/**
* Generic validate function. Validates known types of xml signature.
* @param fileName name of the signature file to be validated
*/
public static void validate(String fileName)
{
Context context = new Context(Conn.ROOT_DIR + "efatura\\config\\");
// add external resolver to resolve policies
context.addExternalResolver(getPolicyResolver());
XMLSignature signature = XMLSignature.parse(
new FileDocument(new FileInfo(fileName)),
context);
ECertificate cert = signature.SigningCertificate;
ValidationSystem vs;
if (cert.isMaliMuhurCertificate())
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy-malimuhur.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
vs = CertificateValidation.createValidationSystem(policy);
context.setCertValidationSystem(vs);
}
else
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
vs = CertificateValidation.createValidationSystem(policy);
context.setCertValidationSystem(vs);
}
// no params, use the certificate in key info
ValidationResult result = signature.verify();
String sonuc = result.toXml();
Console.WriteLine(result.toXml());
// Assert.True(result.Type == ValidationResultType.VALID,"Cant verify " + fileName);
UnsignedSignatureProperties usp = signature.QualifyingProperties.UnsignedSignatureProperties;
if (usp != null)
{
IList <XMLSignature> counterSignatures = usp.AllCounterSignatures;
foreach (XMLSignature counterSignature in counterSignatures)
{
ValidationResult counterResult = signature.verify();
Console.WriteLine(counterResult.toXml());
//Assert.True(counterResult.Type == ValidationResultType.VALID,
// "Cant verify counter signature" + fileName + " : "+counterSignature.Id);
}
}
}
public void ValidateSelfSignedAllowedNoViolation()
{
var path = Path.Combine(Environment.CurrentDirectory, "security", "TestValidationCertificate.pfx");
var certificate = new X509Certificate2(path, "abc123");
var chain = X509Chain.Create();
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
chain.Build(certificate);
var isValid = CertificateValidation.CertificateValidationCallBackAllowsSelfSigned(this, certificate, chain, SslPolicyErrors.None);
Assert.IsTrue(isValid, "The certificate is expected to pass validation");
}
/**
* Validates given certificate
*/
public static Boolean validateCertificate(ECertificate certificate)
{
try
{
ValidationSystem vs;
// generate policy which going to be used in validation
if (certificate.isMaliMuhurCertificate())
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy-malimuhur.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
vs = CertificateValidation.createValidationSystem(policy);
}
else
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
vs = CertificateValidation.createValidationSystem(policy);
}
vs.setBaseValidationTime(DateTime.UtcNow);
// validate certificate
CertificateStatusInfo csi = CertificateValidation.validateCertificate(vs, certificate);
// return true if certificate is valid, false otherwise
if (csi.getCertificateStatus() != CertificateStatus.VALID)
{
return(false);
}
else if (csi.getCertificateStatus() == CertificateStatus.VALID)
{
return(true);
}
}
catch (Exception e)
{
throw new Exception("An error occured while validating certificate", e);
}
return(false);
}
/// <summary>
/// GGets the auth token in a Membership Provider scennario.
/// </summary>
/// <param name="membershipAuthSiteEndpoint">The membership auth site endpoint.</param>
/// <param name="userName">Name of the user.</param>
/// <param name="password">The password.</param>
/// <param name="certificateValidation">Enable/Disable certificate validation.</param>
/// <returns>
/// string token from the membership site
/// </returns>
public static string GetMembershipAuthToken(string membershipAuthSiteEndpoint, string userName, string password, CertificateValidation certificateValidation)
{
string token = null;
token = GetMembershipTokenHelper(membershipAuthSiteEndpoint, userName, password, certificateValidation);
return(token);
}
/// <summary>
/// Gets the membership token.
