private void TimeStampCertRefs(SignatureDocument signatureDocument, UpgradeParameters parameters)
{
XmlElement signatureElement = signatureDocument.XadesSignature.GetSignatureElement();
XmlNamespaceManager xmlNamespaceManager = new XmlNamespaceManager(signatureDocument.Document.NameTable);
xmlNamespaceManager.AddNamespace("xades", "http://uri.etsi.org/01903/v1.3.2#");
xmlNamespaceManager.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
XmlNode xmlNode = signatureElement.SelectSingleNode("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteCertificateRefs", xmlNamespaceManager);
if (xmlNode == null)
{
signatureDocument.UpdateDocument();
}
ArrayList arrayList = new ArrayList();
arrayList.Add("ds:SignatureValue");
arrayList.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:SignatureTimeStamp");
arrayList.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteCertificateRefs");
arrayList.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteRevocationRefs");
byte[] hash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(signatureDocument.XadesSignature, arrayList), parameters.DigestMethod);
byte[] timeStamp = parameters.TimeStampClient.GetTimeStamp(hash, parameters.DigestMethod, true);
TimeStamp timeStamp2 = new TimeStamp("SigAndRefsTimeStamp");
timeStamp2.Id = "SigAndRefsStamp-" + signatureDocument.XadesSignature.Signature.Id;
timeStamp2.EncapsulatedTimeStamp.PkiData = timeStamp;
timeStamp2.EncapsulatedTimeStamp.Id = "SigAndRefsStamp-" + Guid.NewGuid().ToString();
UnsignedProperties unsignedProperties = signatureDocument.XadesSignature.UnsignedProperties;
unsignedProperties.UnsignedSignatureProperties.RefsOnlyTimeStampFlag = false;
unsignedProperties.UnsignedSignatureProperties.SigAndRefsTimeStampCollection.Add(timeStamp2);
signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;
}
private byte[] getSignatureInput(byte[] aData)
{
DigestAlg digestAlg = null;
String digestAlgStr = null;
try
{
digestAlgStr = Algorithms.getDigestAlgOfSignatureAlg(signatureAlgorithmStr);
digestAlg = DigestAlg.fromName(digestAlgStr);
}
catch (ESYAException e)
{
throw new ESYAException("UnKnown Digest Algorithm", e);
}
catch (Exception aEx)
{
throw new Exception(digestAlg + " algorithm is not supported " + aEx.Message.ToString());
}
byte[] messageHash = DigestUtil.digest(digestAlg, aData);
byte[] hashPrefix = getPrefixForDigestAlg(digestAlgStr);
byte[] realHashstruct = new byte[hashPrefix.Length + messageHash.Length];
Array.Copy(hashPrefix, 0, realHashstruct, 0,
hashPrefix.Length);
Array.Copy(messageHash, 0, realHashstruct, hashPrefix.Length,
messageHash.Length);
return(realHashstruct);
}
public void Upgrade(SignatureDocument signatureDocument, UpgradeParameters parameters)
{
UnsignedProperties unsignedProperties = signatureDocument.XadesSignature.UnsignedProperties;
try
{
if (unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
throw new Exception("La firma ya contiene un sello de tiempo");
}
ArrayList arrayList = new ArrayList();
arrayList.Add("ds:SignatureValue");
byte[] hash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(signatureDocument.XadesSignature, arrayList), parameters.DigestMethod);
byte[] timeStamp = parameters.TimeStampClient.GetTimeStamp(hash, parameters.DigestMethod, true);
TimeStamp timeStamp2 = new TimeStamp("SignatureTimeStamp");
timeStamp2.Id = "SignatureTimeStamp-" + signatureDocument.XadesSignature.Signature.Id;
timeStamp2.EncapsulatedTimeStamp.PkiData = timeStamp;
timeStamp2.EncapsulatedTimeStamp.Id = "SignatureTimeStamp-" + Guid.NewGuid().ToString();
unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Add(timeStamp2);
signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;
signatureDocument.UpdateDocument();
}
catch (Exception innerException)
{
throw new Exception("Ha ocurrido un error al insertar el sellado de tiempo.", innerException);
}
}
public ValidationResult Validate(SignatureDocument sigDocument)
{
ValidationResult validationResult = new ValidationResult();
try
{
sigDocument.XadesSignature.CheckXmldsigSignature();
}
catch (Exception)
{
validationResult.IsValid = false;
validationResult.Message = "La verificación de la firma no ha sido satisfactoria";
return(validationResult);
}
if (sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
TimeStamp timeStamp = sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0];
TimeStampToken timeStampToken = new TimeStampToken(new CmsSignedData(timeStamp.EncapsulatedTimeStamp.PkiData));
byte[] messageImprintDigest = timeStampToken.TimeStampInfo.GetMessageImprintDigest();
FirmaXades.Crypto.DigestMethod byOid = FirmaXades.Crypto.DigestMethod.GetByOid(timeStampToken.TimeStampInfo.HashAlgorithm.ObjectID.Id);
ArrayList arrayList = new ArrayList();
arrayList.Add("ds:SignatureValue");
byte[] b = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(sigDocument.XadesSignature, arrayList), byOid);
if (!Arrays.AreEqual(messageImprintDigest, b))
{
validationResult.IsValid = false;
validationResult.Message = "La huella del sello de tiempo no se corresponde con la calculada";
return(validationResult);
}
}
validationResult.IsValid = true;
