/** * Replace the signerinformation store associated with the passed * in message contained in the stream original with the new one passed in. * You would probably only want to do this if you wanted to change the unsigned * attributes associated with a signer, or perhaps delete one. * <p> * The output stream is returned unclosed. * </p> * @param original the signed data stream to be used as a base. * @param signerInformationStore the new signer information store to use. * @param out the stream to Write the new signed data object to. * @return out. */ public static Stream ReplaceSigners( Stream original, SignerInformationStore signerInformationStore, Stream outStr) { // NB: SecureRandom would be ignored since using existing signatures only CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); CmsSignedDataParser parser = new CmsSignedDataParser(original); // gen.AddDigests(parser.DigestOids); gen.AddSigners(signerInformationStore); CmsTypedStream signedContent = parser.GetSignedContent(); bool encapsulate = (signedContent != null); Stream contentOut = gen.Open(outStr, parser.SignedContentType.Id, encapsulate); if (encapsulate) { Streams.PipeAll(signedContent.ContentStream, contentOut); } gen.AddAttributeCertificates(parser.GetAttributeCertificates("Collection")); gen.AddCertificates(parser.GetCertificates("Collection")); gen.AddCrls(parser.GetCrls("Collection")); // gen.AddSigners(parser.GetSignerInfos()); contentOut.Close(); return(outStr); }
public static Stream ReplaceSigners(Stream original, SignerInformationStore signerInformationStore, Stream outStr) { CmsSignedDataStreamGenerator cmsSignedDataStreamGenerator = new CmsSignedDataStreamGenerator(); CmsSignedDataParser cmsSignedDataParser = new CmsSignedDataParser(original); cmsSignedDataStreamGenerator.AddSigners(signerInformationStore); CmsTypedStream signedContent = cmsSignedDataParser.GetSignedContent(); bool flag = signedContent != null; Stream val = cmsSignedDataStreamGenerator.Open(outStr, cmsSignedDataParser.SignedContentType.Id, flag); if (flag) { Streams.PipeAll(signedContent.ContentStream, val); } cmsSignedDataStreamGenerator.AddAttributeCertificates(cmsSignedDataParser.GetAttributeCertificates("Collection")); cmsSignedDataStreamGenerator.AddCertificates(cmsSignedDataParser.GetCertificates("Collection")); cmsSignedDataStreamGenerator.AddCrls(cmsSignedDataParser.GetCrls("Collection")); Platform.Dispose(val); return(outStr); }
/** * Replace the signerinformation store associated with the passed * in message contained in the stream original with the new one passed in. * You would probably only want to do this if you wanted to change the unsigned * attributes associated with a signer, or perhaps delete one. * <p> * The output stream is returned unclosed. * </p> * @param original the signed data stream to be used as a base. * @param signerInformationStore the new signer information store to use. * @param out the stream to Write the new signed data object to. * @return out. */ public static Stream ReplaceSigners( Stream original, SignerInformationStore signerInformationStore, Stream outStr) { // NB: SecureRandom would be ignored since using existing signatures only CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); CmsSignedDataParser parser = new CmsSignedDataParser(original); // gen.AddDigests(parser.DigestOids); gen.AddSigners(signerInformationStore); CmsTypedStream signedContent = parser.GetSignedContent(); bool encapsulate = (signedContent != null); Stream contentOut = gen.Open(outStr, parser.SignedContentType.Id, encapsulate); if (encapsulate) { Streams.PipeAll(signedContent.ContentStream, contentOut); } gen.AddAttributeCertificates(parser.GetAttributeCertificates("Collection")); gen.AddCertificates(parser.GetCertificates("Collection")); gen.AddCrls(parser.GetCrls("Collection")); // gen.AddSigners(parser.GetSignerInfos()); contentOut.Close(); return outStr; }
