public void VerifyWithModifiedSignedBytesTest()
{
string encodedModifiedSignedBytes = "0029020456C0D6A904210187EBC5594827DC2B3F87918DC7AFE8A528E844D65918CD525984D65981C2C79A";
// valid from 2016.01.01 - 2026.01.01
string encodedCert =
"308201A730820110A003020102021000BAA25764984826073CEF1BEEAA7B6F300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B05000381810057B6B2BED11E7DC06E7A7AD77D1922C33FE8BDEBDC48B20A9444F807AA6017890E10B21C6FA5C4795AF32B9A45E9C560580115C8DF09E4ACA8E69C2757F9CAAB3007B548A567DBE8FB228EFF4F3D7995B3B2F008F3D62BECB3D2E80827A17B42B9C8C8C0280565868D572BBE7E4916E4888D8F503BEC1561CF4A1495C43C6420";
string encodedSignature =
"308006092A864886F70D010702A0803080020101310F300D06096086480165030402010500308006092A864886F70D0107010000A080308201A730820110A003020102021000FA0A522D88F59EFD6B8D79217B94C7300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B0500038181000E2B265923ED37069FEA637264A3A9D8CBFD14A6732D380B54C61FADAF4F94DBE99E51409E25535896D9EB77328AF92B572E3E037AA0E052E89A067A77F448A0DFCDB432A45EED103B0182835638C048BE0668AD659E2E93DA056E44BC8180F9637D797E1072B4F99684EC5BEBF47E7194FB2A33B95CD08B6D2932303B8EFD2100003182013B30820137020101302630123110300E06035504030C0774657374696E67021000FA0A522D88F59EFD6B8D79217B94C7300D06096086480165030402010500A069301806092A864886F70D010903310B06092A864886F70D010701301C06092A864886F70D010905310F170D3137313131333133313831335A302F06092A864886F70D01090431220420F083925226E0D857E5320AB3544F754B2FA74B364268BC755987C518083D2940300D06092A864886F70D0101010500048180990B1C530CAED23935CB286774C6089AEA1E5593AEFCE56284517B1BEB00AE2F5C90212CD9ACD95A974F11F8FC68A53E16E2471682E61CDB461BA59037F56CBB6E55CA6B1A8A49B5A316A2B45274DB36E75CB1E0403A7C0B6DBEA52F0EBAA843E64CD97B878B216E1F0656B747A925E337EA375A3885623205351FC3721D5F1D000000000000";
PkiVerificationFailedException ex = Assert.Throws <PkiVerificationFailedException>(delegate
{
ICryptoSignatureVerifier verifier = KsiProvider.CreatePkcs7CryptoSignatureVerifier();
verifier.Verify(Base16.Decode(encodedModifiedSignedBytes),
Base16.Decode(encodedSignature),
new CryptoSignatureVerificationData(Base16.Decode(encodedCert)));
});
Assert.That(
ex.Message.StartsWith("Failed to verify PKCS#7 signature") &&
(
// separate error messages for Microsoft and Bouncy Castle
ex.InnerException.Message.StartsWith("The hash value is not correct") ||
ex.InnerException.Message.StartsWith("message-digest attribute value does not match calculated value")
),
"Unexpected exception message: " + ex.Message);
}
public void AsyncSignWithInvalidPassTest(KsiService service)
{
byte[] data = Encoding.UTF8.GetBytes("This is my document");
IDataHasher dataHasher = KsiProvider.CreateDataHasher();
dataHasher.AddData(data);
DataHash dataHash = dataHasher.GetHash();
ManualResetEvent waitHandle = new ManualResetEvent(false);
Exception ex = null;
IKsiSignature signature = null;
service.BeginSign(dataHash, delegate(IAsyncResult ar)
{
try
{
signature = service.EndSign(ar);
}
catch (Exception e)
{
ex = e;
}
finally
{
waitHandle.Set();
}
}, null);
Assert.IsTrue(waitHandle.WaitOne(10000), "Wait handle timed out.");
Assert.IsNull(signature, "Signature should be null.");
Assert.IsNotNull(ex, "Exception should not be null.");
Assert.AreEqual("Server responded with error message. Status: 258; Message: The request could not be authenticated.", ex.Message);
}
public void LinkUserIdToSignature()
{
BlockSigner ksiBlockSigner = new BlockSigner(GetKsiService());
IDataHasher dh = KsiProvider.CreateDataHasher(HashAlgorithm.Sha2256);
// This is the data we are signing
string data = "data";
dh.AddData(Encoding.UTF8.GetBytes(data));
// Suppose that this is the user that initiated the signing
// and it has been verified using a 3rd party authentication provider (e.g. LDAP)
string userId = "john.smith";
// Add both, the data and the user to the block signer
ksiBlockSigner.Add(dh.GetHash(), new IdentityMetadata(userId));
IKsiSignature[] signatures = ksiBlockSigner.Sign().ToArray();
// We should get only one signature as we only had one item that we signed
Assert.AreEqual(1, signatures.Length);
// Print the last part of the identity to show john.smith is there
IIdentity[] identity = signatures[0].GetIdentity().ToArray();
Console.WriteLine("User: " + identity[identity.Length - 1].ClientId);
// Store the signature as needed
// ...