validationResult.Message = "Verificación de la firma satisfactoria";
return(validationResult);
}
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod)
{
bool byKey = false;
List <string> list = new List <string>();
Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate();
OcspClient ocspClient = new OcspClient();
string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate);
if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl))
{
list.Add(authorityInformationAccessOcspUrl);
}
foreach (string ocspServer in ocspServers)
{
list.Add(ocspServer);
}
foreach (string item in list)
{
byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item);
switch (ocspClient.ProcessOcspResponse(array))
{
case FirmaXades.Clients.CertificateStatus.Revoked:
throw new Exception("Certificado revocado");
case FirmaXades.Clients.CertificateStatus.Good:
{
OcspResp ocspResp = new OcspResp(array);
byte[] encoded = ocspResp.GetEncoded();
BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();
string str = Guid.NewGuid().ToString();
OCSPRef oCSPRef = new OCSPRef();
oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str;
DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest);
ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object();
string responderName = GetResponderName(responderId, ref byKey);
if (!byKey)
{
oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName);
}
else
{
oCSPRef.OCSPIdentifier.ResponderID = responderName;
oCSPRef.OCSPIdentifier.ByKey = true;
}
oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef);
OCSPValue oCSPValue = new OCSPValue();
oCSPValue.PkiData = encoded;
oCSPValue.Id = "OcspValue" + str;
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue);
return((from cert in basicOcspResp.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
}
throw new Exception("El certificado no ha podido ser validado");
}
/// <summary>
/// Insert the certificate in the certificate list and check the certificate validity.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCert"></param>
/// <param name="ocspServers"></param>
/// <param name="crlList"></param>
/// <param name="digestMethod"></param>
/// <param name="addCertificateOcspUrl"></param>
/// <param name="extraCerts"></param>
/// <param name="useNonce">If true then nonce will be used. The ocsp server should support this. OCSP reposnder in Microsoft Windows must be configured explicitly to support nonce.</param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <OcspServer> ocspServers,
IEnumerable <X509Crl> crlList, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, X509Certificate2[] extraCerts = null, bool useNonce = true)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate
{
Id = "Cert" + guidCert,
PkiData = cert.GetRawCertData()
};
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod, addCertificateOcspUrl, useNonce);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(ocspCerts);
if (!EquivalentDN(startOcspCert.IssuerName, enumerator.Current.Certificate.SubjectName))
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, extraCerts);
}
}
public ValidationResult Validate(SignatureDocument sigDocument)
{
/* Los elementos que se validan son:
*
* 1. Las huellas de las referencias de la firma.
* 2. Se comprueba la huella del elemento SignedInfo y se verifica la firma con la clave pública del certificado.
* 3. Si la firma contiene un sello de tiempo se comprueba que la huella de la firma coincide con la del sello de tiempo.
*
* La validación de perfiles -C, -X, -XL y -A esta fuera del ámbito de este proyecto.
*/
ValidationResult result = new ValidationResult();
try
{
// Verifica las huellas de las referencias y la firma
sigDocument.XadesSignature.CheckXmldsigSignature();
}
catch
{
result.IsValid = false;
result.Message = "Signature verification is unsuccessful!";
return(result);
}
if (sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
// Se comprueba el sello de tiempo
TimeStamp timeStamp = sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0];
TimeStampToken token = new TimeStampToken(new CmsSignedData(timeStamp.EncapsulatedTimeStamp.PkiData));
byte[] tsHashValue = token.TimeStampInfo.GetMessageImprintDigest();
Crypto.DigestMethod tsDigestMethod = Crypto.DigestMethod.GetByOid(token.TimeStampInfo.HashAlgorithm.Algorithm.Id);
ArrayList signatureValueElementXpaths = new ArrayList
{
"ds:SignatureValue"
};
byte[] signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(sigDocument.XadesSignature, signatureValueElementXpaths), tsDigestMethod);
if (!Arrays.AreEqual(tsHashValue, signatureValueHash))
{
result.IsValid = false;
result.Message = "La huella del sello de tiempo no se corresponde con la calculada";
return(result);
}
}
result.IsValid = true;
result.Message = "Verificación de la firma satisfactoria";
return(result);
}
private void AddSignatureProperties(SignatureDocument sigDocument, SignedSignatureProperties signedSignatureProperties, SignedDataObjectProperties signedDataObjectProperties, UnsignedSignatureProperties unsignedSignatureProperties, SignatureParameters parameters)
{
var certificateIssuerName = !string.IsNullOrEmpty(parameters.CertificateIssuerName) ?