DigitalSignatureCollection GetDigitalSignatures(CmsSignedDataParser parser) { var certificates = parser.GetCertificates ("Collection"); var signatures = new List<IDigitalSignature> (); var crls = parser.GetCrls ("Collection"); var store = parser.GetSignerInfos (); foreach (X509Certificate certificate in certificates.GetMatches (null)) Import (certificate); foreach (X509Crl crl in crls.GetMatches (null)) Import (crl); foreach (SignerInformation signerInfo in store.GetSigners ()) { var certificate = GetCertificate (certificates, signerInfo.SignerID); var signature = new SecureMimeDigitalSignature (signerInfo); DateTime? signedDate = null; if (signerInfo.SignedAttributes != null) { Asn1EncodableVector vector = signerInfo.SignedAttributes.GetAll (CmsAttributes.SigningTime); foreach (Org.BouncyCastle.Asn1.Cms.Attribute attr in vector) { var signingTime = (DerUtcTime) ((DerSet) attr.AttrValues)[0]; signature.CreationDate = signingTime.ToAdjustedDateTime (); signedDate = signature.CreationDate; break; } } if (certificate != null) signature.SignerCertificate = new SecureMimeDigitalCertificate (certificate); var anchors = GetTrustedAnchors (); try { signature.Chain = BuildCertPath (anchors, certificates, crls, certificate, signedDate); } catch (Exception ex) { signature.ChainException = ex; } signatures.Add (signature); } return new DigitalSignatureCollection (signatures); }
/// <summary> /// Imports certificates (as from a certs-only application/pkcs-mime part) /// from the specified stream. /// </summary> /// <param name="stream">The raw key data.</param> /// <exception cref="System.ArgumentNullException"> /// <paramref name="stream"/> is <c>null</c>. /// </exception> /// <exception cref="Org.BouncyCastle.Cms.CmsException"> /// An error occurred in the cryptographic message syntax subsystem. /// </exception> public override void Import(Stream stream) { if (stream == null) throw new ArgumentNullException ("stream"); var parser = new CmsSignedDataParser (stream); var certificates = parser.GetCertificates ("Collection"); foreach (X509Certificate certificate in certificates.GetMatches (null)) Import (certificate); var crls = parser.GetCrls ("Collection"); foreach (X509Crl crl in crls.GetMatches (null)) Import (crl); }
private void VerifySignatures( CmsSignedDataParser sp) { IX509Store x509Certs = sp.GetCertificates("Collection"); SignerInformationStore signers = sp.GetSignerInfos(); foreach (SignerInformation signer in signers.GetSigners()) { ICollection certCollection = x509Certs.GetMatches(signer.SignerID); IEnumerator certEnum = certCollection.GetEnumerator(); certEnum.MoveNext(); X509Certificate cert = (X509Certificate)certEnum.Current; Assert.IsTrue(signer.Verify(cert)); } }
public void TestCertOrdering2() { MemoryStream bOut = new MemoryStream(); IX509Store x509Certs = CmsTestUtil.MakeCertStore(SignCert, OrigCert); CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1); gen.AddCertificates(x509Certs); byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage); Stream sigOut = gen.Open(bOut, true); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray()); sp.GetSignedContent().Drain(); x509Certs = sp.GetCertificates("Collection"); ArrayList a = new ArrayList(x509Certs.GetMatches(null)); Assert.AreEqual(2, a.Count); Assert.AreEqual(SignCert, a[0]); Assert.AreEqual(OrigCert, a[1]); }
private void VerifySignatures( CmsSignedDataParser sp, byte[] contentDigest) { IX509Store certStore = sp.GetCertificates("Collection"); SignerInformationStore signers = sp.GetSignerInfos(); foreach (SignerInformation signer in signers.GetSigners()) { ICollection certCollection = certStore.GetMatches(signer.SignerID); IEnumerator certEnum = certCollection.GetEnumerator(); certEnum.MoveNext(); X509Certificate cert = (X509Certificate) certEnum.Current; Assert.IsTrue(signer.Verify(cert)); if (contentDigest != null) { Assert.IsTrue(Arrays.AreEqual(contentDigest, signer.GetContentDigest())); } } }
