public void TestSha1WithRsa()
{
    // Sign-then-compress round trip: the CMS CompressedData is the signed
    // content, so the verifier is handed the compressed bytes as detached
    // content and the expected digest is taken over those bytes, not the
    // plaintext. SHA-1 is exercised for legacy support only; it is not a
    // suitable digest for new signatures.
    IList signerCerts = new ArrayList();
    signerCerts.Add(OrigCert);
    signerCerts.Add(SignCert);

    IList revocationLists = new ArrayList();
    revocationLists.Add(SignCrl);
    revocationLists.Add(OrigCrl);

    IX509Store certStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(signerCerts));
    IX509Store crlStore = X509StoreFactory.Create(
        "CRL/Collection",
        new X509CollectionStoreParameters(revocationLists));

    CmsSignedDataStreamGenerator signedGen = new CmsSignedDataStreamGenerator();
    signedGen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    signedGen.AddCertificates(certStore);
    signedGen.AddCrls(crlStore);

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    CmsCompressedDataStreamGenerator compressedGen = new CmsCompressedDataStreamGenerator();

    // Signature over the compressed payload; the content itself is supplied
    // separately to the parser below.
    MemoryStream signedOut = new MemoryStream();
    Stream signingStream = signedGen.Open(signedOut);
    Stream compressing = compressedGen.Open(signingStream, CmsCompressedDataStreamGenerator.ZLib);
    compressing.Write(payload, 0, payload.Length);
    compressing.Close();
    signingStream.Close();

    byte[] signature = signedOut.ToArray();
    CheckSigParseable(signature);

    // Re-create the compressed content on its own so it can be handed over as
    // the detached content; this relies on the compressor producing the same
    // bytes for the same input.
    MemoryStream compressedOut = new MemoryStream();
    compressing = compressedGen.Open(compressedOut, CmsCompressedDataStreamGenerator.ZLib);
    compressing.Write(payload, 0, payload.Length);
    compressing.Close();
    byte[] compressedBytes = compressedOut.ToArray();

    CmsSignedDataParser parser = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(compressedBytes, false)), signature);
    parser.GetSignedContent().Drain();

    // Expected content digest is over the compressed bytes.
    IDigest digest = DigestUtilities.GetDigest("SHA1");
    digest.BlockUpdate(compressedBytes, 0, compressedBytes.Length);
    byte[] expectedDigest = DigestUtilities.DoFinal(digest);

    VerifySignatures(parser, expectedDigest);
}
/// <summary>
/// Verify the digital signatures of the specified content using the detached signatureData.
/// </summary>
/// <remarks>
/// The content stream is drained through the parser before the signer information is
/// examined. The returned collection describes each signer found in
/// <paramref name="signatureData"/>; see <c>GetDigitalSignatures</c> for how signer
/// certificates and certificate chains are resolved.
/// </remarks>
/// <returns>A list of the digital signatures.</returns>
/// <param name="content">The content.</param>
/// <param name="signatureData">The detached signature data.</param>
/// <exception cref="System.ArgumentNullException">
/// <para><paramref name="content"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="signatureData"/> is <c>null</c>.</para>
/// </exception>
/// <exception cref="Org.BouncyCastle.Cms.CmsException">
/// An error occurred in the cryptographic message syntax subsystem.
/// </exception>
public override DigitalSignatureCollection Verify (Stream content, Stream signatureData)
{
    if (content == null)
        throw new ArgumentNullException ("content");
    if (signatureData == null)
        throw new ArgumentNullException ("signatureData");

    var typedContent = new CmsTypedStream (content);
    var parser = new CmsSignedDataParser (typedContent, signatureData);

    // Consume the content so the parser has seen all of it before signers are read.
    parser.GetSignedContent ().Drain ();

    return GetDigitalSignatures (parser);
}
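/// <summary>
/// Build one <see cref="IDigitalSignature"/> entry for every signer in a parsed CMS SignedData.
/// </summary>
/// <remarks>
/// Every certificate and CRL carried in the message is first handed to <c>Import</c>. These
/// are message-supplied (and therefore signer-controlled) objects; Import is assumed to only
/// make them available for later lookup such as path building, not to add them as trust
/// anchors — confirm against the certificate/CRL Import overloads before relying on that.
/// The signing time is taken from the signer's own signed attribute, so it is a claim made by
/// the signer rather than an independent timestamp; the certificate path is built as of that
/// claimed time.
/// </remarks>
/// <param name="parser">The parser whose signed content has already been drained.</param>
/// <returns>The digital signatures, one per SignerInfo in the message.</returns>
DigitalSignatureCollection GetDigitalSignatures (CmsSignedDataParser parser)
{
    var certificates = parser.GetCertificates ("Collection");
    var crls = parser.GetCrls ("Collection");
    var store = parser.GetSignerInfos ();
    var signatures = new List<IDigitalSignature> ();

    foreach (X509Certificate certificate in certificates.GetMatches (null))
        Import (certificate);

    foreach (X509Crl crl in crls.GetMatches (null))
        Import (crl);

    foreach (SignerInformation signerInfo in store.GetSigners ()) {
        var certificate = GetCertificate (certificates, signerInfo.SignerID);
        var signature = new SecureMimeDigitalSignature (signerInfo);
        DateTime? signedDate = null;

        if (signerInfo.SignedAttributes != null) {
            Asn1EncodableVector vector = signerInfo.SignedAttributes.GetAll (CmsAttributes.SigningTime);

            foreach (Org.BouncyCastle.Asn1.Cms.Attribute attr in vector) {
                // RFC 5652 SigningTime is a CHOICE of UTCTime or GeneralizedTime.
                // Time.GetInstance accepts both; a direct DerUtcTime cast would throw
                // InvalidCastException on a message that uses GeneralizedTime.
                var signingTime = Org.BouncyCastle.Asn1.Cms.Time.GetInstance (attr.AttrValues[0]);
                signature.CreationDate = signingTime.Date;
                signedDate = signature.CreationDate;
                break;
            }
        }

        if (certificate != null)
            signature.SignerCertificate = new SecureMimeDigitalCertificate (certificate);

        var anchors = GetTrustedAnchors ();

        try {
            signature.Chain = BuildCertPath (anchors, certificates, crls, certificate, signedDate);
        } catch (Exception ex) {
            // A path-building failure is recorded on the signature rather than thrown so
            // that the remaining signers are still returned; callers must inspect ChainException.
            signature.ChainException = ex;
        }

        signatures.Add (signature);
    }

    return new DigitalSignatureCollection (signatures);
}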
public void TestCertOrdering2()
{
    // The certificate set is expected to come back from the parser in the
    // order it was supplied (SignCert before OrigCert here).
    IX509Store certStore = CmsTestUtil.MakeCertStore(SignCert, OrigCert);

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);

    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, true);
    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();

    ArrayList parsedCerts = new ArrayList(parser.GetCertificates("Collection").GetMatches(null));
    Assert.AreEqual(2, parsedCerts.Count);
    Assert.AreEqual(SignCert, parsedCerts[0]);
    Assert.AreEqual(OrigCert, parsedCerts[1]);
}
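/// <summary>
/// Checks that every SignerInfo in the parsed message verifies against the certificate the
/// message itself carries for that signer.
/// </summary>
/// <remarks>
/// This is a signature-correctness check only: <c>signer.Verify(cert)</c> is given a
/// certificate taken from the message's own certificate set, so nothing here establishes
/// that the certificate is trusted, within its validity period or unrevoked. Code that needs
/// trust must build and validate a certificate path separately.
/// </remarks>
/// <param name="sp">Parser whose signed content has already been drained.</param>
private void VerifySignatures(CmsSignedDataParser sp)
{
    IX509Store certStore = sp.GetCertificates("Collection");
    SignerInformationStore signerStore = sp.GetSignerInfos();

    foreach (SignerInformation signer in signerStore.GetSigners())
    {
        ICollection matches = certStore.GetMatches(signer.SignerID);
        IEnumerator matchEnum = matches.GetEnumerator();

        // Fail with a clear message instead of an obscure exception from Current
        // (or a null certificate handed to Verify) when no certificate matches.
        Assert.IsTrue(matchEnum.MoveNext(), "no certificate in the message matches the signer");

        X509Certificate signerCert = (X509Certificate)matchEnum.Current;
        Assert.IsTrue(signer.Verify(signerCert));
    }
}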
public void TestWithAttributeCertificate()
{
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
    gen.AddCertificates(CmsTestUtil.MakeCertStore(SignCert));

    IX509AttributeCertificate attrCert = CmsTestUtil.GetAttributeCertificate();
    gen.AddAttributeCertificates(CmsTestUtil.MakeAttrCertStore(attrCert));

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();

    // With an attribute certificate present the SignedData version is expected
    // to be 4 (RFC 5652 section 5.1 version rules).
    Assert.AreEqual(4, parser.Version);

    ArrayList found = new ArrayList(parser.GetAttributeCertificates("Collection").GetMatches(null));
    Assert.AreEqual(1, found.Count);
    Assert.IsTrue(found.Contains(attrCert));
}
public void TestEncapsulatedCertStoreReplacement()
{
    // Sign with OrigCert but deliberately embed an unrelated certificate
    // (OrigDsaCert), then swap in the right certificate set afterwards.
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(CmsTestUtil.MakeCertStore(OrigDsaCert));

    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, true);
    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    // Replace the embedded certificates with the ones that belong to the signer.
    // The SignerInfos are untouched: the certificate set is not covered by the
    // signatures, which is why the swapped message still verifies below — and
    // why a verifier must not treat embedded certificates as authenticated.
    IX509Store correctCerts = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    MemoryStream source = new MemoryStream(encoded.ToArray(), false);
    MemoryStream replaced = new MemoryStream();
    CmsSignedDataParser.ReplaceCertificatesAndCrls(source, correctCerts, null, null, replaced);

    CmsSignedDataParser parser = new CmsSignedDataParser(replaced.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
/// <summary>
/// Verifies each signer's signature against the certificate the message carries for it,
/// without checking the content digest (see the two-argument overload).
/// </summary>
/// <param name="sp">Parser whose signed content has already been drained.</param>
private void VerifySignatures(CmsSignedDataParser sp)
{
    byte[] noExpectedDigest = null;
    VerifySignatures(sp, noExpectedDigest);
}
/// <summary>
/// Re-parses the encoded (encapsulated) SignedData held in <paramref name="bOut"/> and
/// verifies every signer against the certificates carried in the message.
/// </summary>
/// <param name="bOut">Buffer holding a complete encoded SignedData.</param>
private void VerifyEncodedData(MemoryStream bOut)
{
    byte[] encoded = bOut.ToArray();
    CmsSignedDataParser parser = new CmsSignedDataParser(encoded);

    // The encapsulated content is consumed before signer information is examined.
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);

    parser.Close();
}
public void TestSha1AndMD5WithRsa()
{
    // Two signers over the same content with different digests. The digest
    // algorithms are registered before the content is streamed so that the
    // signers can still be attached after the data has been written.
    // MD5 is exercised only for legacy multi-digest handling; it is broken for
    // collision resistance and must not be used for new signatures.
    IList certList = new ArrayList();
    certList.Add(OrigCert);
    certList.Add(SignCert);
    IX509Store certStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(certList));

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddDigests(CmsSignedDataStreamGenerator.DigestSha1, CmsSignedDataStreamGenerator.DigestMD5);

    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded);
    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(payload, 0, payload.Length);

    gen.AddCertificates(certStore);
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestMD5);
    sigOut.Close();

    byte[] signature = encoded.ToArray();
    CheckSigParseable(signature);

    CmsSignedDataParser parser = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(payload, false)), signature);
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
public void TestSignerStoreReplacement()
{
    byte[] data = Encoding.ASCII.GetBytes(TestMessage);

    IList certList = new ArrayList();
    certList.Add(OrigCert);
    certList.Add(SignCert);
    IX509Store certStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(certList));

    // Detached SHA-1 signature over the message.
    MemoryStream encoded = new MemoryStream();
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);
    Stream sigOut = gen.Open(encoded, false);
    sigOut.Write(data, 0, data.Length);
    sigOut.Close();
    CheckSigParseable(encoded.ToArray());

    MemoryStream original = new MemoryStream(encoded.ToArray(), false);

    // A second signature over the same data, this time with SHA-224, reusing
    // the output buffer.
    encoded.SetLength(0);
    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
    gen.AddCertificates(certStore);
    sigOut = gen.Open(encoded);
    sigOut.Write(data, 0, data.Length);
    sigOut.Close();
    CheckSigParseable(encoded.ToArray());

    CmsSignedData sha224Signed = new CmsSignedData(encoded.ToArray());

    // Move the SHA-224 signer into the original message and check it is the
    // one that comes back.
    MemoryStream replaced = new MemoryStream();
    CmsSignedDataParser.ReplaceSigners(original, sha224Signed.GetSignerInfos(), replaced);

    CmsSignedData result = new CmsSignedData(new CmsProcessableByteArray(data), replaced.ToArray());
    IEnumerator signerEnum = result.GetSignerInfos().GetSigners().GetEnumerator();
    signerEnum.MoveNext();
    SignerInformation signer = (SignerInformation) signerEnum.Current;
    Assert.AreEqual(signer.DigestAlgOid, CmsSignedDataStreamGenerator.DigestSha224);

    CmsSignedDataParser parser = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(data, false)), replaced.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
public void TestSha1WithRsaNonData()
{
    // Encapsulated content with a non-"data" content type OID: the parser is
    // expected to report the OID unchanged, and the content digest is still
    // computed over the raw bytes.
    IList certList = new ArrayList();
    certList.Add(OrigCert);
    certList.Add(SignCert);
    IList crlList = new ArrayList();
    crlList.Add(SignCrl);
    crlList.Add(OrigCrl);

    IX509Store certStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(certList));
    IX509Store crlStore = X509StoreFactory.Create(
        "CRL/Collection",
        new X509CollectionStoreParameters(crlList));

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);
    gen.AddCrls(crlStore);

    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, "1.2.3.4", true);
    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    CmsTypedStream content = parser.GetSignedContent();
    Assert.AreEqual("1.2.3.4", content.ContentType);
    content.Drain();

    // Expected content digest over the payload bytes.
    IDigest digest = DigestUtilities.GetDigest("SHA1");
    digest.BlockUpdate(payload, 0, payload.Length);
    byte[] expectedDigest = DigestUtilities.DoFinal(digest);

    VerifySignatures(parser, expectedDigest);
}
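public void TestSha1WithRsa()
{
    // Detached SHA-1 signature carrying certificates and CRLs, round-tripped
    // through the parser, re-emitted from the parsed signer set, and checked
    // again. SHA-1 is exercised for legacy support only; it is not a suitable
    // digest for new signatures.
    IList certList = new ArrayList();
    IList crlList = new ArrayList();
    MemoryStream bOut = new MemoryStream();

    certList.Add(OrigCert);
    certList.Add(SignCert);
    crlList.Add(SignCrl);
    crlList.Add(OrigCrl);

    IX509Store x509Certs = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(certList));
    IX509Store x509Crls = X509StoreFactory.Create(
        "CRL/Collection",
        new X509CollectionStoreParameters(crlList));

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(x509Certs);
    gen.AddCrls(x509Crls);

    Stream sigOut = gen.Open(bOut);
    byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(testBytes, 0, testBytes.Length);
    sigOut.Close();

    CheckSigParseable(bOut.ToArray());

    CmsSignedDataParser sp = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray());
    sp.GetSignedContent().Drain();

    //
    // compute expected content digest
    //
    IDigest md = DigestUtilities.GetDigest("SHA1");
    md.BlockUpdate(testBytes, 0, testBytes.Length);
    byte[] hash = DigestUtilities.DoFinal(md);

    VerifySignatures(sp, hash);

    //
    // try using existing signer
    //
    IX509Store parsedCrls = sp.GetCrls("Collection");

    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigners(sp.GetSignerInfos());
    gen.AddCertificates(sp.GetCertificates("Collection"));
    gen.AddCrls(parsedCrls);

    bOut.SetLength(0);
    sigOut = gen.Open(bOut, true);
    sigOut.Write(testBytes, 0, testBytes.Length);
    sigOut.Close();

    VerifyEncodedData(bOut);

    //
    // look for the CRLs in the parsed message
    //
    // This has to inspect the CRL store read back from the parser. Looking at
    // the input store (x509Crls) would only confirm what this test put in and
    // say nothing about what the message actually carries.
    ArrayList col = new ArrayList(parsedCrls.GetMatches(null));
    Assert.AreEqual(2, col.Count);
    Assert.IsTrue(col.Contains(SignCrl));
    Assert.IsTrue(col.Contains(OrigCrl));
}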
public void TestCertStoreReplacement()
{
    // Detached signature produced with the wrong certificate (OrigDsaCert)
    // embedded; the correct set is swapped in afterwards. Because the
    // certificate set is not covered by the signature the message still
    // verifies — which is exactly why a verifier must not trust embedded
    // certificates without building a path to an anchor of its own.
    byte[] data = Encoding.ASCII.GetBytes(TestMessage);

    IList wrongCerts = new ArrayList();
    wrongCerts.Add(OrigDsaCert);
    IX509Store wrongStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(wrongCerts));

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(wrongStore);

    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded);
    sigOut.Write(data, 0, data.Length);
    sigOut.Close();
    CheckSigParseable(encoded.ToArray());

    IList rightCerts = new ArrayList();
    rightCerts.Add(OrigCert);
    rightCerts.Add(SignCert);
    IX509Store rightStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(rightCerts));

    MemoryStream source = new MemoryStream(encoded.ToArray(), false);
    MemoryStream replaced = new MemoryStream();
    CmsSignedDataParser.ReplaceCertificatesAndCrls(source, rightStore, null, null, replaced);

    CmsSignedDataParser parser = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(data, false)), replaced.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
public void TestSha1WithRsaEncapsulatedSubjectKeyID()
{
    // Signer identified by subjectKeyIdentifier rather than issuer and serial.
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    byte[] subjectKeyId = CmsTestUtil.CreateSubjectKeyId(OrigCert.GetPublicKey()).GetKeyIdentifier();

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, subjectKeyId, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);

    // The message-digest signed attribute is expected to hold exactly the digest
    // the generator computed while streaming the content.
    byte[] generatedDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1];
    ArrayList signers = new ArrayList(parser.GetSignerInfos().GetSigners());
    AttributeTable signedAttrs = ((SignerInformation) signers[0]).SignedAttributes;
    Asn1.Cms.Attribute messageDigestAttr = signedAttrs[CmsAttributes.MessageDigest];
    byte[] attrDigest = ((Asn1OctetString)messageDigestAttr.AttrValues[0]).GetOctets();
    Assert.IsTrue(Arrays.AreEqual(generatedDigest, attrDigest));

    // Re-emit the message from the parsed signer and certificate sets.
    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigners(parser.GetSignerInfos());
    gen.AddCertificates(parser.GetCertificates("Collection"));

    encoded.SetLength(0);
    sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedData reEmitted = new CmsSignedData(new CmsProcessableByteArray(payload), encoded.ToArray());
    Assert.AreEqual(1, reEmitted.GetSignerInfos().GetSigners().Count);

    VerifyEncodedData(encoded);
}
/// <summary>
/// Parses an encoded SignedData end to end to make sure every part of it can be read;
/// the values are discarded, this only checks that parsing does not throw.
/// </summary>
/// <param name="sig">Encoded SignedData, detached or encapsulated.</param>
private void CheckSigParseable(byte[] sig)
{
    CmsSignedDataParser parser = new CmsSignedDataParser(sig);
    parser.Version.ToString();

    // A detached signature carries no encapsulated content, so there is nothing to drain.
    CmsTypedStream content = parser.GetSignedContent();
    if (content != null)
        content.Drain();

    parser.GetAttributeCertificates("Collection");
    parser.GetCertificates("Collection");
    parser.GetCrls("Collection");
    parser.GetSignerInfos();

    parser.Close();
}
public void TestAttributeGenerators()
{
    // Custom signed/unsigned attribute generators: the signed table is expected
    // to carry the content digest under dummyOid1 and the unsigned table the
    // signature value under dummyOid2 (checked via CheckAttribute below).
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    CmsAttributeTableGenerator signedAttrGen = new SignedGenAttributeTableGenerator();
    CmsAttributeTableGenerator unsignedAttrGen = new UnsignedGenAttributeTableGenerator();

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1, signedAttrGen, unsignedAttrGen);
    gen.AddCertificates(certStore);

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);

    foreach (SignerInformation signer in parser.GetSignerInfos().GetSigners())
    {
        CheckAttribute(signer.GetContentDigest(), signer.SignedAttributes[dummyOid1]);
        CheckAttribute(signer.GetSignature(), signer.UnsignedAttributes[dummyOid2]);
    }
}
public void TestSha1EncapsulatedSignature()
{
    // Fixed encapsulated SignedData fixture. VerifySignatures only checks that
    // each signature is valid for the certificate the message itself carries;
    // the embedded certificates appear to be from 2005 (and MD5-with-RSA
    // signed), so this fixture would not pass any validity or trust check,
    // and none is made here.
    string encoded =
        "MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH" +
        "AaCAJIAEDEhlbGxvIFdvcmxkIQAAAAAAAKCCBGIwggINMIIBdqADAgECAgEF" +
        "MA0GCSqGSIb3DQEBBAUAMCUxFjAUBgNVBAoTDUJvdW5jeSBDYXN0bGUxCzAJ" +
        "BgNVBAYTAkFVMB4XDTA1MDgwNzA2MjU1OVoXDTA1MTExNTA2MjU1OVowJTEW" +
        "MBQGA1UEChMNQm91bmN5IENhc3RsZTELMAkGA1UEBhMCQVUwgZ8wDQYJKoZI" +
        "hvcNAQEBBQADgY0AMIGJAoGBAI1fZGgH9wgC3QiK6yluH6DlLDkXkxYYL+Qf" +
        "nVRszJVYl0LIxZdpb7WEbVpO8fwtEgFtoDsOdxyqh3dTBv+L7NVD/v46kdPt" +
        "xVkSNHRbutJVY8Xn4/TC/CDngqtbpbniMO8n0GiB6vs94gBT20M34j96O2IF" +
        "73feNHP+x8PkJ+dNAgMBAAGjTTBLMB0GA1UdDgQWBBQ3XUfEE6+D+t+LIJgK" +
        "ESSUE58eyzAfBgNVHSMEGDAWgBQ3XUfEE6+D+t+LIJgKESSUE58eyzAJBgNV" +
        "HRMEAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFK3r1stYOeXYJOlOyNGDTWEhZ+a" +
        "OYdFeFaS6c+InjotHuFLAy+QsS8PslE48zYNFEqYygGfLhZDLlSnJ/LAUTqF" +
        "01vlp+Bgn/JYiJazwi5WiiOTf7Th6eNjHFKXS3hfSGPNPIOjvicAp3ce3ehs" +
        "uK0MxgLAaxievzhFfJcGSUMDMIICTTCCAbagAwIBAgIBBzANBgkqhkiG9w0B" +
        "AQQFADAlMRYwFAYDVQQKEw1Cb3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVTAe" +
        "Fw0wNTA4MDcwNjI1NTlaFw0wNTExMTUwNjI1NTlaMGUxGDAWBgNVBAMTD0Vy" +
        "aWMgSC4gRWNoaWRuYTEkMCIGCSqGSIb3DQEJARYVZXJpY0Bib3VuY3ljYXN0" +
        "bGUub3JnMRYwFAYDVQQKEw1Cb3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVTCB" +
        "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgHCJyfwV6/V3kqSu2SOU2E/K" +
        "I+N0XohCMUaxPLLNtNBZ3ijxwaV6JGFz7siTgZD/OGfzir/eZimkt+L1iXQn" +
        "OAB+ZChivKvHtX+dFFC7Vq+E4Uy0Ftqc/wrGxE6DHb5BR0hprKH8wlDS8wSP" +
        "zxovgk4nH0ffUZOoDSuUgjh3gG8CAwEAAaNNMEswHQYDVR0OBBYEFLfY/4EG" +
        "mYrvJa7Cky+K9BJ7YmERMB8GA1UdIwQYMBaAFDddR8QTr4P634sgmAoRJJQT" +
        "nx7LMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEEBQADgYEADIOmpMd6UHdMjkyc" +
        "mIE1yiwfClCsGhCK9FigTg6U1G2FmkBwJIMWBlkeH15uvepsAncsgK+Cn3Zr" +
        "dZMb022mwtTJDtcaOM+SNeuCnjdowZ4i71Hf68siPm6sMlZkhz49rA0Yidoo" +
        "WuzYOO+dggzwDsMldSsvsDo/ARyCGOulDOAxggEvMIIBKwIBATAqMCUxFjAU" +
        "BgNVBAoTDUJvdW5jeSBDYXN0bGUxCzAJBgNVBAYTAkFVAgEHMAkGBSsOAwIa" +
        "BQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP" +
        "Fw0wNTA4MDcwNjI1NTlaMCMGCSqGSIb3DQEJBDEWBBQu973mCM5UBOl9XwQv" +
        "lfifHCMocTANBgkqhkiG9w0BAQEFAASBgGxnBl2qozYKLgZ0ygqSFgWcRGl1" +
        "LgNuE587LtO+EKkgoc3aFqEdjXlAyP8K7naRsvWnFrsB6pUpnrgI9Z8ZSKv8" +
        "98IlpsSSJ0jBlEb4gzzavwcBpYbr2ryOtDcF+kYmKIpScglyyoLzm+KPXOoT" +
        "n7MsJMoKN3Kd2Vzh6s10PFgeAAAAAAAA";

    byte[] encapSigData = Base64.Decode(encoded);

    CmsSignedDataParser parser = new CmsSignedDataParser(encapSigData);
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
public void TestEncapsulatedSignerStoreReplacement()
{
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);

    // Encapsulated SHA-1 signature over the message.
    MemoryStream encoded = new MemoryStream();
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);
    Stream sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    MemoryStream original = new MemoryStream(encoded.ToArray(), false);

    // A second, SHA-224 signature over the same message, reusing the buffer.
    encoded.SetLength(0);
    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
    gen.AddCertificates(certStore);
    sigOut = gen.Open(encoded, true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();
    CmsSignedData sha224Signed = new CmsSignedData(encoded.ToArray());

    // Move the SHA-224 signer into the original message and check it is the
    // one that comes back.
    MemoryStream replaced = new MemoryStream();
    CmsSignedDataParser.ReplaceSigners(original, sha224Signed.GetSignerInfos(), replaced);

    CmsSignedData result = new CmsSignedData(replaced.ToArray());
    IEnumerator signerEnum = result.GetSignerInfos().GetSigners().GetEnumerator();
    signerEnum.MoveNext();
    SignerInformation signer = (SignerInformation) signerEnum.Current;
    Assert.AreEqual(signer.DigestAlgOid, CmsSignedDataStreamGenerator.DigestSha224);

    CmsSignedDataParser parser = new CmsSignedDataParser(replaced.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
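public void TestSha1WithRsa()
{
    // Detached SHA-1 signature carrying certificates and CRLs, round-tripped
    // through the parser, re-emitted from the parsed signer set, and checked
    // again. SHA-1 is exercised for legacy support only; it is not a suitable
    // digest for new signatures.
    MemoryStream bOut = new MemoryStream();
    IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl);

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(x509Certs);
    gen.AddCrls(x509Crls);

    Stream sigOut = gen.Open(bOut);
    byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
    sigOut.Write(testBytes, 0, testBytes.Length);
    sigOut.Close();

    CheckSigParseable(bOut.ToArray());

    CmsSignedDataParser sp = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray());
    sp.GetSignedContent().Drain();

    // compute expected content digest
    byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes);

    VerifySignatures(sp, hash);

    //
    // try using existing signer
    //
    IX509Store parsedCrls = sp.GetCrls("Collection");

    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigners(sp.GetSignerInfos());
    gen.AddCertificates(sp.GetCertificates("Collection"));
    gen.AddCrls(parsedCrls);

    bOut.SetLength(0);
    sigOut = gen.Open(bOut, true);
    sigOut.Write(testBytes, 0, testBytes.Length);
    sigOut.Close();

    VerifyEncodedData(bOut);

    //
    // look for the CRLs in the parsed message
    //
    // This has to inspect the CRL store read back from the parser. Looking at
    // the input store (x509Crls) would only confirm what this test put in and
    // say nothing about what the message actually carries.
    ArrayList col = new ArrayList(parsedCrls.GetMatches(null));
    Assert.AreEqual(2, col.Count);
    Assert.IsTrue(col.Contains(SignCrl));
    Assert.IsTrue(col.Contains(OrigCrl));
}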
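/// <summary>
/// Verifies every signer in the parsed message against the certificate the message carries
/// for it, and optionally checks the content digest each signer recorded.
/// </summary>
/// <param name="sp">Parser whose signed content has already been drained.</param>
/// <param name="contentDigest">Expected content digest, or null to skip the digest check.</param>
/// <remarks>
/// <c>signer.Verify(cert)</c> is given a certificate from the message's own certificate set,
/// so this establishes signature correctness only — not that the certificate chains to a
/// trusted anchor, is within its validity period, or is unrevoked.
/// </remarks>
private void VerifySignatures(CmsSignedDataParser sp, byte[] contentDigest)
{
    IX509Store certStore = sp.GetCertificates("Collection");
    SignerInformationStore signerStore = sp.GetSignerInfos();

    foreach (SignerInformation signer in signerStore.GetSigners())
    {
        IEnumerator matchEnum = certStore.GetMatches(signer.SignerID).GetEnumerator();

        // Fail with a clear message rather than an obscure exception from Current
        // (or a null certificate handed to Verify) when no certificate matches.
        Assert.IsTrue(matchEnum.MoveNext(), "no certificate in the message matches the signer");

        X509Certificate signerCert = (X509Certificate) matchEnum.Current;
        Assert.IsTrue(signer.Verify(signerCert));

        if (contentDigest != null)
            Assert.IsTrue(Arrays.AreEqual(contentDigest, signer.GetContentDigest()));
    }
}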
public void TestSha1WithRsaNonData()
{
    // Encapsulated content with a non-"data" content type OID: the parser is
    // expected to report the OID unchanged, and the content digest is still
    // computed over the raw bytes.
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(CmsTestUtil.MakeCertStore(OrigCert, SignCert));
    gen.AddCrls(CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl));

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded, "1.2.3.4", true);
    sigOut.Write(payload, 0, payload.Length);
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    CmsTypedStream content = parser.GetSignedContent();
    Assert.AreEqual("1.2.3.4", content.ContentType);
    content.Drain();

    byte[] expectedDigest = DigestUtilities.CalculateDigest("SHA1", payload);
    VerifySignatures(parser, expectedDigest);
}
public void TestSignerStoreReplacement()
{
    // ReplaceSigners swaps the SignerInfo set of an existing SignedData for the
    // one from a freshly generated message over the same content (SHA-224
    // instead of SHA-1) and checks the result still parses and verifies.
    CmsProcessable msg = new CmsProcessableByteArray(Encoding.ASCII.GetBytes("Hello World!"));

    IList certList = new ArrayList();
    certList.Add(OrigCert);
    certList.Add(SignCert);
    IX509Store certStore = X509StoreFactory.Create(
        "Certificate/Collection",
        new X509CollectionStoreParameters(certList));

    CmsSignedDataGenerator sha1Gen = new CmsSignedDataGenerator();
    sha1Gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha1);
    sha1Gen.AddCertificates(certStore);
    CmsSignedData original = sha1Gen.Generate(msg, true);

    CmsSignedDataGenerator sha224Gen = new CmsSignedDataGenerator();
    sha224Gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataGenerator.DigestSha224);
    sha224Gen.AddCertificates(certStore);
    CmsSignedData replacement = sha224Gen.Generate(msg, true);

    CmsSignedData sd = CmsSignedData.ReplaceSigners(original, replacement.GetSignerInfos());

    IEnumerator signerEnum = sd.GetSignerInfos().GetSigners().GetEnumerator();
    signerEnum.MoveNext();
    SignerInformation signer = (SignerInformation) signerEnum.Current;
    Assert.AreEqual(CmsSignedDataGenerator.DigestSha224, signer.DigestAlgOid);

    // A parser is used for verification because it requires the digest
    // algorithm set to be correct; a stale digest set would surface here as a
    // null reference.
    CmsSignedDataParser sp = new CmsSignedDataParser(sd.GetEncoded());
    sp.GetSignedContent().Drain();
    VerifySignatures(sp);
}
public void TestSha1AndMD5WithRsa()
{
    // Two signers over the same content with different digests. The digest
    // algorithms are registered before the content is streamed so that the
    // signers can still be attached after the data has been written.
    // MD5 is exercised only for legacy multi-digest handling; it is broken for
    // collision resistance and must not be used for new signatures.
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddDigests(CmsSignedDataStreamGenerator.DigestSha1, CmsSignedDataStreamGenerator.DigestMD5);

    byte[] payload = Encoding.ASCII.GetBytes(TestMessage);
    MemoryStream encoded = new MemoryStream();
    Stream sigOut = gen.Open(encoded);
    sigOut.Write(payload, 0, payload.Length);

    gen.AddCertificates(certStore);
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestMD5);
    sigOut.Close();

    byte[] signature = encoded.ToArray();
    CheckSigParseable(signature);

    CmsSignedDataParser parser = new CmsSignedDataParser(
        new CmsTypedStream(new MemoryStream(payload, false)), signature);
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
}
/// <summary>
/// Imports certificates (as from a certs-only application/pkcs-mime part)
/// from the specified stream.
/// </summary>
/// <remarks>
/// Nothing here verifies a signature over the stream, so every certificate and CRL
/// imported is unauthenticated data from whoever produced it. Import is assumed to only
/// make these objects available for later lookup (e.g. path building), not to add them
/// as trust anchors — confirm against the certificate/CRL Import overloads before
/// relying on that.
/// </remarks>
/// <param name="stream">The raw key data.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="stream"/> is <c>null</c>.
/// </exception>
/// <exception cref="Org.BouncyCastle.Cms.CmsException">
/// An error occurred in the cryptographic message syntax subsystem.
/// </exception>
public override void Import (Stream stream)
{
    if (stream == null)
        throw new ArgumentNullException ("stream");

    var parser = new CmsSignedDataParser (stream);

    foreach (X509Certificate certificate in parser.GetCertificates ("Collection").GetMatches (null))
        Import (certificate);

    foreach (X509Crl crl in parser.GetCrls ("Collection").GetMatches (null))
        Import (crl);
}
public void TestSha1WithRsaEncapsulatedBufferedStream()
{
    // Writing the content one byte at a time and piping it in bulk are
    // expected to produce encodings of the same length.
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    MemoryStream encoded = new MemoryStream();

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);

    Stream sigOut = gen.Open(encoded, true);
    for (int i = 0; i < 2000; i++)
        sigOut.WriteByte((byte)(i & 0xff));
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
    int unbufferedLength = encoded.ToArray().Length;

    // Same content again, delivered through a bulk pipe.
    encoded.SetLength(0);
    gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);
    sigOut = gen.Open(encoded, true);

    byte[] data = new byte[2000];
    for (int i = 0; i < data.Length; i++)
        data[i] = (byte)(i & 0xff);
    Streams.PipeAll(new MemoryStream(data, false), sigOut);
    sigOut.Close();

    VerifyEncodedData(encoded);
    Assert.AreEqual(unbufferedLength, encoded.ToArray().Length);
}
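/// <summary>
/// Verify the digital signatures of the specified signedData and extract the original content.
/// </summary>
/// <remarks>
/// The encapsulated content is parsed into a <see cref="MimeEntity"/> before the signatures
/// are examined, so <paramref name="entity"/> must be treated as untrusted until the returned
/// signatures have been checked by the caller.
/// </remarks>
/// <returns>The list of digital signatures.</returns>
/// <param name="signedData">The signed data.</param>
/// <param name="entity">The unencapsulated entity.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="signedData"/> is <c>null</c>.
/// </exception>
/// <exception cref="Org.BouncyCastle.Cms.CmsException">
/// An error occurred in the cryptographic message syntax subsystem, or the signed data
/// does not carry encapsulated content.
/// </exception>
public DigitalSignatureCollection Verify (Stream signedData, out MimeEntity entity)
{
    if (signedData == null)
        throw new ArgumentNullException ("signedData");

    var parser = new CmsSignedDataParser (signedData);
    var signed = parser.GetSignedContent ();

    // A SignedData with detached (non-encapsulated) content has no content stream;
    // report that as a CMS error instead of dereferencing null below.
    if (signed == null)
        throw new CmsException ("The signed data does not contain encapsulated content.");

    entity = MimeEntity.Load (signed.ContentStream);

    return GetDigitalSignatures (parser);
}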
public void TestSha1WithRsaEncapsulatedBuffered()
{
    // A buffer smaller than the default splits the content into more, smaller
    // chunks, so the buffered encoding is expected to be longer than the
    // unbuffered one.
    IX509Store certStore = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
    MemoryStream encoded = new MemoryStream();

    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);

    Stream sigOut = gen.Open(encoded, true);
    for (int i = 0; i < 2000; i++)
        sigOut.WriteByte((byte)(i & 0xff));
    sigOut.Close();

    CmsSignedDataParser parser = new CmsSignedDataParser(encoded.ToArray());
    parser.GetSignedContent().Drain();
    VerifySignatures(parser);
    int unbufferedLength = encoded.ToArray().Length;

    // Same content again with a 300-byte buffer.
    encoded.SetLength(0);
    gen = new CmsSignedDataStreamGenerator();
    gen.SetBufferSize(300);
    gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
    gen.AddCertificates(certStore);

    sigOut = gen.Open(encoded, true);
    for (int i = 0; i < 2000; i++)
        sigOut.WriteByte((byte)(i & 0xff));
    sigOut.Close();

    VerifyEncodedData(encoded);
    Assert.IsTrue(unbufferedLength < encoded.ToArray().Length);
}
/**
 * Replace the certificate, CRL and attribute-certificate information of a
 * signed data stream with the stores passed in, keeping the signatures as is.
 * <p>
 * The output stream is returned unclosed.
 * </p>
 * <p>
 * The certificate and CRL sets are not covered by the CMS signatures, which is
 * why they can be swapped without re-signing; conversely, a verifier must not
 * treat whatever certificate set a message carries as authenticated.
 * </p>
 * @param original the signed data stream to be used as a base.
 * @param x509Certs the certificates to write, or null for none.
 * @param x509Crls the CRLs to write, or null for none.
 * @param x509AttrCerts the attribute certificates to write, or null for none.
 * @param outStr the stream to write the new signed data object to.
 * @return outStr.
 * @exception CmsException if there is an error processing the CertStore
 */
public static Stream ReplaceCertificatesAndCrls(
    Stream original,
    IX509Store x509Certs,
    IX509Store x509Crls,
    IX509Store x509AttrCerts,
    Stream outStr)
{
    CmsSignedDataParser source = new CmsSignedDataParser(original);

    // NB: SecureRandom would be ignored since using existing signatures only
    CmsSignedDataStreamGenerator target = new CmsSignedDataStreamGenerator();
    target.AddDigests(source.DigestOids);

    // Copy the encapsulated content, if there is any (detached data has none).
    CmsTypedStream content = source.GetSignedContent();
    bool hasEncapsulatedContent = content != null;
    Stream contentOut = target.Open(outStr, source.SignedContentType.Id, hasEncapsulatedContent);

    if (hasEncapsulatedContent)
        Streams.PipeAll(content.ContentStream, contentOut);

    // The parser's own certificate/CRL sets are deliberately not carried over;
    // only the replacement stores supplied by the caller are written.
    if (x509AttrCerts != null)
        target.AddAttributeCertificates(x509AttrCerts);
    if (x509Certs != null)
        target.AddCertificates(x509Certs);
    if (x509Crls != null)
        target.AddCrls(x509Crls);

    target.AddSigners(source.GetSignerInfos());

    contentOut.Close();

    return outStr;
}
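/// <summary>
/// Completes an existing CMS signature to the requested <paramref name="level"/> and writes the result, with
/// its content encapsulated, to <paramref name="embedded"/>. <see cref="Level.T_Level"/> adds a signature
/// time-stamp (when none is present and a time-stamp provider is configured); <see cref="Level.L_Level"/>
/// adds the revocation values needed to validate the signer chain and, if present, the time-stamp.
/// </summary>
/// <param name="level">Target level flags.</param>
/// <param name="embedded">Output stream receiving the completed SignedData.</param>
/// <param name="signed">Input stream holding the SignedData to complete; exactly one signer is supported.</param>
/// <param name="providedSigner">Signer certificate used when the message embeds no certificates; may be <c>null</c> otherwise.</param>
/// <param name="timemarkKey">Receives the signature value, signing time and signer certificate identifying the time-mark.</param>
/// <exception cref="InvalidMessageException">
/// No or several signers, missing signer certificate, failed chain validation, message too old to time-stamp,
/// or an existing time-stamp outside the grace period.
/// </exception>
/// <exception cref="NotSupportedException">The message carries more than one signature time-stamp.</exception>
/// <exception cref="InvalidOperationException">The TSA returned a token that does not match the signature value.</exception>
/// <remarks>
/// The signature value and signed attributes are copied unchanged; only the unsigned attributes and the
/// embedded certificate set are rewritten. NOTE(review): the signer certificate is selected by SignerID but the
/// signature itself is not verified in this method — confirm callers verify it before trusting the output.
/// </remarks>
protected void Complete(Level level, Stream embedded, Stream signed, X509Certificate2 providedSigner, out TimemarkKey timemarkKey)
{
    trace.TraceEvent(TraceEventType.Information, 0, "Completing the message with of {0} bytes to level {1}", signed.Length, level);

    // Prepare generator, parser and time-mark key.
    CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
    CmsSignedDataParser parser = new CmsSignedDataParser(signed);
    timemarkKey = new TimemarkKey();

    // Preset the digests so the existing signers can be re-added after the content is copied.
    gen.AddDigests(parser.DigestOids);

    // Copy the content to the new (encapsulated) message; this also lets the parser reach the SignerInfos.
    CmsTypedStream signedContent = parser.GetSignedContent();
    Stream contentOut = gen.Open(embedded, parser.SignedContentType.Id, true);
    signedContent.ContentStream.CopyTo(contentOut);

    // Exactly one signer is supported.
    SignerInformation signerInfo = ExtractSingleSigner(parser.GetSignerInfos());
    timemarkKey.SignatureValue = signerInfo.GetSignature();

    // Unsigned attributes are rewritten below; signed attributes are only read.
    IDictionary unsignedAttributes = signerInfo.UnsignedAttributes != null
        ? signerInfo.UnsignedAttributes.ToDictionary()
        : new Hashtable();
    bool hasSigningTime;
    timemarkKey.SigningTime = ExtractSigningTime(signerInfo, out hasSigningTime);

    // Resolve the signer certificate (embedded or provided) and the certificate set to embed.
    X509Certificate2 signer;
    IX509Store embeddedCerts = ResolveSignerCertificates(parser, signerInfo, providedSigner, timemarkKey.SigningTime, out signer);
    timemarkKey.Signer = signer;
    gen.AddCertificates(embeddedCerts);

    // Signature time-stamp: reuse the existing one, or request a fresh one for T-Level.
    TimeStampToken tst = null;
    BC::Asn1.Cms.Attribute timestampAttr = (BC::Asn1.Cms.Attribute)unsignedAttributes[PkcsObjectIdentifiers.IdAASignatureTimeStampToken];
    if (timestampAttr == null || ((DerSet)timestampAttr.AttrValues).Count == 0)
    {
        // NOTE(review): when T-Level is requested but timestampProvider is null the message is left
        // without a time-stamp and no error is raised — confirm this silent fall-through is intended.
        if ((level & Level.T_Level) == Level.T_Level && timestampProvider != null)
        {
            tst = RequestSignatureTimestamp(timemarkKey.SignatureValue, timemarkKey.SigningTime, unsignedAttributes);
        }
    }
    else
    {
        tst = DecodeExistingTimestamp(timestampAttr);
        if (!hasSigningTime)
        {
            // No signed signing time: the TST generation time is the best available signing time.
            trace.TraceEvent(TraceEventType.Information, 0, "Implicit signing time {0} is replaced with time-stamp time {1}", timemarkKey.SigningTime, tst.TimeStampInfo.GenTime);
            timemarkKey.SigningTime = tst.TimeStampInfo.GenTime;
        }
        if (tst.TimeStampInfo.GenTime > (timemarkKey.SigningTime + EteeActiveConfig.ClockSkewness + Settings.Default.TimestampGracePeriod))
        {
            trace.TraceEvent(TraceEventType.Error, 0, "The message was time-stamped on {0}, which is beyond the allows period of {2} from the signing time {1}", tst.TimeStampInfo.GenTime, timemarkKey.SigningTime, Settings.Default.TimestampGracePeriod);
            throw new InvalidMessageException("The message wasn't timestamped on time");
        }
    }

    if ((level & Level.L_Level) == Level.L_Level)
    {
        AddRevocationValues(timemarkKey.Signer, timemarkKey.SigningTime, embeddedCerts, tst, unsignedAttributes);
    }

    // Update the unsigned attributes of the signer info and copy the signer into the new message.
    signerInfo = SignerInformation.ReplaceUnsignedAttributes(signerInfo, new BC::Asn1.Cms.AttributeTable(unsignedAttributes));
    gen.AddSigners(new SignerInformationStore(new SignerInformation[] { signerInfo }));
    contentOut.Close();
}

// Returns the single SignerInformation of the store; messages with zero or several signatures are rejected.
private SignerInformation ExtractSingleSigner(SignerInformationStore signerInfoStore)
{
    IEnumerator signerInfos = signerInfoStore.GetSigners().GetEnumerator();
    if (!signerInfos.MoveNext())
    {
        trace.TraceEvent(TraceEventType.Error, 0, "The message to complete does not contain a signature");
        throw new InvalidMessageException("The message does not contain a signature");
    }
    SignerInformation signerInfo = (SignerInformation)signerInfos.Current;
    if (signerInfos.MoveNext())
    {
        // Fix: the original trace text said the opposite of what it reported.
        trace.TraceEvent(TraceEventType.Error, 0, "The message to complete contains more than one signature");
        throw new InvalidMessageException("The message does contain multiple signatures, which isn't supported");
    }
    return signerInfo;
}

// Reads the signed signing-time attribute. When absent, hasSigningTime is false and the current UTC time
// is returned as a provisional value.
private DateTime ExtractSigningTime(SignerInformation signerInfo, out bool hasSigningTime)
{
    BC::Asn1.Cms.Attribute signingTimeAttr = signerInfo.SignedAttributes != null
        ? signerInfo.SignedAttributes[CmsAttributes.SigningTime]
        : null;
    if (signingTimeAttr == null)
    {
        trace.TraceEvent(TraceEventType.Warning, 0, "The message to complete does not contain a signing time");
        hasSigningTime = false;
        return DateTime.UtcNow;
    }
    // Fix: an explicit signing time counts as present. The original set this flag to false in both branches,
    // so an existing time-stamp always overwrote the signed signing time and the grace-period check was moot.
    hasSigningTime = true;
    return new BC::Asn1.Cms.Time(((DerSet)signingTimeAttr.AttrValues)[0].ToAsn1Object()).Date;
}

// Determines the signer certificate and the certificate set to embed: the message's own certificates when it
// carries any (the signer must be among them), otherwise the basic chain built from providedSigner.
private IX509Store ResolveSignerCertificates(CmsSignedDataParser parser, SignerInformation signerInfo, X509Certificate2 providedSigner, DateTime signingTime, out X509Certificate2 signer)
{
    IX509Store embeddedCerts = parser.GetCertificates("Collection");
    if (embeddedCerts != null && embeddedCerts.GetMatches(null).Count > 0)
    {
        IEnumerator signerCerts = embeddedCerts.GetMatches(signerInfo.SignerID).GetEnumerator();
        if (!signerCerts.MoveNext())
        {
            trace.TraceEvent(TraceEventType.Error, 0, "The message does contains certificates, but the signing certificate is missing");
            throw new InvalidMessageException("The message does not contain the signer certificate");
        }
        signer = new X509Certificate2(((BC::X509.X509Certificate)signerCerts.Current).GetEncoded());
        trace.TraceEvent(TraceEventType.Verbose, 0, "The message contains certificates, of which {0} is the signer", signer.Subject);
        return embeddedCerts;
    }

    // No embedded certificates: the caller must have supplied the signer.
    if (providedSigner == null)
    {
        trace.TraceEvent(TraceEventType.Error, 0, "The provided message does not contain any embedded certificates");
        throw new InvalidMessageException("The message does not contain any embedded certificates");
    }
    signer = providedSigner;
    trace.TraceEvent(TraceEventType.Verbose, 0, "The message does not contains certificates, adding the chain of {0}", signer.Subject);

    // extraStore is the class-level collection of additional certificates used for chain building.
    Chain chain = signer.BuildBasicChain(signingTime, extraStore);
    if (chain.ChainStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0)
    {
        trace.TraceEvent(TraceEventType.Error, 0, "The certification chain of {0} failed with errors", chain.ChainElements[0].Certificate.Subject);
        throw new InvalidMessageException(string.Format("The certificate chain of the signer {0} fails basic validation", signer.Subject));
    }

    List<BC::X509.X509Certificate> senderChain = new List<BC::X509.X509Certificate>();
    foreach (ChainElement ce in chain.ChainElements)
    {
        trace.TraceEvent(TraceEventType.Verbose, 0, "Adding the certificate {0} to the message", ce.Certificate.Subject);
        senderChain.Add(DotNetUtilities.FromX509Certificate(ce.Certificate));
    }
    return X509StoreFactory.Create("CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(senderChain));
}

// Requests a signature time-stamp over the SHA-256 hash of the signature value, checks that the TSA answered
// for that exact value and stores the token as an unsigned attribute. The TST carries its own certificates,
// so none are added to the CMS. The token is not validated here; that happens later (L-Level / verification).
private TimeStampToken RequestSignatureTimestamp(byte[] signatureValue, DateTime signingTime, IDictionary unsignedAttributes)
{
    if (DateTime.UtcNow > (signingTime + EteeActiveConfig.ClockSkewness + Settings.Default.TimestampGracePeriod))
    {
        // Fix: the original format string used {2} with only two arguments, so the trace call itself threw.
        trace.TraceEvent(TraceEventType.Error, 0, "The message was created on {0}, which is beyond the allows period of {1} to time-stamp", signingTime, Settings.Default.TimestampGracePeriod);
        throw new InvalidMessageException("The message it to old to add a time-stamp");
    }

    byte[] signatureHash;
    using (SHA256 sha = SHA256.Create())
    {
        signatureHash = sha.ComputeHash(signatureValue);
    }
    trace.TraceEvent(TraceEventType.Verbose, 0, "SHA-256 hashed the signature value from {0} to {1}", Convert.ToBase64String(signatureValue), Convert.ToBase64String(signatureHash));

    byte[] rawTst = timestampProvider.GetTimestampFromDocumentHash(signatureHash, "http://www.w3.org/2001/04/xmlenc#sha256");
    TimeStampToken tst = rawTst.ToTimeStampToken();
    if (!tst.IsMatch(new MemoryStream(signatureValue)))
    {
        trace.TraceEvent(TraceEventType.Error, 0, "The time-stamp does not correspond to the signature value {0}", Convert.ToBase64String(signatureValue));
        throw new InvalidOperationException("The time-stamp authority did not return a matching time-stamp");
    }

    BC::Asn1.Cms.Attribute signatureTstAttr = new BC::Asn1.Cms.Attribute(PkcsObjectIdentifiers.IdAASignatureTimeStampToken, new DerSet(Asn1Object.FromByteArray(rawTst)));
    unsignedAttributes[signatureTstAttr.AttrType] = signatureTstAttr;
    trace.TraceEvent(TraceEventType.Verbose, 0, "Added the time-stamp: {0}", Convert.ToBase64String(rawTst));
    return tst;
}

// Decodes the signature time-stamp already present in the message; more than one is not supported.
private TimeStampToken DecodeExistingTimestamp(BC::Asn1.Cms.Attribute timestampAttr)
{
    DerSet rawTsts = (DerSet)timestampAttr.AttrValues;
    if (rawTsts.Count > 1)
    {
        trace.TraceEvent(TraceEventType.Error, 0, "There are {0} signature timestamps present", rawTsts.Count);
        throw new NotSupportedException("The library does not support more then one time-stamp");
    }
    return rawTsts[0].GetEncoded().ToTimeStampToken();
}

// L-Level: starts from the revocation values already in the message, adds what is needed to validate the
// signer chain (and the time-stamp signer chain, if a TST is present) and stores the result as an unsigned
// attribute. Chain or time-stamp validation failures abort the completion.
private void AddRevocationValues(X509Certificate2 signer, DateTime signingTime, IX509Store embeddedCerts, TimeStampToken tst, IDictionary unsignedAttributes)
{
    IList<CertificateList> crls = null;
    IList<BasicOcspResponse> ocsps = null;
    BC::Asn1.Cms.Attribute revocationAttr = (BC::Asn1.Cms.Attribute)unsignedAttributes[PkcsObjectIdentifiers.IdAAEtsRevocationValues];
    if (revocationAttr != null)
    {
        DerSet revocationInfoSet = (DerSet)revocationAttr.AttrValues;
        // Fix: the original tested "null || Count == 0" and then read element [0], so existing values were
        // never reused and a null/empty set crashed. Also the trace strings referenced {1} with one argument.
        if (revocationInfoSet != null && revocationInfoSet.Count > 0)
        {
            RevocationValues revocationInfo = RevocationValues.GetInstance(revocationInfoSet[0]);
            crls = new List<CertificateList>(revocationInfo.GetCrlVals());
            trace.TraceEvent(TraceEventType.Verbose, 0, "Found {0} CRL's in the message", crls.Count);
            ocsps = new List<BasicOcspResponse>(revocationInfo.GetOcspVals());
            trace.TraceEvent(TraceEventType.Verbose, 0, "Found {0} OCSP's in the message", ocsps.Count);
        }
    }
    if (crls == null) crls = new List<CertificateList>();
    if (ocsps == null) ocsps = new List<BasicOcspResponse>();

    // Validate the signer chain with the message certificates as extra store; BuildChain appends the
    // CRLs/OCSP responses it used to the lists.
    X509Certificate2Collection messageCerts = new X509Certificate2Collection();
    foreach (Org.BouncyCastle.X509.X509Certificate cert in embeddedCerts.GetMatches(null))
    {
        messageCerts.Add(new X509Certificate2(cert.GetEncoded()));
    }
    Chain chain = signer.BuildChain(signingTime, messageCerts, ref crls, ref ocsps);
    if (chain.ChainStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0)
    {
        trace.TraceEvent(TraceEventType.Error, 0, "The certificate chain of the signer {0} failed with {1} issues: {2}, {3}", signer.Subject, chain.ChainStatus.Count, chain.ChainStatus[0].Status, chain.ChainStatus[0].StatusInformation);
        throw new InvalidMessageException(string.Format("The certificate chain of the signer {0} fails revocation validation", signer.Subject));
    }

    // Same for the time-stamp signer chain, when a TST is present.
    if (tst != null)
    {
        Timestamp ts = tst.Validate(ref crls, ref ocsps);
        if (ts.TimestampStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0)
        {
            trace.TraceEvent(TraceEventType.Error, 0, "The certificate chain of the time-stamp signer {0} failed with {1} issues: {2}, {3}", ts.CertificateChain.ChainElements[0].Certificate.Subject, ts.TimestampStatus.Count, ts.TimestampStatus[0].Status, ts.TimestampStatus[0].StatusInformation);
            throw new InvalidMessageException("The embedded time-stamp fails validation");
        }
    }

    // Embed the collected revocation info as the ETS revocation-values attribute.
    RevocationValues revocationValues = new RevocationValues(crls, ocsps, null);
    revocationAttr = new BC::Asn1.Cms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues.ToAsn1Object()));
    unsignedAttributes[revocationAttr.AttrType] = revocationAttr;
    trace.TraceEvent(TraceEventType.Verbose, 0, "Added {0} OCSP's and {1} CRL's to the message", ocsps.Count, crls.Count);
}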