parameters.CertificateIssuerName : createValidIssuerName(parameters.Signer.Certificate);
Cert cert = new Cert();
cert.IssuerSerial.X509IssuerName = certificateIssuerName;
cert.IssuerSerial.X509SerialNumber = parameters.Signer.Certificate.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(parameters.Signer.Certificate.GetRawCertData(), parameters.DigestMethod, cert.CertDigest);
signedSignatureProperties.SigningCertificate.CertCollection.Add(cert);
if (parameters.SignaturePolicyInfo != null)
{
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyIdentifier))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied = false;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyId.Identifier.IdentifierUri = parameters.SignaturePolicyInfo.PolicyIdentifier;
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyDescription))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyId.Description = parameters.SignaturePolicyInfo.PolicyDescription;
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyUri))
{
SigPolicyQualifier sigPolicyQualifier = new SigPolicyQualifier();
sigPolicyQualifier.AnyXmlElement = sigDocument.Document.CreateElement("SPURI", "http://uri.etsi.org/01903/v1.3.2#");
sigPolicyQualifier.AnyXmlElement.InnerText = parameters.SignaturePolicyInfo.PolicyUri;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyQualifiers.SigPolicyQualifierCollection.Add(sigPolicyQualifier);
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyHash))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestMethod.Algorithm = parameters.SignaturePolicyInfo.PolicyDigestAlgorithm.URI;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestValue = Convert.FromBase64String(parameters.SignaturePolicyInfo.PolicyHash);
}
}
signedSignatureProperties.SigningTime = (parameters.SigningDate.HasValue ? parameters.SigningDate.Value : DateTime.Now);
if (parameters.SignerRole != null && (parameters.SignerRole.CertifiedRoles.Count > 0 || parameters.SignerRole.ClaimedRoles.Count > 0))
{
signedSignatureProperties.SignerRole = new Microsoft.Xades.SignerRole();
foreach (X509Certificate certifiedRole in parameters.SignerRole.CertifiedRoles)
{
signedSignatureProperties.SignerRole.CertifiedRoles.CertifiedRoleCollection.Add(new CertifiedRole
{
PkiData = certifiedRole.GetRawCertData()
});
}
foreach (string claimedRole in parameters.SignerRole.ClaimedRoles)
{
signedSignatureProperties.SignerRole.ClaimedRoles.ClaimedRoleCollection.Add(new ClaimedRole
{
InnerText = claimedRole
});
}
}
}
/// <summary>
/// Inserta en la lista de certificados el certificado y comprueba la valided del certificado.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCertValue"></param>
/// <param name="extraCerts"></param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = CertUtil.HexToDecimal(cert.SerialNumber);
DigestUtil.SetCertDigest(cert.GetRawCertData(), _firma.RefsDigestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + guidCert;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(new List <X509Certificate2>(ocspCerts));
if (startOcspCert.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, extraCerts);
}
}
private bool ValidateCertificateByCRL(UnsignedProperties unsignedProperties, X509Certificate2 certificate, X509Certificate2 issuer,
IEnumerable <X509Crl> crlList, FirmaXadesNet.Crypto.DigestMethod digestMethod)
{
Org.BouncyCastle.X509.X509Certificate clientCert = certificate.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
foreach (var crlEntry in crlList)
{
if (crlEntry.IssuerDN.Equivalent(issuerCert.SubjectDN) && crlEntry.NextUpdate.Value > DateTime.Now)
{
if (!crlEntry.IsRevoked(clientCert))
{
if (!ExistsCRL(unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection,
issuer.Subject))
{
string idCrlValue = "CRLValue-" + Guid.NewGuid().ToString();
CRLRef crlRef = new CRLRef();
crlRef.CRLIdentifier.UriAttribute = "#" + idCrlValue;
crlRef.CRLIdentifier.Issuer = issuer.Subject;
crlRef.CRLIdentifier.IssueTime = crlEntry.ThisUpdate.ToLocalTime();
var crlNumber = GetCRLNumber(crlEntry);
if (crlNumber.HasValue)
{
crlRef.CRLIdentifier.Number = crlNumber.Value;
}
byte[] crlEncoded = crlEntry.GetEncoded();
DigestUtil.SetCertDigest(crlEncoded, digestMethod, crlRef.CertDigest);
CRLValue crlValue = new CRLValue
{
PkiData = crlEncoded,
Id = idCrlValue
};
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection.Add(crlRef);
unsignedProperties.UnsignedSignatureProperties.RevocationValues.CRLValues.CRLValueCollection.Add(crlValue);
}
return(true);
}
else
{
