public void Test4_2()
{
byte[] data = GetRfc4134Data("4.2.bin");
CmsSignedData signedData = new CmsSignedData(data);
VerifySignatures(signedData);
CmsSignedDataParser parser = new CmsSignedDataParser(data);
VerifySignatures(parser);
}
public void Test4_3()
{
CmsProcessableByteArray unencap = new CmsProcessableByteArray(exContent);
byte[] data = GetRfc4134Data("4.3.bin");
CmsSignedData signedData = new CmsSignedData(unencap, data);
VerifySignatures(signedData, sha1);
CmsSignedDataParser parser = new CmsSignedDataParser(
new CmsTypedStream(unencap.GetInputStream()), data);
VerifySignatures(parser);
}
public void Test4_4()
{
byte[] data = GetRfc4134Data("4.4.bin");
byte[] counterSigCert = GetRfc4134Data("AliceRSASignByCarl.cer");
CmsSignedData signedData = new CmsSignedData(data);
VerifySignatures(signedData, sha1);
VerifySignerInfo4_4(GetFirstSignerInfo(signedData.GetSignerInfos()), counterSigCert);
CmsSignedDataParser parser = new CmsSignedDataParser(data);
VerifySignatures(parser);
VerifySignerInfo4_4(GetFirstSignerInfo(parser.GetSignerInfos()), counterSigCert);
}
private static Signature GenerateSignatureWithNoCertificates(Signature signature)
{
var certificateStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Certificate>()));
var crlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(Array.Empty <Org.BouncyCastle.X509.X509Crl>()));
var bytes = signature.SignedCms.Encode();
using (var readStream = new MemoryStream(bytes))
using (var writeStream = new MemoryStream())
{
CmsSignedDataParser.ReplaceCertificatesAndCrls(
readStream,
certificateStore,
crlStore,
certificateStore,
writeStream);
return(Signature.Load(writeStream.ToArray()));
}
}
private void VerifySignatures(CmsSignedDataParser sp)
{
CmsTypedStream sc = sp.GetSignedContent();
if (sc != null)
{
sc.Drain();
}
IX509Store x509Certs = sp.GetCertificates("Collection");
SignerInformationStore signers = sp.GetSignerInfos();
foreach (SignerInformation signer in signers.GetSigners())
{
ICollection certCollection = x509Certs.GetMatches(signer.SignerID);
IEnumerator certEnum = certCollection.GetEnumerator();
certEnum.MoveNext();
X509Certificate cert = (X509Certificate)certEnum.Current;
VerifySigner(signer, cert);
}
}
private async Task <dynamic> GetAxInfoData(string url)
{
var resp = await url.GetStringAsync();
var signedData = Convert.FromBase64String(resp);
var parser = new CmsSignedDataParser(signedData);
var stream = parser.GetSignedContent().ContentStream;
var doc = XDocument.Load(stream);
return(doc.Root.Elements("object")
.GroupBy(x => x.Element("objectName").Value)
.Select(g => g.First())
.Select(x => new {
allowrun = true,
allowrundomains = "",
backupurl = x.Element("backupURL").Value,
block = false,
browsertype = x.Element("browserType").Value,
browserversion = -1,
description = "",
displayname = x.Element("displayName").Value,
downloadurl = x.Element("downloadURL").Value,
forceinstall = false,
installstate = true,
killbit = false,
localversion = x.Element("objectVersion").Value,
objectclsid = x.Element("objectMIMEType").Value,
objectname = x.Element("objectName").Value,
objecttype = 0,
objectversion = x.Element("objectVersion").Value,
policydisable = false,
systemtype = x.Element("systemType").Value,
updatestate = false,
version = 0,
}));
}
private void VerifySignatures(
CmsSignedDataParser sp,
byte[] contentDigest)
{
IX509Store certStore = sp.GetCertificates("Collection");
SignerInformationStore signers = sp.GetSignerInfos();
foreach (SignerInformation signer in signers.GetSigners())
{
ICollection certCollection = certStore.GetMatches(signer.SignerID);
IEnumerator certEnum = certCollection.GetEnumerator();
certEnum.MoveNext();
X509Certificate cert = (X509Certificate)certEnum.Current;
Assert.IsTrue(signer.Verify(cert));
if (contentDigest != null)
{
Assert.IsTrue(Arrays.AreEqual(contentDigest, signer.GetContentDigest()));
}
}
}
public void TestSha1WithRsaEncapsulatedSubjectKeyID()
{
IList certList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private,
CmsTestUtil.CreateSubjectKeyId(OrigCert.GetPublicKey()).GetKeyIdentifier(),
CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, true);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
byte[] contentDigest = (byte[])gen.GetGeneratedDigests()[CmsSignedGenerator.DigestSha1];
ArrayList signers = new ArrayList(sp.GetSignerInfos().GetSigners());
AttributeTable table = ((SignerInformation)signers[0]).SignedAttributes;
Asn1.Cms.Attribute hash = table[CmsAttributes.MessageDigest];
Assert.IsTrue(Arrays.AreEqual(contentDigest, ((Asn1OctetString)hash.AttrValues[0]).GetOctets()));
//
// try using existing signer
//
gen = new CmsSignedDataStreamGenerator();
gen.AddSigners(sp.GetSignerInfos());
// gen.AddCertificatesAndCRLs(sp.getCertificatesAndCRLs("Collection", "BC"));
gen.AddCertificates(sp.GetCertificates("Collection"));
bOut.SetLength(0);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedData sd = new CmsSignedData(new CmsProcessableByteArray(testBytes), bOut.ToArray());
Assert.AreEqual(1, sd.GetSignerInfos().GetSigners().Count);
VerifyEncodedData(bOut);
}
public void TestSha1WithRsaEncapsulatedBuffered()
{
IList certList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
//
// find unbuffered length
//
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, true);
for (int i = 0; i != 2000; i++)
{
sigOut.WriteByte((byte)(i & 0xff));
}
sigOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
int unbufferedLength = bOut.ToArray().Length;
//
// find buffered length - buffer size less than default
//
bOut.SetLength(0);
gen = new CmsSignedDataStreamGenerator();
gen.SetBufferSize(300);
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
sigOut = gen.Open(bOut, true);
for (int i = 0; i != 2000; i++)
{
sigOut.WriteByte((byte)(i & 0xff));
}
sigOut.Close();
VerifyEncodedData(bOut);
Assert.IsTrue(unbufferedLength < bOut.ToArray().Length);
}
public void TestSha1WithRsaEncapsulatedBufferedStream()
{
IList certList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
//
// find unbuffered length
//
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, true);
for (int i = 0; i != 2000; i++)
{
sigOut.WriteByte((byte)(i & 0xff));
}
sigOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(bOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
int unbufferedLength = bOut.ToArray().Length;
//
// find buffered length with buffered stream - should be equal
//
bOut.SetLength(0);
gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
sigOut = gen.Open(bOut, true);
byte[] data = new byte[2000];
for (int i = 0; i != 2000; i++)
{
data[i] = (byte)(i & 0xff);
}
Streams.PipeAll(new MemoryStream(data, false), sigOut);
sigOut.Close();
VerifyEncodedData(bOut);
Assert.AreEqual(unbufferedLength, bOut.ToArray().Length);
}
public void TestSha1WithRsa()
{
IList certList = new ArrayList();
IList crlList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
crlList.Add(SignCrl);
crlList.Add(OrigCrl);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509Crls = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
gen.AddCrls(x509Crls);
Stream sigOut = gen.Open(bOut);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
CmsSignedDataParser sp = new CmsSignedDataParser(
new CmsTypedStream(new MemoryStream(testBytes, false)), bOut.ToArray());
sp.GetSignedContent().Drain();
//
// compute expected content digest
//
IDigest md = DigestUtilities.GetDigest("SHA1");
md.BlockUpdate(testBytes, 0, testBytes.Length);
byte[] hash = DigestUtilities.DoFinal(md);
VerifySignatures(sp, hash);
//
// try using existing signer
//
gen = new CmsSignedDataStreamGenerator();
gen.AddSigners(sp.GetSignerInfos());
gen.AddCertificates(sp.GetCertificates("Collection"));
gen.AddCrls(sp.GetCrls("Collection"));
bOut.SetLength(0);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
VerifyEncodedData(bOut);
//
// look for the CRLs
//
ArrayList col = new ArrayList(x509Crls.GetMatches(null));
Assert.AreEqual(2, col.Count);
Assert.IsTrue(col.Contains(SignCrl));
Assert.IsTrue(col.Contains(OrigCrl));
}
private void VerifySignatures(
CmsSignedDataParser sp)
{
VerifySignatures(sp, null);
}
public void TestSha1WithRsa()
{
IList certList = new ArrayList();
IList crlList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