/// </summary>
/// <param name="authSiteEndPoint">The auth site end point.</param>
/// <param name="userName">Name of the user.</param>
/// <param name="password">The password.</param>
/// <param name="certificateValidation">The certificate validation is enabled by default. users can disable this manually.</param>
/// <returns>string token from the membership site</returns>
private static string GetMembershipTokenHelper(string authSiteEndPoint, string userName, string password, CertificateValidation certificateValidation = CertificateValidation.Enable)
{
var identityProviderEndpoint = new EndpointAddress(new Uri(authSiteEndPoint + "/wstrust/issue/usernamemixed"));
var identityProviderBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
identityProviderBinding.Security.Message.EstablishSecurityContext = false;
identityProviderBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
identityProviderBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
var trustChannelFactory = new WSTrustChannelFactory(identityProviderBinding, identityProviderEndpoint)
{
TrustVersion = TrustVersion.WSTrust13,
};
////This line is only if we're using self-signed certs in the installation
if (certificateValidation == CertificateValidation.Disable)
{
trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication()
{
CertificateValidationMode = X509CertificateValidationMode.None
};
}
trustChannelFactory.Credentials.SupportInteractive = false;
trustChannelFactory.Credentials.UserName.UserName = userName;
trustChannelFactory.Credentials.UserName.Password = password;
var channel = trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue)
{
AppliesTo = new EndpointReference("http://azureservices/TenantSite"),
TokenType = "urn:ietf:params:oauth:token-type:jwt",
KeyType = KeyTypes.Bearer,
};
RequestSecurityTokenResponse rstr = null;
SecurityToken token = null;
token = channel.Issue(rst, out rstr);
var tokenString = (token as GenericXmlSecurityToken).TokenXml.InnerText;
var jwtString = Encoding.UTF8.GetString(Convert.FromBase64String(tokenString));
return(jwtString);
}
private static uint HandleEventPeerCertificateReceived(State state, ref ConnectionEvent connectionEvent)
{
SslPolicyErrors sslPolicyErrors = SslPolicyErrors.None;
X509Chain? chain = null;
X509Certificate2? certificate = null;
X509Certificate2Collection?additionalCertificates = null;
try
{
if (connectionEvent.Data.PeerCertificateReceived.PlatformCertificateHandle != IntPtr.Zero)
{
if (OperatingSystem.IsWindows())
{
certificate = new X509Certificate2(connectionEvent.Data.PeerCertificateReceived.PlatformCertificateHandle);
}
else
{
unsafe
{
ReadOnlySpan <QuicBuffer> quicBuffer = new ReadOnlySpan <QuicBuffer>((void *)connectionEvent.Data.PeerCertificateReceived.PlatformCertificateHandle, sizeof(QuicBuffer));
certificate = new X509Certificate2(new ReadOnlySpan <byte>(quicBuffer[0].Buffer, (int)quicBuffer[0].Length));
if (connectionEvent.Data.PeerCertificateReceived.PlatformCertificateChainHandle != IntPtr.Zero)
{
quicBuffer = new ReadOnlySpan <QuicBuffer>((void *)connectionEvent.Data.PeerCertificateReceived.PlatformCertificateChainHandle, sizeof(QuicBuffer));
if (quicBuffer[0].Length != 0 && quicBuffer[0].Buffer != null)
{
additionalCertificates = new X509Certificate2Collection();
additionalCertificates.Import(new ReadOnlySpan <byte>(quicBuffer[0].Buffer, (int)quicBuffer[0].Length));
}
}
}
}
}
if (certificate == null)
{
if (NetEventSource.Log.IsEnabled() && state.RemoteCertificateRequired)
{
NetEventSource.Error(state, $"{state.TraceId} Remote certificate required, but no remote certificate received");
}
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
chain = new X509Chain();
chain.ChainPolicy.RevocationMode = state.RevocationMode;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.ApplicationPolicy.Add(state.IsServer ? s_clientAuthOid : s_serverAuthOid);
if (additionalCertificates != null && additionalCertificates.Count > 1)
{
chain.ChainPolicy.ExtraStore.AddRange(additionalCertificates);
}
sslPolicyErrors |= CertificateValidation.BuildChainAndVerifyProperties(chain, certificate, true, state.IsServer, state.TargetHost);
}
if (!state.RemoteCertificateRequired)
{
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNotAvailable;
}
state.RemoteCertificate = certificate;
if (state.RemoteCertificateValidationCallback != null)
{
bool success = state.RemoteCertificateValidationCallback(state, certificate, chain, sslPolicyErrors);
// Unset the callback to prevent multiple invocations of the callback per a single connection.
