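/// <summary>
/// End-to-end CAdES profile scenario: builds a throw-away CA plus end-entity signing certificate,
/// configures which CAs the validator trusts and what the fake OCSP/CRL sources answer, produces a
/// detached signature over a fixed payload, then compares the validation report with
/// <paramref name="sigResult"/>.
/// </summary>
/// <param name="sigParams">
/// Scenario knobs (profile, certificate validity window, trust and revocation answers). Each
/// <c>bool?</c> knob defaults to the "good" case when null, except <c>SignatureValid</c>, whose null
/// default produces a deliberately corrupted signature value.
/// </param>
/// <param name="sigResult">
/// Expected outcome. Signature and cert-path results are always asserted; each nullable level
/// expectation (BES, T, C, XL, X/XL Type 1 and 2, A) is asserted only when it has a value, and the
/// per-timestamp expectations inside a level default to "valid" when null.
/// </param>
public void TestSigProfiles(SignatureParams sigParams, SignatureVerificationResults sigResult)
{
    // --- throw-away PKI: self-signed CA and an end-entity signing certificate ---
    var caName = new X509Name("CN=ca");
    var caKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    var caCert = CryptoHelpers.GenerateCertificate(caName, caName, caKeyPair.Private, caKeyPair.Public);

    // Validity window: current (now .. +1h) or already expired (-2h .. -1h).
    var notBefore = DateTime.Now;
    var notAfter = DateTime.Now.AddHours(1);
    if (!(sigParams.SignatureCertTimeValid ?? true))
    {
        notBefore = DateTime.Now.AddHours(-2);
        notAfter = DateTime.Now.AddHours(-1);
    }

    var signingCertName = new X509Name("CN=singing_cert");
    var signingKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    var signingCert = CryptoHelpers.GenerateCertificate(caName, signingCertName, caKeyPair.Private, signingKeyPair.Public, notBefore, notAfter);

    // --- trust anchors and revocation answers (order of Add calls kept as in the original) ---
    var cadesSettings = new CAdESServiceSettings();
    if (sigParams.SignatureCertTrusted ?? true)
    {
        cadesSettings.TrustedCerts.Add(caCert);
    }
    if (sigParams.SignatureCertOCSP ?? true)
    {
        // A "good" OCSP answer for the signing cert; when the knob is false nothing is registered,
        // so the fake responder has no status for it.
        var fakeOcsp = unityContainer.Resolve<IOcspSource>() as FakeOnlineOcspSource;
        Assert.IsNotNull(fakeOcsp, "IOcspSource is not the fake OCSP responder");
        fakeOcsp.AddNotRevokedCert(signingCert, caCert);
    }
    if (sigParams.OCSPCertTrusted ?? true)
    {
        cadesSettings.TrustedCerts.Add(ocspCACert);
    }
    if (sigParams.SignatureCertCRL ?? true)
    {
        var fakeCrl = unityContainer.Resolve<ICrlSource>() as FakeOnlineCrlSource;
        Assert.IsNotNull(fakeCrl, "ICrlSource is not the fake CRL source");
        // NOTE(review): the original passed `!(SignatureCertCRL ?? true) ? signingCert : null`
        // here, but inside this branch the knob is always true, so the revoked-cert arm was dead
        // and a CRL with no revoked entry was always issued; a false knob skips the branch entirely.
        // Behaviour is kept unchanged — confirm against the scenario table before "fixing" it.
        fakeCrl.AddRevokedCert((X509Certificate)null, caCert, caKeyPair);
    }
    if (sigParams.TSSignatureCertTrusted ?? true)
    {
        cadesSettings.TrustedCerts.Add(tspCACert);
    }

    var cadesService = unityContainer.Resolve<Func<ICAdESServiceSettings, IDocumentSignatureService>>()(cadesSettings);

    // --- detached signature over a fixed payload ---
    var inputData = Encoding.UTF8.GetBytes("anydataanydataanydataanydataanydataanydataanydataanydata");
    var inputDocument = new InMemoryDocument(inputData);
    var signingTime = DateTime.Now;
    var parameters = new SignatureParameters
    {
        SigningCertificate = signingCert,
        CertificateChain = new X509Certificate[] { signingCert },
        SignaturePackaging = SignaturePackaging.DETACHED,
        SignatureProfile = sigParams.SignatureProfile,
        SigningDate = signingTime,
        DigestAlgorithmOID = DigestAlgorithm.SHA256.OID,
        EncriptionAlgorithmOID = Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.RsaEncryption.Id
    };

    var toBeSignedStream = cadesService.ToBeSigned(inputDocument, parameters);
    // Rewind before reading: the stream position after ToBeSigned is not guaranteed to be 0.
    toBeSignedStream.Seek(0, SeekOrigin.Begin);
    var toBeSigned = Streams.ReadAll(toBeSignedStream);

    ISigner signer = SignerUtilities.InitSigner(parameters.DigestWithEncriptionOID, true, signingKeyPair.Private, null);
    signer.BlockUpdate(toBeSigned, 0, toBeSigned.Length);
    var signatureValue = signer.GenerateSignature();
    if (!(sigParams.SignatureValid ?? false))
    {
        // Flip one bit so the validator must report the signature value as invalid.
        signatureValue[0] ^= 1;
    }

    // --- wrap into PKCS#7 / CMS and validate against the original (detached) content ---
    var signedDocument = cadesService.GetSignedDocument(inputDocument, parameters, signatureValue);
    var report = cadesService.ValidateDocument(signedDocument, true, inputDocument);
    var sigInfo = report.SignatureInformationList[0];
    var levels = sigInfo.SignatureLevelAnalysis;

    Assert.AreEqual(sigResult.SignatureVerification, sigInfo.SignatureVerification.SignatureVerificationResult.IsValid, "Signature value is invalid");
    Assert.AreEqual(sigResult.CertPathVerification, sigInfo.CertPathRevocationAnalysis.Summary.IsValid, $"Cert path is invalid: {sigInfo.CertPathRevocationAnalysis.Summary.Description}");

    if (sigResult.BESLevel.HasValue)
    {
        // Expected first, actual second — consistent with every other level check below.
        Assert.AreEqual(sigResult.BESLevel, levels.LevelBES.LevelReached.IsValid, "BES is not reached");
    }
    if (sigResult.TLevel.HasValue)
    {
        var levelT = levels.LevelT;
        Assert.AreEqual(sigResult.TLevel, levelT.LevelReached.IsValid, "T is not reached");
        AssertAllMatch(levelT.SignatureTimestampVerification.Select(x => x.SameDigest.IsValid), sigResult.TSignatureVerifications, "T timestamps are not valid");
        AssertAllMatch(levelT.SignatureTimestampVerification.Select(x => x.CertPathVerification.IsValid), sigResult.TCertPathVerifications, "T cert paths are not valid");
    }
    if (sigResult.CLevel.HasValue)
    {
        var levelC = levels.LevelC;
        Assert.AreEqual(sigResult.CLevel, levelC.LevelReached.IsValid, "C is not reached");
        Assert.AreEqual(sigResult.CCertRefs, levelC.CertificateRefsVerification.IsValid, "C cert refs are not valid");
        Assert.AreEqual(sigResult.CRevocationRefs, levelC.RevocationRefsVerification.IsValid, "C cert revocations refs are not valid");
    }
    if (sigResult.XLLevel.HasValue)
    {
        var levelXL = levels.LevelXL;
        Assert.AreEqual(sigResult.XLLevel, levelXL.LevelReached.IsValid, "XL is not reached");
        Assert.AreEqual(sigResult.CCertValues, levelXL.CertificateValuesVerification.IsValid, "XL cert values are not valid");
        // NOTE(review): revocation *values* are compared against the C-level revocation *refs*
        // expectation; SignatureVerificationResults is not visible here — confirm no dedicated
        // revocation-values expectation was intended.
        Assert.AreEqual(sigResult.CRevocationRefs, levelXL.RevocationValuesVerification.IsValid, "XL cert revocations values are not valid");
    }
    if (sigResult.XType1Level.HasValue)
    {
        var levelX = levels.LevelX;
        Assert.AreEqual(sigResult.XType1Level, levelX.LevelReached.IsValid, "XType1 is not reached");
        Assert.AreEqual(sigResult.CLevel, levels.LevelC.LevelReached.IsValid, "C is not reached");
        AssertAllMatch(levelX.SignatureAndRefsTimestampsVerification.Select(x => x.SameDigest.IsValid), sigResult.XType1SignatureVerifications, "XType1 timestamps are not valid");
        AssertAllMatch(levelX.SignatureAndRefsTimestampsVerification.Select(x => x.CertPathVerification.IsValid), sigResult.XType1CertPathVerifications, "XType1 cert paths are not valid");
    }
    if (sigResult.XType2Level.HasValue)
    {
        var levelX = levels.LevelX;
        Assert.AreEqual(sigResult.XType2Level, levelX.LevelReached.IsValid, "XType2 is not reached");
        Assert.AreEqual(sigResult.CLevel, levels.LevelC.LevelReached.IsValid, "C is not reached");
        AssertAllMatch(levelX.ReferencesTimestampsVerification.Select(x => x.SameDigest.IsValid), sigResult.XType2SignatureVerifications, "XType2 timestamps are not valid");
        AssertAllMatch(levelX.ReferencesTimestampsVerification.Select(x => x.CertPathVerification.IsValid), sigResult.XType2CertPathVerifications, "XType2 cert paths are not valid");
    }
    if (sigResult.XLType1Level.HasValue)
    {
        // XL Type 1 adds cert/revocation values on top of X Type 1, so the same
        // signature-and-refs timestamp expectations apply.
        var levelX = levels.LevelX;
        Assert.AreEqual(sigResult.XLType1Level, levels.LevelXL.LevelReached.IsValid, "XLType1 is not reached");
        AssertAllMatch(levelX.SignatureAndRefsTimestampsVerification.Select(x => x.SameDigest.IsValid), sigResult.XType1SignatureVerifications, "XType1 timestamps are not valid");
        AssertAllMatch(levelX.SignatureAndRefsTimestampsVerification.Select(x => x.CertPathVerification.IsValid), sigResult.XType1CertPathVerifications, "XType1 cert paths are not valid");
    }
    if (sigResult.XLType2Level.HasValue)
    {
        // Same idea for XL Type 2: reuse the X Type 2 references-timestamp expectations.
        var levelX = levels.LevelX;
        Assert.AreEqual(sigResult.XLType2Level, levels.LevelXL.LevelReached.IsValid, "XLType2 is not reached");
        AssertAllMatch(levelX.ReferencesTimestampsVerification.Select(x => x.SameDigest.IsValid), sigResult.XType2SignatureVerifications, "XType2 timestamps are not valid");
        AssertAllMatch(levelX.ReferencesTimestampsVerification.Select(x => x.CertPathVerification.IsValid), sigResult.XType2CertPathVerifications, "XType2 cert paths are not valid");
    }
    if (sigResult.ALevel.HasValue)
    {
        var levelA = levels.LevelA;
        Assert.AreEqual(sigResult.ALevel, levelA.LevelReached.IsValid, "A is not reached");
        AssertAllMatch(levelA.ArchiveTimestampsVerification.Select(x => x.SameDigest.IsValid), sigResult.ASignatureVerifications, "A timestamps are not valid");
        AssertAllMatch(levelA.ArchiveTimestampsVerification.Select(x => x.CertPathVerification.IsValid), sigResult.ACertPathVerifications, "A cert paths are not valid");
    }
}

/// <summary>
/// Asserts that every flag in <paramref name="actual"/> equals the expectation; a null
/// <paramref name="expected"/> means "valid". An empty sequence passes, as with <c>All</c>.
/// </summary>
/// <param name="actual">Per-timestamp verification flags.</param>
/// <param name="expected">Expected value of every flag, or null for true.</param>
/// <param name="message">Assertion message on mismatch.</param>
private static void AssertAllMatch(System.Collections.Generic.IEnumerable<bool> actual, bool? expected, string message)
{
    var want = expected ?? true;
    Assert.IsTrue(actual.All(v => v == want), message);
}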
/// <summary>
/// Builds the test fixture: three independent CAs (OCSP, CRL, TSP), one issued end-entity certificate
/// each, fake online responders keyed on those certificates, and a Unity container that wires the
/// CAdES service graph against those fakes.
/// </summary>
public void Setup()
{
    // OCSP responder CA and its responder certificate.
    var ocspCaName = new X509Name("CN=ocspCA");
    ocspCAKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    ocspCACert = CryptoHelpers.GenerateCertificate(ocspCaName, ocspCaName, ocspCAKeyPair.Private, ocspCAKeyPair.Public);
    var ocspName = new X509Name("CN=ocsp");
    ocspKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    ocspCert = CryptoHelpers.GenerateCertificate(ocspCaName, ocspName, ocspCAKeyPair.Private, ocspKeyPair.Public);

    // CRL issuer CA and its CRL-signing certificate.
    var crlCaName = new X509Name("CN=crlCA");
    crlCAKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    crlCACert = CryptoHelpers.GenerateCertificate(crlCaName, crlCaName, crlCAKeyPair.Private, crlCAKeyPair.Public);
    var crlName = new X509Name("CN=crl");
    crlKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    crlCert = CryptoHelpers.GenerateCertificate(crlCaName, crlName, crlCAKeyPair.Private, crlKeyPair.Public);

    // Timestamp authority CA and its TSA certificate.
    var tspCaName = new X509Name("CN=tspCA");
    tspCAKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    tspCACert = CryptoHelpers.GenerateCertificate(tspCaName, tspCaName, tspCAKeyPair.Private, tspCAKeyPair.Public);
    var tspName = new X509Name("CN=tsp");
    tspKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
    tspCert = CryptoHelpers.GenerateCertificate(tspCaName, tspName, tspCAKeyPair.Private, tspKeyPair.Public);

    // Fake "online" sources answering with the certificates above.
    var ocspSource = new FakeOnlineOcspSource(ocspCert, ocspKeyPair);
    var crlSource = new FakeOnlineCrlSource(crlCert, crlKeyPair);
    var tspSource = new FakeOnlineTspSource(tspCert, tspKeyPair);

    var container = new UnityContainer();
    unityContainer = container;

    // Service entry point: composes TSP source, certificate verifier and document validator for a settings object.
    container.RegisterFactory<Func<ICAdESServiceSettings, IDocumentSignatureService>>(c =>
        new Func<ICAdESServiceSettings, IDocumentSignatureService>(settings =>
            new CAdESService(
                c.Resolve<Func<ICAdESServiceSettings, ITspSource>>()(settings),
                c.Resolve<Func<ICAdESServiceSettings, ICertificateVerifier>>()(settings),
                c.Resolve<Func<ICAdESServiceSettings, ISignedDocumentValidator>>()(settings))));

    container.RegisterFactory<Func<ICAdESServiceSettings, ICertificateVerifier>>(c =>
        new Func<ICAdESServiceSettings, ICertificateVerifier>(settings =>
            new TrustedListCertificateVerifier(
                c.Resolve<Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>>()(settings))));

    container.RegisterFactory<Func<ICAdESServiceSettings, ISignedDocumentValidator>>(c =>
        new Func<ICAdESServiceSettings, ISignedDocumentValidator>(settings =>
            new SignedDocumentValidator(
                c.Resolve<Func<ICAdESServiceSettings, ICertificateVerifier>>()(settings),
                c.Resolve<Func<ICAdESLogger>>())));

    container.RegisterType<ICAdESLogger, CAdESLogger>(new TransientLifetimeManager());

    // Test-only: the plain source interfaces resolve to the fakes directly.
    container.RegisterFactory<IOcspSource>(c => ocspSource);
    container.RegisterFactory<ICrlSource>(c => crlSource);

    // Settings-aware factories; the fakes ignore the settings argument.
    container.RegisterFactory<Func<ICAdESServiceSettings, ITspSource>>(c =>
        new Func<ICAdESServiceSettings, ITspSource>(settings => tspSource));
    container.RegisterFactory<Func<ICAdESServiceSettings, IOcspSource>>(c =>
        new Func<ICAdESServiceSettings, IOcspSource>(settings => ocspSource));
    container.RegisterFactory<Func<ICAdESServiceSettings, ICrlSource>>(c =>
        new Func<ICAdESServiceSettings, ICrlSource>(settings => crlSource));
    container.RegisterFactory<Func<ICAdESServiceSettings, ICertificateSource>>(c =>
        new Func<ICAdESServiceSettings, ICertificateSource>(settings => new ListCertificateSourceWithSetttings(settings)));

    container.RegisterType<ICertificateSourceFactory, FakeAIACertificateFactoryImpl>(new TransientLifetimeManager());

    // Validation context per (certificate, date, logger), built from the settings-aware sources above.
    container.RegisterFactory<Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>>(c =>
        new Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>(settings =>
            (cert, date, logger) => new ValidationContext(
                cert,
                date,
                logger,
                c.Resolve<Func<ICAdESServiceSettings, IOcspSource>>()(settings),
                c.Resolve<Func<ICAdESServiceSettings, ICrlSource>>()(settings),
                c.Resolve<Func<ICAdESServiceSettings, ICertificateSource>>()(settings),
                c.Resolve<Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>>(),
                c.Resolve<Func<CertificateAndContext, CertificateToken>>())));

    container.RegisterFactory<Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>>(c =>
        new Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>((ocspVerifier, crlVerifier) =>
            new OCSPAndCRLCertificateVerifier(
                new OCSPCertificateVerifier(ocspVerifier),
                new CRLCertificateVerifier(crlVerifier))));

    container.RegisterFactory<Func<CertificateAndContext, CertificateToken>>(c =>
        new Func<CertificateAndContext, CertificateToken>(context =>
            new CertificateToken(context, c.Resolve<ICertificateSourceFactory>())));
}