throw new Exception("Certificate revoked");
}
}
}
return(false);
}
private void AddSignatureProperties(SignatureDocument sigDocument, SignedSignatureProperties signedSignatureProperties, SignedDataObjectProperties signedDataObjectProperties,
UnsignedSignatureProperties unsignedSignatureProperties, SignatureParameters parameters)
{
Cert cert;
cert = new Cert();
cert.IssuerSerial.X509IssuerName = parameters.Signer.Certificate.IssuerName.Name;
cert.IssuerSerial.X509SerialNumber = parameters.Signer.Certificate.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(parameters.Signer.Certificate.GetRawCertData(), parameters.DigestMethod, cert.CertDigest);
signedSignatureProperties.SigningCertificate.CertCollection.Add(cert);
if (parameters.SignaturePolicyInfo != null)
{
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyIdentifier))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied = false;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyId.Identifier.IdentifierUri = parameters.SignaturePolicyInfo.PolicyIdentifier;
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyUri))
{
SigPolicyQualifier spq = new SigPolicyQualifier();
spq.AnyXmlElement = sigDocument.Document.CreateElement("SPURI", XadesSignedXml.XadesNamespaceUri);
spq.AnyXmlElement.InnerText = parameters.SignaturePolicyInfo.PolicyUri;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyQualifiers.SigPolicyQualifierCollection.Add(spq);
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyHash))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestMethod.Algorithm = parameters.SignaturePolicyInfo.PolicyDigestAlgorithm.URI;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestValue = Convert.FromBase64String(parameters.SignaturePolicyInfo.PolicyHash);
}
}
signedSignatureProperties.SigningTime = parameters.SigningDate.HasValue ? parameters.SigningDate.Value : DateTime.Now;
if (!string.IsNullOrEmpty(_mimeType))
{
DataObjectFormat newDataObjectFormat = new DataObjectFormat();
newDataObjectFormat.MimeType = _mimeType;
newDataObjectFormat.Encoding = _encoding;
newDataObjectFormat.ObjectReferenceAttribute = "#" + _refContent.Id;
signedDataObjectProperties.DataObjectFormatCollection.Add(newDataObjectFormat);
}
}
private void TimeStampCertRefs(SignatureDocument signatureDocument, UpgradeParameters parameters)
{
TimeStamp xadesXTimeStamp;
ArrayList signatureValueElementXpaths;
byte[] signatureValueHash;
XmlElement nodoFirma = signatureDocument.XadesSignature.GetSignatureElement();
XmlNamespaceManager nm = new XmlNamespaceManager(signatureDocument.Document.NameTable);
nm.AddNamespace("xades", XadesSignedXml.XadesNamespaceUri);
nm.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
XmlNode xmlCompleteCertRefs = nodoFirma.SelectSingleNode("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteCertificateRefs", nm);
if (xmlCompleteCertRefs == null)
{
signatureDocument.UpdateDocument();
}
signatureValueElementXpaths = new ArrayList
{
"ds:SignatureValue",
"ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:SignatureTimeStamp",
"ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteCertificateRefs",
"ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteRevocationRefs"
};
signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(signatureDocument.XadesSignature, signatureValueElementXpaths), parameters.DigestMethod);
byte[] tsa = parameters.TimeStampClient.GetTimeStamp(signatureValueHash, parameters.DigestMethod, true);
xadesXTimeStamp = new TimeStamp("SigAndRefsTimeStamp")
{
Id = "SigAndRefsStamp-" + signatureDocument.XadesSignature.Signature.Id
};
xadesXTimeStamp.EncapsulatedTimeStamp.PkiData = tsa;
xadesXTimeStamp.EncapsulatedTimeStamp.Id = "SigAndRefsStamp-" + Guid.NewGuid().ToString();
UnsignedProperties unsignedProperties = signatureDocument.XadesSignature.UnsignedProperties;
unsignedProperties.UnsignedSignatureProperties.RefsOnlyTimeStampFlag = false;
unsignedProperties.UnsignedSignatureProperties.SigAndRefsTimeStampCollection.Add(xadesXTimeStamp);
signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;
}
/// <summary>
/// The elements that are validated are:
/// 1.The traces of the references of the signature.
/// 2.The trace of the SignedInfo element is verified and the signature is verified with the public key of the ///certificate.
/// 3. If the signature contains a time stamp it is verified that the imprint of the signature coincides with that of the time stamp.
/// The validation of profiles -C, -X, -XL and -A is outside the scope of this project.
