public TimeStampTokenGenerator(AsymmetricKeyParameter key, X509Certificate cert, string digestOID, string tsaPolicyOID, Org.BouncyCastle.Asn1.Cms.AttributeTable signedAttr, Org.BouncyCastle.Asn1.Cms.AttributeTable unsignedAttr) { this.key = key; this.cert = cert; this.digestOID = digestOID; this.tsaPolicyOID = tsaPolicyOID; this.unsignedAttr = unsignedAttr; TspUtil.ValidateCertificate(cert); IDictionary dictionary; if (signedAttr != null) { dictionary = signedAttr.ToDictionary(); } else { dictionary = Platform.CreateHashtable(); } try { byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded()); EssCertID essCertID = new EssCertID(hash); Org.BouncyCastle.Asn1.Cms.Attribute attribute = new Org.BouncyCastle.Asn1.Cms.Attribute(PkcsObjectIdentifiers.IdAASigningCertificate, new DerSet(new SigningCertificate(essCertID))); dictionary[attribute.AttrType] = attribute; } catch (CertificateEncodingException e) { throw new TspException("Exception processing certificate.", e); } catch (SecurityUtilityException e2) { throw new TspException("Can't find a SHA-1 implementation.", e2); } this.signedAttr = new Org.BouncyCastle.Asn1.Cms.AttributeTable(dictionary); }
/** * Validate the timestamp request, checking the digest to see if it is of an * accepted type and whether it is of the correct length for the algorithm specified. * * @param algorithms a set of string OIDS giving accepted algorithms. * @param policies if non-null a set of policies we are willing to sign under. * @param extensions if non-null a set of extensions we are willing to accept. * @throws TspException if the request is invalid, or processing fails. */ public void Validate( IList algorithms, IList policies, IList extensions) { if (!algorithms.Contains(this.MessageImprintAlgOid)) { throw new TspValidationException("request contains unknown algorithm.", PkiFailureInfo.BadAlg); } if (policies != null && this.ReqPolicy != null && !policies.Contains(this.ReqPolicy)) { throw new TspValidationException("request contains unknown policy.", PkiFailureInfo.UnacceptedPolicy); } if (this.Extensions != null && extensions != null) { foreach (DerObjectIdentifier oid in this.Extensions.ExtensionOids) { if (!extensions.Contains(oid.Id)) { throw new TspValidationException("request contains unknown extension.", PkiFailureInfo.UnacceptedExtension); } } } int digestLength = TspUtil.GetDigestLength(this.MessageImprintAlgOid); if (digestLength != this.GetMessageImprintDigest().Length) { throw new TspValidationException("imprint digest the wrong length.", PkiFailureInfo.BadDataFormat); } }
public void Validate(IList algorithms, IList policies, IList extensions) { if (!algorithms.Contains(this.MessageImprintAlgOid)) { throw new TspValidationException("request contains unknown algorithm.", 128); } if (policies != null && this.ReqPolicy != null && !policies.Contains(this.ReqPolicy)) { throw new TspValidationException("request contains unknown policy.", 256); } if (this.Extensions != null && extensions != null) { foreach (DerObjectIdentifier derObjectIdentifier in this.Extensions.ExtensionOids) { if (!extensions.Contains(derObjectIdentifier.Id)) { throw new TspValidationException("request contains unknown extension.", 8388608); } } } int digestLength = TspUtil.GetDigestLength(this.MessageImprintAlgOid); if (digestLength != this.GetMessageImprintDigest().Length) { throw new TspValidationException("imprint digest the wrong length.", 4); } }
internal static SignerInfoGenerator makeInfoGenerator( AsymmetricKeyParameter key, X509Certificate cert, string digestOID, Asn1.Cms.AttributeTable signedAttr, Asn1.Cms.AttributeTable unsignedAttr) { TspUtil.ValidateCertificate(cert); // // Add the ESSCertID attribute // IDictionary signedAttrs; if (signedAttr != null) { signedAttrs = signedAttr.ToDictionary(); } else { signedAttrs = Platform.CreateHashtable(); } //try //{ // byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded()); // EssCertID essCertid = new EssCertID(hash); // Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute( // PkcsObjectIdentifiers.IdAASigningCertificate, // new