// Return the same value as the custom callback just did.
state.RemoteCertificateValidationCallback = (_, _, _, _) => success;
if (!success && NetEventSource.Log.IsEnabled())
{
NetEventSource.Error(state, $"{state.TraceId} Remote certificate rejected by verification callback");
}
if (!success)
{
throw new AuthenticationException(SR.net_quic_cert_custom_validation);
}
return(MsQuicStatusCodes.Success);
}
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(state, $"{state.TraceId} Certificate validation for '${certificate?.Subject}' finished with ${sslPolicyErrors}");
}
if (sslPolicyErrors != SslPolicyErrors.None)
{
throw new AuthenticationException(SR.Format(SR.net_quic_cert_chain_validation, sslPolicyErrors));
}
return(MsQuicStatusCodes.Success);
}
catch (Exception ex)
{
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Error(state, $"{state.TraceId} Certificate validation failed ${ex.Message}");
}
throw;
}
}
private static bool VerifyCertChain(SafeX509StoreCtxHandle storeCtx, EasyRequest easy)
{
IntPtr leafCertPtr = Interop.Crypto.X509StoreCtxGetTargetCert(storeCtx);
if (leafCertPtr == IntPtr.Zero)
{
EventSourceTrace("Invalid certificate pointer", easy: easy);
return(false);
}
X509Certificate2[] otherCerts = null;
int otherCertsCount = 0;
var leafCert = new X509Certificate2(leafCertPtr);
try
{
// We need to respect the user's server validation callback if there is one. If there isn't one,
// we can start by first trying to use OpenSSL's verification, though only if CRL checking is disabled,
// as OpenSSL doesn't do that.
if (easy._handler.ServerCertificateCustomValidationCallback == null &&
!easy._handler.CheckCertificateRevocationList)
{
// Start by using the default verification provided directly by OpenSSL.
// If it succeeds in verifying the cert chain, we're done. Employing this instead of
// our custom implementation will need to be revisited if we ever decide to introduce a
// "disallowed" store that enables users to "untrust" certs the system trusts.
int sslResult = Interop.Crypto.X509VerifyCert(storeCtx);
if (sslResult == 1)
{
return(true);
}
// X509_verify_cert can return < 0 in the case of programmer error
Debug.Assert(sslResult == 0, "Unexpected error from X509_verify_cert: " + sslResult);
}
// Either OpenSSL verification failed, or there was a server validation callback
// or certificate revocation checking was enabled. Either way, fall back to manual
// and more expensive verification that includes checking the user's certs (not
// just the system store ones as OpenSSL does).
using (var chain = new X509Chain())
{
chain.ChainPolicy.RevocationMode = easy._handler.CheckCertificateRevocationList ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
using (SafeSharedX509StackHandle extraStack = Interop.Crypto.X509StoreCtxGetSharedUntrusted(storeCtx))
{
if (extraStack.IsInvalid)
{
otherCerts = Array.Empty <X509Certificate2>();
}
else
{
int extraSize = Interop.Crypto.GetX509StackFieldCount(extraStack);
otherCerts = new X509Certificate2[extraSize];
for (int i = 0; i < extraSize; i++)
{
IntPtr certPtr = Interop.Crypto.GetX509StackField(extraStack, i);
if (certPtr != IntPtr.Zero)
{
X509Certificate2 cert = new X509Certificate2(certPtr);
otherCerts[otherCertsCount++] = cert;
chain.ChainPolicy.ExtraStore.Add(cert);
}
}
}
}
var serverCallback = easy._handler._serverCertificateValidationCallback;
if (serverCallback == null)
{
SslPolicyErrors errors = CertificateValidation.BuildChainAndVerifyProperties(chain, leafCert,
checkCertName: false, hostName: null); // libcurl already verifies the host name
return(errors == SslPolicyErrors.None);
}
else
{
// Authenticate the remote party: (e.g. when operating in client mode, authenticate the server).
