/** * Check this response against to see if it a well formed response for * the passed in request. Validation will include checking the time stamp * token if the response status is GRANTED or GRANTED_WITH_MODS. * * @param request the request to be checked against * @throws TspException if the request can not match this response. */ public void Validate( TimeStampRequest request) { TimeStampToken tok = this.TimeStampToken; if (tok != null) { TimeStampTokenInfo tstInfo = tok.TimeStampInfo; if (request.Nonce != null && !request.Nonce.Equals(tstInfo.Nonce)) { throw new TspValidationException("response contains wrong nonce value."); } if (this.Status != (int)PkiStatus.Granted && this.Status != (int)PkiStatus.GrantedWithMods) { throw new TspValidationException("time stamp token found in failed request."); } if (!Arrays.ConstantTimeAreEqual(request.GetMessageImprintDigest(), tstInfo.GetMessageImprintDigest())) { throw new TspValidationException("response for different message imprint digest."); } if (!tstInfo.MessageImprintAlgOid.Equals(request.MessageImprintAlgOid)) { throw new TspValidationException("response for different message imprint algorithm."); } Attribute scV1 = tok.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificate]; Attribute scV2 = tok.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificateV2]; if (scV1 == null && scV2 == null) { throw new TspValidationException("no signing certificate attribute present."); } if (scV1 != null && scV2 != null) { /* * RFC 5035 5.4. If both attributes exist in a single message, * they are independently evaluated. */ } if (request.ReqPolicy != null && !request.ReqPolicy.Equals(tstInfo.Policy)) { throw new TspValidationException("TSA policy wrong for request."); } } else if (this.Status == (int)PkiStatus.Granted || this.Status == (int)PkiStatus.GrantedWithMods) { throw new TspValidationException("no time stamp token found and one expected."); } }
/** * create with a signer with extra signed/unsigned attributes. */ public TimeStampTokenGenerator( AsymmetricKeyParameter key, X509Certificate cert, string digestOID, string tsaPolicyOID, AttributeTable signedAttr, AttributeTable unsignedAttr) { this.key = key; this.cert = cert; this.digestOID = digestOID; this.tsaPolicyOID = tsaPolicyOID; this.unsignedAttr = unsignedAttr; TspUtil.ValidateCertificate(cert); // // Add the ESSCertID attribute // IDictionary signedAttrs; if (signedAttr != null) { signedAttrs = signedAttr.ToDictionary(); } else { signedAttrs = Platform.CreateHashtable(); } try { byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded()); EssCertID essCertid = new EssCertID(hash); Attribute attr = new Attribute( PkcsObjectIdentifiers.IdAASigningCertificate, new DerSet(new SigningCertificate(essCertid))); signedAttrs[attr.AttrType] = attr; } catch (CertificateEncodingException e) { throw new TspException("Exception processing certificate.", e); } catch (SecurityUtilityException e) { throw new TspException("Can't find a SHA-1 implementation.", e); } this.signedAttr = new AttributeTable(signedAttrs); }
public TimeStampToken( CmsSignedData signedData) { this.tsToken = signedData; if (!this.tsToken.SignedContentType.Equals(PkcsObjectIdentifiers.IdCTTstInfo)) { throw new TspValidationException("ContentInfo object not for a time stamp."); } ICollection signers = tsToken.GetSignerInfos().GetSigners(); if (signers.Count != 1) { throw new ArgumentException("Time-stamp token signed by " + signers.Count + " signers, but it must contain just the TSA signature."); } IEnumerator signerEnum = signers.GetEnumerator(); signerEnum.MoveNext(); tsaSignerInfo = (SignerInformation)signerEnum.Current; try { CmsProcessable content = tsToken.SignedContent; MemoryStream bOut = new MemoryStream(); content.Write(bOut); this.tstInfo = new TimeStampTokenInfo( TstInfo.GetInstance( Asn1Object.FromByteArray(bOut.ToArray()))); Attribute attr = tsaSignerInfo.SignedAttributes[ PkcsObjectIdentifiers.IdAASigningCertificate]; // if (attr == null) // { // throw new TspValidationException( // "no signing certificate attribute found, time stamp invalid."); // } // // SigningCertificate signCert = SigningCertificate.GetInstance( // attr.AttrValues[0]); // // this.certID = EssCertID.GetInstance(signCert.GetCerts()[0]); if (attr != null) { SigningCertificate signCert = SigningCertificate.GetInstance(attr.AttrValues[0]); this.certID = new CertID(EssCertID.GetInstance(signCert.GetCerts()[0])); } else { attr = tsaSignerInfo.SignedAttributes[PkcsObjectIdentifiers.IdAASigningCertificateV2]; if (attr == null) { throw new TspValidationException("no signing certificate attribute found, time stamp invalid."); } SigningCertificateV2 signCertV2 = SigningCertificateV2.GetInstance(attr.AttrValues[0]); this.certID = new CertID(EssCertIDv2.GetInstance(signCertV2.GetCerts()[0])); } } catch (CmsException e) { throw new TspException(e.Message, e.InnerException); } }