DerSet(new SigningCertificate(essCertid))); // signedAttrs[attr.AttrType] = attr; //} //catch (CertificateEncodingException e) //{ // throw new TspException("Exception processing certificate.", e); //} //catch (SecurityUtilityException e) //{ // throw new TspException("Can't find a SHA-1 implementation.", e); //} string digestName = CmsSignedHelper.Instance.GetDigestAlgName(digestOID); string signatureName = digestName + "with" + CmsSignedHelper.Instance.GetEncryptionAlgName(CmsSignedHelper.Instance.GetEncOid(key, digestOID)); Asn1SignatureFactory sigfact = new Asn1SignatureFactory(signatureName, key); return(new SignerInfoGeneratorBuilder() .WithSignedAttributeGenerator( new DefaultSignedAttributeTableGenerator( new Asn1.Cms.AttributeTable(signedAttrs))) .WithUnsignedAttributeGenerator( new SimpleAttributeTableGenerator(unsignedAttr)) .Build(sigfact, cert)); }
public void Validate(X509Certificate cert) { try { byte[] b = DigestUtilities.CalculateDigest(certID.GetHashAlgorithmName(), cert.GetEncoded()); if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), b)) { throw new TspValidationException("certificate hash does not match certID hash."); } if (certID.IssuerSerial != null) { if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber)) { throw new TspValidationException("certificate serial number does not match certID for signature."); } GeneralName[] names = certID.IssuerSerial.Issuer.GetNames(); X509Name issuerX509Principal = PrincipalUtilities.GetIssuerX509Principal(cert); bool flag = false; for (int i = 0; i != names.Length; i++) { if (names[i].TagNo == 4 && X509Name.GetInstance(names[i].Name).Equivalent(issuerX509Principal)) { flag = true; break; } } if (!flag) { throw new TspValidationException("certificate name does not match certID for signature. "); } } TspUtil.ValidateCertificate(cert); cert.CheckValidity(tstInfo.GenTime); if (!tsaSignerInfo.Verify(cert)) { throw new TspValidationException("signature not created by certificate."); } } catch (CmsException ex) { if (((global::System.Exception)ex).get_InnerException() != null) { throw new TspException(((global::System.Exception)ex).get_Message(), ((global::System.Exception)ex).get_InnerException()); } throw new TspException(string.Concat((object)"CMS exception: ", (object)ex), ex); } catch (CertificateEncodingException ex2) { throw new TspException(string.Concat((object)"problem processing certificate: ", (object)ex2), ex2); } catch (SecurityUtilityException ex3) { throw new TspException("cannot find algorithm: " + ((global::System.Exception)ex3).get_Message(), ex3); } }
/** * create with a signer with extra signed/unsigned attributes. */ public TimeStampTokenGenerator( AsymmetricKeyParameter key, X509Certificate cert, string digestOID, string tsaPolicyOID, Asn1.Cms.AttributeTable signedAttr, Asn1.Cms.AttributeTable unsignedAttr) { this.key = key; this.cert = cert; this.digestOID = digestOID; this.tsaPolicyOID = tsaPolicyOID; this.unsignedAttr = unsignedAttr; TspUtil.ValidateCertificate(cert); // // Add the ESSCertID attribute // Hashtable signedAttrs; if (signedAttr != null) { signedAttrs = signedAttr.ToHashtable(); } else { signedAttrs = new Hashtable(); } try { byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded()); EssCertID essCertid = new EssCertID(hash); Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute( PkcsObjectIdentifiers.IdAASigningCertificate, new DerSet(new SigningCertificate(essCertid))); signedAttrs[attr.AttrType] = attr; } catch (CertificateEncodingException e) { throw new TspException("Exception processing certificate.", e); } catch (SecurityUtilityException e) { throw new TspException("Can't find a SHA-1 implementation.", e); } this.signedAttr = new Asn1.Cms.AttributeTable(signedAttrs); }