/// </summary>
/// <param name="sigDocument"></param>
/// <returns></returns>
public ValidationResult Validate(SignatureDocument sigDocument)
{
ValidationResult result = new ValidationResult();
try
{
// Check the traces of references and signature
sigDocument.XadesSignature.CheckXmldsigSignature();
}
catch
{
result.IsValid = false;
result.Message = "Signature verification is unsuccessful!";
return(result);
}
if (sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
// Check time stamp
TimeStamp timeStamp = sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0];
TimeStampToken token = new TimeStampToken(new CmsSignedData(timeStamp.EncapsulatedTimeStamp.PkiData));
byte[] tsHashValue = token.TimeStampInfo.GetMessageImprintDigest();
Crypto.DigestMethod tsDigestMethod = Crypto.DigestMethod.GetByOid(token.TimeStampInfo.HashAlgorithm.Algorithm.Id);
ArrayList signatureValueElementXpaths = new ArrayList
{
"ds:SignatureValue"
};
byte[] signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(sigDocument.XadesSignature, signatureValueElementXpaths), tsDigestMethod);
if (!Arrays.AreEqual(tsHashValue, signatureValueHash))
{
result.IsValid = false;
result.Message = "The imprint of the time stamp does not correspond with the calculated";
return(result);
}
}
result.IsValid = true;
result.Message = "Signature validated successfully";
return(result);
}
private void AddSignatureProperties(SignedSignatureProperties signedSignatureProperties, SignedDataObjectProperties signedDataObjectProperties,
UnsignedSignatureProperties unsignedSignatureProperties, string mimeType, X509Certificate2 certificado)
{
Cert cert;
cert = new Cert();
cert.IssuerSerial.X509IssuerName = certificado.IssuerName.Name;
cert.IssuerSerial.X509SerialNumber = CertUtil.HexToDecimal(certificado.SerialNumber);
DigestUtil.SetCertDigest(_signCertificate.GetRawCertData(), _refsMethodUri, cert.CertDigest);
signedSignatureProperties.SigningCertificate.CertCollection.Add(cert);
if (!string.IsNullOrEmpty(_policyId))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied = false;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyId.Identifier.IdentifierUri = _policyId;
}
if (!string.IsNullOrEmpty(_policyUri))
{
SigPolicyQualifier spq = new SigPolicyQualifier();
spq.AnyXmlElement = _document.CreateElement("SPURI", XadesSignedXml.XadesNamespaceUri);
spq.AnyXmlElement.InnerText = _policyUri;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyQualifiers.SigPolicyQualifierCollection.Add(spq);
}
if (!string.IsNullOrEmpty(_policyHash))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestMethod.Algorithm = SignedXml.XmlDsigSHA1Url;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestValue = Convert.FromBase64String(PolicyHash);
}
signedSignatureProperties.SigningTime = DateTime.Now;
if (!string.IsNullOrEmpty(mimeType))
{
DataObjectFormat newDataObjectFormat = new DataObjectFormat();
newDataObjectFormat.MimeType = mimeType;
newDataObjectFormat.ObjectReferenceAttribute = "#" + _objectReference;
signedDataObjectProperties.DataObjectFormatCollection.Add(newDataObjectFormat);
}
}
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string str = Guid.NewGuid().ToString();
Cert cert2 = new Cert();
cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest);
cert2.URI = "#Cert" + str;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + str;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chainElements.Count > 1)
{
X509ChainElementEnumerator enumerator = chainElements.GetEnumerator();
enumerator.MoveNext();
enumerator.MoveNext();
if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod))
{
X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod);
if (array != null)
{
X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array));
if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array);
AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts);
}
}
/// <summary>
/// Determina si un certificado ya ha sido añadido a la colección de certificados
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <returns></returns>
private bool CertificateChecked(X509Certificate2 cert, UnsignedProperties unsignedProperties)
{
string certHash = null;
using (var hashAlg = DigestUtil.GetHashAlg(_firma.RefsDigestMethod))
{
certHash = Convert.ToBase64String(hashAlg.ComputeHash(cert.GetRawCertData()));
}
foreach (Cert item in unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection)
{
if (Convert.ToBase64String(item.CertDigest.DigestValue) == certHash)
{
return(true);
}
}
return(false);
}
public void Upgrade(SignatureDocument signatureDocument, UpgradeParameters parameters)
{
TimeStamp signatureTimeStamp;
ArrayList signatureValueElementXpaths;
byte[] signatureValueHash;
