value of the policy document ...
            String algOid = DigestAlgorithms.GetAllowedDigest(POLICY_DIGEST_ALGORITHM);
            AlgorithmIdentifier digestAlg = new AlgorithmIdentifier(new DerObjectIdentifier(algOid));
            OtherHashAlgAndValue policyHash = new OtherHashAlgAndValue(digestAlg, new DerOctetString(POLICY_HASH));
            // ... and the policy OID itself.
            DerObjectIdentifier policyOid = DerObjectIdentifier.GetInstance(new DerObjectIdentifier(POLICY_IDENTIFIER));
            SignaturePolicyIdentifier expected = new SignaturePolicyIdentifier(
                new SignaturePolicyId(policyOid, policyHash, SignUtils.CreateSigPolicyQualifiers(uriQualifier)));

            NUnit.Framework.Assert.AreEqual(expected.ToAsn1Object(), actual.ToAsn1Object());
        }
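        /// <summary>
        /// Converts this policy description into the ASN.1 <see cref="SignaturePolicyIdentifier"/> placed in the signed
        /// attributes of an EPES signature: the policy OID (a "urn:oid:" prefix is stripped), the digest algorithm and
        /// digest value of the policy document, and an optional id-spq-ets-uri qualifier carrying the policy URI.
        /// </summary>
        /// <returns>The populated identifier.</returns>
        /// <exception cref="ArgumentException">The digest algorithm name is not an allowed digest, or the policy
        /// identifier is empty.</exception>
        internal virtual SignaturePolicyIdentifier ToSignaturePolicyIdentifier()
        {
            String algId = DigestAlgorithms.GetAllowedDigest(this.policyDigestAlgorithm);
            if (String.IsNullOrEmpty(algId))
            {
                throw new ArgumentException("Invalid policy hash algorithm");
            }
            // Fail early with a clear message instead of a NullReferenceException from Replace() below.
            if (String.IsNullOrEmpty(this.policyIdentifier))
            {
                throw new ArgumentException("Invalid policy identifier");
            }

            // The URI qualifier is optional; CreateSigPolicyQualifiers receives null when no URI is configured.
            SigPolicyQualifierInfo spqi = null;
            if (!String.IsNullOrEmpty(this.policyUri))
            {
                spqi = new SigPolicyQualifierInfo(Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.IdSpqEtsUri, new DerIA5String(this.policyUri));
            }

            DerObjectIdentifier policyOid = DerObjectIdentifier.GetInstance(
                new DerObjectIdentifier(this.policyIdentifier.Replace("urn:oid:", "")));
            OtherHashAlgAndValue policyHash = new OtherHashAlgAndValue(
                new AlgorithmIdentifier(new DerObjectIdentifier(algId)), new DerOctetString(this.policyHash));

            return new SignaturePolicyIdentifier(new SignaturePolicyId(policyOid, policyHash, SignUtils.CreateSigPolicyQualifiers(spqi)));
        }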
        /// <summary>
        /// Builds the ASN.1 signature-policy-identifier for this policy: the policy OID (a "urn:oid:" prefix is
        /// stripped), the policy document digest (algorithm + value) and, when <c>PolicyUri</c> is set, an
        /// id-spq-ets-uri qualifier.
        /// </summary>
        /// <returns>The identifier to embed in the signed attributes.</returns>
        /// <exception cref="ArgumentException"><c>PolicyDigestAlgorithm</c> is not an allowed digest.</exception>
        protected internal SignaturePolicyIdentifier ToSignaturePolicyIdentifier()
        {
            string digestId = DigestAlgorithms.GetAllowedDigests(this.PolicyDigestAlgorithm);
            if (string.IsNullOrEmpty(digestId))
            {
                throw new ArgumentException("Invalid policy hash algorithm");
            }

            // The qualifier is optional; null is passed to SignaturePolicyId when no URI is configured.
            SigPolicyQualifierInfo uriQualifier = string.IsNullOrEmpty(this.PolicyUri)
                ? null
                : new SigPolicyQualifierInfo(PkcsObjectIdentifiers.IdSpqEtsUri, new DerIA5String(this.PolicyUri));

            DerObjectIdentifier policyOid = DerObjectIdentifier.GetInstance(
                new DerObjectIdentifier(this.PolicyIdentifier.Replace("urn:oid:", "")));
            OtherHashAlgAndValue policyHash = new OtherHashAlgAndValue(new AlgorithmIdentifier(digestId), new DerOctetString(this.PolicyHash));

            return new SignaturePolicyIdentifier(new SignaturePolicyId(policyOid, policyHash, uriQualifier));
        }
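        /// <summary>
        /// Signs sourceFolder/helloWorldDoc.pdf with the first key and chain from the given PKCS#12 file as a detached
        /// CAdES approval signature in field "Signature1" and writes the result to <paramref name="outFileName"/>.
        /// </summary>
        /// <param name="signCertFileName">PKCS#12 file holding the signing key and chain; opened with the test <c>password</c>.</param>
        /// <param name="outFileName">Destination PDF; created or overwritten.</param>
        /// <param name="sigPolicyInfo">EPES signature policy to embed, or null for a plain CAdES signature.</param>
        private void SignApproval(String signCertFileName, String outFileName, SignaturePolicyIdentifier sigPolicyInfo
                                  )
        {
            String srcFileName = sourceFolder + "helloWorldDoc.pdf";

            X509Certificate[]  signChain      = Pkcs12FileHelper.ReadFirstChain(signCertFileName, password);
            ICipherParameters  signPrivateKey = Pkcs12FileHelper.ReadFirstKey(signCertFileName, password, password);
            IExternalSignature pks            = new PrivateKeySignature(signPrivateKey, DigestAlgorithms.SHA256);

            // Own the output stream here so it is released even if signing throws before the signer closes it;
            // FileStream.Dispose is idempotent, so a second close by PdfSigner (if it does one) is harmless.
            using (FileStream outStream = new FileStream(outFileName, FileMode.Create))
            {
                PdfSigner signer = new PdfSigner(new PdfReader(srcFileName), outStream, new StampingProperties());

                signer.SetFieldName("Signature1");
                signer.GetSignatureAppearance().SetPageRect(new Rectangle(50, 650, 200, 100)).SetReason("Test").SetLocation
                    ("TestCity").SetLayer2Text("Approval test signature.\nCreated by iText7.");
                if (sigPolicyInfo == null)
                {
                    signer.SignDetached(pks, signChain, null, null, null, 0, PdfSigner.CryptoStandard.CADES);
                }
                else
                {
                    signer.SignDetached(pks, signChain, null, null, null, 0, PdfSigner.CryptoStandard.CADES, sigPolicyInfo);
                }
            }
        }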
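        /**
         * Signs the document using the detached mode, CMS or CAdES equivalent.
         * When estimatedSize is 0 the reservation is derived from the CRL, OCSP and TSA inputs; the final
         * signature must fit into that reservation, otherwise an IOException is thrown after the document has
         * already been pre-closed, so the partially written output should then be discarded.
         * @param sap the PdfSignatureAppearance
         * @param externalSignature the interface providing the actual signing
         * @param chain the certificate chain; its first element is the signing certificate and must be present
         * @param crlList the CRL list
         * @param ocspClient the OCSP client (consulted only when the chain holds at least two certificates)
         * @param tsaClient the Timestamp client
         * @param estimatedSize the reserved size for the signature. It will be estimated if 0
         * @param sigtype CADES to sign CAdES equivalent PAdES-BES (also registers the ESIC developer extension), CMS otherwise
         * @param signaturePolicy the signature policy (for EPES signatures), or null
         * @throws ArgumentException if chain is empty
         * @throws DocumentException
         * @throws IOException
         * @throws GeneralSecurityException
         * @throws NoSuchAlgorithmException
         * @throws Exception
         */
        public static void SignDetached(PdfSignatureAppearance sap, IExternalSignature externalSignature, ICollection <X509Certificate> chain, ICollection <ICrlClient> crlList, IOcspClient ocspClient,
                                        ITSAClient tsaClient, int estimatedSize, CryptoStandard sigtype, SignaturePolicyIdentifier signaturePolicy)
        {
            List <X509Certificate> certa = new List <X509Certificate>(chain);
            if (certa.Count == 0)
            {
                // certa[0] is used as the signing certificate below; fail clearly rather than with an index error.
                throw new ArgumentException("The certificate chain must contain at least the signing certificate", nameof(chain));
            }

            // Use the CRLs of the first certificate in the chain that yields any.
            ICollection <byte[]> crlBytes = null;
            int i = 0;
            while (crlBytes == null && i < certa.Count)
            {
                crlBytes = ProcessCrl(certa[i++], crlList);
            }

            if (estimatedSize == 0)
            {
                // Base reservation, plus room for every CRL and for an OCSP response / timestamp token.
                estimatedSize = 8192;
                if (crlBytes != null)
                {
                    foreach (byte[] element in crlBytes)
                    {
                        estimatedSize += element.Length + 10;
                    }
                }
                if (ocspClient != null)
                {
                    estimatedSize += 4192;
                }
                if (tsaClient != null)
                {
                    estimatedSize += 4192;
                }
            }

            sap.Certificate = certa[0];
            if (sigtype == CryptoStandard.CADES)
            {
                sap.AddDeveloperExtension(PdfDeveloperExtension.ESIC_1_7_EXTENSIONLEVEL2);
            }
            PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, sigtype == CryptoStandard.CADES ? PdfName.ETSI_CADES_DETACHED : PdfName.ADBE_PKCS7_DETACHED);

            dic.Reason           = sap.Reason;
            dic.Location         = sap.Location;
            dic.SignatureCreator = sap.SignatureCreator;
            dic.Contact          = sap.Contact;
            dic.Date             = new PdfDate(sap.SignDate); // time-stamp will over-rule this
            sap.CryptoDictionary = dic;

            // /Contents is written as a hex string (see SetHexWriting below): two characters per byte plus delimiters.
            Dictionary <PdfName, int> exc = new Dictionary <PdfName, int>();
            exc[PdfName.CONTENTS] = estimatedSize * 2 + 2;
            sap.PreClose(exc);

            String   hashAlgorithm = externalSignature.GetHashAlgorithm();
            PdfPKCS7 sgn           = new PdfPKCS7(null, chain, hashAlgorithm, false);
            if (signaturePolicy != null)
            {
                sgn.SetSignaturePolicy(signaturePolicy);
            }

            // Digest of the byte ranges covered by the signature.
            Stream data = sap.GetRangeStream();
            byte[] hash = DigestAlgorithms.Digest(data, hashAlgorithm);

            byte[] ocsp = null;
            if (chain.Count >= 2 && ocspClient != null)
            {
                ocsp = ocspClient.GetEncoded(certa[0], certa[1], null);
            }

            // The external signer signs the DER-encoded authenticated attributes, not the document hash itself.
            byte[] sh           = sgn.getAuthenticatedAttributeBytes(hash, ocsp, crlBytes, sigtype);
            byte[] extSignature = externalSignature.Sign(sh);
            sgn.SetExternalDigest(extSignature, null, externalSignature.GetEncryptionAlgorithm());

            byte[] encodedSig = sgn.GetEncodedPKCS7(hash, tsaClient, ocsp, crlBytes, sigtype);
            if (estimatedSize < encodedSig.Length)
            {
                throw new IOException("Not enough space");
            }

            // Zero-pad to the reserved size so /Contents keeps the length declared at PreClose.
            byte[] paddedSig = new byte[estimatedSize];
            System.Array.Copy(encodedSig, 0, paddedSig, 0, encodedSig.Length);

            PdfDictionary dic2 = new PdfDictionary();
            dic2.Put(PdfName.CONTENTS, new PdfString(paddedSig).SetHexWriting(true));
            sap.Close(dic2);
        }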
 /// <summary>
 /// Sets the ETSI signature policy identifier (EPES) for the signature this object produces; presumably it is
 /// emitted as the id-aa-ets-sigPolicyId signed attribute when the authenticated attributes are built — confirm
 /// against the implementing class.
 /// </summary>
 /// <param name="signaturePolicy">The policy identifier to embed.</param>
 public virtual void SetSignaturePolicy(SignaturePolicyIdentifier signaturePolicy);