chain.ChainPolicy.ApplicationPolicy.Add(s_serverAuthOid);
SslPolicyErrors errors = CertificateValidation.BuildChainAndVerifyProperties(chain, leafCert,
checkCertName: true, hostName: easy._requestMessage.RequestUri.Host); // we disabled automatic host verification, so we do it here
return(serverCallback(easy._requestMessage, leafCert, chain, errors));
}
}
}
finally
{
for (int i = 0; i < otherCertsCount; i++)
{
otherCerts[i].Dispose();
}
leafCert.Dispose();
}
}
private static unsafe int HandleEventPeerCertificateReceived(State state, ref QUIC_CONNECTION_EVENT connectionEvent)
{
SslPolicyErrors sslPolicyErrors = SslPolicyErrors.None;
X509Chain? chain = null;
X509Certificate2? certificate = null;
X509Certificate2Collection?additionalCertificates = null;
IntPtr certificateBuffer = IntPtr.Zero;
int certificateLength = 0;
try
{
IntPtr certificateHandle = (IntPtr)connectionEvent.PEER_CERTIFICATE_RECEIVED.Certificate;
if (certificateHandle != IntPtr.Zero)
{
if (OperatingSystem.IsWindows())
{
certificate = new X509Certificate2(certificateHandle);
}
else
{
unsafe
{
QUIC_BUFFER *certBuffer = (QUIC_BUFFER *)certificateHandle;
certificate = new X509Certificate2(new ReadOnlySpan <byte>(certBuffer->Buffer, (int)certBuffer->Length));
certificateBuffer = (IntPtr)certBuffer->Buffer;
certificateLength = (int)certBuffer->Length;
IntPtr chainHandle = (IntPtr)connectionEvent.PEER_CERTIFICATE_RECEIVED.Chain;
if (chainHandle != IntPtr.Zero)
{
QUIC_BUFFER *chainBuffer = (QUIC_BUFFER *)chainHandle;
if (chainBuffer->Length != 0 && chainBuffer->Buffer != null)
{
additionalCertificates = new X509Certificate2Collection();
additionalCertificates.Import(new ReadOnlySpan <byte>(chainBuffer->Buffer, (int)chainBuffer->Length));
}
}
}
}
}
if (certificate == null)
{
if (NetEventSource.Log.IsEnabled() && state.RemoteCertificateRequired)
{
NetEventSource.Error(state, $"{state.Handle} Remote certificate required, but no remote certificate received");
}
sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
}
else
{
chain = new X509Chain();
chain.ChainPolicy.RevocationMode = state.RevocationMode;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
chain.ChainPolicy.ApplicationPolicy.Add(state.IsServer ? s_clientAuthOid : s_serverAuthOid);
if (additionalCertificates != null && additionalCertificates.Count > 1)
{
chain.ChainPolicy.ExtraStore.AddRange(additionalCertificates);
}
sslPolicyErrors |= CertificateValidation.BuildChainAndVerifyProperties(chain, certificate, true, state.IsServer, state.TargetHost, certificateBuffer, certificateLength);
}
if (!state.RemoteCertificateRequired)
{
sslPolicyErrors &= ~SslPolicyErrors.RemoteCertificateNotAvailable;
}
state.RemoteCertificate = certificate;
if (state.RemoteCertificateValidationCallback != null)
{
bool success = state.RemoteCertificateValidationCallback(state, certificate, chain, sslPolicyErrors);
// Unset the callback to prevent multiple invocations of the callback per a single connection.
