// This function is called by the Index method (see above). It contains examples of signature validation parameters. private static void setValidationParameters(PadesSignatureExplorer sigExplorer, int caseNumber) { switch (caseNumber) { /* * Example #1: accept any PAdES signature as long as the signer has an ICP-Brasil certificate (RECOMMENDED) * * These parameters will only accept signatures made with ICP-Brasil certificates that comply with the * minimal security features defined in the PAdES standard (ETSI TS 102 778). The signatures need not, however, * follow the extra requirements defined in the ICP-Brasil signature policy documentation (DOC-ICP-15.03). * * These are the recommended parameters for ICP-Brasil, since the PAdES policies, released on 2016-06-01, * are still in adoption phase by most implementors. */ case 1: // By omitting the accepted policies catalog and defining a default policy, we're telling Rest PKI to validate // all signatures in the file with the default policy -- even signatures with an explicit signature policy. sigExplorer.AcceptableExplicitPolicies = null; sigExplorer.DefaultSignaturePolicyId = StandardPadesSignaturePolicies.Basic; // The PAdES Basic policy requires us to choose a security context sigExplorer.SecurityContextId = StandardSecurityContexts.PkiBrazil; break; /* * Example #2: accept only 100%-compliant ICP-Brasil signatures */ case 2: // By specifying a catalog of acceptable policies and omitting the default signature policy, we're telling Rest PKI // that only the policies in the catalog should be accepted sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilPades(); sigExplorer.DefaultSignaturePolicyId = null; break; /* * Example #3: accept any PAdES signature as long as the signer is trusted by Windows * * Same case as example #1, but using the WindowsServer trust arbitrator */ case 3: sigExplorer.AcceptableExplicitPolicies = null; sigExplorer.DefaultSignaturePolicyId = StandardPadesSignaturePolicies.Basic; sigExplorer.SecurityContextId = StandardSecurityContexts.WindowsServer; break; /* * Example #4: accept only 100%-compliant ICP-Brasil signatures that provide signer certificate protection. * * "Signer certificate protection" means that a signature keeps its validity even after the signer certificate * is revoked or expires. On ICP-Brasil, this translates to policies AD-RT and up (not AD-RB). */ case 4: sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilPadesWithSignerCertificateProtection(); sigExplorer.DefaultSignaturePolicyId = null; break; } }
// GET: CheckCadesRest?c={id} public ActionResult Index(string c) { // On PrinterFriendlyVersionController, we stored the unformatted version of the verification // code (without hyphens) but used the formatted version (with hiphens) on the printer-friendly // PDF. Now, we remove the hyphens before looking it up. var verificationCode = AlphaCode.Parse(c); // Get document associated with verification code. var fileId = StorageMock.LookupVerificationCode(verificationCode); if (fileId == null) { // Invalid code give! // Small delay to slow down brute-force attacks (if you want to be extra careful you might // want to add a CAPTCHA to the process). Thread.Sleep(TimeSpan.FromSeconds(2)); // Return Not Found return(HttpNotFound()); } // Read document from storage. var fileContent = StorageMock.Read(fileId); // Get an instance of the CadesSignatureExplorer class, used to open/validate CAdES signatures. var sigExplorer = new CadesSignatureExplorer(Util.GetRestPkiClient()) { // Specify that we want to validate the signatures in the file, not only inspect them. Validate = true, // Specify the parameters for the signature validation: // Full compliance with ICP-Brasil as long as the signer has an ICP-Brasil certificate. AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades(), // Specify the security context to be used to determine trust in the certificate chain. We // have encapsulated the security context choice on Util.cs. SecurityContextId = Util.GetSecurityContextId() }; // Set the CAdES file. sigExplorer.SetSignatureFile(fileContent); // Call the Open() method, which returns the signature file's information. var signature = sigExplorer.Open(); // Render the information (see file Check/Index.html for more information on // the information returned). return(View(new OpenCadesSignatureModel() { Signature = signature, File = fileId })); }