}
public void VerifyWithPublicationsFileCertTest()
{
PublicationsFile pubsFile = TestUtil.GetPublicationsFile(Resources.PkiTrustProvider_PubsFileCustomCert);
ICryptoSignatureVerifier verifier = KsiProvider.CreatePkcs7CryptoSignatureVerifier();
verifier.Verify(pubsFile.GetSignedBytes(), pubsFile.GetSignatureValue(), new CryptoSignatureVerificationData(GetFileBytes(Resources.PkiTrustProvider_CustomCert)));
}
public void VerifyUnextendedSignatureUsingDefaultPolicy()
{
// Create simple wrapper.
KSI.Ksi ksi = GetKsi();
// Read signature, assume to be not extended
IKsiSignature signature = LoadUnextendedSignature();
// We need to compute the hash from the original data, to make sure it
// matches the one in the signature and has not been changed
// Use the same algorithm as the input hash in the signature
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
// Do the verification and check the result.
// At first KSI signature is verified against given document hash.
// Then the signature is extended. If extending succeeds then the signature is verified
// against publications file (publications file is automatically downloaded by simple wrapper).
// If extending is not yet possible then key based verification is done.
VerificationResult verificationResult = ksi.Verify(signature, documentHash);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyUnextendedSignatureUsingDefaultPolicy > signature valid");
}
else
{
Console.WriteLine("VerifyUnextendedSignatureUsingDefaultPolicy > verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyExtendedSignatureUsingDefaultPolicy()
{
// Create simple wrapper.
KSI.Ksi ksi = GetKsi();
// Read the existing signature, assume it is extended
IKsiSignature signature = LoadExtendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
// Do the verification and check the result.
// The signature is verified against given document hash and publications file (publications file is automatically downloaded by simple wrapper).
VerificationResult verificationResult = ksi.Verify(signature, documentHash);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyExtendedSignatureUsingDefaultPolicy > signature valid");
}
else
{
Console.WriteLine("VerifyExtendedSignatureUsingDefaultPolicy > verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyKeyBased()
{
KSI.Ksi ksi = GetKsi();
// Read signature, assume to be not extended
IKsiSignature signature = LoadUnextendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
VerificationPolicy policy = new KeyBasedVerificationPolicy(new X509Store(StoreName.Root), GetCertificateSubjectRdnSelector());
VerificationContext context = new VerificationContext(signature)
{
DocumentHash = documentHash,
PublicationsFile = ksi.GetPublicationsFile(),
};
VerificationResult verificationResult = policy.Verify(context);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyKeyBased > signature valid");
}
else
{
Console.WriteLine("VerifyKeyBased > signature verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyCalendarBasedUnextended()
{
IKsiSignature signature = LoadUnextendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
VerificationPolicy policy = new CalendarBasedVerificationPolicy();
VerificationContext context = new VerificationContext(signature)
{
DocumentHash = documentHash,
KsiService = GetKsiService(),
};
VerificationResult verificationResult = policy.Verify(context);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyCalendarBasedUnextended > signature valid");
}
else
{
Console.WriteLine("VerifyCalendarBasedUnextended > signature verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyExtendedSignatureUsingPublicationsCodeAutoExtend()
{
// Read signature, assume to be not extended
IKsiSignature signature = LoadUnextendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
PublicationData publicationData = new PublicationData("AAAAAA-CWYEKQ-AAIYPA-UJ4GRT-HXMFBE-OTB4AB-XH3PT3-KNIKGV-PYCJXU-HL2TN4-RG6SCC-3ZGSBM");
// Do the verification and check the result
VerificationPolicy policy = new PublicationBasedVerificationPolicy();
VerificationContext context = new VerificationContext(signature)
{
DocumentHash = documentHash,
UserPublication = publicationData,