public void TestSha1WithRsaEncapsulatedSubjectKeyID() { MemoryStream bOut = new MemoryStream(); IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert); CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); gen.AddSigner(OrigKP.Private, CmsTestUtil.CreateSubjectKeyId(OrigCert.GetPublicKey()).GetKeyIdentifier(), CmsSignedDataStreamGenerator.DigestSha1); gen.AddCertificates(x509Certs); byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage); Stream sigOut = gen.Open(bOut, true); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray()); sp.GetSignedContent().Drain(); VerifySignatures(sp); byte[] contentDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1]; ArrayList signers = new ArrayList(sp.GetSignerInfos().GetSigners()); AttributeTable table = ((SignerInformation) signers[0]).SignedAttributes; Asn1.Cms.Attribute hash = table[CmsAttributes.MessageDigest]; Assert.IsTrue(Arrays.AreEqual(contentDigest, ((Asn1OctetString)hash.AttrValues[0]).GetOctets())); // // try using existing signer // gen = new CmsSignedDataStreamGenerator(); gen.AddSigners(sp.GetSignerInfos()); // gen.AddCertificatesAndCRLs(sp.GetCertificatesAndCrls("Collection", "BC")); gen.AddCertificates(sp.GetCertificates("Collection")); bOut.SetLength(0); sigOut = gen.Open(bOut, true); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); CmsSignedData sd = new CmsSignedData(new CmsProcessableByteArray(testBytes), bOut.ToArray()); Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count); VerifyEncodedData(bOut); }
public void TestSha1WithRsa() { MemoryStream bOut = new MemoryStream(); IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert); IX509Store x509Crls = CmsTestUtil.MakeCrlStore(SignCrl, OrigCrl); CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1); gen.AddCertificates(x509Certs); gen.AddCrls(x509Crls); Stream sigOut = gen.Open(bOut); byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); CheckSigParseable(bOut.ToArray()); CmsSignedDataParser sp = new CmsSignedDataParser( new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray()); sp.GetSignedContent().Drain(); // compute expected content digest byte[] hash = DigestUtilities.CalculateDigest("SHA1", testBytes); VerifySignatures(sp, hash); // // try using existing signer // gen = new CmsSignedDataStreamGenerator(); gen.AddSigners(sp.GetSignerInfos()); gen.AddCertificates(sp.GetCertificates("Collection")); gen.AddCrls(sp.GetCrls("Collection")); bOut.SetLength(0); sigOut = gen.Open(bOut, true); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); VerifyEncodedData(bOut); // // look for the CRLs // ArrayList col = new ArrayList(x509Crls.GetMatches(null)); Assert.AreEqual(2, col.Count); Assert.IsTrue(col.Contains(SignCrl)); Assert.IsTrue(col.Contains(OrigCrl)); }
private void CheckSigParseable(byte[] sig) { CmsSignedDataParser sp = new CmsSignedDataParser(sig); sp.Version.ToString(); CmsTypedStream sc = sp.GetSignedContent(); if (sc != null) { sc.Drain(); } sp.GetAttributeCertificates("Collection"); sp.GetCertificates("Collection"); sp.GetCrls("Collection"); sp.GetSignerInfos(); sp.Close(); }
public void TestSha1WithRsa() { IList certList = new ArrayList(); IList crlList = new ArrayList(); MemoryStream bOut = new MemoryStream(); certList.Add(OrigCert); certList.Add(SignCert); crlList.Add(SignCrl); crlList.Add(OrigCrl); IX509Store x509Certs = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509Crls = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1); gen.AddCertificates(x509Certs); gen.AddCrls(x509Crls); Stream sigOut = gen.Open(bOut); byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); CheckSigParseable(bOut.ToArray()); CmsSignedDataParser sp = new CmsSignedDataParser( new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray()); sp.GetSignedContent().Drain(); // // compute expected content digest // IDigest md = DigestUtilities.GetDigest("SHA1"); md.BlockUpdate(testBytes, 0, testBytes.Length); byte[] hash = DigestUtilities.DoFinal(md); VerifySignatures(sp, hash); // // try using existing signer // gen = new CmsSignedDataStreamGenerator(); gen.AddSigners(sp.GetSignerInfos()); gen.AddCertificates(sp.GetCertificates("Collection")); gen.AddCrls(sp.GetCrls("Collection")); bOut.SetLength(0); sigOut = gen.Open(bOut, true); sigOut.Write(testBytes, 0, testBytes.Length); sigOut.Close(); VerifyEncodedData(bOut); // // look for the CRLs // ArrayList col = new ArrayList(x509Crls.GetMatches(null)); Assert.AreEqual(2, col.Count); Assert.IsTrue(col.Contains(SignCrl)); Assert.IsTrue(col.Contains(OrigCrl)); }