crlList.Add(SignCrl);
crlList.Add(OrigCrl);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509Crls = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
gen.AddCrls(x509Crls);
Stream sigOut = gen.Open(bOut);
CmsCompressedDataStreamGenerator cGen = new CmsCompressedDataStreamGenerator();
Stream cOut = cGen.Open(sigOut, CmsCompressedDataStreamGenerator.ZLib);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
cOut.Write(testBytes, 0, testBytes.Length);
cOut.Close();
sigOut.Close();
CheckSigParseable(bOut.ToArray());
// generate compressed stream
MemoryStream cDataOut = new MemoryStream();
cOut = cGen.Open(cDataOut, CmsCompressedDataStreamGenerator.ZLib);
cOut.Write(testBytes, 0, testBytes.Length);
cOut.Close();
CmsSignedDataParser sp = new CmsSignedDataParser(
new CmsTypedStream(new MemoryStream(cDataOut.ToArray(), false)), bOut.ToArray());
sp.GetSignedContent().Drain();
//
// compute expected content digest
//
IDigest md = DigestUtilities.GetDigest("SHA1");
byte[] cDataOutBytes = cDataOut.ToArray();
md.BlockUpdate(cDataOutBytes, 0, cDataOutBytes.Length);
byte[] hash = DigestUtilities.DoFinal(md);
VerifySignatures(sp, hash);
}
protected void Complete(Level?level, Stream embedded, Stream signed, Stream content, X509Certificate2 providedSigner, out TimemarkKey timemarkKey)
{
#if NETFRAMEWORK
trace.TraceEvent(TraceEventType.Information, 0, "Completing the message with of {0} bytes to level {1}", signed.Length, level);
#else
logger.LogInformation("Completing the message with of {0} bytes to level {1}", signed.Length, level);
#endif
//Create the objects we need
var gen = new CmsSignedDataStreamGenerator();
var parser = new CmsSignedDataParser(signed);
timemarkKey = new TimemarkKey();
//preset the digests so we can add the signers afterwards
gen.AddDigests(parser.DigestOids);
//Copy the content to the output
Stream contentOut = gen.Open(embedded, parser.SignedContentType.Id, true);
if (content != null)
{
content.CopyTo(contentOut);
}
else
{
parser.GetSignedContent().ContentStream.CopyTo(contentOut);
}
//Extract the various data from outer layer
SignerInformation signerInfo = ExtractSignerInfo(parser);
IX509Store embeddedCerts = parser.GetCertificates("Collection");
//Extract the various data from signer info
timemarkKey.SignatureValue = signerInfo.GetSignature();
timemarkKey.SigningTime = ExtractSigningTime(signerInfo);
timemarkKey.Signer = ExtractSignerCert(embeddedCerts, signerInfo, providedSigner);
if (timemarkKey.Signer != null)
{
timemarkKey.SignerId = DotNetUtilities.FromX509Certificate(timemarkKey.Signer).GetSubjectKeyIdentifier();
}
else
{
timemarkKey.SignerId = signerInfo.SignerID.ExtractSignerId();
}
//Extract the various data from unsiged attributes of signer info
IDictionary unsignedAttributes = signerInfo.UnsignedAttributes != null?signerInfo.UnsignedAttributes.ToDictionary() : new Hashtable();
TimeStampToken tst = ExtractTimestamp(unsignedAttributes);
RevocationValues revocationInfo = ExtractRevocationInfo(unsignedAttributes);
//quick check for an expected error and extrapolate some info
if (timemarkKey.SignerId == null)
{
#if NETFRAMEWORK
trace.TraceEvent(TraceEventType.Error, 0, "We could not find any signer information");
#else
logger.LogError("We could not find any signer information");
#endif
throw new InvalidMessageException("The message does not contain any valid signer info");
}
if (timemarkKey.SigningTime == default && tst != null)
{
#if NETFRAMEWORK
trace.TraceEvent(TraceEventType.Information, 0, "Implicit signing time is replaced with time-stamp time {1}", tst.TimeStampInfo.GenTime);
#else
logger.LogInformation("Implicit signing time is replaced with time-stamp time {1}", tst.TimeStampInfo.GenTime);
#endif
timemarkKey.SigningTime = tst.TimeStampInfo.GenTime;
}
//Are we missing embedded certs and should we add them?
if ((embeddedCerts == null || embeddedCerts.GetMatches(null).Count <= 1) &&
timemarkKey.Signer != null &&
level != null)
{
embeddedCerts = GetEmbeddedCerts(timemarkKey);
}
if (embeddedCerts != null)
{
gen.AddCertificates(embeddedCerts); //add the existing or new embedded certs to the output.