// Return the same value as the custom callback just did.
state.RemoteCertificateValidationCallback = (_, _, _, _) => success;
if (!success && NetEventSource.Log.IsEnabled())
{
NetEventSource.Error(state, $"{state.Handle} Remote certificate rejected by verification callback");
}
if (!success)
{
if (state.IsServer)
{
return(QUIC_STATUS_USER_CANCELED);
}
throw new AuthenticationException(SR.net_quic_cert_custom_validation);
}
return(QUIC_STATUS_SUCCESS);
}
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Info(state, $"{state.Handle} Certificate validation for '${certificate?.Subject}' finished with ${sslPolicyErrors}");
}
if (sslPolicyErrors != SslPolicyErrors.None)
{
if (state.IsServer)
{
return(QUIC_STATUS_HANDSHAKE_FAILURE);
}
throw new AuthenticationException(SR.Format(SR.net_quic_cert_chain_validation, sslPolicyErrors));
}
return(QUIC_STATUS_SUCCESS);
}
catch (Exception ex)
{
if (NetEventSource.Log.IsEnabled())
{
NetEventSource.Error(state, $"{state.Handle} Certificate validation failed ${ex.Message}");
}
throw;
}
}
private static int VerifyCertChain(IntPtr storeCtxPtr, IntPtr curlPtr)
{
EasyRequest easy;
if (!TryGetEasyRequest(curlPtr, out easy))
{
EventSourceTrace("Could not find associated easy request: {0}", curlPtr);
return(0);
}
using (var storeCtx = new SafeX509StoreCtxHandle(storeCtxPtr, ownsHandle: false))
{
IntPtr leafCertPtr = Interop.Crypto.X509StoreCtxGetTargetCert(storeCtx);
if (IntPtr.Zero == leafCertPtr)
{
EventSourceTrace("Invalid certificate pointer");
return(0);
}
using (X509Certificate2 leafCert = new X509Certificate2(leafCertPtr))
{
// Set up the CBT with this certificate.
easy._requestContentStream?.SetChannelBindingToken(leafCert);
// We need to respect the user's server validation callback if there is one. If there isn't one,
// we can start by first trying to use OpenSSL's verification, though only if CRL checking is disabled,
// as OpenSSL doesn't do that.
if (easy._handler.ServerCertificateValidationCallback == null &&
!easy._handler.CheckCertificateRevocationList)
{
// Start by using the default verification provided directly by OpenSSL.
// If it succeeds in verifying the cert chain, we're done. Employing this instead of
// our custom implementation will need to be revisited if we ever decide to introduce a
// "disallowed" store that enables users to "untrust" certs the system trusts.
int sslResult = Interop.Crypto.X509VerifyCert(storeCtx);
if (sslResult == 1)
{
return(1);
}
// X509_verify_cert can return < 0 in the case of programmer error
Debug.Assert(sslResult == 0, "Unexpected error from X509_verify_cert: " + sslResult);
}
// Either OpenSSL verification failed, or there was a server validation callback.
// Either way, fall back to manual and more expensive verification that includes
// checking the user's certs (not just the system store ones as OpenSSL does).
X509Certificate2[] otherCerts;
int otherCertsCount = 0;
bool success;
using (X509Chain chain = new X509Chain())
{
chain.ChainPolicy.RevocationMode = easy._handler.CheckCertificateRevocationList ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
using (SafeSharedX509StackHandle extraStack = Interop.Crypto.X509StoreCtxGetSharedUntrusted(storeCtx))
{
if (extraStack.IsInvalid)
{
otherCerts = Array.Empty <X509Certificate2>();
}
else
{
int extraSize = Interop.Crypto.GetX509StackFieldCount(extraStack);
otherCerts = new X509Certificate2[extraSize];
for (int i = 0; i < extraSize; i++)
{
IntPtr certPtr = Interop.Crypto.GetX509StackField(extraStack, i);
if (certPtr != IntPtr.Zero)
{
X509Certificate2 cert = new X509Certificate2(certPtr);
otherCerts[otherCertsCount++] = cert;
chain.ChainPolicy.ExtraStore.Add(cert);
}
}
}
}
var serverCallback = easy._handler._serverCertificateValidationCallback;
if (serverCallback == null)
{
SslPolicyErrors errors = CertificateValidation.BuildChainAndVerifyProperties(chain, leafCert,
checkCertName: false, hostName: null); // libcurl already verifies the host name
success = errors == SslPolicyErrors.None;
}
else
{
SslPolicyErrors errors = CertificateValidation.BuildChainAndVerifyProperties(chain, leafCert,
checkCertName: true, hostName: easy._requestMessage.RequestUri.Host); // we disabled automatic host verification, so we do it here
try
{
success = serverCallback(easy._requestMessage, leafCert, chain, errors);
}
catch (Exception exc)
{
EventSourceTrace("Server validation callback threw exception: {0}", exc);
easy.FailRequest(exc);
success = false;
}
}
}
for (int i = 0; i < otherCertsCount; i++)
{
otherCerts[i].Dispose();
}
return(success ? 1 : 0);
}
}
}
/// <summary>
/// GGets the auth token in a Membership Provider scennario.
