public void TestBadAlgorithm()
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate("1.2.3.4.5", new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badAlgorithm - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badAlgorithm - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.BadAlg)
{
Assert.Fail("badAlgorithm - wrong failure info returned.");
}
}
private void incorrectHashTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[16]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
Assert.IsNull(tsToken, "incorrect hash -- token not null");
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("incorrectHash - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.BadDataFormat)
{
Assert.Fail("incorrectHash - wrong failure info returned.");
}
}
private void badAlgorithmTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(new DerObjectIdentifier("1.2.3.4.5"), new byte[21]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badAlgorithm - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badAlgorithm - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.BadAlg)
{
Assert.Fail("badAlgorithm - wrong failure info returned.");
}
}
/**
* Get RFC 3161 timeStampToken.
* Method may return null indicating that timestamp should be skipped.
* @param imprint data imprint to be time-stamped
* @return encoded, TSA signed data of the timeStampToken
*/
public virtual byte[] GetTimeStampToken(byte[] imprint)
{
byte[] respBytes = null;
// Setup the time stamp request
TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();
tsqGenerator.SetCertReq(true);
if (!string.IsNullOrEmpty(tsaReqPolicy))
{
tsqGenerator.SetReqPolicy(tsaReqPolicy);
}
// tsqGenerator.setReqPolicy("1.3.6.1.4.1.601.10.3.1");
BigInteger nonce = BigInteger.ValueOf(DateTime.Now.Ticks + Environment.TickCount);
TimeStampRequest request = tsqGenerator.Generate(DigestAlgorithms.GetAllowedDigests(digestAlgorithm), imprint, nonce);
byte[] requestBytes = request.GetEncoded();
// Call the communications layer
respBytes = GetTSAResponse(requestBytes);
// Handle the TSA response
TimeStampResponse response = new TimeStampResponse(respBytes);
// validate communication level attributes (RFC 3161 PKIStatus)
response.Validate(request);
PkiFailureInfo failure = response.GetFailInfo();
int value = (failure == null) ? 0 : failure.IntValue;
if (value != 0)
{
// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
throw new IOException(MessageLocalization.GetComposedMessage("invalid.tsa.1.response.code.2", tsaURL, value));
}
// @todo: validate the time stap certificate chain (if we want
// assure we do not sign using an invalid timestamp).
// extract just the time stamp token (removes communication status info)
TimeStampToken tsToken = response.TimeStampToken;
if (tsToken == null)
{
throw new IOException(MessageLocalization.GetComposedMessage("tsa.1.failed.to.return.time.stamp.token.2", tsaURL, response.GetStatusString()));
}
TimeStampTokenInfo tsTokenInfo = tsToken.TimeStampInfo; // to view details
byte[] encoded = tsToken.GetEncoded();
LOGGER.Info("Timestamp generated: " + tsTokenInfo.GenTime);
if (tsaInfo != null)
{
tsaInfo.InspectTimeStampTokenInfo(tsTokenInfo);
}
// Update our token size estimate for the next call (padded to be safe)
this.tokenSizeEstimate = encoded.Length + 32;
return(encoded);
}
/// <summary>Get RFC 3161 timeStampToken.</summary>
/// <remarks>
/// Get RFC 3161 timeStampToken.
/// Method may return null indicating that timestamp should be skipped.
/// </remarks>
/// <param name="imprint">data imprint to be time-stamped</param>
/// <returns>encoded, TSA signed data of the timeStampToken</returns>
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.BouncyCastle.Tsp.TSPException"/>
public virtual byte[] GetTimeStampToken(byte[] imprint)
{
byte[] respBytes = null;
// Setup the time stamp request
TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();
tsqGenerator.SetCertReq(true);
if (tsaReqPolicy != null && tsaReqPolicy.Length > 0)
{
tsqGenerator.SetReqPolicy(tsaReqPolicy);
}
// tsqGenerator.setReqPolicy("1.3.6.1.4.1.601.10.3.1");
BigInteger nonce = BigInteger.ValueOf(SystemUtil.GetTimeBasedSeed());
TimeStampRequest request = tsqGenerator.Generate(new DerObjectIdentifier(DigestAlgorithms.GetAllowedDigest
(digestAlgorithm)), imprint, nonce);
byte[] requestBytes = request.GetEncoded();
// Call the communications layer
respBytes = GetTSAResponse(requestBytes);
// Handle the TSA response
TimeStampResponse response = new TimeStampResponse(respBytes);
// validate communication level attributes (RFC 3161 PKIStatus)
response.Validate(request);
PkiFailureInfo failure = response.GetFailInfo();
int value = (failure == null) ? 0 : failure.IntValue;
if (value != 0)
{
// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
throw new PdfException(PdfException.InvalidTsa1ResponseCode2).SetMessageParams(tsaURL, value.ToString());
}
// @todo: validate the time stap certificate chain (if we want
// assure we do not sign using an invalid timestamp).