UnsignedProperties unsignedProperties = signatureDocument.XadesSignature.UnsignedProperties;
try
{
if (unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
throw new Exception("La firma ya contiene un sello de tiempo");
}
XmlDsigExcC14NTransform excTransform = new XmlDsigExcC14NTransform();
signatureValueElementXpaths = new ArrayList();
signatureValueElementXpaths.Add("ds:SignatureValue");
signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(signatureDocument.XadesSignature, signatureValueElementXpaths, excTransform), parameters.DigestMethod);
byte[] tsa = parameters.TimeStampClient.GetTimeStamp(signatureValueHash, parameters.DigestMethod, true);
signatureTimeStamp = new TimeStamp("SignatureTimeStamp");
signatureTimeStamp.Id = "SignatureTimeStamp-" + signatureDocument.XadesSignature.Signature.Id;
signatureTimeStamp.CanonicalizationMethod = new CanonicalizationMethod();
signatureTimeStamp.CanonicalizationMethod.Algorithm = excTransform.Algorithm;
signatureTimeStamp.EncapsulatedTimeStamp.PkiData = tsa;
signatureTimeStamp.EncapsulatedTimeStamp.Id = "SignatureTimeStamp-" + Guid.NewGuid().ToString();
unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Add(signatureTimeStamp);
signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;
signatureDocument.UpdateDocument();
}
catch (Exception ex)
{
throw new Exception("Ha ocurrido un error al insertar el sellado de tiempo.", ex);
}
}
public void Upgrade(SignatureDocument signatureDocument, UpgradeParameters parameters)
{
TimeStamp signatureTimeStamp;
ArrayList signatureValueElementXpaths;
byte[] signatureValueHash;
UnsignedProperties unsignedProperties = signatureDocument.XadesSignature.UnsignedProperties;
try
{
if (unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
throw new Exception("The signature already contains a time stamp");
}
signatureValueElementXpaths = new ArrayList
{
"ds:SignatureValue"
};
signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(signatureDocument.XadesSignature, signatureValueElementXpaths), parameters.DigestMethod);
byte[] tsa = parameters.TimeStampClient.GetTimeStamp(signatureValueHash, parameters.DigestMethod, true);
signatureTimeStamp = new TimeStamp("SignatureTimeStamp")
{
Id = "SignatureTimeStamp-" + signatureDocument.XadesSignature.Signature.Id
};
signatureTimeStamp.EncapsulatedTimeStamp.PkiData = tsa;
signatureTimeStamp.EncapsulatedTimeStamp.Id = "SignatureTimeStamp-" + Guid.NewGuid().ToString();
unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Add(signatureTimeStamp);
signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;
signatureDocument.UpdateDocument();
}
catch (Exception ex)
{
throw new Exception("An error occurred while inserting the time stamp", ex);
}
}
private bool ValidateCertificateByCRL(UnsignedProperties unsignedProperties, X509Certificate2 certificate, X509Certificate2 issuer, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod)
{
Org.BouncyCastle.X509.X509Certificate cert = certificate.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate();
foreach (X509Crl crl in crlList)
{
if (crl.IssuerDN.Equivalent(x509Certificate.SubjectDN) && crl.NextUpdate.Value > DateTime.Now)
{
if (crl.IsRevoked(cert))
{
throw new Exception("Certificado revocado");
}
if (!ExistsCRL(unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection, issuer.Subject))
{
string text = "CRLValue-" + Guid.NewGuid().ToString();
CRLRef cRLRef = new CRLRef();
cRLRef.CRLIdentifier.UriAttribute = "#" + text;
cRLRef.CRLIdentifier.Issuer = issuer.Subject;
cRLRef.CRLIdentifier.IssueTime = crl.ThisUpdate.ToLocalTime();
long?cRLNumber = GetCRLNumber(crl);
if (cRLNumber.HasValue)
{
cRLRef.CRLIdentifier.Number = cRLNumber.Value;
}
byte[] encoded = crl.GetEncoded();
DigestUtil.SetCertDigest(encoded, digestMethod, cRLRef.CertDigest);
CRLValue cRLValue = new CRLValue();
cRLValue.PkiData = encoded;
cRLValue.Id = text;
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection.Add(cRLRef);
unsignedProperties.UnsignedSignatureProperties.RevocationValues.CRLValues.CRLValueCollection.Add(cRLValue);
}
return(true);
}
}
return(false);
}
public override void Upgrade()
{
TimeStamp signatureTimeStamp;
ArrayList signatureValueElementXpaths;
byte[] signatureValueHash;
UnsignedProperties unsignedProperties = _firma.XadesSignature.UnsignedProperties;
try
{
if (unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
throw new Exception("La firma ya contiene un sello de tiempo");
}
signatureValueElementXpaths = new ArrayList();
signatureValueElementXpaths.Add("ds:SignatureValue");
signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(_firma.XadesSignature, signatureValueElementXpaths), DigestMethod.SHA1);
