 /// <summary>
 /// Looks for revocation information embedded in the signature container and reports
 /// whether anything vouched for the signing certificate at <paramref name="date"/>.
 /// </summary>
 /// <param name="pkcs7">Parsed signature container; only its embedded OCSP response and CRLs are consulted, nothing is fetched.</param>
 /// <param name="signCert">Certificate whose revocation status is being checked.</param>
 /// <param name="issuerCert">Issuer of <paramref name="signCert"/>, handed through to the verifiers.</param>
 /// <param name="date">Point in time the status must hold for.</param>
 /// <returns>0 when at least one verifier produced a result, otherwise <c>CER_STATUS_NOT_VERIFIED</c>.</returns>
 /// <remarks>
 /// Both verifiers are created with a <c>null</c> parent verifier, so nothing else (e.g. a chain
 /// validation against a trust store) is chained behind them here; "verified" means whatever
 /// OcspVerifier / CrlVerifier decide. The OCSP response and the CRLs come out of the signature
 /// itself, i.e. from data the signer controls. CRLs are only consulted when OCSP yielded nothing.
 /// </remarks>
 public static int CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
 {
     // OCSP first: the embedded response, if there is one.
     List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
     if (pkcs7.Ocsp != null)
     {
         embeddedOcsp.Add(pkcs7.Ocsp);
     }
     List<VerificationOK> results = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

     // Fall back to the embedded CRLs only when OCSP said nothing.
     if (results.Count == 0)
     {
         List<X509Crl> embeddedCrls = new List<X509Crl>();
         if (pkcs7.CRLs != null)
         {
             foreach (X509Crl crl in pkcs7.CRLs)
             {
                 embeddedCrls.Add(crl);
             }
         }
         results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
     }

     if (results.Count == 0)
     {
         Console.WriteLine("No se pudo verificar estado de revocación del certificado por CRL ni OCSP");
         return CER_STATUS_NOT_VERIFIED;
     }

     foreach (VerificationOK ok in results)
     {
         Console.WriteLine(ok);
     }
     return 0;
 }
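        /// <summary>
        /// Adds LTV (long-term validation) data — OCSP responses and CRLs for the whole
        /// certificate chain — to the signatures of <paramref name="src"/>, writing the result
        /// to <paramref name="dest"/> as an incremental update (append mode).
        /// </summary>
        /// <param name="src">Path of the signed input PDF.</param>
        /// <param name="dest">Path the LTV-enabled copy is written to.</param>
        /// <param name="ocsp">Client used to obtain OCSP responses.</param>
        /// <param name="crl">Client used to obtain CRLs.</param>
        /// <param name="itsaClient">Accepted for interface compatibility but not used: this method
        /// adds no document timestamp, so the validation data it writes is not itself time-stamped.</param>
        /// <exception cref="InvalidOperationException">The input document carries no signature.</exception>
        /// <remarks>
        /// If the newest signature reports <c>IsTsp()</c> (a document timestamp) only that one is
        /// enriched; otherwise every signature in the document is. CertificateInclusion.NO presumably
        /// keeps the certificates themselves out of the DSS and adds only revocation data — confirm
        /// against the LtvVerification API if that matters.
        /// </remarks>
        public static void addLTV(String src, String dest, IOcspClient ocsp, ICrlClient crl, ITSAClient itsaClient)
        {
            PdfReader   reader = new PdfReader(src);
            PdfWriter   writer = new PdfWriter(dest);
            PdfDocument pdfDoc = new PdfDocument(reader, writer, new StampingProperties().UseAppendMode());
            try
            {
                LtvVerification v             = new LtvVerification(pdfDoc);
                SignatureUtil   signatureUtil = new SignatureUtil(pdfDoc);
                IList<string>   names         = signatureUtil.GetSignatureNames();
                if (names.Count == 0)
                {
                    // Without this guard the indexing below fails with an ArgumentOutOfRangeException.
                    throw new InvalidOperationException("Document '" + src + "' contains no signature to add LTV data to.");
                }
                String   sigName = names[names.Count - 1];
                PdfPKCS7 pkcs7   = signatureUtil.ReadSignatureData(sigName);

                if (pkcs7.IsTsp())
                {
                    v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                                      LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
                }
                else
                {
                    foreach (var name in names)
                    {
                        v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                                          LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
                    }
                }
                v.Merge();
            }
            finally
            {
                // Closing the document also closes reader and writer; without the finally a failure
                // inside AddVerification (e.g. an OCSP/CRL fetch error) left both file handles open.
                pdfDoc.Close();
            }
        }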
        /// <summary>
        /// iText 5 variant: adds revocation data (OCSP/CRL) for the signatures in
        /// <paramref name="src"/> and then applies a document-level timestamp, writing to <paramref name="dest"/>.
        /// </summary>
        /// <param name="src">Signed input PDF.</param>
        /// <param name="dest">Output path; created or overwritten.</param>
        /// <param name="ocsp">Client used to obtain OCSP responses.</param>
        /// <param name="crl">Client used to obtain CRLs.</param>
        /// <param name="tsa">Timestamp authority client used for the final document timestamp.</param>
        public void AddLtv(String src, String dest, IOcspClient ocsp, ICrlClient crl, ITSAClient tsa)
        {
            PdfReader       r       = new PdfReader(src);
            FileStream      fos     = new FileStream(dest, FileMode.Create);
            // Last argument: append mode, so the existing signatures stay intact.
            PdfStamper      stp     = PdfStamper.CreateSignature(r, fos, '\0', null, true);
            LtvVerification v       = stp.LtvVerification;
            AcroFields      fields  = stp.AcroFields;
            List <String>   names   = fields.GetSignatureNames();
            // NOTE(review): throws ArgumentOutOfRangeException on a document without signatures.
            String          sigName = names[names.Count - 1];
            PdfPKCS7        pkcs7   = fields.VerifySignature(sigName);

            if (pkcs7.IsTsp)
            {
                // NOTE(review): this branch asks for SIGNING_CERTIFICATE only, while the other one
                // uses WHOLE_CHAIN — confirm the asymmetry is intended (the TSA's chain gets no data).
                v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.SIGNING_CERTIFICATE, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
            }
            else
            {
                foreach (String name in names)
                {
                    v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
                }
            }
            PdfSignatureAppearance sap = stp.SignatureAppearance;

            // Nothing in this method closes r or fos explicitly; presumably the timestamp call
            // finalizes the stamper and its stream. On an exception before this point both stay
            // open — TODO confirm ownership / consider a try-finally.
            LtvTimestamp.Timestamp(sap, tsa, null);
        }
        /// <summary>
        /// Method that will be called during the signing process.
        /// Computes the value an external signer (AMA) must sign and stores it in
        /// <c>HashToBeSignedByAma</c>; the PKCS#7 container is assembled elsewhere, so this
        /// returns an empty signature.
        /// </summary>
        /// <param name="data">Stream with the doc data that should be used in the hashing process</param>
        /// <returns>An empty array — the actual signature value is produced out of band.</returns>
        /// <remarks>
        /// The authenticated attributes are built from <c>_certificates</c>, <c>_ocspBytes</c> and
        /// <c>_crlBytesCollection</c>. The <c>sgn</c> instance created here is discarded, so whatever
        /// code assembles the final container must regenerate byte-identical attributes (same chain,
        /// same OCSP/CRL bytes, same digest algorithm) or the signature will not verify.
        /// </remarks>
        public override byte[] Sign(Stream data)
        {
            // Container used only to derive the signed attributes (SHA-256, CMS).
            var sgn = new PdfPKCS7(null,
                                   _certificates.ToArray(),
                                   DigestAlgorithms.SHA256,
                                   false);

            // Digest of the document's signed byte range.
            NakedHash = DigestAlgorithms.Digest(data, DigestAlgorithms.SHA256);

            // DER of the authenticated (signed) attributes; this — not the document hash — is what gets signed.
            var docBytes = sgn.GetAuthenticatedAttributeBytes(NakedHash,
                                                              PdfSigner.CryptoStandard.CMS,
                                                              _ocspBytes?.ToList(),
                                                              _crlBytesCollection?.ToList());

            // Digest of the attributes.
            using var hashMemoryStream = new MemoryStream(docBytes, false);
            var docBytesHash = DigestAlgorithms.Digest(hashMemoryStream, DigestAlgorithms.SHA256);


            // _sha256SigPrefix is presumably the DigestInfo prefix of a PKCS#1 v1.5 RSA signature, so the
            // external signer is expected to apply the raw signature primitive without hashing again —
            // TODO confirm against the AMA contract.
            var totalHash = new byte[_sha256SigPrefix.Length + docBytesHash.Length];

            _sha256SigPrefix.CopyTo(totalHash, 0);
            docBytesHash.CopyTo(totalHash, _sha256SigPrefix.Length);
            HashToBeSignedByAma = totalHash;
            return(Array.Empty <byte>());
        }
        /// <summary>
        /// Feeds the bytes covered by the signature's /ByteRange into <paramref name="pkcs7"/>
        /// so its digest can later be compared with the signed value. Despite the name nothing
        /// is written: the /ByteRange array is only read.
        /// </summary>
        /// <param name="pkcs7">Container that accumulates the digest via <c>Update</c>.</param>
        /// <param name="signature">Signature dictionary whose /ByteRange is used.</param>
        /// <exception cref="PdfException">Wraps any failure while reading the ranges, including an
        /// IOException raised on dispose.</exception>
        /// <remarks>
        /// The /ByteRange comes from the document and is taken at face value here; whether those
        /// ranges actually cover the whole file is a separate check.
        /// </remarks>
        private void UpdateByteRange(PdfPKCS7 pkcs7, PdfSignature signature)
        {
            PdfArray                byteRange = signature.GetByteRange();
            RandomAccessFileOrArray safeFile  = document.GetReader().GetSafeFile();
            Stream                  ranged    = null;

            try
            {
                var view = new RandomAccessSourceFactory().CreateRanged(safeFile.CreateSourceView(), byteRange.ToLongArray());
                ranged = new RASInputStream(view);
                byte[] chunk = new byte[8192];
                for (int read = ranged.JRead(chunk, 0, chunk.Length); read > 0; read = ranged.JRead(chunk, 0, chunk.Length))
                {
                    pkcs7.Update(chunk, 0, read);
                }
            }
            catch (Exception e)
            {
                throw new PdfException(e);
            }
            finally
            {
                try
                {
                    ranged?.Dispose();
                }
                catch (System.IO.IOException e)
                {
                    // Not expected: the source is a view over a safe view, whose dispose is a no-op.
                    throw new PdfException(e);
                }
            }
        }
        /// <summary>
        /// Collects descriptive data about one signature field into <paramref name="signatureInfoList"/>
        /// and folds the field's dictionary into <paramref name="perms"/>.
        /// </summary>
        /// <param name="fields">Form fields of the document being inspected.</param>
        /// <param name="name">Signature field name.</param>
        /// <param name="perms">Permissions accumulated from earlier signatures.</param>
        /// <param name="signatureInfoList">Receives the new <c>SignatureInfo</c>.</param>
        /// <returns>Permissions derived from this signature's dictionary on top of <paramref name="perms"/>.</returns>
        /// <remarks>
        /// <c>IntegrityCheck</c> is <c>pkcs7.Verify()</c> alone: it says the signed bytes were not altered,
        /// not that the certificate chains to a trusted root, is unrevoked, or that the signature covers
        /// the whole document. Signer name, reason, location and contact info are reported as claimed.
        /// </remarks>
        private SignaturePermissions GetSignatureInfo(AcroFields fields, string name, SignaturePermissions perms, List <SignatureInfo> signatureInfoList)
        {
            PdfPKCS7        pkcs7   = fields.VerifySignature(name);
            X509Certificate signer  = pkcs7.SigningCertificate;
            PdfDictionary   sigDict = fields.GetSignatureDictionary(name);
            PdfString       contact = sigDict.GetAsString(PdfName.CONTACTINFO);

            if (contact != null)
            {
                Console.WriteLine("Contact info: " + contact);
            }

            signatureInfoList.Add(new SignatureInfo
            {
                Signer         = CertificateInfo.GetSubjectFields(signer).GetField("CN"),
                SignedOn       = pkcs7.SignDate,
                Location       = pkcs7.Location,
                Issuer         = signer.IssuerDN.ToString(),
                Subject        = signer.SubjectDN.ToString(),
                CertValidFrom  = signer.NotBefore,
                CertValidTo    = signer.NotAfter,
                Reason         = pkcs7.Reason,
                IntegrityCheck = pkcs7.Verify()
            });

            return new SignaturePermissions(sigDict, perms);
        }
        /// <summary>
        /// Prepares the CAdES signed attributes for an external signer: digests the signature's
        /// byte range and returns the authenticated-attribute bytes, base64-encoded.
        /// </summary>
        /// <param name="cert">Signer certificate; its chain is resolved with <c>GetCertChain</c>.</param>
        /// <returns>Base64 of the authenticated attributes the external signer must sign.</returns>
        /// <exception cref="Exception">Any failure is re-thrown wrapped, after closing <c>document</c> and <c>pdfStamper</c>.</exception>
        /// <remarks>
        /// Side effects: sets the fields <c>sgn</c> and <c>hashValue</c> for the later assembly step.
        /// NOTE(review): <c>crlList</c> (holding a CrlClientOnline) is built but never used — every
        /// ProcessCrl call gets <c>null</c> as its client list, so presumably no CRL is ever fetched
        /// and <c>crlBytes</c> stays null. Whether that is intended cannot be decided here: whatever
        /// assembles the final PKCS#7 must use exactly the same CRL bytes, or the signed attributes
        /// will not match the signature.
        /// </remarks>
        private String calculateSigningContent(X509Certificate2 cert)
        {
            byte[] attributes = null;
            try
            {
                Org.BouncyCastle.X509.X509Certificate[] chain = GetCertChain(cert);
                sgn       = new PdfPKCS7(null, chain, "SHA-256", true);
                hashValue = HashFile(sap.GetRangeStream());

                List <ICrlClient> crlList = new List <ICrlClient> { new CrlClientOnline(chain) };

                // Walk the chain until a ProcessCrl call yields something (see remarks: crlList is not passed).
                ICollection <byte[]> crlBytes = null;
                for (int idx = 0; crlBytes == null && idx < chain.Length; idx++)
                {
                    crlBytes = MakeSignature.ProcessCrl(chain[idx], null);
                }

                attributes = sgn.getAuthenticatedAttributeBytes(hashValue, null, crlBytes /*crlbyte*/, CryptoStandard.CADES);
            }
            catch (Exception ex)
            {
                document?.Close();
                pdfStamper?.Close();
                throw new Exception("getHash : " + ex.Message, ex);
            }
            return System.Convert.ToBase64String(attributes);
        }
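        /// <summary>
        /// Runs an integrity check on every signature in the given PDF and builds a
        /// human-readable (Turkish) summary, one fragment per signature.
        /// </summary>
        /// <param name="pdfContent">Raw bytes of a PDF that should already carry one or more signatures.</param>
        /// <returns>A message saying no signatures were found, or the concatenated per-signature verdicts.</returns>
        /// <remarks>
        /// "geçerli" here only means <c>PdfPKCS7.Verify()</c> succeeded, i.e. the signed byte range is
        /// intact. It does not check that the signature covers the whole document (content appended
        /// after signing would still pass), nor the certificate's trust chain or revocation status.
        /// Fix: the reader is now disposed on every path; previously it was closed only after a
        /// successful loop and leaked both on the "no signatures" return and when Verify threw.
        /// </remarks>
        private string checkSignature(byte[] pdfContent)
        {
            using (PdfReader reader = new PdfReader(pdfContent))
            {
                AcroFields    fields = reader.AcroFields;
                List <String> names  = fields.GetSignatureNames();

                // Signature eklenmiş PDF dosyası buraya yollanmalı. Yoksa Verification Gerçekleşemez.
                // (A PDF that already carries signatures must be passed; otherwise there is nothing to verify.)
                if (names.Count == 0)
                {
                    return("İlgili PDF'e ait imza(lar) bulunamamıştır.");
                }

                string message = string.Empty;
                for (int i = 0; i < names.Count; i++)
                {
                    PdfPKCS7 pkcs7  = fields.VerifySignature(names[i]);
                    bool     intact = pkcs7.Verify();
                    // Verdicts are numbered from 1 for the reader.
                    message += string.Format(intact ? "{0}.imza geçerli." : "{0}.imza geçersiz.", i + 1);
                }
                return(message);
            }
        }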
        /// <summary>
        /// Incremental-saving scenario (judging by the fixture name, an ISA case): the signature is
        /// cryptographically valid, but a later revision appended to the file changed the page text.
        /// The latest revision must be reported as not covered by the signature, while the extracted
        /// signed revision is fully covered.
        /// </summary>
        public virtual void TestISAValidPdf()
        {
            String filePath      = sourceFolder + "isaValidPdf.pdf";
            String signatureName = "Signature1";

            PdfDocument   latest      = new PdfDocument(new PdfReader(filePath));
            SignatureUtil latestUtil  = new SignatureUtil(latest);
            PdfPKCS7      latestPkcs7 = latestUtil.ReadSignatureData(signatureName);

            // The signed byte range is untouched, so the cryptographic check passes...
            NUnit.Framework.Assert.IsTrue(latestPkcs7.VerifySignatureIntegrityAndAuthenticity());
            // ...but the signature does not cover the current (amended) revision.
            NUnit.Framework.Assert.IsFalse(latestUtil.SignatureCoversWholeDocument(signatureName));

            // We are working with the latest revision of the document, that's why we should get amended page text.
            // However the signature shall be marked as not covering the complete document, indicating its
            // invalidity for the current revision.
            String textFromPage = PdfTextExtractor.GetTextFromPage(latest.GetPage(1));
            NUnit.Framework.Assert.AreEqual("This is manipulated malicious text, ha-ha!", textFromPage);
            NUnit.Framework.Assert.AreEqual(2, latestUtil.GetTotalRevisions());
            NUnit.Framework.Assert.AreEqual(1, latestUtil.GetRevision(signatureName));

            // Re-open only the revision the signature was made over: there it covers everything.
            Stream        signedRevision = latestUtil.ExtractRevision(signatureName);
            PdfDocument   revDoc         = new PdfDocument(new PdfReader(signedRevision));
            SignatureUtil revUtil        = new SignatureUtil(revDoc);
            PdfPKCS7      revPkcs7       = revUtil.ReadSignatureData(signatureName);

            NUnit.Framework.Assert.IsTrue(revPkcs7.VerifySignatureIntegrityAndAuthenticity());
            NUnit.Framework.Assert.IsTrue(revUtil.SignatureCoversWholeDocument(signatureName));

            revDoc.Close();
            latest.Close();
        }
        /// <summary>Switches to the previous revision.</summary>
        /// <remarks>
        /// Moves the verifier one signature back: the validation date becomes the current signature's
        /// timestamp (or, failing that, its claimed signing date), the document is re-opened from the
        /// revision that the previous signature covers, and <c>pkcs7</c> is re-read from it.
        /// The previously opened <c>document</c> is replaced without being closed here.
        /// </remarks>
        public virtual void SwitchToPreviousRevision()
        {
            LOGGER.Info("Switching to previous revision.");
            latestRevision = false;
            dss            = document.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS);
            DateTime cal = pkcs7.GetTimeStampDate();

            if (cal == TimestampConstants.UNDEFINED_TIMESTAMP_DATE)
            {
                // No timestamp: fall back to the signing date carried in the signature. That value is
                // asserted by the signer and cannot be independently verified, unlike a TSA timestamp.
                cal = pkcs7.GetSignDate();
            }
            // TODO: get date from signature
            signDate = cal.ToUniversalTime();
            IList <String> names = sgnUtil.GetSignatureNames();

            if (names.Count > 1)
            {
                // Second-to-last name = the signature whose revision we step into.
                signatureName = names[names.Count - 2];
                document      = new PdfDocument(new PdfReader(sgnUtil.ExtractRevision(signatureName)), new DocumentProperties()
                                                .SetEventCountingMetaInfo(metaInfo));
                this.acroForm = PdfAcroForm.GetAcroForm(document, true);
                this.sgnUtil  = new SignatureUtil(document);
                // Inside the extracted revision that signature is now the newest one.
                names         = sgnUtil.GetSignatureNames();
                signatureName = names[names.Count - 1];
                pkcs7         = CoversWholeDocument();
                LOGGER.Info(MessageFormatUtil.Format("Checking {0}signature {1}", pkcs7.IsTsp() ? "document-level timestamp "
                     : "", signatureName));
            }
            else
            {
                LOGGER.Info("No signatures in revision");
                pkcs7 = null;
            }
        }
        /// <summary>
        /// Prints what can be learned about one signature field — widget placement, algorithms,
        /// signer subject, dates, timestamp, reason/location/contact and the permissions it imposes —
        /// and returns the updated permissions.
        /// </summary>
        /// <param name="fields">Form fields of the document.</param>
        /// <param name="name">Signature field name.</param>
        /// <param name="perms">Permissions accumulated so far; combined with this signature's dictionary.</param>
        /// <returns>Permissions after applying this signature's dictionary.</returns>
        /// <remarks>
        /// Everything printed is taken from the signature and its certificate. The only checks made are
        /// <c>VerifySignature</c> (integrity) and <c>VerifyTimestampImprint()</c> (the timestamp matches
        /// the signature value); trust in the signer's or the TSA's certificate is not established here.
        /// </remarks>
        public SignaturePermissions InspectSignature(AcroFields fields, String name, SignaturePermissions perms)
        {
            IList <AcroFields.FieldPosition> positions = fields.GetFieldPositions(name);

            if (positions != null && positions.Count > 0)
            {
                AcroFields.FieldPosition first = positions[0];
                Rectangle box = first.position;
                // A zero-area widget is an invisible signature.
                if (box.Width == 0 || box.Height == 0)
                {
                    Console.WriteLine("Invisible signature");
                }
                else
                {
                    Console.WriteLine("Field on page {0}; llx: {1}, lly: {2}, urx: {3}; ury: {4}",
                                      first.page, box.Left, box.Bottom, box.Right, box.Top);
                }
            }

            PdfPKCS7 pkcs7 = VerifySignature(fields, name);
            Console.WriteLine("Digest algorithm: " + pkcs7.GetHashAlgorithm());
            Console.WriteLine("Encryption algorithm: " + pkcs7.GetEncryptionAlgorithm());
            Console.WriteLine("Filter subtype: " + pkcs7.GetFilterSubtype());

            X509Certificate signer = pkcs7.SigningCertificate;
            Console.WriteLine("Name of the signer: " + CertificateInfo.GetSubjectFields(signer).GetField("CN"));
            if (pkcs7.SignName != null)
            {
                Console.WriteLine("Alternative name of the signer: " + pkcs7.SignName);
            }

            const string dateFormat = "yyyy-MM-dd HH:mm:ss.ff";
            Console.WriteLine("Signed on: " + pkcs7.SignDate.ToString(dateFormat));
            // DateTime.MaxValue is the sentinel for "no timestamp".
            DateTime timestampDate = pkcs7.TimeStampDate;
            if (!timestampDate.Equals(DateTime.MaxValue))
            {
                Console.WriteLine("TimeStamp: " + timestampDate.ToString(dateFormat));
                TimeStampToken token = pkcs7.TimeStampToken;
                Console.WriteLine("TimeStamp service: " + token.TimeStampInfo.Tsa);
                Console.WriteLine("Timestamp verified? " + pkcs7.VerifyTimestampImprint());
            }
            Console.WriteLine("Location: " + pkcs7.Location);
            Console.WriteLine("Reason: " + pkcs7.Reason);

            PdfDictionary sigDict = fields.GetSignatureDictionary(name);
            PdfString     contact = sigDict.GetAsString(PdfName.CONTACTINFO);
            if (contact != null)
            {
                Console.WriteLine("Contact info: " + contact);
            }

            SignaturePermissions updated = new SignaturePermissions(sigDict, perms);
            Console.WriteLine("Signature type: " + (updated.Certification ? "certification" : "approval"));
            Console.WriteLine("Filling out fields allowed: " + updated.FillInAllowed);
            Console.WriteLine("Adding annotations allowed: " + updated.AnnotationsAllowed);
            foreach (SignaturePermissions.FieldLock fieldLock in updated.FieldLocks)
            {
                Console.WriteLine("Lock: " + fieldLock);
            }
            return updated;
        }
        /// <summary>
        /// Stamps the current local time into the appearance and renders the visible layer-2
        /// text ("signed by CN, on date") through <c>SigTextFormat</c>.
        /// </summary>
        /// <param name="sigAppearance">Appearance being prepared for signing.</param>
        /// <param name="chain">Signer chain; the subject CN of <c>chain[0]</c> is displayed.</param>
        /// <remarks>
        /// The date is the signer's own clock (<c>DateTime.Now</c>), i.e. a claimed signing time;
        /// only a TSA timestamp would make it trustworthy.
        /// </remarks>
        private static void SetSigText(PdfSignatureAppearance sigAppearance, IList <X509Certificate> chain)
        {
            sigAppearance.SignDate = DateTime.Now;

            string commonName = PdfPKCS7.GetSubjectFields(chain[0]).GetField("CN");
            // Read the date back from the appearance rather than reusing the local value.
            sigAppearance.Layer2Text = String.Format(SigTextFormat, commonName, sigAppearance.SignDate);
        }
        /// <summary>
        /// Opens <paramref name="filePath"/>, reads the named signature and asserts that its
        /// integrity check (<c>PdfPKCS7.Verify()</c>) passes. Nothing about trust, revocation or
        /// whole-document coverage is asserted.
        /// </summary>
        /// <param name="filePath">Signed PDF under test.</param>
        /// <param name="signatureName">Signature field to check.</param>
        /// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
        /// <exception cref="System.IO.IOException"/>
        internal static void BasicCheckSignedDoc(String filePath, String signatureName)
        {
            PdfDocument signedDoc = new PdfDocument(new PdfReader(filePath));
            bool        intact    = new SignatureUtil(signedDoc).VerifySignature(signatureName).Verify();

            NUnit.Framework.Assert.IsTrue(intact);
            signedDoc.Close();
        }
        /// <summary>
        /// Prints whether the signature covers the whole document and which revision it belongs
        /// to, runs the integrity check and returns the parsed container.
        /// </summary>
        /// <param name="fields">Form fields of the document.</param>
        /// <param name="name">Signature field name.</param>
        /// <returns>The parsed signature container.</returns>
        /// <remarks>"Integrity check OK" refers to the signed byte range only; a signature that does not
        /// cover the whole document can still report OK here.</remarks>
        public virtual PdfPKCS7 VerifySignature(AcroFields fields, String name)
        {
            bool coversAll = fields.SignatureCoversWholeDocument(name);
            Console.WriteLine("Signature covers whole document: " + coversAll);

            int revision = fields.GetRevision(name);
            int total    = fields.TotalRevisions;
            Console.WriteLine("Document revision: " + revision + " of " + total);

            PdfPKCS7 container = fields.VerifySignature(name);
            Console.WriteLine("Integrity check OK? " + container.Verify());
            return container;
        }
        /// <summary>
        /// Opens <paramref name="filePath"/>, reads the named signature and asserts that
        /// <c>VerifySignatureIntegrityAndAuthenticity()</c> holds. Trust, revocation and
        /// whole-document coverage are not asserted.
        /// </summary>
        /// <param name="filePath">Signed PDF under test.</param>
        /// <param name="signatureName">Signature field to check.</param>
        internal static void BasicCheckSignedDoc(String filePath, String signatureName)
        {
            PdfDocument signedDoc = new PdfDocument(new PdfReader(filePath));
            PdfPKCS7    container = new SignatureUtil(signedDoc).ReadSignatureData(signatureName);

            NUnit.Framework.Assert.IsTrue(container.VerifySignatureIntegrityAndAuthenticity());
            signedDoc.Close();
        }
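        /// <summary>
        /// Second step of the browser-side signing flow: receives the signature value (and the
        /// signer certificate) computed by the client over the digest handed out in <c>Index</c>,
        /// wraps it into a PKCS#7, closes the pending signature appearance kept in session and
        /// stores the signed PDF.
        /// </summary>
        /// <param name="model">Client-posted certificate (<c>CertContent</c>) and signature bytes (<c>Signature</c>).</param>
        /// <returns>Redirect to <c>SignatureInfo</c> on success, back to <c>Index</c> when the session
        /// state is missing, or the view with a model error on failure.</returns>
        /// <remarks>
        /// Security notes. <c>model.CertContent</c> and <c>model.Signature</c> are untrusted input and are
        /// embedded as-is: nothing here checks that the signature verifies against
        /// <c>sessionModel.RangeDigest</c> or that the certificate chains to anything trusted — a bogus
        /// value simply yields a PDF that fails verification later. The algorithm is fixed to "RSA" and
        /// the digest to <c>DigestAlgorithm</c>; the 8192-byte /Contents slot must match what
        /// <c>Index</c> reserved.
        /// Fixes: the session entry is read under "ITextSessionModel" but was removed under
        /// "SignatureCompleteModel", so it was never cleared; and the full exception (stack trace
        /// included) was rendered to the user — only the message is now.
        /// </remarks>
        public ActionResult Complete(SignatureCompleteModel model)
        {
            byte[] signedPdf;

            try {
                // Recover session data from Index action
                var sessionModel = Session["ITextSessionModel"] as ITextSessionModel;
                if (sessionModel == null)
                {
                    // No pending signature for this session (expired, or Complete called directly).
                    return(RedirectToAction("Index"));
                }

                // Decode the client-supplied certificate
                var certificate = new X509CertificateParser().ReadCertificate(model.CertContent);

                // Wrap the externally computed signature value
                var pkcs7 = new PdfPKCS7(null, new X509Certificate[] { certificate }, DigestAlgorithm, false);
                pkcs7.SetExternalDigest(model.Signature, null, "RSA");

                // Build the CMS container over the digest stored in Index and pad it to the reserved size
                byte[] pkcs7Encoded = pkcs7.GetEncodedPKCS7(sessionModel.RangeDigest);
                if (pkcs7Encoded.Length > 8192)
                {
                    // A container larger than the slot reserved in Index cannot be written in place.
                    throw new InvalidOperationException("PKCS37 encoded shouldn't be bigger than the space reserved for it");
                }
                byte[] pkcs7Padded = new byte[8192];
                pkcs7Encoded.CopyTo(pkcs7Padded, 0);

                // Write the padded PKCS#7 into /Contents and close the appearance, which finishes the document
                var sigDictionary = new PdfDictionary();
                sigDictionary.Put(PdfName.CONTENTS, new PdfString(pkcs7Padded).SetHexWriting(true));
                sessionModel.SignatureApperance.Close(sigDictionary);

                // The signed bytes were accumulated in the stream kept in session
                signedPdf = sessionModel.SignedPdfStream.ToArray();
                sessionModel.SignedPdfStream.Close();
            } catch (Exception ex) {
                // Message only: ex.ToString() would expose the stack trace to the browser.
                ModelState.AddModelError("", ex.Message);
                return(View());
            } finally {
                // Clear the pending signature state; the key must match the one read above.
                Session.Remove("ITextSessionModel");
                Session.Remove("SignatureCompleteModel");
            }

            TempData["SignatureInfoModel"] = new SignatureInfoModel()
            {
                File = Storage.StoreFile(signedPdf, ".pdf")
            };

            return(RedirectToAction("SignatureInfo"));
        }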
        /// <summary>
        /// Reads a signature, prints whether it covers the whole document, its revision, and the
        /// integrity/authenticity verdict, then returns the container for further inspection.
        /// </summary>
        /// <param name="signUtil">Signature utility for the open document.</param>
        /// <param name="name">Signature field name.</param>
        /// <returns>The parsed signature container.</returns>
        /// <remarks>Nothing here establishes trust in the signer certificate or checks revocation.</remarks>
        public PdfPKCS7 VerifySignature(SignatureUtil signUtil, String name)
        {
            PdfPKCS7 container = signUtil.ReadSignatureData(name);

            bool coversAll = signUtil.SignatureCoversWholeDocument(name);
            Console.Out.WriteLine("Signature covers whole document: " + coversAll);

            int revision = signUtil.GetRevision(name);
            int total    = signUtil.GetTotalRevisions();
            Console.Out.WriteLine("Document revision: " + revision + " of " + total);

            Console.Out.WriteLine("Integrity check OK? " + container.VerifySignatureIntegrityAndAuthenticity());
            return container;
        }
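        /// <summary>
        /// Checks the signing certificate's revocation status against the OCSP response / CRLs that
        /// are embedded in the signature container and prints the outcome.
        /// </summary>
        /// <param name="pkcs7">Signature container; only its embedded OCSP response and CRLs are consulted.</param>
        /// <param name="signCert">Certificate to check.</param>
        /// <param name="issuerCert">Its issuer, or <c>null</c> when unknown / self-signed.</param>
        /// <param name="date">Moment at which the status must hold.</param>
        /// <remarks>
        /// Order: OCSP first, embedded CRLs only if OCSP produced nothing. Both verifiers get a <c>null</c>
        /// parent, so nothing else (e.g. chain validation) is chained here. OCSP response and CRLs come
        /// from the signature, i.e. from data under the signer's control.
        ///
        /// The trailing fallback (not part of the iText example) looks at the raw CRL entries when the
        /// verifiers found nothing applicable. A CRL the verifier did not accept is just an
        /// unauthenticated blob, so its signature is first checked against <paramref name="issuerCert"/>'s
        /// public key; without an issuer certificate, or when no CRL verifies, the status is reported as
        /// unknown rather than "not revoked". The CRL validity window (ThisUpdate/NextUpdate) is still not
        /// checked in this fallback, and "False" only means "not listed in a CRL the signer chose to
        /// embed", not "known good". The fallback now checks <paramref name="signCert"/>, the same
        /// certificate the verifiers were given, instead of <c>pkcs7.SigningCertificate</c>.
        /// </remarks>
        public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            List <BasicOcspResp> ocsps = new List <BasicOcspResp>();

            if (pkcs7.Ocsp != null)
            {
                ocsps.Add(pkcs7.Ocsp);
            }
            OcspVerifier          ocspVerifier = new OcspVerifier(null, ocsps);
            List <VerificationOK> verification =
                ocspVerifier.Verify(signCert, issuerCert, date);

            if (verification.Count == 0)
            {
                List <X509Crl> crls = new List <X509Crl>();
                if (pkcs7.CRLs != null)
                {
                    foreach (X509Crl crl in pkcs7.CRLs)
                    {
                        crls.Add(crl);
                    }
                }
                CrlVerifier crlVerifier = new CrlVerifier(null, crls);
                verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
            }
            if (verification.Count == 0)
            {
                Console.WriteLine("The signing certificate couldn't be verified with the example");
            }
            else
            {
                foreach (VerificationOK v in verification)
                {
                    Console.WriteLine(v);
                }
            }

            // Fallback not in the iText example: inspect the embedded CRLs directly.
            // Only CRLs whose signature verifies under the issuer's public key are consulted —
            // an unverified CRL could be anything the signer put into the container.
            if (verification.Count == 0 && pkcs7.CRLs != null && pkcs7.CRLs.Count != 0)
            {
                if (issuerCert == null)
                {
                    Console.WriteLine("Is certificate revoked?: unknown (no issuer certificate to verify the embedded CRLs with)");
                    return;
                }

                bool revoked = false;
                int  usable  = 0;
                foreach (X509Crl crl in pkcs7.CRLs)
                {
                    try
                    {
                        // Throws when the CRL was not signed by this key.
                        crl.Verify(issuerCert.GetPublicKey());
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine("Skipping embedded CRL that does not verify against the issuer: " + e.Message);
                        continue;
                    }
                    usable++;
                    if (crl.IsRevoked(signCert))
                    {
                        revoked = true;
                        break;
                    }
                }

                if (usable == 0)
                {
                    Console.WriteLine("Is certificate revoked?: unknown (no embedded CRL verified against the issuer)");
                }
                else
                {
                    Console.WriteLine("Is certificate revoked?: " + revoked.ToString());
                }
            }
        }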
        /// <summary>
        /// Asserts the signer CN, location and reason of a signature, and that its claimed signing
        /// date lies within a minute of now.
        /// </summary>
        /// <remarks>
        /// The date assertion couples the test to the wall clock and assumes <c>SignDate</c> and
        /// <c>DateTime.Now</c> are expressed in the same kind/zone — check this first if it flakes.
        /// </remarks>
        private void AssertSignatureDetails(string signatureName,
                                            string expectedSignName, string expectedLocation, string expectedReason)
        {
            PdfPKCS7 signature = this.pdfReader.AcroFields.VerifySignature(signatureName);
            string   actualCn  = CertificateInfo.GetSubjectFields(signature.SigningCertificate).GetField("CN");

            Assert.AreEqual(expectedSignName, actualCn);
            Assert.AreEqual(expectedLocation, signature.Location);
            Assert.AreEqual(expectedReason, signature.Reason);
            Assert.That(signature.SignDate, Is.EqualTo(DateTime.Now).Within(1).Minutes);
        }
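        /// <summary>
        /// Reads the named signature, logs coverage / revision / integrity and records the
        /// integrity verdict in <paramref name="model"/>.
        /// </summary>
        /// <param name="model">Receives <c>Integrity</c> = "OK" or "NOT OK".</param>
        /// <param name="signUtil">Signature utility for the open document.</param>
        /// <param name="name">Signature field name.</param>
        /// <returns>The parsed signature and the updated model.</returns>
        /// <remarks>
        /// <c>VerifySignatureIntegrityAndAuthenticity()</c> is evaluated once and reused (it was
        /// called twice). The verdict covers the signed byte range only: whether the signature covers
        /// the current revision is logged but not reflected in <c>Integrity</c>, and certificate trust
        /// and revocation are not checked. The informational lines are logged at Error level, as in
        /// the original — consider Info if that pollutes error monitoring.
        /// </remarks>
        public static (PdfPKCS7, FileDetailsModel) VerifySignature(FileDetailsModel model, SignatureUtil signUtil, String name)
        {
            PdfPKCS7 pkcs7  = signUtil.ReadSignatureData(name);
            bool     intact = pkcs7.VerifySignatureIntegrityAndAuthenticity();

            logger.Error("Signature covers whole document: " + signUtil.SignatureCoversWholeDocument(name));
            logger.Error("Document revision: " + signUtil.GetRevision(name) + " of "
                         + signUtil.GetTotalRevisions());
            logger.Error("Integrity check OK? " + intact);
            model.Integrity = intact ? "OK" : "NOT OK";
            return (pkcs7, model);
        }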
        /// <summary>
        /// "siwa.pdf" fixture: the signature verifies cryptographically but does not cover the whole
        /// document, i.e. the file has bytes beyond the signed range. A verifier that only checks the
        /// signature value would be fooled; coverage must be checked as well.
        /// </summary>
        public virtual void TestSWA01()
        {
            String filePath      = sourceFolder + "siwa.pdf";
            String signatureName = "Signature1";

            PdfDocument   doc       = new PdfDocument(new PdfReader(filePath));
            SignatureUtil util      = new SignatureUtil(doc);
            PdfPKCS7      container = util.ReadSignatureData(signatureName);

            NUnit.Framework.Assert.IsTrue(container.VerifySignatureIntegrityAndAuthenticity());
            NUnit.Framework.Assert.IsFalse(util.SignatureCoversWholeDocument(signatureName));
            doc.Close();
        }
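        /// <summary>
        /// Verifies one signature: integrity (via <c>GetSignatureData</c>), the certificate chain
        /// against the key store <c>ks</c>, per-certificate validity, and revocation status both at
        /// signing time and now.
        /// </summary>
        /// <param name="signUtil">Signature utility for the open document.</param>
        /// <param name="name">Signature field name.</param>
        /// <returns>The parsed signature container.</returns>
        /// <remarks>
        /// Fix: the "no timestamp" fallback and the "today" check used <c>new DateTime()</c>, which is
        /// 0001-01-01 (DateTime.MinValue), not the current time — every certificate would have been
        /// evaluated as not yet valid and every revocation check dated to year 1. Both now use
        /// <c>DateTime.UtcNow</c>. Without a timestamp the true signing time is unknown, so "at the
        /// time of signing" then simply means "now".
        /// </remarks>
        public PdfPKCS7 VerifySignature(SignatureUtil signUtil, String name)
        {
            PdfPKCS7 pkcs7 = GetSignatureData(signUtil, name);

            X509Certificate[] certs = pkcs7.GetSignCertificateChain();

            // Timestamp is a secure source of signature creation time,
            // because it's based on Time Stamping Authority service.
            DateTime cal = pkcs7.GetTimeStampDate();

            // If there is no timestamp, use the current date
            // (not new DateTime(), which is DateTime.MinValue).
            if (TimestampConstants.UNDEFINED_TIMESTAMP_DATE == cal)
            {
                cal = DateTime.UtcNow;
            }

            // Check if the certificate chain, presented in the PDF, can be verified against
            // the created key store.
            IList <VerificationException> errors = CertificateVerification.VerifyCertificates(certs, ks, cal);

            if (errors.Count == 0)
            {
                OUT_STREAM.WriteLine("Certificates verified against the KeyStore");
            }
            else
            {
                OUT_STREAM.WriteLine(errors);
            }

            // Find out if certificates were valid on the signing date, and if they are still valid today
            for (int i = 0; i < certs.Length; i++)
            {
                X509Certificate cert = (X509Certificate)certs[i];
                OUT_STREAM.WriteLine("=== Certificate " + i + " ===");
                ShowCertificateInfo(cert, cal.ToUniversalTime());
            }

            // Take the signing certificate
            X509Certificate signCert = (X509Certificate)certs[0];

            // Take the certificate of the issuer of that certificate (or null if it was self-signed).
            X509Certificate issuerCert = (certs.Length > 1 ? (X509Certificate)certs[1] : null);

            OUT_STREAM.WriteLine("=== Checking validity of the document at the time of signing ===");
            CheckRevocation(pkcs7, signCert, issuerCert, cal.ToUniversalTime());

            OUT_STREAM.WriteLine("=== Checking validity of the document today ===");
            CheckRevocation(pkcs7, signCert, issuerCert, DateTime.UtcNow);

            return(pkcs7);
        }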
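        /// <summary>
        /// Binds this verifier to <paramref name="document"/>: picks the newest signature, sets the
        /// validation date to the current UTC time and reads that signature's container.
        /// </summary>
        /// <param name="document">Signed document to verify.</param>
        /// <exception cref="InvalidOperationException">The document has no signature; previously this
        /// surfaced as an <c>ArgumentOutOfRangeException</c> from the list index.</exception>
        /// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
        protected internal virtual void InitLtvVerifier(PdfDocument document)
        {
            this.document = document;
            this.acroForm = PdfAcroForm.GetAcroForm(document, true);
            this.sgnUtil  = new SignatureUtil(document);
            IList <String> names = sgnUtil.GetSignatureNames();
            if (names.Count == 0)
            {
                throw new InvalidOperationException("The document contains no signatures; nothing to verify.");
            }

            // The last name is the most recent signature; verification starts from it.
            signatureName = names[names.Count - 1];
            this.signDate = DateTimeUtil.GetCurrentUtcTime();
            pkcs7         = CoversWholeDocument();
            LOGGER.Info(MessageFormatUtil.Format("Checking {0}signature {1}", pkcs7.IsTsp() ? "document-level timestamp "
                 : "", signatureName));
        }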
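        /// <summary>
        /// Builds a <c>Nenshkrim</c> (signature info) record for one signature field: signer names from
        /// the certificate subject, issuer DN parts, algorithms, signing date, certificate validity,
        /// serial number and the integrity verdict.
        /// </summary>
        /// <param name="af">Form fields of the document.</param>
        /// <param name="name">Signature field name.</param>
        /// <returns>The populated record.</returns>
        /// <remarks>
        /// Fixes: the certificate is now <c>pkcs7.SigningCertificate</c> instead of
        /// <c>pkcs7.Certificates[0]</c> — the order of certificates inside a PKCS#7 is not guaranteed,
        /// so index 0 may be a CA certificate rather than the signer's. The "KS" CN trimming no longer
        /// throws on a missing or short CN. <c>Valid</c> still reflects only <c>pkcs7.Verify()</c>
        /// (byte-range integrity), not chain trust, revocation or whole-document coverage.
        /// </remarks>
        private Nenshkrim MerrNenshkrimInfo(AcroFields af, string name)
        {
            PdfPKCS7 pkcs7 = af.VerifySignature(name);

            // The signer certificate, as a BouncyCastle object and as a .NET one (for the DN/serial helpers).
            Org.BouncyCastle.X509.X509Certificate cert = pkcs7.SigningCertificate;
            var certificate = new X509Certificate2(cert.GetEncoded());

            Nenshkrim nenshkruesi = new Nenshkrim();
            var subject = CertificateInfo.GetSubjectFields(cert);

            nenshkruesi.Nenshkruesi = subject.GetField("CN");

            string issuer = certificate.Issuer;

            nenshkruesi.IssuerCN = GetIssuer(issuer, "CN=");
            nenshkruesi.IssuerOU = GetIssuer(issuer, "OU=");
            nenshkruesi.IssuerO  = GetIssuer(issuer, "O=");
            nenshkruesi.IssuerC  = GetIssuer(issuer, "C=");

            // For Kosovo-issued certificates the first 8 characters of the CN are dropped
            // (original comment: "largimi i [EMAIL] prej cn" — removing [EMAIL] from the CN).
            // Guarded so a missing or short CN is left as-is instead of throwing.
            if (nenshkruesi.IssuerC == "KS" && nenshkruesi.Nenshkruesi != null && nenshkruesi.Nenshkruesi.Length >= 8)
            {
                nenshkruesi.Nenshkruesi = nenshkruesi.Nenshkruesi.Substring(8);
            }

            nenshkruesi.Emri    = subject.GetField("GIVENNAME");
            nenshkruesi.Mbiemri = subject.GetField("SURNAME");
            // Hash algorithm
            nenshkruesi.AlgoritmiHash = pkcs7.GetHashAlgorithm();
            // Encryption (signature) algorithm
            nenshkruesi.AlgoritmiEnkriptimit = pkcs7.GetEncryptionAlgorithm();
            // Signing date as claimed in the signature
            nenshkruesi.DataNenshkrimit = pkcs7.SignDate;
            // Certificate validity window and serial
            nenshkruesi.CertifikataValidePrej = certificate.GetEffectiveDateString();
            nenshkruesi.CertifikataValideDeri = certificate.GetExpirationDateString();
            nenshkruesi.SerialNumber          = certificate.SerialNumber;

            // Integrity of the signed byte range only.
            nenshkruesi.Valid = pkcs7.Verify();

            return(nenshkruesi);
        }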
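        /// <summary>
        /// Builds a PAdES signature summary from a parsed container: signing date, reason, the
        /// integrity verdict, signer/issuer DN fields, and — when a timestamp token is present — a
        /// nested <c>TsSignInfo</c> child.
        /// </summary>
        /// <param name="pkcs7">Parsed signature container.</param>
        /// <remarks>
        /// <c>IsVerified</c> is <c>pkcs7.Verify()</c>, i.e. integrity of the signed byte range only. If
        /// <c>Verify()</c> throws, the failure is printed and <c>IsVerified</c> keeps its default value,
        /// so callers cannot tell "invalid" from "could not check".
        /// Fix: the serial number was rendered via <c>BigInteger.IntValue</c>, which keeps only the low
        /// 32 bits — real certificate serials are typically far larger (and the truncated value could
        /// even print as a negative int). The full value is now rendered as upper-case hex, which is
        /// identical to the old output for serials that fit in a positive int.
        /// "SN" appears to be iText's key for the DN serialNumber attribute (surname is "SURNAME").
        /// </remarks>
        public PdfSignInfo(PdfPKCS7 pkcs7)
        {
            SignType = SignTypes.PAdES.ToString();
            SignDate = pkcs7.SignDate;
            Reason   = pkcs7.Reason;

            try
            {
                IsVerified = pkcs7.Verify();
            }
            catch (Exception ex)
            {
                Console.WriteLine(string.Format("Verifica validità fallita: {0}", ex.Message));
            }

            var signer        = pkcs7.SigningCertificate;
            var issuerFields  = CertificateInfo.GetIssuerFields(signer);
            var subjectFields = CertificateInfo.GetSubjectFields(signer);

            Certificate = new SigningCertificate()
            {
                // Full serial, not the low 32 bits.
                SerialNumber = signer.SerialNumber.ToString(16).ToUpperInvariant(),
                NotBefore    = signer.NotBefore,
                NotAfter     = signer.NotAfter
            };

            Certificate.Issuer = new IssuerDN()
            {
                SerialNumber     = issuerFields.GetField("SN"),
                Organization     = issuerFields.GetField("O"),
                OrganizationUnit = issuerFields.GetField("OU")
            };

            Certificate.Subject = new SubjectDN()
            {
                SerialNumber = subjectFields.GetField("SN"),
                GivenName    = subjectFields.GetField("GIVENNAME"),
                Surname      = subjectFields.GetField("SURNAME"),
                CommonName   = subjectFields.GetField("CN"),
                Organization = subjectFields.GetField("O")
            };

            if (pkcs7.TimeStampToken != null)
            {
                Children = new List <SignInfo>() { new TsSignInfo(pkcs7) };
            }
        }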
    }
        /// <summary>
        /// Asserts that every signature field in the document carries a cryptographically valid signature value.
        /// </summary>
        /// <remarks>
        /// Only signature integrity is asserted (<c>PdfPKCS7.Verify()</c>): the signed digest matches the bytes
        /// named by /ByteRange. This does not prove that the signer's certificate is trusted or unrevoked, nor
        /// that the signature covers the whole document revision.
        /// </remarks>
        /// <param name="path">Path to the PDF document that should be verified</param>
        /// <returns>Number of PDF signatures verified</returns>
        private static int VerifySignatureIntegrity(string path)
        {
            using (PdfReader reader = new PdfReader(path))
            {
                var fields = reader.AcroFields;
                List<string> names = fields.GetSignatureNames();
                foreach (string name in names)
                {
                    Assert.IsTrue(fields.VerifySignature(name).Verify());
                }
                return names.Count;
            }
        }
            /// <summary>
            /// Produces a CMS (PKCS#7) signature over the full content of <paramref name="data"/>.
            /// </summary>
            /// <param name="data">Stream whose content is digested and signed.</param>
            /// <returns>Encoded CMS SignedData carrying the signature value and the configured certificate chain.</returns>
            public byte[] Sign(Stream data)
            {
                PrivateKeySignature signer = new PrivateKeySignature(pk.Key, "SHA256");
                String digestAlgorithm = signer.GetHashAlgorithm();

                // Digest the content with the same algorithm the signer reports, so both sides agree.
                byte[] contentDigest = DigestAlgorithms.Digest(data, digestAlgorithm);

                // NOTE(review): the signing time comes from the local clock (DateTime.Now). It is only as
                // trustworthy as that clock; a timestamp token would be needed for proof of time.
                DateTime signedAt = DateTime.Now;

                PdfPKCS7 cms = new PdfPKCS7(null, chain, digestAlgorithm, false);

                // The private key signs the DER-encoded authenticated attributes (which bind the content
                // digest), not the raw digest itself.
                byte[] attributesToSign = cms.getAuthenticatedAttributeBytes(contentDigest, signedAt, null, null, CryptoStandard.CMS);
                byte[] signatureValue   = signer.Sign(attributesToSign);
                cms.SetExternalDigest(signatureValue, null, signer.GetEncryptionAlgorithm());

                return cms.GetEncodedPKCS7(contentDigest, signedAt, null, null, null, CryptoStandard.CMS);
            }
        /// <summary>
        /// Fetches an encoded OCSP response for the end-entity certificate of <paramref name="certificateChain"/>.
        /// </summary>
        /// <param name="certificateChain">Chain in leaf-first order; element 0 is the certificate checked, element 1 is taken as its issuer.</param>
        /// <returns>
        /// The encoded OCSP response, or <c>null</c> when the chain holds fewer than two certificates or the
        /// leaf carries no OCSP URL.
        /// </returns>
        static byte[] GetCertificateChainOCSP(X509Certificate[] certificateChain)
        {
            // Building the OCSP CertID needs the issuer certificate, so a lone leaf cannot be queried.
            if (certificateChain.Length < 2)
            {
                return null;
            }

            X509Certificate leaf   = certificateChain[0];
            X509Certificate issuer = certificateChain[1];

            String responderUrl = PdfPKCS7.GetOCSPURL(leaf);
            if (string.IsNullOrEmpty(responderUrl))
            {
                return null;
            }

            // NOTE(review): the responder URL is taken from the leaf certificate itself and the response is
            // returned as-is; whoever embeds it must still validate it against the issuer before relying on it.
            return new OcspClientBouncyCastle(leaf, issuer, responderUrl).GetEncoded();
        }
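        /// <summary>
        /// Prepares a
        /// <see cref="PdfPKCS7"/>
        /// instance for the given signature.
        /// This method handles signature parsing and might throw an exception if
        /// signature is malformed.
        /// <p>
        /// The returned
        /// <see cref="PdfPKCS7"/>
        /// can be used to fetch additional info about the signature
        /// and also to perform integrity check of data signed by the given signature field.
        /// </p>
        /// Prepared
        /// <see cref="PdfPKCS7"/>
        /// instance calculates digest based on signature's /ByteRange entry.
        /// In order to check that /ByteRange is properly defined and given signature indeed covers the current PDF document
        /// revision please use
        /// <see cref="SignatureCoversWholeDocument(System.String)"/>
        /// method.
        /// </summary>
        /// <param name="signatureFieldName">the signature field name</param>
        /// <returns>
        /// a
        /// <see cref="PdfPKCS7"/>
        /// instance which can be used to fetch additional info about the signature
        /// and also to perform integrity check of data signed by the given signature field,
        /// or <c>null</c> when the field has no signature dictionary
        /// </returns>
        /// <exception cref="PdfException">when the signature dictionary cannot be parsed; every failure raised while parsing is wrapped</exception>
        public virtual PdfPKCS7 ReadSignatureData(String signatureFieldName)
        {
            PdfSignature signature = GetSignature(signatureFieldName);

            if (signature == null)
            {
                return(null);
            }
            try {
                PdfName sub = signature.GetSubFilter();
                // /Contents holds raw DER bytes in a PDF string; decode it without a text encoding.
                byte[]  contents = PdfEncodings.ConvertToBytes(signature.GetContents().GetValue(), null);
                PdfPKCS7 pk;
                if (sub.Equals(PdfName.Adbe_x509_rsa_sha1))
                {
                    // Legacy adbe.x509.rsa_sha1: the certificate is not inside the signature blob but in /Cert,
                    // which is either a single string or an array whose first element is the signer certificate.
                    PdfString cert = signature.GetPdfObject().GetAsString(PdfName.Cert);
                    if (cert == null)
                    {
                        cert = signature.GetPdfObject().GetAsArray(PdfName.Cert).GetAsString(0);
                    }
                    pk = new PdfPKCS7(contents, cert.GetValueBytes());
                }
                else
                {
                    pk = new PdfPKCS7(contents, sub);
                }
                // Point the digest calculation at the /ByteRange the signature claims; whether that range
                // covers the whole revision is deliberately not decided here (see SignatureCoversWholeDocument).
                UpdateByteRange(pk, signature);
                PdfString date = signature.GetDate();
                if (date != null)
                {
                    pk.SetSignDate(PdfDate.Decode(date.ToString()));
                }
                String signName = signature.GetName();
                pk.SetSignName(signName);
                String reason = signature.GetReason();
                if (reason != null)
                {
                    pk.SetReason(reason);
                }
                String location = signature.GetLocation();
                if (location != null)
                {
                    pk.SetLocation(location);
                }
                return(pk);
            }
            catch (Exception e) {
                // Any parsing failure (including a null /SubFilter or /Cert) surfaces as a single PdfException.
                throw new PdfException(e);
            }
        }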
        /// <summary>
        /// Reads one issuer DN attribute from an encoded X.509 certificate.
        /// </summary>
        /// <param name="cert">Encoded certificate bytes handed to the BouncyCastle certificate parser.</param>
        /// <param name="field">Issuer DN attribute key as understood by <c>PdfPKCS7.GetIssuerFields</c>, e.g. "CN" or "O".</param>
        /// <returns>The attribute value, or <see cref="string.Empty"/> when the parser yields no certificate.</returns>
        static public string GetIssuerFields(byte[] cert, string field)
        {
            var parser = new Org.BouncyCastle.X509.X509CertificateParser();
            Org.BouncyCastle.X509.X509Certificate parsed = parser.ReadCertificate(cert);

            if (parsed == null)
            {
                return string.Empty;
            }

            // Only the issuer name is read out; nothing here verifies that the issuer actually signed the certificate.
            return PdfPKCS7.GetIssuerFields(parsed).GetField(field);
        }
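        /// <summary>
        /// Checks each listed signature field: signature integrity and authenticity first, then the certificates behind it.
        /// </summary>
        /// <param name="signUtil">Signature reader for the document under verification.</param>
        /// <param name="names">Signature field names to check.</param>
        /// <remarks>
        /// <c>VerifySignatureIntegrityAndAuthenticity</c> proves that the signature value matches the signed
        /// byte range and the signing certificate. It does not prove that the signature covers the current
        /// document revision (<c>SignatureUtil.SignatureCoversWholeDocument</c>), nor chain trust or revocation;
        /// <c>VerifyCertificates</c> is presumably where the latter happen.
        /// </remarks>
        private void VerifySignatures(SignatureUtil signUtil, IList <String> names)
        {
            foreach (String name in names)
            {
                PdfPKCS7 pkcs7 = signUtil.ReadSignatureData(name);

                // ReadSignatureData returns null when the field carries no signature dictionary; report that
                // as a verification error instead of failing the whole run with a NullReferenceException.
                if (pkcs7 == null)
                {
                    AddError(String.Format("\"{0}\" signature data could not be read\n", name));
                    continue;
                }

                // verify signature integrity
                if (!pkcs7.VerifySignatureIntegrityAndAuthenticity())
                {
                    AddError(String.Format("\"{0}\" signature integrity is invalid\n", name));
                }

                VerifyCertificates(pkcs7);
            }
        }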
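	    /// <summary>
	    /// Prints the revocation evidence embedded in the signature for <paramref name="signCert"/>: the
	    /// embedded OCSP response is tried first and the embedded CRLs only when OCSP yields nothing.
	    /// </summary>
	    /// <param name="pkcs7">Parsed signature; its embedded OCSP response and CRLs are the only sources consulted.</param>
	    /// <param name="signCert">Certificate whose revocation status is checked.</param>
	    /// <param name="issuerCert">Issuer of <paramref name="signCert"/>, handed to the verifiers to validate the evidence.</param>
	    /// <param name="date">Point in time at which the status must hold (typically the signing or timestamp date).</param>
	    /// <remarks>
	    /// Nothing here establishes trust in <paramref name="issuerCert"/>; the caller must have validated the
	    /// chain to a trust anchor beforehand. An empty result means "no usable evidence", not "revoked", and
	    /// any exception the verifiers throw is not caught here.
	    /// </remarks>
	    public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date) {
		    List<BasicOcspResp> ocsps = new List<BasicOcspResp>();
		    if (pkcs7.Ocsp != null)
			    ocsps.Add(pkcs7.Ocsp);
		    OcspVerifier ocspVerifier = new OcspVerifier(null, ocsps);
		    List<VerificationOK> verification =
			    ocspVerifier.Verify(signCert, issuerCert, date);
		    if (verification.Count == 0) {
			    List<X509Crl> crls = new List<X509Crl>();
			    if (pkcs7.CRLs != null)
				    foreach (X509Crl crl in pkcs7.CRLs)
					    crls.Add(crl);
			    // Only consult the CRL verifier when there is actually a CRL to check, matching the bool overload.
			    if (crls.Count > 0) {
				    CrlVerifier crlVerifier = new CrlVerifier(null, crls);
				    verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
			    }
		    }
		    if (verification.Count == 0)
			    Console.WriteLine("The signing certificate couldn't be verified");
		    else
			    foreach (VerificationOK v in verification)
				    Console.WriteLine(v);
	    }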
        /// <summary>
        /// Reports whether the signature carries usable revocation evidence for <paramref name="signCert"/>.
        /// </summary>
        /// <param name="pkcs7">Parsed signature; only its embedded OCSP response and CRLs are consulted.</param>
        /// <param name="signCert">Certificate whose revocation status is checked.</param>
        /// <param name="issuerCert">Issuer of <paramref name="signCert"/>, handed to the verifiers to validate the evidence.</param>
        /// <param name="date">Point in time at which the status must hold.</param>
        /// <returns>
        /// <c>true</c> when the embedded OCSP response, or failing that the embedded CRLs, produced at least one
        /// verification result (each result is printed); <c>false</c> when no evidence could be used.
        /// </returns>
        /// <remarks>
        /// <c>false</c> means "no evidence", not "revoked". Trust in <paramref name="issuerCert"/> is assumed, not
        /// checked, and exceptions thrown by the verifiers propagate to the caller.
        /// </remarks>
        private static bool CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
            if (pkcs7.Ocsp != null)
            {
                embeddedOcsp.Add(pkcs7.Ocsp);
            }
            List<VerificationOK> evidence = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

            // CRLs are a fallback: only consulted when OCSP produced nothing and at least one CRL is embedded.
            if (evidence.Count == 0)
            {
                List<X509Crl> embeddedCrls = new List<X509Crl>();
                if (pkcs7.CRLs != null)
                {
                    foreach (X509Crl crl in pkcs7.CRLs)
                    {
                        embeddedCrls.Add(crl);
                    }
                }
                if (embeddedCrls.Count > 0)
                {
                    evidence.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
                }
            }

            if (evidence.Count == 0)
            {
                return false;
            }
            foreach (VerificationOK result in evidence)
            {
                Console.WriteLine(result);
            }
            return true;
        }