// extract just the time stamp token (removes communication status info)
TimeStampToken tsToken = response.TimeStampToken;
if (tsToken == null)
{
throw new PdfException(PdfException.Tsa1FailedToReturnTimeStampToken2).SetMessageParams(tsaURL, response.GetStatusString
());
}
TimeStampTokenInfo tsTokenInfo = tsToken.TimeStampInfo;
// to view details
byte[] encoded = tsToken.GetEncoded();
LOGGER.Info("Timestamp generated: " + tsTokenInfo.GenTime);
if (tsaInfo != null)
{
tsaInfo.InspectTimeStampTokenInfo(tsTokenInfo);
}
// Update our token size estimate for the next call (padded to be safe)
this.tokenSizeEstimate = encoded.Length + 32;
return(encoded);
}
public void TestNullPolicy()
{
// null in request and token generator - should fail
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, null);
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, null);
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badPolicy - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badPolicy - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.UnacceptedPolicy)
{
Assert.Fail("badPolicy - wrong failure info returned.");
}
// request specifies policy, token generator doesn't - should work
reqGen = new TimeStampRequestGenerator();
reqGen.SetReqPolicy("1.1");
request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, null);
tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(24), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
tsToken = tsResp.TimeStampToken;
Assert.AreEqual(tsToken.TimeStampInfo.Policy, "1.1"); // policy should be picked up off request
}
private void doTestEncoding()
{
DerBitString bitString = (DerBitString)Asn1Object.FromByteArray(CORRECT_FAILURE_INFO);
PkiFailureInfo correct = new PkiFailureInfo(bitString);
PkiFailureInfo bug = new PkiFailureInfo(PkiFailureInfo.BadRequest | PkiFailureInfo.BadTime | PkiFailureInfo.BadDataFormat | PkiFailureInfo.IncorrectData);
if (!Arrays.AreEqual(correct.GetDerEncoded(), bug.GetDerEncoded()))
{
Fail("encoding doesn't match");
}
}
/**
* Get timestamp token - Bouncy Castle request encoding / decoding layer
*/
protected internal byte[] GetTimeStampToken(byte[] imprint)
{
byte[] respBytes = null;
// Setup the time stamp request
TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();
tsqGenerator.SetCertReq(true);
// tsqGenerator.setReqPolicy("1.3.6.1.4.1.601.10.3.1");
BigInteger nonce = BigInteger.ValueOf(DateTime.Now.Ticks + Environment.TickCount);
TimeStampRequest request = tsqGenerator.Generate(X509ObjectIdentifiers.IdSha1.Id, imprint, nonce);
byte[] requestBytes = request.GetEncoded();
// Call the communications layer
respBytes = GetTSAResponse(requestBytes);
// Handle the TSA response
TimeStampResponse response = new TimeStampResponse(respBytes);
// validate communication level attributes (RFC 3161 PKIStatus)
response.Validate(request);
PkiFailureInfo failure = response.GetFailInfo();
int value = (failure == null) ? 0 : failure.IntValue;
if (value != 0)
{
// @todo: Translate value of 15 error codes defined by PKIFailureInfo to string
throw new Exception("Invalid TSA '" + tsaURL + "' response, code " + value);
}
// @todo: validate the time stap certificate chain (if we want
// assure we do not sign using an invalid timestamp).
