private static bool ValidateSignatures(Package package)
{
var signatureManager = new PackageDigitalSignatureManager(package);
bool isSigned = signatureManager.IsSigned;
var verifyResult = signatureManager.VerifySignatures(true);
return(isSigned && verifyResult == VerifyResult.Success);
}
public static VerifyResult VerifySignature(OpenXmlPackage openXmlPackage)
{
if (openXmlPackage == null)
{
throw new ArgumentNullException(nameof(openXmlPackage));
}
var dsm = new PackageDigitalSignatureManager(openXmlPackage.Package);
return(dsm.VerifySignatures(true));
}
/// <summary>
/// Main signing process
/// </summary>
/// <param name="package"></param>
/// <returns></returns>
private bool SignAllParts(Package package)
{
if (package == null)
{
throw new ArgumentNullException("SignAllParts(package)");
}
// Create the DigitalSignature Manager
PackageDigitalSignatureManager dsm =
new PackageDigitalSignatureManager(package);
dsm.CertificateOption =
CertificateEmbeddingOption.InSignaturePart;
// Create a list of all the part URIs in the package to sign
// (GetParts() also includes PackageRelationship parts).
System.Collections.Generic.List <Uri> toSign =
new System.Collections.Generic.List <Uri>();
foreach (PackagePart packagePart in package.GetParts())
{
// Add all package parts to the list for signing.
toSign.Add(packagePart.Uri);
}
// Add the URI for SignatureOrigin PackageRelationship part.
// The SignatureOrigin relationship is created when Sign() is called.
// Signing the SignatureOrigin relationship disables counter-signatures.
toSign.Add(PackUriHelper.GetRelationshipPartUri(dsm.SignatureOrigin));
// Also sign the SignatureOrigin part.
toSign.Add(dsm.SignatureOrigin);
// Add the package relationship to the signature origin to be signed.
toSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
// Sign() will prompt the user to select a Certificate to sign with.
try
{
var cert = new X509Certificate2(this.CertificatePath, (String.IsNullOrEmpty(this.CertificatePassword) ? null : this.CertificatePassword));
dsm.Sign(toSign, cert);
}
// If there are no certificates or the SmartCard manager is
// not running, catch the exception and show an error message.
catch (CryptographicException ex)
{
Console.WriteLine(
"Cannot Sign: {0}", ex.Message);
}
return(dsm.IsSigned && dsm.VerifySignatures(true) == VerifyResult.Success);
}// end:SignAllParts()
public static Package Verify(this Package package)
{
if (!IsSigned(package))
{
return(package);
}
// Create the PackageDigitalSignatureManager
var dsm = new PackageDigitalSignatureManager(package)
{
HashAlgorithm = "http://www.w3.org/2001/04/xmlenc#sha256"
};
// Verify the collection of certificates in the package (one, in this case)
foreach (PackageDigitalSignature signature in dsm.Signatures)
{
var x = PackageDigitalSignatureManager.VerifyCertificate(signature.Signer);
if (x == X509ChainStatusFlags.NoError)
{
continue;
}
// If the certificate has expired, but signature is created while the certificate was valid, we accept it
else if (x == X509ChainStatusFlags.NotTimeValid)
{
var signer = signature.Signer as X509Certificate2;
if (signer != null &&
signature.SigningTime >= signer.NotBefore &&
signature.SigningTime <= signer.NotAfter)
{
continue;
}
}
throw new Exception(string.Format("Certificate validation failed : {0}", x));
}
// If all certificates are valid, verify all signatures in the package.