}
//Are we missing timestamp and should we add them (not that time-mark authorities do not require a timestamp provider)
if (tst == null &&
(level & Level.T_Level) == Level.T_Level && timestampProvider != null)
{
tst = GetTimestamp(timemarkKey);
AddTimestamp(unsignedAttributes, tst);
}
//should be make sure we have the proper revocation info (it is hard to tell if we have everything, just go for it)
if ((level & Level.L_Level) == Level.L_Level)
{
if (embeddedCerts != null && embeddedCerts.GetMatches(null).Count > 0)
{
//extend the revocation info with info about the embedded certs
revocationInfo = GetRevocationValues(timemarkKey, embeddedCerts, revocationInfo);
}
if (tst != null)
{
//extend the revocation info with info about the TST
revocationInfo = GetRevocationValues(tst, revocationInfo);
}
//update the unsigned attributes
AddRevocationValues(unsignedAttributes, revocationInfo);
}
//Update the unsigned attributes of the signer info
signerInfo = SignerInformation.ReplaceUnsignedAttributes(signerInfo, new BC::Asn1.Cms.AttributeTable(unsignedAttributes));
//Copy the signer
gen.AddSigners(new SignerInformationStore(new SignerInformation[] { signerInfo }));
contentOut.Close();
}
private void VerifySignatures(CmsSignedDataParser sp)
{
CmsTypedStream sc = sp.GetSignedContent();
if (sc != null)
{
sc.Drain();
}
IX509Store x509Certs = sp.GetCertificates("Collection");
SignerInformationStore signers = sp.GetSignerInfos();
foreach (SignerInformation signer in signers.GetSigners())
{
ICollection certCollection = x509Certs.GetMatches(signer.SignerID);
IEnumerator certEnum = certCollection.GetEnumerator();
certEnum.MoveNext();
X509Certificate cert = (X509Certificate)certEnum.Current;
VerifySigner(signer, cert);
}
}
public static SignerInformation GetSigner(CmsSignedDataParser cms, SignerID id) => GetSignerInfoByEnumeration(cms.GetSignerInfos(), id) ?? GetSignerInfoByGetFirst(cms.GetSignerInfos(), id);
public void TestEncapsulatedSignerStoreReplacement()
{
IList certList = new ArrayList();
MemoryStream bOut = new MemoryStream();
certList.Add(OrigCert);
certList.Add(SignCert);
IX509Store x509Certs = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, true);
byte[] testBytes = Encoding.ASCII.GetBytes(TestMessage);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
//
// create new Signer
//
MemoryStream original = new MemoryStream(bOut.ToArray(), false);
bOut.SetLength(0);
gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
gen.AddCertificates(x509Certs);
sigOut = gen.Open(bOut, true);
sigOut.Write(testBytes, 0, testBytes.Length);
sigOut.Close();
CmsSignedData sd = new CmsSignedData(bOut.ToArray());
//
// replace signer
//
MemoryStream newOut = new MemoryStream();
CmsSignedDataParser.ReplaceSigners(original, sd.GetSignerInfos(), newOut);
sd = new CmsSignedData(newOut.ToArray());
IEnumerator signerEnum = sd.GetSignerInfos().GetSigners().GetEnumerator();
signerEnum.MoveNext();
SignerInformation signer = (SignerInformation)signerEnum.Current;
Assert.AreEqual(signer.DigestAlgOid, CmsSignedDataStreamGenerator.DigestSha224);
CmsSignedDataParser sp = new CmsSignedDataParser(newOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
}
public void TestSignerStoreReplacement()
{
MemoryStream bOut = new MemoryStream();
byte[] data = Encoding.ASCII.GetBytes(TestMessage);
IX509Store x509Certs = CmsTestUtil.MakeCertStore(OrigCert, SignCert);
CmsSignedDataStreamGenerator gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha1);
gen.AddCertificates(x509Certs);
Stream sigOut = gen.Open(bOut, false);
sigOut.Write(data, 0, data.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
//
// create new Signer
//
MemoryStream original = new MemoryStream(bOut.ToArray(), false);
bOut.SetLength(0);
gen = new CmsSignedDataStreamGenerator();
gen.AddSigner(OrigKP.Private, OrigCert, CmsSignedDataStreamGenerator.DigestSha224);
gen.AddCertificates(x509Certs);
sigOut = gen.Open(bOut);
sigOut.Write(data, 0, data.Length);
sigOut.Close();
CheckSigParseable(bOut.ToArray());
CmsSignedData sd = new CmsSignedData(bOut.ToArray());
//
// replace signer
//
MemoryStream newOut = new MemoryStream();
CmsSignedDataParser.ReplaceSigners(original, sd.GetSignerInfos(), newOut);
sd = new CmsSignedData(new CmsProcessableByteArray(data), newOut.ToArray());
IEnumerator signerEnum = sd.GetSignerInfos().GetSigners().GetEnumerator();
signerEnum.MoveNext();
SignerInformation signer = (SignerInformation)signerEnum.Current;
Assert.AreEqual(signer.DigestAlgOid, CmsSignedDataStreamGenerator.DigestSha224);
CmsSignedDataParser sp = new CmsSignedDataParser(new CmsTypedStream(
new MemoryStream(data, false)), newOut.ToArray());
sp.GetSignedContent().Drain();
VerifySignatures(sp);
}