byte[] tsa = TimeStampClient.GetTimeStamp(_firma.TSAServer, signatureValueHash, DigestMethod.SHA1, true);
signatureTimeStamp = new TimeStamp("SignatureTimeStamp");
signatureTimeStamp.Id = "SignatureTimeStamp-" + _firma.XadesSignature.Signature.Id;
signatureTimeStamp.EncapsulatedTimeStamp.PkiData = tsa;
signatureTimeStamp.EncapsulatedTimeStamp.Id = "SignatureTimeStamp-" + Guid.NewGuid().ToString();
unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Add(signatureTimeStamp);
_firma.XadesSignature.UnsignedProperties = unsignedProperties;
_firma.UpdateDocument();
}
catch (Exception ex)
{
throw new Exception("Ha ocurrido un error al insertar el sellado de tiempo.", ex);
}
}
public void TestGetMD5AsBase64()
{
Assert.That(DigestUtil.GetMD5AsBase64(""), Is.EqualTo("1B2M2Y8AsgTpgAmY7PhCfg=="));
Assert.That(DigestUtil.GetMD5AsBase64("hoge"), Is.EqualTo("6nA+eqHv2gBk6qUH2eirfg=="));
}
private void AddSignatureProperties(SignatureDocument sigDocument, SignedSignatureProperties signedSignatureProperties, SignedDataObjectProperties signedDataObjectProperties,
UnsignedSignatureProperties unsignedSignatureProperties, SignatureParameters parameters)
{
Cert cert;
cert = new Cert();
cert.IssuerSerial.X509IssuerName = parameters.Signer.Certificate.IssuerName.Name;
cert.IssuerSerial.X509SerialNumber = parameters.Signer.Certificate.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(parameters.Signer.Certificate.GetRawCertData(), parameters.DigestMethod, cert.CertDigest);
signedSignatureProperties.SigningCertificate.CertCollection.Add(cert);
if (parameters.SignaturePolicyInfo != null)
{
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyIdentifier))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied = false;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyId.Identifier.IdentifierUri = parameters.SignaturePolicyInfo.PolicyIdentifier;
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyUri))
{
SigPolicyQualifier spq = new SigPolicyQualifier();
spq.AnyXmlElement = sigDocument.Document.CreateElement(XadesSignedXml.XmlXadesPrefix, "SPURI", XadesSignedXml.XadesNamespaceUri);
spq.AnyXmlElement.InnerText = parameters.SignaturePolicyInfo.PolicyUri;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyQualifiers.SigPolicyQualifierCollection.Add(spq);
}
if (!string.IsNullOrEmpty(parameters.SignaturePolicyInfo.PolicyHash))
{
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestMethod.Algorithm = parameters.SignaturePolicyInfo.PolicyDigestAlgorithm.URI;
signedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyId.SigPolicyHash.DigestValue = Convert.FromBase64String(parameters.SignaturePolicyInfo.PolicyHash);
}
}
signedSignatureProperties.SigningTime = parameters.SigningDate.HasValue ? parameters.SigningDate.Value : DateTime.Now;
if (_dataFormat != null)
{
DataObjectFormat newDataObjectFormat = new DataObjectFormat();
newDataObjectFormat.MimeType = _dataFormat.MimeType;
newDataObjectFormat.Encoding = _dataFormat.Encoding;
newDataObjectFormat.Description = _dataFormat.Description;
newDataObjectFormat.ObjectReferenceAttribute = "#" + _refContent.Id;
if (_dataFormat.ObjectIdentifier != null)
{
newDataObjectFormat.ObjectIdentifier.Identifier.IdentifierUri = _dataFormat.ObjectIdentifier.Identifier.IdentifierUri;
}
signedDataObjectProperties.DataObjectFormatCollection.Add(newDataObjectFormat);
}
if (parameters.SignerRole != null &&
(parameters.SignerRole.CertifiedRoles.Count > 0 || parameters.SignerRole.ClaimedRoles.Count > 0))
{
signedSignatureProperties.SignerRole = new Microsoft.Xades.SignerRole();
foreach (X509Certificate certifiedRole in parameters.SignerRole.CertifiedRoles)
{
signedSignatureProperties.SignerRole.CertifiedRoles.CertifiedRoleCollection.Add(new CertifiedRole()
{
PkiData = certifiedRole.GetRawCertData()
});
}
foreach (string claimedRole in parameters.SignerRole.ClaimedRoles)
{
signedSignatureProperties.SignerRole.ClaimedRoles.ClaimedRoleCollection.Add(new ClaimedRole()
{
InnerText = claimedRole
});
}
}
foreach (SignatureCommitment signatureCommitment in parameters.SignatureCommitments)
{
CommitmentTypeIndication cti = new CommitmentTypeIndication();
cti.CommitmentTypeId.Identifier.IdentifierUri = signatureCommitment.CommitmentType.URI;
cti.AllSignedDataObjects = true;
foreach (XmlElement signatureCommitmentQualifier in signatureCommitment.CommitmentTypeQualifiers)
{
CommitmentTypeQualifier ctq = new CommitmentTypeQualifier();
ctq.AnyXmlElement = signatureCommitmentQualifier;
cti.CommitmentTypeQualifiers.CommitmentTypeQualifierCollection.Add(ctq);
}
signedDataObjectProperties.CommitmentTypeIndicationCollection.Add(cti);
}
if (parameters.SignatureProductionPlace != null)
{
