internal SignerInfoEnumerator(SignerInfoCollection signerInfos)
{
Debug.Assert(signerInfos != null);
_signerInfos = signerInfos;
_position = -1;
}
// only accessible from SignedPkcs7.SignerInfos
internal SignerInfo(string hashName, X509Certificate2 certificate, SubjectIdentifierType type, object o, int version)
{
_digest = new Oid(CryptoConfig.MapNameToOID(hashName));
_certificate = certificate;
_counter = new SignerInfoCollection();
_signed = new CryptographicAttributeObjectCollection();
_unsigned = new CryptographicAttributeObjectCollection();
_signer = new SubjectIdentifier(type, o);
_version = version;
}
// only accessible from SignedPkcs7.SignerInfos
internal SignerInfo (string hashName, X509Certificate2 certificate, SubjectIdentifierType type, object o, int version)
{
_digest = new Oid (CryptoConfig.MapNameToOID (hashName));
_certificate = certificate;
_counter = new SignerInfoCollection ();
_signed = new CryptographicAttributeObjectCollection ();
_unsigned = new CryptographicAttributeObjectCollection ();
_signer = new SubjectIdentifier (type, o);
_version = version;
}
private static void CheckHashes(SignerInfoCollection signers)
{
if (signers == null || signers.Count < 1)
{
throw new CryptographicException(CAPI.CRYPT_E_NO_SIGNER);
}
foreach (SignerInfo signer in signers)
{
if (signer.SignerIdentifier.Type == SubjectIdentifierType.NoSignature)
{
signer.CheckHash();
}
}
}
private static void CheckHashes(SignerInfoCollection signers)
{
if ((signers == null) || (signers.Count < 1))
{
throw new CryptographicException(-2146885618);
}
SignerInfoEnumerator enumerator = signers.GetEnumerator();
while (enumerator.MoveNext())
{
SignerInfo current = enumerator.Current;
if (current.SignerIdentifier.Type == SubjectIdentifierType.NoSignature)
{
current.CheckHash();
}
}
}
private static void CheckHashes(SignerInfoCollection signers)
{
if ((signers == null) || (signers.Count < 1))
{
throw new CryptographicException(-2146885618);
}
SignerInfoEnumerator enumerator = signers.GetEnumerator();
while (enumerator.MoveNext())
{
SignerInfo current = enumerator.Current;
if (current.SignerIdentifier.Type == SubjectIdentifierType.NoSignature)
{
current.CheckHash();
}
}
}
private static void CheckSignatures(SignerInfoCollection signers,
X509Certificate2Collection extraStore,
bool verifySignatureOnly)
{
if (signers == null || signers.Count < 1)
{
throw new CryptographicException(CAPI.CRYPT_E_NO_SIGNER);
}
foreach (SignerInfo signer in signers)
{
signer.CheckSignature(extraStore, verifySignatureOnly);
if (signer.CounterSignerInfos.Count > 0)
{
CheckSignatures(signer.CounterSignerInfos, extraStore, verifySignatureOnly);
}
}
}
private static void CheckSignatures(SignerInfoCollection signers, X509Certificate2Collection extraStore, bool verifySignatureOnly)
{
if ((signers == null) || (signers.Count < 1))
{
throw new CryptographicException(-2146885618);
}
SignerInfoEnumerator enumerator = signers.GetEnumerator();
while (enumerator.MoveNext())
{
SignerInfo current = enumerator.Current;
current.CheckSignature(extraStore, verifySignatureOnly);
if (current.CounterSignerInfos.Count > 0)
{
CheckSignatures(current.CounterSignerInfos, extraStore, verifySignatureOnly);
}
}
}
public static bool TryDecode(ReadOnlyMemory <byte> source, out Rfc3161TimestampToken token, out int bytesConsumed)
{
bytesConsumed = 0;
token = null;
try
{
ContentInfoAsn contentInfo =
AsnSerializer.Deserialize <ContentInfoAsn>(source, AsnEncodingRules.BER, out int bytesActuallyRead);
// https://tools.ietf.org/html/rfc3161#section-2.4.2
//
// A TimeStampToken is as follows. It is defined as a ContentInfo
// ([CMS]) and SHALL encapsulate a signed data content type.
//
// TimeStampToken::= ContentInfo
// --contentType is id-signedData([CMS])
// --content is SignedData ([CMS])
if (contentInfo.ContentType != Oids.Pkcs7Signed)
{
return(false);
}
SignedCms cms = new SignedCms();
cms.Decode(source);
// The fields of type EncapsulatedContentInfo of the SignedData
// construct have the following meanings:
//
// eContentType is an object identifier that uniquely specifies the
// content type. For a time-stamp token it is defined as:
//
// id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
// us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4}
//
// eContent is the content itself, carried as an octet string.
// The eContent SHALL be the DER-encoded value of TSTInfo.
if (cms.ContentInfo.ContentType.Value != Oids.TstInfo)
{
return(false);
}
// RFC3161:
// The time-stamp token MUST NOT contain any signatures other than the
// signature of the TSA. The certificate identifier (ESSCertID) of the
// TSA certificate MUST be included as a signerInfo attribute inside a
// SigningCertificate attribute.