// extract just the time stamp token (removes communication status info)
TimeStampToken tsToken = response.TimeStampToken;
if (tsToken == null)
{
throw new Exception("TSA '" + tsaURL + "' failed to return time stamp token: " + response.GetStatusString());
}
TimeStampTokenInfo info = tsToken.TimeStampInfo; // to view details
byte[] encoded = tsToken.GetEncoded();
// Update our token size estimate for the next call (padded to be safe)
this.tokSzEstimate = encoded.Length + 32;
return(encoded);
}
private void timeNotAvailableTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate(new DerObjectIdentifier("1.2.3.4.5"), new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = null;
//
// This is different to the java api.
// the java version has two calls, generateGrantedResponse and generateRejectedResponse
// See line 726 of NewTspTest
//
tsResp = tsRespGen.Generate(request, new BigInteger("23"), null);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("timeNotAvailable - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("timeNotAvailable - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.TimeNotAvailable)
{
Assert.Fail("timeNotAvailable - wrong failure info returned.");
}
}
public const String ID_TIME_STAMP_TOKEN = "1.2.840.113549.1.9.16.2.14"; // RFC 3161 id-aa-timeStampToken
static public byte[] GetTimestampToken(String tsaURL, string tsaUserName, string tsaPassword, byte[] imprint, ref string error)
{
TimeStampRequestGenerator tsqGenerator = new TimeStampRequestGenerator();
tsqGenerator.SetCertReq(true);
tsqGenerator.SetReqPolicy("1.3.6.1.4.1.601.10.3.1");
BigInteger nonce = BigInteger.ValueOf(DateTime.Now.Ticks);
TimeStampRequest request = tsqGenerator.Generate(X509ObjectIdentifiers.IdSha1.Id, imprint, nonce);
byte[] requestBytes = request.GetEncoded();
byte[] responseBytes = GetTSAResponse(tsaURL, tsaUserName, tsaPassword, requestBytes);
TimeStampResponse response = new TimeStampResponse(responseBytes);
response.Validate(request);
PkiFailureInfo failure = response.GetFailInfo();
int value = (failure == null) ? 0 : failure.IntValue;
if (value != 0)
{
error = string.Format(Resources.TSA_URL_ERROR, tsaURL, value);
return(null);
}
TimeStampToken tsToken = response.TimeStampToken;
if (tsToken == null)
{
error = string.Format(Resources.TSA_READ_ERROR, tsaURL);
return(null);
}
return(tsToken.GetEncoded());
}
private void badPolicyTest(AsymmetricKeyParameter privateKey, X509Certificate cert, IX509Store certs)
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
reqGen.SetReqPolicy("1.1");
TimeStampRequest request = reqGen.Generate(TspAlgorithms.Sha1, new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TspAlgorithms.Allowed, new ArrayList());
TimeStampResponse tsResp = tsRespGen.Generate(request, BigInteger.ValueOf(23), DateTime.UtcNow);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("badPolicy - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("badPolicy - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.UnacceptedPolicy)
{
Assert.Fail("badPolicy - wrong failure info returned.");
}
}
public void TestTimeNotAvailable()
{
TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(
privateKey, cert, TspAlgorithms.Sha1, "1.2");
tsTokenGen.SetCertificates(certs);
TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
TimeStampRequest request = reqGen.Generate("1.2.3.4.5", new byte[20]);
TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(
tsTokenGen, TspAlgorithms.Allowed);
TimeStampResponse tsResp = tsRespGen.Generate(request, new BigInteger("23"), null);
tsResp = new TimeStampResponse(tsResp.GetEncoded());
TimeStampToken tsToken = tsResp.TimeStampToken;
if (tsToken != null)
{
Assert.Fail("timeNotAvailable - token not null.");
}
PkiFailureInfo failInfo = tsResp.GetFailInfo();
if (failInfo == null)
{
Assert.Fail("timeNotAvailable - failInfo set to null.");
}
if (failInfo.IntValue != PkiFailureInfo.TimeNotAvailable)
{
Assert.Fail("timeNotAvailable - wrong failure info returned.");
}
}
public PkiStatusInfo(int status, PkiFreeText statusString, PkiFailureInfo failInfo)
{
this.status = new DerInteger(status);
this.statusString = statusString;
this.failInfo = failInfo;
}