protected void Complete(Level level, Stream embedded, Stream signed, X509Certificate2 providedSigner, out TimemarkKey timemarkKey) { trace.TraceEvent(TraceEventType.Information, 0, "Completing the message with of {0} bytes to level {1}", signed.Length, level); //Prepare generator, parser and time-mark Key CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator(); CmsSignedDataParser parser = new CmsSignedDataParser(signed); timemarkKey = new TimemarkKey(); //preset the digests so we can add the signers afterwards gen.AddDigests(parser.DigestOids); //Copy the content CmsTypedStream signedContent = parser.GetSignedContent(); Stream contentOut = gen.Open(embedded, parser.SignedContentType.Id, true); signedContent.ContentStream.CopyTo(contentOut); //Extract the signer info SignerInformationStore signerInfoStore = parser.GetSignerInfos(); IEnumerator signerInfos = signerInfoStore.GetSigners().GetEnumerator(); if (!signerInfos.MoveNext()) { trace.TraceEvent(TraceEventType.Error, 0, "The message to complete does not contain a signature"); throw new InvalidMessageException("The message does not contain a signature"); } SignerInformation signerInfo = (SignerInformation)signerInfos.Current; if (signerInfos.MoveNext()) { trace.TraceEvent(TraceEventType.Error, 0, "The message to complete does not contain more then one signature"); throw new InvalidMessageException("The message does contain multiple signatures, which isn't supported"); } //Extract the signing key timemarkKey.SignatureValue = signerInfo.GetSignature(); //Extract the unsigned attributes & signing time bool hasSigningTime; IDictionary unsignedAttributes = signerInfo.UnsignedAttributes != null ? signerInfo.UnsignedAttributes.ToDictionary() : new Hashtable(); BC::Asn1.Cms.Attribute singingTimeAttr = signerInfo.SignedAttributes != null ? signerInfo.SignedAttributes[CmsAttributes.SigningTime] : null; if (singingTimeAttr == null) { trace.TraceEvent(TraceEventType.Warning, 0, "The message to complete does not contain a signing time"); hasSigningTime = false; timemarkKey.SigningTime = DateTime.UtcNow; } else { hasSigningTime = false; timemarkKey.SigningTime = new BC::Asn1.Cms.Time(((DerSet)singingTimeAttr.AttrValues)[0].ToAsn1Object()).Date; } //Extract the signer, if available IX509Store embeddedCerts = parser.GetCertificates("Collection"); if (embeddedCerts != null && embeddedCerts.GetMatches(null).Count > 0) { //Embedded certs found, we use that IEnumerator signerCerts = embeddedCerts.GetMatches(signerInfo.SignerID).GetEnumerator(); if (!signerCerts.MoveNext()) { trace.TraceEvent(TraceEventType.Error, 0, "The message does contains certificates, but the signing certificate is missing"); throw new InvalidMessageException("The message does not contain the signer certificate"); } timemarkKey.Signer = new X509Certificate2(((BC::X509.X509Certificate)signerCerts.Current).GetEncoded()); trace.TraceEvent(TraceEventType.Verbose, 0, "The message contains certificates, of which {0} is the signer", timemarkKey.Signer.Subject); //Add the certs to the new message gen.AddCertificates(embeddedCerts); } else { //No embedded certs, lets construct it. if (providedSigner == null) { trace.TraceEvent(TraceEventType.Error, 0, "The provided message does not contain any embedded certificates"); throw new InvalidMessageException("The message does not contain any embedded certificates"); } timemarkKey.Signer = providedSigner; trace.TraceEvent(TraceEventType.Verbose, 0, "The message does not contains certificates, adding the chain of {0}", timemarkKey.Signer.Subject); //Construct the chain of certificates Chain chain = timemarkKey.Signer.BuildBasicChain(timemarkKey.SigningTime, extraStore); if (chain.ChainStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0) { trace.TraceEvent(TraceEventType.Error, 0, "The certification chain of {0} failed with errors", chain.ChainElements[0].Certificate.Subject); throw