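        /// <summary>
        /// End-to-end CAdES scenario: builds a throw-away CA and a signing certificate whose
        /// validity window, trust, OCSP and CRL status are driven by <paramref name="sigParams"/>,
        /// signs a fixed in-memory document (detached), validates the result and compares every
        /// verification outcome with <paramref name="sigResult"/>.
        /// </summary>
        /// <param name="sigParams">Scenario switches; the default applied to each unset nullable flag is noted inline.</param>
        /// <param name="sigResult">Expected outcomes; a signature level is only checked when its expectation is set.</param>
        public void TestSigProfiles(SignatureParams sigParams, SignatureVerificationResults sigResult)
        {
            // Per-timestamp expectation: an unset expected flag means "must be valid".
            // Equivalent to the original `(e ?? true) && v || !(e ?? true) && !v`.
            bool Expect(bool? expected, bool actual) => (expected ?? true) == actual;

            var ca        = new X509Name("CN=ca");
            var caKeyPair = CryptoHelpers.GenerateRsaKeyPair(2048);
            var caCert    = CryptoHelpers.GenerateCertificate(ca, ca, caKeyPair.Private, caKeyPair.Public);

            // Validity window of the signing certificate: one hour from now, or an already
            // expired window (-2h .. -1h) when the scenario asks for an invalid certificate time.
            // A single `now` keeps both bounds anchored to the same instant.
            // NOTE(review): X.509 validity is encoded in UTC; if GenerateCertificate does not
            // convert local time, DateTime.UtcNow would be the safer anchor — confirm in CryptoHelpers.
            var now       = DateTime.Now;
            var notBefore = now;
            var notAfter  = now.AddHours(1);

            if (!(sigParams.SignatureCertTimeValid ?? true))
            {
                notBefore = now.AddHours(-2);
                notAfter  = now.AddHours(-1);
            }
            var signingCertName = new X509Name("CN=singing_cert");
            var signingKeyPair  = CryptoHelpers.GenerateRsaKeyPair(2048);
            var signingCert     = CryptoHelpers.GenerateCertificate(ca, signingCertName, caKeyPair.Private, signingKeyPair.Public, notBefore, notAfter);

            var cadesSettings = new CAdESServiceSettings();

            // Trust anchors: the issuing CA (unless the scenario withholds trust) plus the
            // OCSP and TSP CAs created in Setup().
            if (sigParams.SignatureCertTrusted ?? true)
            {
                cadesSettings.TrustedCerts.Add(caCert);
            }
            if (sigParams.SignatureCertOCSP ?? true)
            {
                // Direct cast: a wrong container registration fails here with an
                // InvalidCastException instead of a NullReferenceException on the next line.
                var fakeOcsp = (FakeOnlineOcspSource)unityContainer.Resolve<IOcspSource>();
                fakeOcsp.AddNotRevokedCert(signingCert, caCert);
            }
            if (sigParams.OCSPCertTrusted ?? true)
            {
                cadesSettings.TrustedCerts.Add(ocspCACert);
            }
            if (sigParams.SignatureCertCRL ?? true)
            {
                var fakeCrl = (FakeOnlineCrlSource)unityContainer.Resolve<ICrlSource>();
                // The original passed `!(SignatureCertCRL ?? true) ? signingCert : null`, which is
                // always null inside this branch, so the CA-issued CRL lists no revoked certificate.
                // NOTE(review): if a "revoked by CRL" scenario was intended, that revocation would
                // have to be registered outside this `if` — confirm against the test data.
                fakeCrl.AddRevokedCert(null, caCert, caKeyPair);
            }
            if (sigParams.TSSignatureCertTrusted ?? true)
            {
                cadesSettings.TrustedCerts.Add(tspCACert);
            }
            var cadesService = unityContainer.Resolve<Func<ICAdESServiceSettings, IDocumentSignatureService>>()(cadesSettings);

            // Document to be signed; with DETACHED packaging it is passed to validation separately.
            var inputData     = Encoding.UTF8.GetBytes("anydataanydataanydataanydataanydataanydataanydataanydata");
            var inputDocument = new InMemoryDocument(inputData);
            var signingTime   = DateTime.Now;
            var parameters    = new SignatureParameters
            {
                SigningCertificate     = signingCert,
                CertificateChain       = new X509Certificate[] { signingCert },
                SignaturePackaging     = SignaturePackaging.DETACHED,
                SignatureProfile       = sigParams.SignatureProfile,
                SigningDate            = signingTime,
                DigestAlgorithmOID     = DigestAlgorithm.SHA256.OID,
                EncriptionAlgorithmOID = Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.RsaEncryption.Id
            };
            var toBeSignedStream = cadesService.ToBeSigned(inputDocument, parameters);

            // Sign the to-be-signed bytes with the signing certificate's private key.
            ISigner signer = SignerUtilities.InitSigner(parameters.DigestWithEncriptionOID, true, signingKeyPair.Private, null);

            // One rewind is enough (the original also set Position = 0 before seeking).
            toBeSignedStream.Seek(0, SeekOrigin.Begin);
            var toBeSigned = Streams.ReadAll(toBeSignedStream);

            signer.BlockUpdate(toBeSigned, 0, toBeSigned.Length);
            var signatureValue = signer.GenerateSignature();

            // Negative scenario: flip one bit so the signature no longer verifies.
            // Note the default — an unset SignatureValid means "corrupt the signature".
            if (!(sigParams.SignatureValid ?? false))
            {
                signatureValue[0] ^= 1;
            }
            // Wrap signature and signed attributes into the PKCS#7 structure.
            var signedDocument = cadesService.GetSignedDocument(inputDocument, parameters, signatureValue);

            // Validate against the detached original.
            var report  = cadesService.ValidateDocument(signedDocument, true, inputDocument);
            var sigInfo = report.SignatureInformationList[0];
            var levels  = sigInfo.SignatureLevelAnalysis;

            // All assertions below use Assert.AreEqual(expected, actual, message) order.
            Assert.AreEqual(sigResult.SignatureVerification, sigInfo.SignatureVerification.SignatureVerificationResult.IsValid, "Signature value is invalid");
            Assert.AreEqual(sigResult.CertPathVerification, sigInfo.CertPathRevocationAnalysis.Summary.IsValid, $"Cert path is invalid: {sigInfo.CertPathRevocationAnalysis.Summary.Description}");

            if (sigResult.BESLevel.HasValue)
            {
                // Expected first, actual second — the original had these swapped, which made the
                // failure message report the values the wrong way round.
                Assert.AreEqual(sigResult.BESLevel, levels.LevelBES.LevelReached.IsValid, "BES is not reached");
            }

            if (sigResult.TLevel.HasValue)
            {
                Assert.AreEqual(sigResult.TLevel, levels.LevelT.LevelReached.IsValid, "T is not reached");
                Assert.IsTrue(levels.LevelT.SignatureTimestampVerification.All(x => Expect(sigResult.TSignatureVerifications, x.SameDigest.IsValid)), "T timestamps are not valid");
                Assert.IsTrue(levels.LevelT.SignatureTimestampVerification.All(x => Expect(sigResult.TCertPathVerifications, x.CertPathVerification.IsValid)), "T cert paths are not valid");
            }

            if (sigResult.CLevel.HasValue)
            {
                Assert.AreEqual(sigResult.CLevel, levels.LevelC.LevelReached.IsValid, "C is not reached");
                Assert.AreEqual(sigResult.CCertRefs, levels.LevelC.CertificateRefsVerification.IsValid, "C cert refs are not valid");
                Assert.AreEqual(sigResult.CRevocationRefs, levels.LevelC.RevocationRefsVerification.IsValid, "C cert revocations refs are not valid");
            }

            if (sigResult.XLLevel.HasValue)
            {
                Assert.AreEqual(sigResult.XLLevel, levels.LevelXL.LevelReached.IsValid, "XL is not reached");
                Assert.AreEqual(sigResult.CCertValues, levels.LevelXL.CertificateValuesVerification.IsValid, "XL cert values are not valid");
                // NOTE(review): the C-level revocation-refs expectation is reused for XL revocation
                // values here (as in the original); confirm that is intended.
                Assert.AreEqual(sigResult.CRevocationRefs, levels.LevelXL.RevocationValuesVerification.IsValid, "XL cert revocations values are not valid");
            }

            if (sigResult.XType1Level.HasValue)
            {
                Assert.AreEqual(sigResult.XType1Level, levels.LevelX.LevelReached.IsValid, "XType1 is not reached");
                Assert.AreEqual(sigResult.CLevel, levels.LevelC.LevelReached.IsValid, "C is not reached");
                Assert.IsTrue(levels.LevelX.SignatureAndRefsTimestampsVerification.All(x => Expect(sigResult.XType1SignatureVerifications, x.SameDigest.IsValid)), "XType1 timestamps are not valid");
                Assert.IsTrue(levels.LevelX.SignatureAndRefsTimestampsVerification.All(x => Expect(sigResult.XType1CertPathVerifications, x.CertPathVerification.IsValid)), "XType1 cert paths are not valid");
            }

            if (sigResult.XType2Level.HasValue)
            {
                Assert.AreEqual(sigResult.XType2Level, levels.LevelX.LevelReached.IsValid, "XType2 is not reached");
                Assert.AreEqual(sigResult.CLevel, levels.LevelC.LevelReached.IsValid, "C is not reached");
                Assert.IsTrue(levels.LevelX.ReferencesTimestampsVerification.All(x => Expect(sigResult.XType2SignatureVerifications, x.SameDigest.IsValid)), "XType2 timestamps are not valid");
                Assert.IsTrue(levels.LevelX.ReferencesTimestampsVerification.All(x => Expect(sigResult.XType2CertPathVerifications, x.CertPathVerification.IsValid)), "XType2 cert paths are not valid");
            }

            // XL-Type1 / XL-Type2 build on the X-Type1 / X-Type2 timestamps, so the X expectations apply.
            if (sigResult.XLType1Level.HasValue)
            {
                Assert.AreEqual(sigResult.XLType1Level, levels.LevelXL.LevelReached.IsValid, "XLType1 is not reached");
                Assert.IsTrue(levels.LevelX.SignatureAndRefsTimestampsVerification.All(x => Expect(sigResult.XType1SignatureVerifications, x.SameDigest.IsValid)), "XType1 timestamps are not valid");
                Assert.IsTrue(levels.LevelX.SignatureAndRefsTimestampsVerification.All(x => Expect(sigResult.XType1CertPathVerifications, x.CertPathVerification.IsValid)), "XType1 cert paths are not valid");
            }

            if (sigResult.XLType2Level.HasValue)
            {
                Assert.AreEqual(sigResult.XLType2Level, levels.LevelXL.LevelReached.IsValid, "XLType2 is not reached");
                Assert.IsTrue(levels.LevelX.ReferencesTimestampsVerification.All(x => Expect(sigResult.XType2SignatureVerifications, x.SameDigest.IsValid)), "XType2 timestamps are not valid");
                Assert.IsTrue(levels.LevelX.ReferencesTimestampsVerification.All(x => Expect(sigResult.XType2CertPathVerifications, x.CertPathVerification.IsValid)), "XType2 cert paths are not valid");
            }

            if (sigResult.ALevel.HasValue)
            {
                Assert.AreEqual(sigResult.ALevel, levels.LevelA.LevelReached.IsValid, "A is not reached");
                Assert.IsTrue(levels.LevelA.ArchiveTimestampsVerification.All(x => Expect(sigResult.ASignatureVerifications, x.SameDigest.IsValid)), "A timestamps are not valid");
                Assert.IsTrue(levels.LevelA.ArchiveTimestampsVerification.All(x => Expect(sigResult.ACertPathVerifications, x.CertPathVerification.IsValid)), "A cert paths are not valid");
            }
        }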
        /// <summary>
        /// Builds the fixture shared by the CAdES tests: three self-signed CAs (OCSP, CRL, TSP),
        /// one responder certificate under each, the fake online responders that sign with those
        /// certificates, and the Unity container wiring that hands the fakes to the service graph.
        /// All generated key pairs and certificates are stored in the corresponding fields.
        /// </summary>
        public void Setup()
        {
            // OCSP: self-signed CA plus a responder certificate issued by it.
            var ocspCaName = new X509Name("CN=ocspCA");
            ocspCAKeyPair  = CryptoHelpers.GenerateRsaKeyPair(2048);
            ocspCACert     = CryptoHelpers.GenerateCertificate(ocspCaName, ocspCaName, ocspCAKeyPair.Private, ocspCAKeyPair.Public);
            var ocspName   = new X509Name("CN=ocsp");
            ocspKeyPair    = CryptoHelpers.GenerateRsaKeyPair(2048);
            ocspCert       = CryptoHelpers.GenerateCertificate(ocspCaName, ocspName, ocspCAKeyPair.Private, ocspKeyPair.Public);

            // CRL: self-signed CA plus a CRL-signing certificate issued by it.
            var crlCaName = new X509Name("CN=crlCA");
            crlCAKeyPair  = CryptoHelpers.GenerateRsaKeyPair(2048);
            crlCACert     = CryptoHelpers.GenerateCertificate(crlCaName, crlCaName, crlCAKeyPair.Private, crlCAKeyPair.Public);
            var crlName   = new X509Name("CN=crl");
            crlKeyPair    = CryptoHelpers.GenerateRsaKeyPair(2048);
            crlCert       = CryptoHelpers.GenerateCertificate(crlCaName, crlName, crlCAKeyPair.Private, crlKeyPair.Public);

            // TSP: self-signed CA plus a timestamping certificate issued by it.
            var tspCaName = new X509Name("CN=tspCA");
            tspCAKeyPair  = CryptoHelpers.GenerateRsaKeyPair(2048);
            tspCACert     = CryptoHelpers.GenerateCertificate(tspCaName, tspCaName, tspCAKeyPair.Private, tspCAKeyPair.Public);
            var tspName   = new X509Name("CN=tsp");
            tspKeyPair    = CryptoHelpers.GenerateRsaKeyPair(2048);
            tspCert       = CryptoHelpers.GenerateCertificate(tspCaName, tspName, tspCAKeyPair.Private, tspKeyPair.Public);

            // In-memory responders that answer with the certificates generated above.
            var ocspSource = new FakeOnlineOcspSource(ocspCert, ocspKeyPair);
            var crlSource  = new FakeOnlineCrlSource(crlCert, crlKeyPair);
            var tspSource  = new FakeOnlineTspSource(tspCert, tspKeyPair);

            var container  = new UnityContainer();
            unityContainer = container;

            // Plain (settings-independent) services.
            container.RegisterType<ICAdESLogger, CAdESLogger>(new TransientLifetimeManager());
            container.RegisterType<ICertificateSourceFactory, FakeAIACertificateFactoryImpl>(new TransientLifetimeManager());

            // for testing purposes: revocation and timestamp sources are the in-memory fakes.
            container.RegisterFactory<IOcspSource>(c => ocspSource);
            container.RegisterFactory<ICrlSource>(c => crlSource);
            container.RegisterFactory<Func<ICAdESServiceSettings, ITspSource>>(c => new Func<ICAdESServiceSettings, ITspSource>(settings => tspSource));
            container.RegisterFactory<Func<ICAdESServiceSettings, IOcspSource>>(c => new Func<ICAdESServiceSettings, IOcspSource>(settings => ocspSource));
            container.RegisterFactory<Func<ICAdESServiceSettings, ICrlSource>>(c => new Func<ICAdESServiceSettings, ICrlSource>(settings => crlSource));
            container.RegisterFactory<Func<ICAdESServiceSettings, ICertificateSource>>(c => new Func<ICAdESServiceSettings, ICertificateSource>(settings => new ListCertificateSourceWithSetttings(settings)));

            // Status verification: OCSP first, CRL as the second source.
            container.RegisterFactory<Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>>(c =>
                new Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>((ocsp, crl) =>
                    new OCSPAndCRLCertificateVerifier(new OCSPCertificateVerifier(ocsp), new CRLCertificateVerifier(crl))));

            container.RegisterFactory<Func<CertificateAndContext, CertificateToken>>(c =>
                new Func<CertificateAndContext, CertificateToken>(context =>
                    new CertificateToken(context, c.Resolve<ICertificateSourceFactory>())));

            // Validation context per (certificate, date, logger), built from the settings-bound sources.
            container.RegisterFactory<Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>>(c =>
                new Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>(settings =>
                    (cert, date, logger) => new ValidationContext(
                        cert,
                        date,
                        logger,
                        c.Resolve<Func<ICAdESServiceSettings, IOcspSource>>()(settings),
                        c.Resolve<Func<ICAdESServiceSettings, ICrlSource>>()(settings),
                        c.Resolve<Func<ICAdESServiceSettings, ICertificateSource>>()(settings),
                        c.Resolve<Func<IOcspSource, ICrlSource, ICertificateStatusVerifier>>(),
                        c.Resolve<Func<CertificateAndContext, CertificateToken>>())));

            // Certificate verifier, document validator and the signature service built on top of them.
            container.RegisterFactory<Func<ICAdESServiceSettings, ICertificateVerifier>>(c =>
                new Func<ICAdESServiceSettings, ICertificateVerifier>(settings =>
                    new TrustedListCertificateVerifier(c.Resolve<Func<ICAdESServiceSettings, Func<X509Certificate, DateTime, ICAdESLogger, IValidationContext>>>()(settings))));

            container.RegisterFactory<Func<ICAdESServiceSettings, ISignedDocumentValidator>>(c =>
                new Func<ICAdESServiceSettings, ISignedDocumentValidator>(settings =>
                    new SignedDocumentValidator(c.Resolve<Func<ICAdESServiceSettings, ICertificateVerifier>>()(settings), c.Resolve<Func<ICAdESLogger>>())));

            container.RegisterFactory<Func<ICAdESServiceSettings, IDocumentSignatureService>>(c =>
                new Func<ICAdESServiceSettings, IDocumentSignatureService>(settings =>
                    new CAdESService(
                        c.Resolve<Func<ICAdESServiceSettings, ITspSource>>()(settings),
                        c.Resolve<Func<ICAdESServiceSettings, ICertificateVerifier>>()(settings),
                        c.Resolve<Func<ICAdESServiceSettings, ISignedDocumentValidator>>()(settings))));
        }