/**
* create with a signer with extra signed/unsigned attributes.
*/
public TimeStampTokenGenerator(
AsymmetricKeyParameter key,
X509Certificate cert,
string digestOID,
string tsaPolicyOID,
Asn1.Cms.AttributeTable signedAttr,
Asn1.Cms.AttributeTable unsignedAttr)
{
this.key = key;
this.cert = cert;
this.digestOID = digestOID;
this.tsaPolicyOID = tsaPolicyOID;
this.unsignedAttr = unsignedAttr;
TspUtil.ValidateCertificate(cert);
//
// Add the ESSCertID attribute
//
IDictionary signedAttrs;
if (signedAttr != null)
{
signedAttrs = signedAttr.ToDictionary();
}
else
{
signedAttrs = Platform.CreateHashtable();
}
try
{
byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded());
EssCertID essCertid = new EssCertID(hash);
Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute(
PkcsObjectIdentifiers.IdAASigningCertificate,
new DerSet(new SigningCertificate(essCertid)));
signedAttrs[attr.AttrType] = attr;
}
catch (CertificateEncodingException e)
{
throw new TspException("Exception processing certificate.", e);
}
catch (SecurityUtilityException e)
{
throw new TspException("Can't find a SHA-1 implementation.", e);
}
this.signedAttr = new Asn1.Cms.AttributeTable(signedAttrs);
}
public bool Match(
// Certificate cert)
X509Certificate x509Cert)
{
// if (!(cert is X509Certificate))
// {
// return false;
// }
//
// X509Certificate x509Cert = (X509Certificate)cert;
try
{
if (holder.BaseCertificateID != null)
{
return holder.BaseCertificateID.Serial.Value.Equals(x509Cert.SerialNumber)
&& MatchesDN(PrincipalUtilities.GetIssuerX509Principal(x509Cert), holder.BaseCertificateID.Issuer);
}
if (holder.EntityName != null)
{
if (MatchesDN(PrincipalUtilities.GetSubjectX509Principal(x509Cert), holder.EntityName))
{
return true;
}
}
if (holder.ObjectDigestInfo != null)
{
IDigest md = null;
try
{
md = DigestUtilities.GetDigest(DigestAlgorithm);
}
catch (Exception)
{
return false;
}
switch (DigestedObjectType)
{
case ObjectDigestInfo.PublicKey:
{
// TODO: DSA Dss-parms
//byte[] b = x509Cert.GetPublicKey().getEncoded();
// TODO Is this the right way to encode?
byte[] b = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(
x509Cert.GetPublicKey()).GetEncoded();
md.BlockUpdate(b, 0, b.Length);
break;
}
case ObjectDigestInfo.PublicKeyCert:
{
byte[] b = x509Cert.GetEncoded();
md.BlockUpdate(b, 0, b.Length);
break;
}
// TODO Default handler?
}
// TODO Shouldn't this be the other way around?
if (!Arrays.AreEqual(DigestUtilities.DoFinal(md), GetObjectDigest()))
{
return false;
}
}
}
catch (CertificateEncodingException)
{
return false;
}
return false;
}
/**
* Validate the time stamp token.
* <p>
* To be valid the token must be signed by the passed in certificate and
* the certificate must be the one referred to by the SigningCertificate
* attribute included in the hashed attributes of the token. The
* certificate must also have the ExtendedKeyUsageExtension with only
* KeyPurposeID.IdKPTimeStamping and have been valid at the time the
* timestamp was created.
* </p>
* <p>
* A successful call to validate means all the above are true.
* </p>
*/
public void Validate(
X509Certificate cert)
{
try
{
byte[] hash = DigestUtilities.CalculateDigest(
certID.GetHashAlgorithm(), cert.GetEncoded());
if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), hash))
{
throw new TspValidationException("certificate hash does not match certID hash.");
}
if (certID.IssuerSerial != null)
{
if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber))
{
throw new TspValidationException("certificate serial number does not match certID for signature.");
}
GeneralName[] names = certID.IssuerSerial.Issuer.GetNames();
X509Name principal = PrincipalUtilities.GetIssuerX509Principal(cert);
bool found = false;
for (int i = 0; i != names.Length; i++)
{
if (names[i].TagNo == 4
&& X509Name.GetInstance(names[i].Name).Equivalent(principal))
{
found = true;
break;
}
}
if (!found)
{
throw new TspValidationException("certificate name does not match certID for signature. ");
}
}
TspUtil.ValidateCertificate(cert);
cert.CheckValidity(tstInfo.GenTime);
if (!tsaSignerInfo.Verify(cert))
{
throw new TspValidationException("signature not created by certificate.");
}
}
catch (CmsException e)
{
if (e.InnerException != null)
{
throw new TspException(e.Message, e.InnerException);
}
throw new TspException("CMS exception: " + e, e);
}
catch (CertificateEncodingException e)
{
throw new TspException("problem processing certificate: " + e, e);
}
catch (SecurityUtilityException e)
{
throw new TspException("cannot find algorithm: " + e.Message, e);
}
}
/**
* Return a DERObject containing the encoded certificate.
*
* @param cert the X509Certificate object to be encoded
*
* @return the DERObject
**/
private Asn1Object ToAsn1Object(
X509Certificate cert)
{
try
{
return Asn1Object.FromByteArray(cert.GetEncoded());
}
catch (Exception e)
{
throw new CertificateEncodingException("Exception while encoding certificate", e);
}
}
