/// <summary> /// Insert the certificate in the certificate list and check the certificate validity. /// </summary> /// <param name="cert"></param> /// <param name="unsignedProperties"></param> /// <param name="addCert"></param> /// <param name="ocspServers"></param> /// <param name="crlList"></param> /// <param name="digestMethod"></param> /// <param name="addCertificateOcspUrl"></param> /// <param name="extraCerts"></param> /// <param name="useNonce">If true then nonce will be used. The ocsp server should support this. OCSP reposnder in Microsoft Windows must be configured explicitly to support nonce.</param> private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <OcspServer> ocspServers, IEnumerable <X509Crl> crlList, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, X509Certificate2[] extraCerts = null, bool useNonce = true) { if (addCert) { if (CertificateChecked(cert, unsignedProperties)) { return; } string guidCert = Guid.NewGuid().ToString(); Cert chainCert = new Cert(); chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name; chainCert.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString(); DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, chainCert.CertDigest); chainCert.URI = "#Cert" + guidCert; unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert); EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate { Id = "Cert" + guidCert, PkiData = cert.GetRawCertData() }; unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements; if (chain.Count > 1) { X509ChainElementEnumerator enumerator = chain.GetEnumerator(); enumerator.MoveNext(); // el mismo certificado que el pasado por parametro enumerator.MoveNext(); bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod); if (!valid) { var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod, addCertificateOcspUrl, useNonce); if (ocspCerts != null) { X509Certificate2 startOcspCert = DetermineStartCert(ocspCerts); if (!EquivalentDN(startOcspCert.IssuerName, enumerator.Current.Certificate.SubjectName)) { var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts); AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, ocspCerts); } } } AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, extraCerts); } }
/// <summary> /// Inserta en la lista de certificados el certificado y comprueba la valided del certificado. /// </summary> /// <param name="cert"></param> /// <param name="unsignedProperties"></param> /// <param name="addCertValue"></param> /// <param name="extraCerts"></param> private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, X509Certificate2[] extraCerts = null) { if (addCert) { if (CertificateChecked(cert, unsignedProperties)) { return; } string guidCert = Guid.NewGuid().ToString(); Cert chainCert = new Cert(); chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name; chainCert.IssuerSerial.X509SerialNumber = CertUtil.HexToDecimal(cert.SerialNumber); DigestUtil.SetCertDigest(cert.GetRawCertData(), _firma.RefsDigestMethod, chainCert.CertDigest); chainCert.URI = "#Cert" + guidCert; unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert); EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate(); encapsulatedX509Certificate.Id = "Cert" + guidCert; encapsulatedX509Certificate.PkiData = cert.GetRawCertData(); unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements; if (chain.Count > 1) { X509ChainElementEnumerator enumerator = chain.GetEnumerator(); enumerator.MoveNext(); // el mismo certificado que el pasado por parametro enumerator.MoveNext(); bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate); if (!valid) { var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate); if (ocspCerts != null) { X509Certificate2 startOcspCert = DetermineStartCert(new List <X509Certificate2>(ocspCerts)); if (startOcspCert.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name) { var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts); AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspCerts); } } } AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, extraCerts); } }
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null) { if (addCert) { if (CertificateChecked(cert, unsignedProperties)) { return; } string str = Guid.NewGuid().ToString(); Cert cert2 = new Cert(); cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name; cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString(); DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest); cert2.URI = "#Cert" + str; unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2); EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate(); encapsulatedX509Certificate.Id = "Cert" + str; encapsulatedX509Certificate.PkiData = cert.GetRawCertData(); unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements; if (chainElements.Count > 1) { X509ChainElementEnumerator enumerator = chainElements.GetEnumerator(); enumerator.MoveNext(); enumerator.MoveNext(); if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod)) { X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod); if (array != null) { X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array)); if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name) { X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array); AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array); } } } AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts); } }
protected internal override void ExtendSignatureTag(XadesSignedXml xadesSignedXml) { base.ExtendSignatureTag(xadesSignedXml); X509Certificate signingCertificate = DotNetUtilities.FromX509Certificate( xadesSignedXml.GetSigningCertificate()); DateTime signingTime = xadesSignedXml.XadesObject.QualifyingProperties .SignedProperties.SignedSignatureProperties.SigningTime; ValidationContext ctx = certificateVerifier.ValidateCertificate(signingCertificate , signingTime, new XAdESCertificateSource(xadesSignedXml.GetXml(), false), null, null); UnsignedProperties unsignedProperties = null; //int certificateValuesCounter; CertificateValues certificateValues; EncapsulatedX509Certificate encapsulatedX509Certificate; RevocationValues revocationValues; CRLValue newCRLValue; OCSPValue newOCSPValue; unsignedProperties = xadesSignedXml.UnsignedProperties; //TODO jbonilla Validate certificate refs. { unsignedProperties.UnsignedSignatureProperties.CertificateValues = new CertificateValues(); certificateValues = unsignedProperties.UnsignedSignatureProperties.CertificateValues; //certificateValues.Id = this.certificateValuesIdTextBox.Text; //certificateValuesCounter = 0; foreach (CertificateAndContext certificate in ctx.GetNeededCertificates()) { encapsulatedX509Certificate = new EncapsulatedX509Certificate(); //encapsulatedX509Certificate.Id = this.certificateValuesIdTextBox.Text + certificateValuesCounter.ToString(); encapsulatedX509Certificate.PkiData = certificate.GetCertificate().GetEncoded(); //certificateValuesCounter++; certificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } } unsignedProperties = xadesSignedXml.UnsignedProperties; unsignedProperties.UnsignedSignatureProperties.RevocationValues = new RevocationValues(); revocationValues = unsignedProperties.UnsignedSignatureProperties.RevocationValues; //revocationValues.Id = this.revocationValuesIdTextBox.Text; if (ctx.GetNeededOCSPResp().Count > 0) { foreach (BasicOcspResp ocsp in ctx.GetNeededOCSPResp()) { newOCSPValue = new OCSPValue(); newOCSPValue.PkiData = OCSPUtils.FromBasicToResp(ocsp).GetEncoded(); revocationValues.OCSPValues.OCSPValueCollection.Add(newOCSPValue); } } if (ctx.GetNeededCRL().Count > 0) { foreach (X509Crl crl in ctx.GetNeededCRL()) { newCRLValue = new CRLValue(); newCRLValue.PkiData = crl.GetEncoded(); revocationValues.CRLValues.CRLValueCollection.Add(newCRLValue); } } xadesSignedXml.UnsignedProperties = unsignedProperties; }