public void Validate(global::System.Collections.IList algorithms, global::System.Collections.IList policies, global::System.Collections.IList extensions) { if (!algorithms.Contains((object)MessageImprintAlgOid)) { throw new TspValidationException("request contains unknown algorithm.", 128); } if (policies != null && ReqPolicy != null && !policies.Contains((object)ReqPolicy)) { throw new TspValidationException("request contains unknown policy.", 256); } if (Extensions != null && extensions != null) { { global::System.Collections.IEnumerator enumerator = Extensions.ExtensionOids.GetEnumerator(); try { while (enumerator.MoveNext()) { DerObjectIdentifier derObjectIdentifier = (DerObjectIdentifier)enumerator.get_Current(); if (!extensions.Contains((object)derObjectIdentifier.Id)) { throw new TspValidationException("request contains unknown extension.", 8388608); } } } finally { global::System.IDisposable disposable = enumerator as global::System.IDisposable; if (disposable != null) { disposable.Dispose(); } } } } int digestLength = TspUtil.GetDigestLength(MessageImprintAlgOid); if (digestLength != GetMessageImprintDigest().Length) { throw new TspValidationException("imprint digest the wrong length.", 4); } }
/** * Validate the timestamp request, checking the digest to see if it is of an * accepted type and whether it is of the correct length for the algorithm specified. * * @param algorithms a set of string OIDS giving accepted algorithms. * @param policies if non-null a set of policies we are willing to sign under. * @param extensions if non-null a set of extensions we are willing to accept. * @param provider the provider to confirm the digest size against. * @throws TspException if the request is invalid, or processing fails. */ public void Validate( IList algorithms, IList policies, IList extensions) { if (!algorithms.Contains(this.MessageImprintAlgOid)) { throw new TspValidationException("request contains unknown algorithm.", PkiFailureInfo.BadAlg); } if (policies != null && this.ReqPolicy != null && !policies.Contains(this.ReqPolicy)) { throw new TspValidationException("request contains unknown policy.", PkiFailureInfo.UnacceptedPolicy); } if (this.Extensions != null && extensions != null) { foreach (DerObjectIdentifier oid in this.Extensions.ExtensionOids) { if (!extensions.Contains(oid.Id)) { throw new TspValidationException("request contains unknown extension.", PkiFailureInfo.UnacceptedExtension); } } } string digestName = TspUtil.GetDigestAlgName(this.MessageImprintAlgOid); IDigest digest; try { digest = DigestUtilities.GetDigest(digestName); } catch (Exception ex) { throw new TspException("digest algorithm cannot be found.", ex); } checkImprintLength(digest); }
public static ICollection GetSignatureTimestamps(SignerInformation signerInfo) { IList list = Platform.CreateArrayList(); Org.BouncyCastle.Asn1.Cms.AttributeTable unsignedAttributes = signerInfo.UnsignedAttributes; if (unsignedAttributes != null) { foreach (Org.BouncyCastle.Asn1.Cms.Attribute attribute in unsignedAttributes.GetAll(PkcsObjectIdentifiers.IdAASignatureTimeStampToken)) { foreach (Asn1Encodable asn1Encodable in attribute.AttrValues) { try { Org.BouncyCastle.Asn1.Cms.ContentInfo instance = Org.BouncyCastle.Asn1.Cms.ContentInfo.GetInstance(asn1Encodable.ToAsn1Object()); TimeStampToken timeStampToken = new TimeStampToken(instance); TimeStampTokenInfo timeStampInfo = timeStampToken.TimeStampInfo; byte[] a = DigestUtilities.CalculateDigest(TspUtil.GetDigestAlgName(timeStampInfo.MessageImprintAlgOid), signerInfo.GetSignature()); if (!Arrays.ConstantTimeAreEqual(a, timeStampInfo.GetMessageImprintDigest())) { throw new TspValidationException("Incorrect digest in message imprint"); } list.Add(timeStampToken); } catch (SecurityUtilityException) { throw new TspValidationException("Unknown hash algorithm specified in timestamp"); } catch (Exception) { throw new TspValidationException("Timestamp could not be parsed"); } } } } return(list); }