// RFC5816 says that ESSCertIDv2 should be allowed instead.
SignerInfoCollection signerInfos = cms.SignerInfos;
if (signerInfos.Count != 1)
{
return(false);
}
SignerInfo signer = signerInfos[0];
EssCertId certId;
EssCertIdV2 certId2;
if (!TryGetCertIds(signer, out certId, out certId2))
{
return(false);
}
X509Certificate2 signerCert = signer.Certificate;
if (signerCert == null &&
signer.SignerIdentifier.Type == SubjectIdentifierType.IssuerAndSerialNumber)
{
// If the cert wasn't provided, but the identifier was IssuerAndSerialNumber,
// and the ESSCertId(V2) has specified an issuerSerial value, ensure it's a match.
X509IssuerSerial issuerSerial = (X509IssuerSerial)signer.SignerIdentifier.Value;
if (certId?.IssuerSerial != null)
{
if (!IssuerAndSerialMatch(
certId.IssuerSerial.Value,
issuerSerial.IssuerName,
issuerSerial.SerialNumber))
{
return(false);
}
}
if (certId2?.IssuerSerial != null)
{
if (!IssuerAndSerialMatch(
certId2.IssuerSerial.Value,
issuerSerial.IssuerName,
issuerSerial.SerialNumber))
{
return(false);
}
}
}
Rfc3161TimestampTokenInfo tokenInfo;
if (Rfc3161TimestampTokenInfo.TryDecode(cms.ContentInfo.Content, out tokenInfo, out _))
{
if (signerCert != null &&
!CheckCertificate(signerCert, signer, certId, certId2, tokenInfo))
{
return(false);
}
token = new Rfc3161TimestampToken
{
_parsedDocument = cms,
_signerInfo = signer,
_essCertId = certId,
_essCertIdV2 = certId2,
TokenInfo = tokenInfo,
};
bytesConsumed = bytesActuallyRead;
return(true);
}
}
catch (CryptographicException)
{
}
return(false);
}
// constructors
public SignedCms()
{
_certs = new X509Certificate2Collection();
_info = new SignerInfoCollection();
}
internal SignerInfoEnumerator(SignerInfoCollection signerInfos)
{
this.m_signerInfos = signerInfos;
this.m_current = -1;
}
private static void CheckHashes (SignerInfoCollection signers) {
if (signers == null || signers.Count < 1)
throw new CryptographicException(CAPI.CRYPT_E_NO_SIGNER);
foreach (SignerInfo signer in signers) {
if (signer.SignerIdentifier.Type == SubjectIdentifierType.NoSignature)
signer.CheckHash();
}
}
private static void CheckSignatures (SignerInfoCollection signers,
X509Certificate2Collection extraStore,
bool verifySignatureOnly) {
if (signers == null || signers.Count < 1)
throw new CryptographicException(CAPI.CRYPT_E_NO_SIGNER);
foreach (SignerInfo signer in signers) {
signer.CheckSignature(extraStore, verifySignatureOnly);
if (signer.CounterSignerInfos.Count > 0)
CheckSignatures(signer.CounterSignerInfos, extraStore, verifySignatureOnly);
}
}
// constructors
public SignedCms ()
{
_certs = new X509Certificate2Collection ();
_info = new SignerInfoCollection ();
}
/// <summary>
/// Checks that a collection of signature was signed by the signer certificate.
/// </summary>
/// <param name="signers">The collection of <see cref="SignerInfo"/> to check</param>
/// <param name="signerCertificate">The signer certificate that purports to sign the entity</param>
/// <exception cref="SignatureException">If the entity was not signed by the claimed certificate</exception>
public void CheckSignature(SignerInfoCollection signers, X509Certificate2 signerCertificate)
{
if (signerCertificate == null)
{
throw new SignatureException(SignatureError.NoCertificates);
}
if (signers == null || signers.Count == 0)
{
throw new SignatureException(SignatureError.NoSigners);
}
//
// Find the signer
//
SignerInfo signer = signers.FindByThumbprint(signerCertificate.Thumbprint);
if (signer == null)
{
throw new SignatureException(SignatureError.NoSigners);
}
signer.CheckSignature(true);
}
internal SignerInfoEnumerator(SignerInfoCollection signerInfos)
{
this.m_signerInfos = signerInfos;
this.m_current = -1;
}
private static void CheckSignatures(SignerInfoCollection signers, X509Certificate2Collection extraStore, bool verifySignatureOnly)
{
if ((signers == null) || (signers.Count < 1))
{
throw new CryptographicException(-2146885618);
}
SignerInfoEnumerator enumerator = signers.GetEnumerator();
while (enumerator.MoveNext())
{
SignerInfo current = enumerator.Current;
current.CheckSignature(extraStore, verifySignatureOnly);
if (current.CounterSignerInfos.Count > 0)
{
CheckSignatures(current.CounterSignerInfos, extraStore, verifySignatureOnly);
}
}
}