VerifyResult vResult = dsm.VerifySignatures(false);
//Retrieve innerPackage/originalPackage
var innerPackageName = GetInnerPackageName();
var uriString = "/" + innerPackageName + ".pgx";
var packagePart = package.GetPart(new Uri(uriString, UriKind.Relative));
var stream = packagePart.GetStream();
var originalPackage = Package.Open(stream);
return(originalPackage);
}
/// <summary>
/// Signs all parts of the VSIX file
/// </summary>
/// <param name="vsixFileName">The file path of the VSIX file</param>
/// <param name="pfxFileName">The file path of the certificate</param>
/// <param name="password">The password for the certificate</param>
/// <returns>True if the file has been signed, false otherwise</returns>
private bool SignVSIXFile(string vsixFileName, string pfxFileName, string password)
{
if (File.Exists(vsixFileName) == false)
{
this.LogBuildError("VSIX file doesn't exist");
return(false);
}
if (File.Exists(pfxFileName) == false)
{
this.LogBuildError("Certificate file doesn't exist");
return(false);
}
LogBuildMessage(string.Format("Signing {0} ", Path.GetFileName(vsixFileName)), BuildMessageImportance.High);
using (var package = Package.Open(vsixFileName, FileMode.Open))
{
var packageSignatureManager = new PackageDigitalSignatureManager(package)
{
CertificateOption = CertificateEmbeddingOption.InSignaturePart
};
var partsToSign = package.GetParts().Select(packagePart => packagePart.Uri).ToList();
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(packageSignatureManager.SignatureOrigin));
partsToSign.Add(packageSignatureManager.SignatureOrigin);
partsToSign.Add(PackUriHelper.GetRelationshipPartUri(new Uri("/", UriKind.RelativeOrAbsolute)));
try
{
packageSignatureManager.Sign(partsToSign, new System.Security.Cryptography.X509Certificates.X509Certificate2(pfxFileName, password));
}
catch (System.Security.Cryptography.CryptographicException ex)
{
this.LogBuildError("Error Signing File " + ex.Message);
return(false);
}
return(packageSignatureManager.IsSigned && packageSignatureManager.VerifySignatures(true) == VerifyResult.Success);
}
}
public async Task ShouldSupportReSigningWithDifferentCertificate()
{
string path;
using (var package = ShadowCopyPackage(SamplePackage, out path, OpcPackageFileMode.ReadWrite))
{
var signerBuilder = package.CreateSignatureBuilder();
signerBuilder.EnqueueNamedPreset <VSIXSignatureBuilderPreset>();
await signerBuilder.SignAsync(
new CertificateSignConfigurationSet
{
PkcsDigestAlgorithm = HashAlgorithmName.SHA1,
FileDigestAlgorithm = HashAlgorithmName.SHA1,
SigningCertificate = new X509Certificate2(@"certs\rsa-2048-sha1.pfx", "test")
}
);
}
using (var package = OpcPackage.Open(path, OpcPackageFileMode.ReadWrite))
{
var signerBuilder = package.CreateSignatureBuilder();
signerBuilder.EnqueueNamedPreset <VSIXSignatureBuilderPreset>();
await signerBuilder.SignAsync(
new CertificateSignConfigurationSet
{
PkcsDigestAlgorithm = HashAlgorithmName.SHA256,
FileDigestAlgorithm = HashAlgorithmName.SHA256,
SigningCertificate = new X509Certificate2(@"certs\rsa-2048-sha256.pfx", "test")
}
);
}
using (var netfxPackage = Package.Open(path, FileMode.Open))
{
var signatureManager = new PackageDigitalSignatureManager(netfxPackage);
Assert.Equal(VerifyResult.Success, signatureManager.VerifySignatures(true));
if (signatureManager.Signatures.Count != 1 || signatureManager.Signatures[0].SignedParts.Count != netfxPackage.GetParts().Count() - 1)
{
Assert.True(false, "Missing parts");
}
var packageSignature = signatureManager.Signatures[0];
Assert.Equal(OpcKnownUris.SignatureAlgorithms.rsaSHA256.AbsoluteUri, packageSignature.Signature.SignedInfo.SignatureMethod);
}
}
/// <summary>
/// Checks the signatures in the package
/// </summary>
/// <param name="packagePath"></param>
/// <param name="certificatesStatus">Status of the certificate (dictionary with the subject and
/// verification status of the certificates) </param>
/// <returns></returns>
private static VerifyResult VerifySignatures(
string packagePath, out Dictionary <string, X509ChainStatusFlags> certificatesStatus)
{
VerifyResult vResult;
certificatesStatus = new Dictionary <string, X509ChainStatusFlags>();
using (Package package = Package.Open(packagePath, FileMode.Open, FileAccess.Read))
{
PackageDigitalSignatureManager dsm = new PackageDigitalSignatureManager(package);
// Verify the collection of certificates in the package
foreach (PackageDigitalSignature signature in dsm.Signatures)
{
certificatesStatus.Add(
signature.Signer.Subject, PackageDigitalSignatureManager.VerifyCertificate(signature.Signer));
}
// For this example, if all certificates are valid, verify all signatures in the package.