/** * Validate the time stamp token. * <p> * To be valid the token must be signed by the passed in certificate and * the certificate must be the one referred to by the SigningCertificate * attribute included in the hashed attributes of the token. The * certificate must also have the ExtendedKeyUsageExtension with only * KeyPurposeID.IdKPTimeStamping and have been valid at the time the * timestamp was created. * </p> * <p> * A successful call to validate means all the above are true. * </p> */ public void Validate( X509Certificate cert) { try { byte[] hash = DigestUtilities.CalculateDigest( certID.GetHashAlgorithm(), cert.GetEncoded()); if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), hash)) { throw new TspValidationException("certificate hash does not match certID hash."); } if (certID.IssuerSerial != null) { if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber)) { throw new TspValidationException("certificate serial number does not match certID for signature."); } GeneralName[] names = certID.IssuerSerial.Issuer.GetNames(); X509Name principal = PrincipalUtilities.GetIssuerX509Principal(cert); bool found = false; for (int i = 0; i != names.Length; i++) { if (names[i].TagNo == 4 && X509Name.GetInstance(names[i].Name).Equivalent(principal)) { found = true; break; } } if (!found) { throw new TspValidationException("certificate name does not match certID for signature. "); } } TspUtil.ValidateCertificate(cert); cert.CheckValidity(tstInfo.GenTime); if (!tsaSignerInfo.Verify(cert)) { throw new TspValidationException("signature not created by certificate."); } } catch (CmsException e) { if (e.InnerException != null) { throw new TspException(e.Message, e.InnerException); } throw new TspException("CMS exception: " + e, e); } catch (CertificateEncodingException e) { throw new TspException("problem processing certificate: " + e, e); } catch (SecurityUtilityException e) { throw new TspException("cannot find algorithm: " + e.Message, e); } }
public TimeStampTokenGenerator( SignerInfoGenerator signerInfoGen, IDigestFactory digestCalculator, DerObjectIdentifier tsaPolicy, bool isIssuerSerialIncluded) { this.signerInfoGenerator = signerInfoGen; this.digestCalculator = digestCalculator; this.tsaPolicyOID = tsaPolicy != null ? tsaPolicy.Id : null; if (signerInfoGenerator.certificate == null) { throw new ArgumentException("SignerInfoGenerator must have an associated certificate"); } X509Certificate assocCert = signerInfoGenerator.certificate; TspUtil.ValidateCertificate(assocCert); try { IStreamCalculator calculator = digestCalculator.CreateCalculator(); Stream stream = calculator.Stream; byte[] certEnc = assocCert.GetEncoded(); stream.Write(certEnc, 0, certEnc.Length); stream.Flush(); stream.Close(); if (((AlgorithmIdentifier)digestCalculator.AlgorithmDetails).Algorithm.Equals(OiwObjectIdentifiers.IdSha1)) { EssCertID essCertID = new EssCertID( ((IBlockResult)calculator.GetResult()).Collect(), isIssuerSerialIncluded ? new IssuerSerial( new GeneralNames( new GeneralName(assocCert.IssuerDN)), new DerInteger(assocCert.SerialNumber)) : null); this.signerInfoGenerator = signerInfoGen.NewBuilder() .WithSignedAttributeGenerator(new TableGen(signerInfoGen, essCertID)) .Build(signerInfoGen.contentSigner, signerInfoGen.certificate); } else { AlgorithmIdentifier digestAlgID = new AlgorithmIdentifier( ((AlgorithmIdentifier)digestCalculator.AlgorithmDetails).Algorithm); EssCertIDv2 essCertID = new EssCertIDv2( ((IBlockResult)calculator.GetResult()).Collect(), isIssuerSerialIncluded ? new IssuerSerial( new GeneralNames( new GeneralName(assocCert.IssuerDN)), new DerInteger(assocCert.SerialNumber)) : null); this.signerInfoGenerator = signerInfoGen.NewBuilder() .WithSignedAttributeGenerator(new TableGen2(signerInfoGen, essCertID)) .Build(signerInfoGen.contentSigner, signerInfoGen.certificate); } } catch (Exception ex) { throw new TspException("Exception processing certificate", ex); } }
public virtual IList GetExtensionOids() { return(TspUtil.GetExtensionOids(this.extensions)); }
public virtual global::System.Collections.IList GetExtensionOids() { return(TspUtil.GetExtensionOids(extensions)); }
internal static IDigest CreateDigestInstance(string digestAlgOID) { string digestAlgName = TspUtil.GetDigestAlgName(digestAlgOID); return(DigestUtilities.GetDigest(digestAlgName)); }