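/**
 * Generic validate function. Validates known types of XML signature.
 *
 * Parses the signature file, picks the certificate validation policy that
 * matches the signing certificate (fiscal-seal "mali mühür" vs. ordinary),
 * verifies the signature and then every counter signature found in the
 * unsigned signature properties. Each ValidationResult is printed as XML.
 *
 * NOTE(review): nothing is returned or thrown when a result is not VALID —
 * the Assert lines are kept commented out as found, so callers that need a
 * pass/fail decision must obtain it some other way.
 *
 * @param fileName name of the signature file to be validated
 * @throws InvalidOperationException when the signature carries no signing
 *         certificate in its KeyInfo (the original dereferenced null here)
 */
public static void validate(String fileName)
{
    Context context = new Context(Conn.ROOT_DIR + "efatura\\config\\");
    // add external resolver to resolve policies
    context.addExternalResolver(getPolicyResolver());

    XMLSignature signature = XMLSignature.parse(
        new FileDocument(new FileInfo(fileName)), context);

    // The signing certificate is taken from the signature's own KeyInfo, so
    // trust comes entirely from the certificate validation policy chosen
    // below, never from the (untrusted) document itself.
    ECertificate cert = signature.SigningCertificate;
    if (cert == null)
    {
        throw new InvalidOperationException(
            "No signing certificate found in KeyInfo of " + fileName);
    }

    // Both policies live next to the other e-fatura config files; only the
    // file name differs between the two certificate kinds.
    String policyPath = cert.isMaliMuhurCertificate()
        ? Conn.ROOT_DIR + "efatura\\config\\certval-policy-malimuhur.xml"
        : Conn.ROOT_DIR + "efatura\\config\\certval-policy.xml";
    ValidationPolicy policy = PolicyReader.readValidationPolicy(policyPath);
    ValidationSystem vs = CertificateValidation.createValidationSystem(policy);
    context.setCertValidationSystem(vs);

    // no params, use the certificate in key info
    ValidationResult result = signature.verify();
    Console.WriteLine(result.toXml());
    // Assert.True(result.Type == ValidationResultType.VALID,"Cant verify " + fileName);

    UnsignedSignatureProperties usp = signature.QualifyingProperties.UnsignedSignatureProperties;
    if (usp != null)
    {
        IList<XMLSignature> counterSignatures = usp.AllCounterSignatures;
        foreach (XMLSignature counterSignature in counterSignatures)
        {
            // Fix: verify the counter signature itself. The original called
            // signature.verify() in this loop, which re-verified the outer
            // signature once per counter signature and never checked any of
            // the counter signatures.
            ValidationResult counterResult = counterSignature.verify();
            Console.WriteLine(counterResult.toXml());
            //Assert.True(counterResult.Type == ValidationResultType.VALID,
            //    "Cant verify counter signature" + fileName + " : "+counterSignature.Id);
        }
    }
}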
/* ****************************************************************************
 * reset()
 **************************************************************************** */
/**
 * Resets the internal state of this obj.
 *
 * Afterwards the instance holds no DOM, no parsed child objects and empty
 * id / issue-instant strings — the same state as right after construction.
 */
public void reset()
{
    // drop the cached DOM and every parsed child object first ...
    moElem = null;
    moSignature = null;
    moIssuer = null;
    moSubject = null;
    moConditions = null;
    moAttrStatement = null;

    // ... then clear the attribute values read from the element itself
    msXmlID = "";
    msIssueInstant = "";
}
/* ****************************************************************************
 * fromDOM()
 **************************************************************************** */
/**
 * This method populates the obj from DOM. It does not keep a
 * copy of the DOM around. Whitespace information is lost in this process.
 *
 * For every known child tag only the first occurrence is used; later
 * duplicates are ignored.
 *
 * NOTE(review): children are matched on LocalName only — the namespace is
 * not checked, so an element with the same local name in a foreign
 * namespace is accepted as well. The Signature child is parsed best-effort:
 * a parse failure is only logged and moSignature stays null, so callers
 * must not assume a signature object exists just because the element
 * carried a Signature child.
 */
public void fromDOM(XmlElement oElem)
{
    reset();

    // optional attributes on the element itself
    if (oElem.hasAttributeNS(null, Tags.ATTR_ID_CAP))
    {
        msXmlID = oElem.getAttributeNS(null, Tags.ATTR_ID_CAP);
    }
    if (oElem.hasAttributeNS(null, Tags.ATTR_ISSUEINSTANT))
    {
        msIssueInstant = oElem.getAttributeNS(null, Tags.ATTR_ISSUEINSTANT);
    }

    // walk the children in document order
    XmlNode oChild = oElem.FirstChild;
    while (oChild != null)
    {
        string sName = oChild.LocalName;

        if (sName.Equals(Tags.TAG_ISSUER))
        {
            if (moIssuer == null)
            {
                moIssuer = new NameID((XmlElement) oChild);
            }
        }
        else if (sName.Equals(Tags.TAG_SIGNATURE))
        {
            if (moSignature == null)
            {
                moSignature = parseSignatureChild(oChild);
            }
        }
        else if (sName.Equals(Tags.TAG_SUBJECT))
        {
            if (moSubject == null)
            {
                moSubject = new Subject((XmlElement) oChild);
            }
        }
        else if (sName.Equals(Tags.TAG_CONDITIONS))
        {
            if (moConditions == null)
            {
                moConditions = new Conditions((XmlElement) oChild);
            }
        }
        else if (sName.Equals(Tags.TAG_ATTRIBUTESTATEMENT))
        {
            if (moAttrStatement == null)
            {
                moAttrStatement = new AttributeStatement((XmlElement) oChild);
            }
        }

        oChild = oChild.NextSibling;
    }
}

/**
 * Parses a Signature child into an XMLSignature that owns a private copy
 * of the node. Returns null (after logging a warning) when the node cannot
 * be imported or parsed.
 */
private XMLSignature parseSignatureChild(XmlNode oChild)
{
    try
    {
        // import into a fresh document so the signature is detached from
        // the caller's DOM, which this class does not keep around
        XmlDocument oDoc = new XmlDocument();
        XmlElement oChildCopy = (XmlElement) oDoc.ImportNode(oChild, true);
        return new XMLSignature(oChildCopy, null);
    }
    catch (Exception oEx)
    {
        soLog.Warn("Caught exception while parsing Signature", oEx);
        return null;
    }
}
//throws XMLSecurityException
/**
 * This will sign the XRD using the provided Private Key. The
 * signature will be kept in DOM. DOM will be created if it doesn't exist
 * already.
 *
 * The enveloped signature references this element by its xml:id and is
 * inserted into the SAML Assertion directly before its Subject, which is
 * where verifySignature() expects to find it.
 *
 * NOTE(review): the signature algorithm is hard-wired to RSA with SHA-1
 * (XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1). SHA-1 is deprecated for
 * signatures; keep it only if existing verifiers require it, otherwise an
 * RSA-SHA256 identifier should be used once consumers are known to accept it.
 *
 * @param oKey - The private key to sign the descriptor with.
 * @throws XMLSecurityException when there is no Assertion, no Subject or
 *         no xml:id to reference.
 */
public void sign(PrivateKey oKey)
{
    // build up the DOM (stored in moElem for future use)
    getDOM();

    // before signing, make sure that the document is properly normalized
    // this is separate from the XMLDSig canonicalization and is more for attributes, namespaces, etc.
    moElem.OwnerDocument.Normalize();

    XmlElement oAssertionElem = DOMUtils.getFirstChildElement(
        moElem, Tags.NS_SAML, Tags.TAG_ASSERTION);
    if (oAssertionElem == null)
    {
        throw new XMLSecurityException(
            "Cannot create signature. No SAML Assertion attached to descriptor.");
    }

    XmlElement oSubjectElem = DOMUtils.getFirstChildElement(
        oAssertionElem, Tags.NS_SAML, Tags.TAG_SUBJECT);
    if (oSubjectElem == null)
    {
        throw new XMLSecurityException(
            "Cannot create signature. SAML Assertion has no subject.");
    }

    // the reference URI is built from the xml:id, so it has to be present
    string sID = moElem.getAttributeNS(Tags.NS_XML, Tags.ATTR_ID_LOW);
    if (string.IsNullOrEmpty(sID))
    {
        throw new XMLSecurityException(
            "Cannot create signature. ID is missing for " + moElem.LocalName);
    }

    // register the attribute as an ID so that "#<id>" resolves to moElem
    DOM3Utils.bestEffortSetIDAttr(moElem, Tags.NS_XML, Tags.ATTR_ID_LOW);

    // empty signature: RSA-SHA1 over exclusive C14N without comments
    XmlDocument oDoc = moElem.getOwnerDocument();
    XMLSignature oSig = new XMLSignature(
        oDoc, null,
        XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1,
        Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);

    // enveloped transform first (strips the signature itself from the
    // digested content), then exclusive C14N
    Transforms oTrans = new Transforms(oSig.getDocument());
    foreach (string sTransform in new[] {
                 Transforms.TRANSFORM_ENVELOPED_SIGNATURE,
                 Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS })
    {
        oTrans.addTransform(sTransform);
    }
    oSig.addDocument("#" + sID, oTrans);

    // now finally sign the thing
    oSig.sign(oKey);

    // insert the signature in the right place
    oAssertionElem.InsertBefore(oSig.getElement(), oSubjectElem);
}
//throws XMLSecurityException
/**
 * This will verify the XRD against the given public key. DOM
 * must already be associated with this descriptor.
 *
 * The key is supplied by the caller; nothing in the document's KeyInfo is
 * trusted. Before the signature value is checked the SignedInfo is
 * constrained: exactly one Reference, its URI must be "#<xml:id of this
 * element>", and its transforms may only be the enveloped-signature
 * transform (required) and exclusive C14N without comments. Anything else
 * is rejected, which blocks wrapped or re-targeted signatures.
 *
 * NOTE(review): the SignatureMethod / DigestMethod algorithms are not
 * restricted here, so a signature over a weak algorithm is accepted as long
 * as it verifies under oPubKey — confirm the library's default allow-list.
 * NOTE(review): a failing signature value throws RuntimeException while
 * every other failure throws XMLSecurityException; callers catching only
 * the latter will let a bad signature escape as a different exception type.
 *
 * @param oPubKey
 * @throws XMLSecurityException on missing DOM / ID / Assertion / Signature,
 *         unexpected reference count, reference URI or transforms
 * @throws RuntimeException when the signature value does not verify
 */
public void verifySignature(PublicKey oPubKey)
{
    if (moElem == null)
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. No DOM stored for XRD");
    }

    // make sure the ID attribute is present
    string sIDAttr = Tags.ATTR_ID_LOW;
    string sIDAttrNS = Tags.NS_XML;
    string sID = moElem.getAttributeNS(sIDAttrNS, sIDAttr);
    if ((sID == null) || (sID.Equals("")))
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. ID is missing for " + moElem.LocalName);
    }
    // the only Reference URI we will accept
    string sRef = "#" + sID;

    // Set the DOM so that it can be verified
    // NOTE(review): "best effort" — if another element carries the same
    // xml:id value the reference could resolve elsewhere; verify the helper
    // only registers moElem.
    DOM3Utils.bestEffortSetIDAttr(moElem, sIDAttrNS, sIDAttr);

    XmlElement oAssertionElem = DOMUtils.getFirstChildElement(
        moElem, Tags.NS_SAML, Tags.TAG_ASSERTION);
    if (oAssertionElem == null)
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. No Assertion in XRD");
    }

    // only the first ds:Signature directly under the Assertion is examined
    XmlElement oSigElem = DOMUtils.getFirstChildElement(
        oAssertionElem, Tags.NS_XMLDSIG, Tags.TAG_SIGNATURE);
    if (oSigElem == null)
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. No signature in Assertion");
    }

    // create the signature element to verify
    XMLSignature oSig = null;
    oSig = new XMLSignature(oSigElem, null);

    // Validate the signature content by checking the references
    string sFailedRef = null;   // unused, kept as found
    SignedInfo oSignedInfo = oSig.getSignedInfo();
    if (oSignedInfo.getLength() != 1)
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. Expected 1 reference, got " + oSignedInfo.getLength());
    }

    // make sure it references the correct element
    Reference oRef = oSignedInfo.item(0);
    string sURI = oRef.getURI();
    if (!sRef.Equals(sURI))
    {
        throw new XMLSecurityException(
            "Cannot verify the signature. Reference Uri did not match ID");
    }

    // check that the transforms are ok
    // NOTE(review): if getTransforms() returns null for a Reference without
    // a ds:Transforms child, the loop below throws NullReferenceException
    // instead of XMLSecurityException — confirm against the library.
    bool bEnvelopedFound = false;
    Transforms oTransforms = oRef.getTransforms();
    for (int i = 0; i < oTransforms.getLength(); i++)
    {
        string sTransform = oTransforms.item(i).getURI();
        if (Transforms.TRANSFORM_ENVELOPED_SIGNATURE.Equals(sTransform))
        {
            // mark that we got the required transform
            bEnvelopedFound = true;
        }
        else if (!Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS.Equals(sTransform))
        {
            // bonk if we don't have one of the two acceptable transforms
            throw new XMLSecurityException(
                "Unexpected transform in signature");
        }
    }
    if (!bEnvelopedFound)
    {
        throw new XMLSecurityException(
            "Could not find expected " + Transforms.TRANSFORM_ENVELOPED_SIGNATURE + " transform in signature");
    }

    // finally check the signature (digests and SignatureValue) with the
    // caller-supplied key
    if (!oSig.checkSignatureValue(oPubKey))
    {
        throw new RuntimeException("Signature failed to verify.");
    }
}
/// <summary>
/// Builds a UBL envelope around <paramref name="signXML"/>, places a
/// XAdES-BES enveloped signature inside ext:ExtensionContent, signs it with
/// the e-invoice certificate on the smart card and writes the whole
/// document to <paramref name="outXML"/>.
/// </summary>
/// <remarks>
/// NOTE(review): when <paramref name="bInTest"/> is true the certificate
/// validation result is ignored and the document is signed anyway — make
/// sure production callers never pass true. All failures are reported only
/// through MessageBox and a false return; no exception reaches the caller
/// and no failure reason is available programmatically. The PIN is copied
/// into the static cardPinNo field and stays there after the call.
/// </remarks>
/// <param name="pinNo">Smart card PIN.</param>
/// <param name="signXML">Source XML that is wrapped by Conn.newEnvelope.</param>
/// <param name="outXML">Path of the signed output file (overwritten).</param>
/// <param name="bInTest">If true, sign even when certificate validation fails.</param>
/// <returns>true only if the signed document was written successfully.</returns>
public static bool createEnvelopedBes(string pinNo, string signXML, String outXML, bool bInTest)
{
    bool res = false;
    // kept in a static field; read again below when talking to the card
    cardPinNo = pinNo;
    TestEnvelopedSignatureInitialize();
    try
    {
        // here is our custom envelope xml
        // XmlDocument envelopeDoc = newEnvelope("edefter.xml");
        XmlDocument envelopeDoc = Conn.newEnvelope(signXML);
        // GetElementsByTagName matches the qualified name including the
        // prefix, so the envelope must use exactly the "ext:" prefix; a
        // missing element makes Item(0) null and the cast below throws
        // (caught by the outer catch -> MessageBox).
        XmlElement exts = (XmlElement)envelopeDoc.GetElementsByTagName("ext:UBLExtensions").Item(0);
        XmlElement ext = (XmlElement)exts.GetElementsByTagName("ext:UBLExtension").Item(0);
        XmlElement extContent = (XmlElement)ext.GetElementsByTagName("ext:ExtensionContent").Item(0);

        UriBuilder ub = new UriBuilder(Conn.ROOT_DIR + "efatura\\config\\");
        // create context with working dir
        Context context = new Context(ub.Uri);
        //UriBuilder ub2 = new UriBuilder(Conn.ROOT_DIR + "efatura\\config\\xmlsignature-config.xml");
        context.Config = new Config(Conn.ROOT_DIR + "efatura\\config\\xmlsignature-config.xml");

        // define where signature belongs to
        context.Document = envelopeDoc;

        // create signature according to context,
        // with default type (XADES_BES)
        XMLSignature signature = new XMLSignature(context, false);
        // signature id derives from the first cbc:ID in document order
        String setID = "Signature_" + envelopeDoc.GetElementsByTagName("cbc:ID").Item(0).InnerText;
        signature.Id = setID;
        // local machine time, not UTC
        signature.SigningTime = DateTime.Now;

        // attach signature to envelope
        //envelopeDoc.DocumentElement.AppendChild(signature.Element);
        extContent.AppendChild(signature.Element);

        //add transforms for efatura
        Transforms transforms = new Transforms(context);
        transforms.addTransform(new Transform(context, TransformType.ENVELOPED.Url));

        // add document as reference,
        // empty URI = the whole enveloping document, digested with SHA-256
        //signature.addDocument("#data1", "text/xml", false);
        signature.addDocument("", "text/xml", transforms, DigestMethod.SHA_256, false);

        ECertificate certificate = SmartCardManager.getInstance().getEInvoiceCertificate(cardPinNo);// getSignatureCertificate(true, false);

        // pick the validation policy matching the certificate kind
        if (certificate.isMaliMuhurCertificate())
        {
            ValidationPolicy policy = new ValidationPolicy();
            String policyPath = Conn.ROOT_DIR +
                "efatura\\config\\certval-policy-malimuhur.xml";
            policy = PolicyReader.readValidationPolicy(policyPath);
            ValidationSystem vs = CertificateValidation.createValidationSystem(policy);
            context.setCertValidationSystem(vs);
        }
        else
        {
            ValidationPolicy policy = new ValidationPolicy();
            String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy.xml";
            policy = PolicyReader.readValidationPolicy(policyPath);
            ValidationSystem vs = CertificateValidation.createValidationSystem(policy);
            context.setCertValidationSystem(vs);
        }

        // validateCertificate always runs; bInTest only overrides its verdict.
        // A failed validation without bInTest silently returns false.
        if (CertValidation.validateCertificate(certificate) || bInTest)
        {
            BaseSigner signer = SmartCardManager.getInstance().getSigner(cardPinNo, certificate);
            X509Certificate2 msCert = certificate.asX509Certificate2();
            // KeyInfo gets both the bare public key and the X509Data
            signature.addKeyInfo(msCert.PublicKey.Key);
            signature.addKeyInfo(certificate);

            // add X509SubjectName to the first X509Data element in KeyInfo
            KeyInfo keyInfo = signature.createOrGetKeyInfo();
            int elementCount = keyInfo.ElementCount;
            for (int k = 0; k < elementCount; k++)
            {
                KeyInfoElement kiElement = keyInfo.get(k);
                // NOTE(review): IsAssignableFrom is written in the reverse
                // direction of the usual check; it is true for an element whose
                // runtime type is exactly X509Data (or a base of it), not for a
                // subclass of X509Data. `kiElement is X509Data` is the intent.
                if (kiElement.GetType().IsAssignableFrom(typeof(X509Data)))
                {
                    X509Data x509Data = (X509Data)kiElement;
                    X509SubjectName x509SubjectName = new X509SubjectName(context, certificate.getSubject().stringValue());
                    x509Data.add(x509SubjectName);
                    break;
                }
            }
            //signature.addKeyInfo(certificate);

            signature.SignedInfo.CanonicalizationMethod = C14nMethod.EXCLUSIVE_WITH_COMMENTS;
            signature.sign(signer);

            // this time we dont use signature.write because we need to write
            // whole document instead of signature
            using (Stream s = new FileStream(outXML, FileMode.Create))
            {
                try
                {
                    envelopeDoc.Save(s);
                    s.Flush();
                    s.Close();   // redundant: the using block disposes the stream
                    res = true;
                }
                catch (Exception e)
                {
                    res = false;
                    MessageBox.Show("Dosya kaydedilirken hata oluştu " + e.Message.ToString());
                    s.Close();
                }
            }
        }
    }
    catch (Exception e)
    {
        // every failure (missing envelope elements, card errors, policy
        // loading, signing) ends here and is reported to the user only
        res = false;
        MessageBox.Show("Hata Oluştu \r\n" + e.Message.ToString());
    }
    return(res);
}
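/// <summary>
/// Verifies the XML signature contained in <paramref name="signedXml"/> and
/// returns the signature verdict, the certificate validation details and
/// basic signature info (signing time, UBL version) as a DTO.
/// </summary>
/// <remarks>
/// The library parses from a file, so the content is spilled to a temporary
/// file for the duration of parsing and verification. The file is deleted in
/// a finally block, i.e. also when parsing or verification throws (the
/// original deleted it only on the success path and leaked the signed
/// content into the temp directory otherwise). Trust is decided by the
/// certificate validation configured in xmlsignature-config.xml; the signing
/// certificate itself is taken from the document's KeyInfo.
/// </remarks>
/// <param name="signedXml">XML content whose signature is to be checked.</param>
/// <returns>A populated <see cref="SignedDocumentValidationResult"/>.
/// <c>Certificate</c> stays null when the signature carries no signing
/// certificate; <c>CertificateValidationResult.Successful</c> keeps its
/// default when the context provides no validation details.</returns>
public static SignedDocumentValidationResult ValidateSignatureFromXml(string signedXml)
{
    string baseDir = System.AppDomain.CurrentDomain.BaseDirectory;
    LicenseUtil.setLicenseXml(new MemoryStream(System.IO.File.ReadAllBytes(baseDir + "/SignatureValidationConfig/Lisans/lisans.xml")));

    var context = new Context();
    context.Config = new tr.gov.tubitak.uekae.esya.api.xmlsignature.config.Config(baseDir + "/SignatureValidationConfig/xmlsignature-config.xml");

    var sdvr = new SignedDocumentValidationResult();

    // GetTempFileName creates the (empty) file; everything from here on runs
    // inside try/finally so the temp copy is removed on every exit path.
    var file = System.IO.Path.GetTempFileName();
    try
    {
        // NOTE(review): WriteAllText re-encodes the string as UTF-8; the
        // signature is verified over this re-serialised form, not the bytes
        // the caller originally received — confirm that is acceptable.
        System.IO.File.WriteAllText(file, signedXml);

        var signature = XMLSignature.parse(new FileDocument(new FileInfo(file)), context);
        var result = signature.verify();

        // SigningCertificate may be null when KeyInfo carries no certificate;
        // the original dereferenced it unconditionally.
        var signingCertificate = signature.SigningCertificate;
        if (signingCertificate != null)
        {
            sdvr.Certificate = signingCertificate.asX509Certificate2();
        }
        sdvr.CertificateValidationResult = new CertificateValidationResult();
        sdvr.SignatureInfo = new SignatureInfo();
        sdvr.SignatureInfo.SigningTime = signature.SigningTime;
        sdvr.CertificateValidationResult.ValidationResultList = new List<SignatureValidator.DataTransferObject.ValidationResult>();

        // UBL version is read from the parsed document (cbc namespace)
        var nodeList = signature.Document.GetElementsByTagName("UBLVersionID", "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2");
        if (nodeList != null && nodeList.Count > 0)
        {
            sdvr.SignatureInfo.UBLVersionID = nodeList.Item(0).InnerText;
        }

        // certificate validation details come from the context, one entry per check
        if (context.ValidationResult != null && context.ValidationResult.getDetails() != null)
        {
            foreach (var item in context.ValidationResult.getDetails())
            {
                var vr = new SignatureValidator.DataTransferObject.ValidationResult();
                vr.Successful = item.isSuccessful();
                vr.Result = vr.Successful
                    ? tr.gov.tubitak.uekae.esya.api.signature.ValidationResultType.VALID.ToString()
                    : tr.gov.tubitak.uekae.esya.api.signature.ValidationResultType.INVALID.ToString();
                vr.CheckText = item.getCheckText();
                vr.ResultText = item.getResultText();
                sdvr.CertificateValidationResult.ValidationResultList.Add(vr);
            }
            // the certificate passes only if no single check failed
            sdvr.CertificateValidationResult.Successful = !sdvr.CertificateValidationResult.ValidationResultList.Exists(x => x.Successful.Equals(false));
        }

        // overall signature verdict plus the per-check details
        sdvr.SignatureValidationResult = new SignatureValidator.DataTransferObject.SignatureValidationResult();
        sdvr.SignatureValidationResult.Successful = result.getResultType() == tr.gov.tubitak.uekae.esya.api.signature.ValidationResultType.VALID;
        sdvr.SignatureValidationResult.ResultText = result.getMessage() + Environment.NewLine + result.getResultType();
        sdvr.SignatureValidationResult.ValidationResultList = new List<SignatureValidator.DataTransferObject.ValidationResult>();
        foreach (var item in result.getDetails<tr.gov.tubitak.uekae.esya.api.xmlsignature.ValidationResult>())
        {
            var vr = new SignatureValidator.DataTransferObject.ValidationResult();
            vr.Successful = item.getResultType() == tr.gov.tubitak.uekae.esya.api.signature.ValidationResultType.VALID;
            vr.Result = item.getResultType().ToString();
            vr.CheckText = item.getCheckMessage();
            vr.ResultText = item.getCheckResult();
            sdvr.SignatureValidationResult.ValidationResultList.Add(vr);
        }
    }
    finally
    {
        // remove the temp copy of the signed content whether or not
        // parsing / verification succeeded
        System.IO.File.Delete(file);
    }

    return(sdvr);
}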