public async Task <ActionResult> Index(string userfile) { // Our action only works if a userfile is given to work with. string userfilePath; if (!StorageMock.TryGetFile(userfile, out userfilePath)) { return(HttpNotFound()); } // Get an instance of the CadesSignatureExplorer class, used to open/validate CAdES // signatures. var sigExplorer = new CadesSignatureExplorer(Util.GetRestPkiClient()) { // Specify that we want to validate the signatures in the file, not only inspect them. Validate = true, // Specify the parameters for the signature validation: // Full compliance with ICP-Brasil as long as the signer has an ICP-Brasil certificate. AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades(), // Specify the security context to be used to determine trust in the certificate chain. We // have encapsulated the security context choice on Util.cs. SecurityContextId = Util.GetSecurityContextId(), }; // Set the CAdES signature file. sigExplorer.SetSignatureFile(userfilePath); // Call the OpenAndExtractContent() method, which returns the signature file's information and the encapsulated content. var data = await sigExplorer.OpenAndExtractContentAsync(); var signature = data.Signature; var encapsulatedContent = data.Signature.HasEncapsulatedContent ? data.EncapsulatedContent : null; // Render the information (see file OpenCadesSignature/Index.html for more information on // the information returned). return(View(new OpenCadesSignatureModel() { Signature = signature, // WARNING: this sample always consider the encapsulated content type as pdf, so the downloadable file uses pdf extension File = encapsulatedContent != null ? StorageMock.Store(encapsulatedContent.GetContent(), ".pdf") : "" })); }
// This function is called by the Index method (see above). It contains examples of signature validation parameters. private static void setValidationParameters(CadesSignatureExplorer sigExplorer, int caseNumber) { switch (caseNumber) { /* * Example #1: accept only 100%-compliant ICP-Brasil signatures */ case 1: // By specifying a catalog of acceptable policies and omitting the default signature policy, we're telling Rest PKI // that only the policies in the catalog should be accepted sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCades(); sigExplorer.DefaultSignaturePolicyId = null; break; /* * Example #2: accept any CAdES signature as long as the signer has an ICP-Brasil certificate * * These parameters will only accept signatures made with ICP-Brasil certificates that comply with the * minimal security features defined in the CAdES standard (ETSI TS 101 733). The signatures need not, however, * follow the extra requirements defined in the ICP-Brasil signature policy documentation (DOC-ICP-15.03). * * These parameters are less restrictive than the parameters from example #1 */ case 2: // By omitting the accepted policies catalog and defining a default policy, we're telling Rest PKI to validate // all signatures in the file with the default policy -- even signatures with an explicit signature policy. sigExplorer.AcceptableExplicitPolicies = null; sigExplorer.DefaultSignaturePolicyId = StandardCadesSignaturePolicies.CadesBes; // The CadesBes policy requires us to choose a security context sigExplorer.SecurityContextId = StandardSecurityContexts.PkiBrazil; break; /* * Example #3: accept any CAdES signature as long as the signer is trusted by Windows * * Same case as example #2, but using the WindowsServer trust arbitrator */ case 3: sigExplorer.AcceptableExplicitPolicies = null; sigExplorer.DefaultSignaturePolicyId = StandardCadesSignaturePolicies.CadesBes; sigExplorer.SecurityContextId = StandardSecurityContexts.WindowsServer; break; /* * Example #4: accept only 100%-compliant ICP-Brasil signatures that provide signer certificate protection. * * "Signer certificate protection" means that a signature keeps its validity even after the signer certificate * is revoked or expires. On ICP-Brasil, this translates to policies AD-RT and up (but not AD-RB). */ case 4: sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCadesWithSignerCertificateProtection(); sigExplorer.DefaultSignaturePolicyId = null; break; /* * Example #5: accept only 100%-compliant ICP-Brasil signatures that provide CA certificate protection (besides signer * certificate protection). * * "CA certificate protection" means that a signature keeps its validity even after either the signer certificate or * its Certification Authority (CA) certificate expires or is revoked. On ICP-Brasil, this translates to policies * AD-RC/AD-RV and up (but not AD-RB nor AD-RT). */ case 5: sigExplorer.AcceptableExplicitPolicies = SignaturePolicyCatalog.GetPkiBrazilCadesWithCACertificateProtection(); sigExplorer.DefaultSignaturePolicyId = null; break; } }