/// </summary>
/// <param name="membershipAuthSiteEndpoint">The membership auth site endpoint.</param>
/// <param name="userName">Name of the user.</param>
/// <param name="password">The password.</param>
/// <param name="certificateValidation">Enable/Disable certificate validation.</param>
/// <returns>
/// string token from the membership site
/// </returns>
public static string GetMembershipAuthToken(string membershipAuthSiteEndpoint, string userName, string password, CertificateValidation certificateValidation)
{
string token = null;
token = GetMembershipTokenHelper(membershipAuthSiteEndpoint, userName, password, certificateValidation);
return token;
}
/// <summary>
/// Gets the membership token.
/// </summary>
/// <param name="authSiteEndPoint">The auth site end point.</param>
/// <param name="userName">Name of the user.</param>
/// <param name="password">The password.</param>
/// <param name="certificateValidation">The certificate validation is enabled by default. users can disable this manually.</param>
/// <returns>string token from the membership site</returns>
private static string GetMembershipTokenHelper(string authSiteEndPoint, string userName, string password, CertificateValidation certificateValidation = CertificateValidation.Enable)
{
var identityProviderEndpoint = new EndpointAddress(new Uri(authSiteEndPoint + "/wstrust/issue/usernamemixed"));
var identityProviderBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
identityProviderBinding.Security.Message.EstablishSecurityContext = false;
identityProviderBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
identityProviderBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
var trustChannelFactory = new WSTrustChannelFactory(identityProviderBinding, identityProviderEndpoint)
{
TrustVersion = TrustVersion.WSTrust13,
};
////This line is only if we're using self-signed certs in the installation
if (certificateValidation == CertificateValidation.Disable)
{
trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = new X509ServiceCertificateAuthentication() { CertificateValidationMode = X509CertificateValidationMode.None };
}
trustChannelFactory.Credentials.SupportInteractive = false;
trustChannelFactory.Credentials.UserName.UserName = userName;
trustChannelFactory.Credentials.UserName.Password = password;
var channel = trustChannelFactory.CreateChannel();
var rst = new RequestSecurityToken(RequestTypes.Issue)
{
AppliesTo = new EndpointReference("http://azureservices/TenantSite"),
TokenType = "urn:ietf:params:oauth:token-type:jwt",
KeyType = KeyTypes.Bearer,
};
RequestSecurityTokenResponse rstr = null;
SecurityToken token = null;
token = channel.Issue(rst, out rstr);
var tokenString = (token as GenericXmlSecurityToken).TokenXml.InnerText;
var jwtString = Encoding.UTF8.GetString(Convert.FromBase64String(tokenString));
return jwtString;
}
static Emailer()
{
CertificateValidation.RegisterCallback(EmailerCertCallback);
}
public static bool createEnvelopedBes(string pinNo, string signXML, String outXML, bool bInTest)
{
bool res = false;
cardPinNo = pinNo;
TestEnvelopedSignatureInitialize();
try
{
// here is our custom envelope xml
// XmlDocument envelopeDoc = newEnvelope("edefter.xml");
XmlDocument envelopeDoc = Conn.newEnvelope(signXML);
XmlElement exts = (XmlElement)envelopeDoc.GetElementsByTagName("ext:UBLExtensions").Item(0);
XmlElement ext = (XmlElement)exts.GetElementsByTagName("ext:UBLExtension").Item(0);