new InvalidMessageException(string.Format("The certificate chain of the signer {0} fails basic validation", timemarkKey.Signer.Subject)); } List<BC::X509.X509Certificate> senderChainCollection = new List<BC::X509.X509Certificate>(); foreach (ChainElement ce in chain.ChainElements) { trace.TraceEvent(TraceEventType.Verbose, 0, "Adding the certificate {0} to the message", ce.Certificate.Subject); senderChainCollection.Add(DotNetUtilities.FromX509Certificate(ce.Certificate)); } embeddedCerts = X509StoreFactory.Create("CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(senderChainCollection)); //Add the certificates to the new message gen.AddCertificates(embeddedCerts); } //Getting any existing time stamps TimeStampToken tst = null; BC::Asn1.Cms.Attribute timestampAttr = (BC::Asn1.Cms.Attribute)unsignedAttributes[PkcsObjectIdentifiers.IdAASignatureTimeStampToken]; if (timestampAttr == null || ((DerSet)timestampAttr.AttrValues).Count == 0) { //there is no TST if ((level & Level.T_Level) == Level.T_Level && timestampProvider != null) { //There should be a TST if (DateTime.UtcNow > (timemarkKey.SigningTime + EteeActiveConfig.ClockSkewness + Settings.Default.TimestampGracePeriod)) { trace.TraceEvent(TraceEventType.Error, 0, "The message was created on {0}, which is beyond the allows period of {2} to time-stamp", timemarkKey.SigningTime, Settings.Default.TimestampGracePeriod); throw new InvalidMessageException("The message it to old to add a time-stamp"); } SHA256 sha = SHA256.Create(); byte[] signatureHash = sha.ComputeHash(timemarkKey.SignatureValue); trace.TraceEvent(TraceEventType.Verbose, 0, "SHA-256 hashed the signature value from {0} to {1}", Convert.ToBase64String(timemarkKey.SignatureValue), Convert.ToBase64String(signatureHash)); byte[] rawTst = timestampProvider.GetTimestampFromDocumentHash(signatureHash, "http://www.w3.org/2001/04/xmlenc#sha256"); tst = rawTst.ToTimeStampToken(); if (!tst.IsMatch(new MemoryStream(timemarkKey.SignatureValue))) { trace.TraceEvent(TraceEventType.Error, 0, "The time-stamp does not correspond to the signature value {0}", Convert.ToBase64String(timemarkKey.SignatureValue)); throw new InvalidOperationException("The time-stamp authority did not return a matching time-stamp"); } //Don't verify the time-stamp, it is done later //embed TST BC::Asn1.Cms.Attribute signatureTstAttr = new BC::Asn1.Cms.Attribute(PkcsObjectIdentifiers.IdAASignatureTimeStampToken, new DerSet(Asn1Object.FromByteArray(rawTst))); unsignedAttributes[signatureTstAttr.AttrType] = signatureTstAttr; trace.TraceEvent(TraceEventType.Verbose, 0, "Added the time-stamp: {0}", Convert.ToBase64String(rawTst)); //The certs are part of the TST, so no need to add them to the CMS } } else { //There is one, extract it we need it later DerSet rawTsts = (DerSet)timestampAttr.AttrValues; if (rawTsts.Count > 1) { trace.TraceEvent(TraceEventType.Error, 0, "There are {0} signature timestamps present", rawTsts.Count); throw new NotSupportedException("The library does not support more then one time-stamp"); } tst = rawTsts[0].GetEncoded().ToTimeStampToken(); if (!hasSigningTime) { trace.TraceEvent(TraceEventType.Information, 0, "Implicit signing time {0} is replaced with time-stamp time {1}", timemarkKey.SigningTime, tst.TimeStampInfo.GenTime); timemarkKey.SigningTime = tst.TimeStampInfo.GenTime; } if (tst.TimeStampInfo.GenTime > (timemarkKey.SigningTime + EteeActiveConfig.ClockSkewness + Settings.Default.TimestampGracePeriod)) { trace.TraceEvent(TraceEventType.Error, 0, "The message was time-stamped on {0}, which is beyond the allows period of {2} from the signing time {1}", tst.TimeStampInfo.GenTime, timemarkKey.SigningTime, Settings.Default.TimestampGracePeriod); throw new InvalidMessageException("The message wasn't timestamped on time"); } } if ((level & Level.L_Level) == Level.L_Level) { //Add revocation info IList<CertificateList> crls = null; IList<BasicOcspResponse> ocsps = null; BC::Asn1.Cms.Attribute revocationAttr = (BC::Asn1.Cms.Attribute)unsignedAttributes[PkcsObjectIdentifiers.IdAAEtsRevocationValues]; if (revocationAttr != null) { DerSet revocationInfoSet = (DerSet) revocationAttr.AttrValues; if (revocationInfoSet == null || revocationInfoSet.Count == 0) { RevocationValues revocationInfo = RevocationValues.GetInstance(revocationInfoSet[0]); crls = new List<CertificateList>(revocationInfo.GetCrlVals()); trace.TraceEvent(TraceEventType.Verbose, 0, "Found {1} CRL's in the message", crls.Count); ocsps = new List<BasicOcspResponse>(revocationInfo.GetOcspVals()); trace.TraceEvent(TraceEventType.Verbose, 0, "Found {1} OCSP's in the message", ocsps.Count); } } if (crls == null) crls = new List<CertificateList>(); if (ocsps == null) ocsps = new List<BasicOcspResponse>(); //Add the message certificate chain revocation info + check if successful var extraStore = new X509Certificate2Collection(); foreach (Org.BouncyCastle.X509.X509Certificate cert in embeddedCerts.GetMatches(null)) { extraStore.Add(new X509Certificate2(cert.GetEncoded())); } Chain chain = timemarkKey.Signer.BuildChain(timemarkKey.SigningTime, extraStore, ref crls, ref ocsps); if (chain.ChainStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0) { trace.TraceEvent(TraceEventType.Error, 0, "The certificate chain of the signer {0} failed with {1} issues: {2}, {3}", timemarkKey.Signer.Subject, chain.ChainStatus.Count, chain.ChainStatus[0].Status, chain.ChainStatus[0].StatusInformation); throw new InvalidMessageException(string.Format("The certificate chain of the signer {0} fails revocation validation", timemarkKey.Signer.Subject)); } //Add the time-stamp certificate chain revocation info + check if successful if (tst != null) { Timestamp ts = tst.Validate(ref crls, ref ocsps); if (ts.TimestampStatus.Count(x => x.Status != X509ChainStatusFlags.NoError) > 0) { trace.TraceEvent(TraceEventType.Error, 0, "The certificate chain of the time-stamp signer {0} failed with {1} issues: {2}, {3}", ts.CertificateChain.ChainElements[0].Certificate.Subject, ts.TimestampStatus.Count, ts.TimestampStatus[0].Status, ts.TimestampStatus[0].StatusInformation); throw new InvalidMessageException("The embedded time-stamp fails validation"); } } //Embed revocation info RevocationValues revocationValues = new RevocationValues(crls, ocsps, null); revocationAttr = new BC::Asn1.Cms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues.ToAsn1Object())); unsignedAttributes[revocationAttr.AttrType] = revocationAttr; trace.TraceEvent(TraceEventType.Verbose, 0, "Added {0} OCSP's and {1} CRL's to the message", ocsps.Count, crls.Count); } //Update the unsigned attributes of the signer info signerInfo = SignerInformation.ReplaceUnsignedAttributes(signerInfo, new BC::Asn1.Cms.AttributeTable(unsignedAttributes)); //Copy the signer gen.AddSigners(new SignerInformationStore(new SignerInformation[] { signerInfo })); contentOut.Close(); }
private SignatureSecurityInformation VerifyStreaming(Stream verifiedContent, Stream signed, SignatureSecurityInformation outer) { trace.TraceEvent(TraceEventType.Information, 0, "Verifying the {0} signature streamed", outer == null ? "inner" : "outer"); try { CmsSignedDataParser signedData; try { signedData = new CmsSignedDataParser(signed); trace.TraceEvent(TraceEventType.Verbose, 0, "Read the cms header"); } catch (Exception e) { trace.TraceEvent(TraceEventType.Error, 0, "The message isn't a CMS Signed Data message: {0}", e.Message); throw new InvalidMessageException("The message isn't a triple wrapped message", e); } signedData.GetSignedContent().ContentStream.CopyTo(verifiedContent); trace.TraceEvent(TraceEventType.Verbose, 0, "Copied the signed data & calculated the message digest"); IX509Store certs = signedData.GetCertificates("COLLECTION"); SignerInformationStore signerInfos = signedData.GetSignerInfos(); return Verify(signerInfos, certs, outer); } catch (CmsException cmse) { if (cmse.Message.Contains("RSAandMGF1 not supported")) { throw new NotSupportedException("RSA-PSS not supported with streaming in case of raw signatures"); } throw new InvalidMessageException("The message isn't a triple wrapped message", cmse); } }