private static void ValidateCertificates(X509Certificate2 authSign, X509Certificate2 nonRepCert) { if (authSign == null) { throw new ArgumentNullException("authSign", "The authentication certificate must be provided"); } if (!authSign.HasPrivateKey) { throw new ArgumentException("authSign", "The authentication certificate must have a private key"); } BC::X509.X509Certificate bcAuthentication = DotNetUtilities.FromX509Certificate(authSign); if (!bcAuthentication.GetKeyUsage()[0]) { throw new ArgumentException("authSign", "The authentication certificate must have a key for signing"); } if (nonRepCert != null) { if (!nonRepCert.HasPrivateKey) { throw new ArgumentException("nonRepCert", "The non-repudiation certificate must have a private key"); } BC::X509.X509Certificate bcNonRepudiation = DotNetUtilities.FromX509Certificate(nonRepCert); if (!bcNonRepudiation.GetKeyUsage()[1]) { throw new ArgumentException("nonRepCert", "The non-repudiation certificate must have a key for non-Repudiation"); } } }
protected void SignDetached(Stream signed, Stream unsigned, X509Certificate2 selectedCert) { BC::X509.X509Certificate bcSelectedCert = DotNetUtilities.FromX509Certificate(selectedCert); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Information, 0, "Signing the message in name of {0}", selectedCert.Subject); #else logger.LogInformation("Signing the message in name of {0}", selectedCert.Subject); #endif BC.Crypto.ISignatureFactory sigFactory; try { SignatureAlgorithm signAlgo = EteeActiveConfig.Seal.NativeSignatureAlgorithm; BC::Crypto.AsymmetricCipherKeyPair keyPair = DotNetUtilities.GetKeyPair(selectedCert.PrivateKey); sigFactory = new Asn1SignatureFactory(signAlgo.Algorithm.FriendlyName, keyPair.Private); } catch (CryptographicException) { SignatureAlgorithm signAlgo = EteeActiveConfig.Seal.WindowsSignatureAlgorithm; sigFactory = new WinSignatureFactory(signAlgo.Algorithm, signAlgo.DigestAlgorithm, selectedCert.PrivateKey); } SignerInfoGenerator sigInfoGen = new SignerInfoGeneratorBuilder() .Build(sigFactory, bcSelectedCert); CmsSignedDataGenerator cmsSignedDataGen = new CmsSignedDataGenerator(); cmsSignedDataGen.AddSignerInfoGenerator(sigInfoGen); CmsSignedData detachedSignature = cmsSignedDataGen.Generate(new CmsProcessableProxy(unsigned), false); byte[] detachedSignatureBytes = detachedSignature.GetEncoded(); signed.Write(detachedSignatureBytes, 0, detachedSignatureBytes.Length); }
protected void Encrypt(Stream cipher, Stream clear, ICollection <X509Certificate2> certs, SecretKey key, WebKey[] webKeys) { #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Information, 0, "Encrypting message for {0} known and {1} unknown recipient", certs == null ? 0 : certs.Count, key == null ? 0 : 1); #else logger.LogInformation("Encrypting message for {0} known and {1} unknown recipient", certs == null ? 0 : certs.Count, key == null ? 0 : 1); #endif CmsEnvelopedDataStreamGenerator encryptGenerator = new CmsEnvelopedDataStreamGenerator(); if (certs != null) { foreach (X509Certificate2 cert in certs) { BC::X509.X509Certificate bcCert = DotNetUtilities.FromX509Certificate(cert); encryptGenerator.AddKeyTransRecipient(bcCert); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Added known recipient: {0} ({1})", bcCert.SubjectDN.ToString(), bcCert.IssuerDN.ToString()); #else logger.LogDebug("Added known recipient: {0} ({1})", bcCert.SubjectDN.ToString(), bcCert.IssuerDN.ToString()); #endif } } if (key != null) { encryptGenerator.AddKekRecipient("AES", key.BCKey, key.Id); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Added unknown recipient [Algorithm={0}, keyId={1}]", "AES", key.IdString); #else logger.LogDebug("Added unknown recipient [Algorithm={0}, keyId={1}]", "AES", key.IdString); #endif } if (webKeys != null) { foreach (WebKey webKey in webKeys) { encryptGenerator.AddKeyTransRecipient(webKey.BCPublicKey, webKey.Id); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Added web recipient [Algorithm={0}, keyId={1}]", "RSA", webKey.IdString); #else logger.LogDebug("Added web recipient [Algorithm={0}, keyId={1}]", "RSA", webKey.IdString); #endif } } Stream encryptingStream = encryptGenerator.Open(cipher, EteeActiveConfig.Seal.EncryptionAlgorithm.Value); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Create encrypted message (still empty) [EncAlgo={0} ({1})]", EteeActiveConfig.Seal.EncryptionAlgorithm.FriendlyName, EteeActiveConfig.Seal.EncryptionAlgorithm.Value); #else logger.LogDebug("Create encrypted message (still empty) [EncAlgo={0} ({1})]", EteeActiveConfig.Seal.EncryptionAlgorithm.FriendlyName, EteeActiveConfig.Seal.EncryptionAlgorithm.Value); #endif try { clear.CopyTo(encryptingStream); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Message encrypted"); #else logger.LogDebug("Message encrypted"); #endif } finally { encryptingStream.Close(); #if NETFRAMEWORK trace.TraceEvent(TraceEventType.Verbose, 0, "Recipient infos added"); #else logger.LogDebug("Recipient infos added"); #endif } }