signedSignatureProperties.SignatureProductionPlace.City = parameters.SignatureProductionPlace.City;
signedSignatureProperties.SignatureProductionPlace.StateOrProvince = parameters.SignatureProductionPlace.StateOrProvince;
signedSignatureProperties.SignatureProductionPlace.PostalCode = parameters.SignatureProductionPlace.PostalCode;
signedSignatureProperties.SignatureProductionPlace.CountryName = parameters.SignatureProductionPlace.CountryName;
}
}
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer,
IEnumerable <OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl)
{
bool byKey = false;
List <OcspServer> finalOcspServers = new List <OcspServer>();
Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
OcspClient ocsp = new OcspClient();
if (addCertificateOcspUrl)
{
string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert);
if (!string.IsNullOrEmpty(certOcspUrl))
{
finalOcspServers.Add(new OcspServer(certOcspUrl));
}
}
foreach (var ocspServer in ocspServers)
{
finalOcspServers.Add(ocspServer);
}
foreach (var ocspServer in finalOcspServers)
{
byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspServer.Url, ocspServer.RequestorName,
ocspServer.SignCertificate);
FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp);
if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
{
throw new Exception("Certificado revocado");
}
else if (status == FirmaXadesNet.Clients.CertificateStatus.Good)
{
Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp);
byte[] rEncoded = r.GetEncoded();
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
string guidOcsp = Guid.NewGuid().ToString();
OCSPRef ocspRef = new OCSPRef();
ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp;
DigestUtil.SetCertDigest(rEncoded, digestMethod, ocspRef.CertDigest);
ResponderID rpId = or.ResponderId.ToAsn1Object();
ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey);
ocspRef.OCSPIdentifier.ByKey = byKey;
ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);
OCSPValue ocspValue = new OCSPValue();
ocspValue.PkiData = rEncoded;
ocspValue.Id = "OcspValue" + guidOcsp;
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);
return((from cert in or.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
throw new Exception("El certificado no ha podido ser validado");
}
public void TestGetMD5()
{
Assert.That(DigestUtil.GetMD5(""), Is.EqualTo("d41d8cd98f00b204e9800998ecf8427e"));
Assert.That(DigestUtil.GetMD5("hoge"), Is.EqualTo("ea703e7aa1efda0064eaa507d9e8ab7e"));
}
public ValidationResult Validate(SignatureDocument sigDocument)
{
/* Los elementos que se validan son:
*
* 1. Las huellas de las referencias de la firma.
* 2. Se comprueba la huella del elemento SignedInfo y se verifica la firma con la clave pública del certificado.
* 3. Si la firma contiene un sello de tiempo se comprueba que la huella de la firma coincide con la del sello de tiempo.
*
* La validación de perfiles -C, -X, -XL y -A esta fuera del ámbito de este proyecto.
*/
ValidationResult result = new ValidationResult();
try
{
// Verifica las huellas de las referencias y la firma
sigDocument.XadesSignature.CheckXmldsigSignature();
}
catch (Exception ex)
{
result.IsValid = false;
result.Message = "La verificación de la firma no ha sido satisfactoria";
return(result);
}
if (sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0)
{
// Se comprueba el sello de tiempo
TimeStamp timeStamp = sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0];
TimeStampToken token = new TimeStampToken(new CmsSignedData(timeStamp.EncapsulatedTimeStamp.PkiData));
byte[] tsHashValue = token.TimeStampInfo.GetMessageImprintDigest();
//TODO: Verificare
// Crypto.DigestMethod tsDigestMethod = Crypto.DigestMethod.GetByOid(token.TimeStampInfo.HashAlgorithm.ObjectID.Id);
Crypto.DigestMethod tsDigestMethod = Crypto.DigestMethod.GetByOid(token.TimeStampInfo.HashAlgorithm.Algorithm.Id);
System.Security.Cryptography.Xml.Transform transform = null;
if (timeStamp.CanonicalizationMethod != null)
{
transform = CryptoConfig.CreateFromName(timeStamp.CanonicalizationMethod.Algorithm) as System.Security.Cryptography.Xml.Transform;
}
else
{
transform = new XmlDsigC14NTransform();
}
ArrayList signatureValueElementXpaths = new ArrayList();
signatureValueElementXpaths.Add("ds:SignatureValue");
byte[] signatureValueHash = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(sigDocument.XadesSignature, signatureValueElementXpaths, transform), tsDigestMethod);
if (!Arrays.AreEqual(tsHashValue, signatureValueHash))
{
result.IsValid = false;
result.Message = "La huella del sello de tiempo no se corresponde con la calculada";
return(result);
}
}
result.IsValid = true;
result.Message = "Verificación de la firma satisfactoria";
return(result);
}