XmlElement extContent = (XmlElement)ext.GetElementsByTagName("ext:ExtensionContent").Item(0);
UriBuilder ub = new UriBuilder(Conn.ROOT_DIR + "efatura\\config\\");
// create context with working dir
Context context = new Context(ub.Uri);
//UriBuilder ub2 = new UriBuilder(Conn.ROOT_DIR + "efatura\\config\\xmlsignature-config.xml");
context.Config = new Config(Conn.ROOT_DIR + "efatura\\config\\xmlsignature-config.xml");
// define where signature belongs to
context.Document = envelopeDoc;
// create signature according to context,
// with default type (XADES_BES)
XMLSignature signature = new XMLSignature(context, false);
String setID = "Signature_" + envelopeDoc.GetElementsByTagName("cbc:ID").Item(0).InnerText;
signature.Id = setID;
signature.SigningTime = DateTime.Now;
// attach signature to envelope
//envelopeDoc.DocumentElement.AppendChild(signature.Element);
extContent.AppendChild(signature.Element);
//add transforms for efatura
Transforms transforms = new Transforms(context);
transforms.addTransform(new Transform(context, TransformType.ENVELOPED.Url));
// add document as reference,
//signature.addDocument("#data1", "text/xml", false);
signature.addDocument("", "text/xml", transforms, DigestMethod.SHA_256, false);
ECertificate certificate = SmartCardManager.getInstance().getEInvoiceCertificate(cardPinNo);// getSignatureCertificate(true, false);
if (certificate.isMaliMuhurCertificate())
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy-malimuhur.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
ValidationSystem vs = CertificateValidation.createValidationSystem(policy);
context.setCertValidationSystem(vs);
}
else
{
ValidationPolicy policy = new ValidationPolicy();
String policyPath = Conn.ROOT_DIR + "efatura\\config\\certval-policy.xml";
policy = PolicyReader.readValidationPolicy(policyPath);
ValidationSystem vs = CertificateValidation.createValidationSystem(policy);
context.setCertValidationSystem(vs);
}
if (CertValidation.validateCertificate(certificate) || bInTest)
{
BaseSigner signer = SmartCardManager.getInstance().getSigner(cardPinNo, certificate);
X509Certificate2 msCert = certificate.asX509Certificate2();
signature.addKeyInfo(msCert.PublicKey.Key);
signature.addKeyInfo(certificate);
KeyInfo keyInfo = signature.createOrGetKeyInfo();
int elementCount = keyInfo.ElementCount;
for (int k = 0; k < elementCount; k++)
{
KeyInfoElement kiElement = keyInfo.get(k);
if (kiElement.GetType().IsAssignableFrom(typeof(X509Data)))
{
X509Data x509Data = (X509Data)kiElement;
X509SubjectName x509SubjectName = new X509SubjectName(context,
certificate.getSubject().stringValue());
x509Data.add(x509SubjectName);
break;
}
}
//signature.addKeyInfo(certificate);
signature.SignedInfo.CanonicalizationMethod = C14nMethod.EXCLUSIVE_WITH_COMMENTS;
signature.sign(signer);
// this time we dont use signature.write because we need to write
// whole document instead of signature
using (Stream s = new FileStream(outXML, FileMode.Create))
{
try
{
envelopeDoc.Save(s);
s.Flush();
s.Close();
res = true;
}
catch (Exception e)
{
res = false;
MessageBox.Show("Dosya kaydedilirken hata oluştu " + e.Message.ToString());
s.Close();
}
}
}
}
catch (Exception e)
{
res = false;
MessageBox.Show("Hata Oluştu \r\n" + e.Message.ToString());
}
return(res);
}
static MonitorControlService()
{
CertificateValidation.RegisterCallback(CertificateValidation.DoNotValidate_ValidationCallback);
}