vResult = dsm.VerifySignatures(false);
}
return(vResult);
}
public async Task ShouldSignWithAzureCertificateAndTimestamp()
{
var creds = TestAzureCredentials.Credentials;
string path;
using (var package = ShadowCopyPackage(SamplePackage, out path, OpcPackageFileMode.ReadWrite))
{
var builder = package.CreateSignatureBuilder();
builder.EnqueueNamedPreset <VSIXSignatureBuilderPreset>();
var signature = await builder.SignAsync(
new AzureKeyVaultSignConfigurationSet
{
FileDigestAlgorithm = HashAlgorithmName.SHA256,
PkcsDigestAlgorithm = HashAlgorithmName.SHA256,
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureKeyVaultUrl = creds.AzureKeyVaultUrl,
AzureKeyVaultCertificateName = creds.AzureKeyVaultCertificateName
}
);
Assert.NotNull(signature);
var timestampBuilder = signature.CreateTimestampBuilder();
var timestampServer = new Uri("http://timestamp.digicert.com", UriKind.Absolute);
var result = await timestampBuilder.SignAsync(timestampServer, HashAlgorithmName.SHA256);
}
using (var netfxPackage = Package.Open(path, FileMode.Open))
{
var signatureManager = new PackageDigitalSignatureManager(netfxPackage);
Assert.Equal(VerifyResult.Success, signatureManager.VerifySignatures(true));
if (signatureManager.Signatures.Count != 1 || signatureManager.Signatures[0].SignedParts.Count != netfxPackage.GetParts().Count() - 1)
{
Assert.True(false, "Missing parts");
}
var packageSignature = signatureManager.Signatures[0];
var expectedAlgorithm = OpcKnownUris.SignatureAlgorithms.rsaSHA256.AbsoluteUri;
Assert.Equal(expectedAlgorithm, packageSignature.Signature.SignedInfo.SignatureMethod);
}
}
private static bool ValidateSignatures(Package package)
{
if (package == null)
{
throw new ArgumentNullException("ValidateSignatures(package)");
}
var dsm = new PackageDigitalSignatureManager(package);
bool result = dsm.IsSigned;
if (result)
{
result = result && ValidatePackageCertificates(dsm);
if (result)
{
VerifyResult verifyResult = dsm.VerifySignatures(false);
result = result && verifyResult == VerifyResult.Success;
}
}
return(result);
}
/// <summary>
/// Validates the Package Digital Signatures
/// </summary>
/// <returns>
/// True if the Package is Valid;
/// False is the Package is Invalid.
/// </returns>
public bool Validate()
{
if (DocumentType.Equals(Types.XpsDocument))
{
int validate = 0;
foreach (XpsDigitalSignature digitalSignature in
xpsDocument.Signatures)
{
// Verify the signature object, if present.
if (digitalSignature.Verify() ==
VerifyResult.Success)
{
//Signature is valid
}
else
{
//Signature is not valid
InvalidDigitalSignatureHolderNames.Add(digitalSignature.SignerCertificate.Subject.Replace("CN=", ""));
InvalidDigitalSignatureHolderNames.Add(digitalSignature.SignedDocumentSequence.Uri.ToString());
InvalidDigitalSignatureHolderNames.Add(digitalSignature.SigningTime.ToString());
InvalidDigitalSignatureHolderNames.Add(digitalSignature.SignerCertificate.Issuer.Replace("CN=", ""));
validate = 1;
}
}
if (validate == 1)
{
return(false);
}
else
{
return(true);
}
}
else if (DocumentType.Equals(Types.PdfDocument))
{
if (this.pdfSignatureList != null)
{
foreach (CertificadoDigital.Signature sig in this.pdfSignatureList)
{
if (!sig.Valid)
{
return(false);
}
}
return(true);
}
else
{
return(false);
}
}
else
{
if (package == null)
{
throw new ArgumentNullException("ValidateSignatures(package)");
}
PackageDigitalSignatureManager dsm =
new PackageDigitalSignatureManager(package);
dsm.InvalidSignatureEvent += new InvalidSignatureEventHandler(dsm_InvalidSignatureEvent);
//Checking for Signatures
if (!dsm.IsSigned)
{
return(false);
}
VerifyResult result = dsm.VerifySignatures(false);
if (result != VerifyResult.Success)
{
return(false);
}
return(true);
}
}
public static VerifyResult VerifySignature(Package package)
{
var dsm = new PackageDigitalSignatureManager(package);
return(dsm.VerifySignatures(true));
}