IsExtendingAllowed = true,
KsiService = GetKsiService(),
};
VerificationResult verificationResult = policy.Verify(context);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsCodeAutoExtend > signature valid");
}
else
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsCodeAutoExtend > signature verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyExtendedSignatureUsingPublicationsCode()
{
// Read the existing signature, assume it is extended
IKsiSignature signature = LoadExtendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
// The trust anchor in this example is the publication code in Financial Times or on Twitter
PublicationData publicationData = new PublicationData("AAAAAA-CWYEKQ-AAIYPA-UJ4GRT-HXMFBE-OTB4AB-XH3PT3-KNIKGV-PYCJXU-HL2TN4-RG6SCC-3ZGSBM");
// Do the verification and check the result
VerificationPolicy policy = new PublicationBasedVerificationPolicy();
VerificationContext context = new VerificationContext(signature)
{
DocumentHash = documentHash,
UserPublication = publicationData
};
VerificationResult verificationResult = policy.Verify(context);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsCode > signature valid");
}
else
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsCode > signature verification failed with error > " + verificationResult.VerificationError);
}
}
public void VerifyExtendedSignatureUsingPublicationsFile()
{
KSI.Ksi ksi = GetKsi();
// Read the existing signature, assume it is extended
IKsiSignature signature = LoadExtendedSignature();
DataHash documentHash = KsiProvider.CreateDataHasher(signature.InputHash.Algorithm)
.AddData(File.ReadAllBytes("Resources/infile.txt"))
.GetHash();
// Do the verification and check the result
VerificationPolicy policy = new PublicationBasedVerificationPolicy();
VerificationContext context = new VerificationContext(signature)
{
DocumentHash = documentHash,
PublicationsFile = ksi.GetPublicationsFile(),
};
VerificationResult verificationResult = policy.Verify(context);
if (verificationResult.ResultCode == VerificationResultCode.Ok)
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsFile > signature valid");
}
else
{
Console.WriteLine("VerifyExtendedSignatureUsingPublicationsFile > verification failed with error > " + verificationResult.VerificationError);
}
}
public void SignHashDirectly()
{
KSI.Ksi ksi = GetKsi();
// Compute the hash first, use the input stream to provide the data to save memory for
// hashing very large documents
// In this example we simply use an input stream from an array of bytes but in practice it
// could be file input stream from a very large file (several GB)
IDataHasher dataHasher = KsiProvider.CreateDataHasher();
using (MemoryStream stream = new MemoryStream())
{
byte[] data = Encoding.UTF8.GetBytes("Imagine this is a large file");
stream.Write(data, 0, data.Length);
stream.Seek(0, SeekOrigin.Begin);
dataHasher.AddData(stream);
}
// Provide the signing method with the computed hash instead of document itself
IKsiSignature signature = ksi.Sign(dataHasher.GetHash());
// Persist signature to file
//using (FileStream stream = File.OpenRead("sample-file-for-signing.txt.ksig"))
//{
// signature.WriteTo(stream);
//}
}
public void BlockSignerGetUniSignaturesOfManyRandomHashesTest(Ksi ksi)
{
int k = 7;
Random random = new Random();
IdentityMetadata metadata = new IdentityMetadata("test client id", "test machine id");
List <DataHash> hashes = new List <DataHash>();
byte[] buffer = new byte[10];
for (int i = 0; i < k; i++)
{
IDataHasher hasher = KsiProvider.CreateDataHasher();
random.NextBytes(buffer);
hasher.AddData(buffer);
hashes.Add(hasher.GetHash());
}
BlockSigner blockSigner = new BlockSigner(GetHttpKsiService());
foreach (DataHash hash in hashes)
{
blockSigner.Add(hash, metadata);
}
IEnumerable <IKsiSignature> uniSignatures = blockSigner.Sign();
int n = 0;
foreach (IKsiSignature signature in uniSignatures)
{
Verify(ksi, signature, hashes[n++]);
}
}
public void SignStaticByteArrayEmptyTest()
{
Ksi ksi = GetStaticKsi(Resources.KsiService_AggregationResponsePdu_SignedZeroBytes, 6607061513599596791);
byte[] documentBytes = new byte[] { };
IKsiSignature signature = ksi.Sign(documentBytes);
Verify(signature, KsiProvider.CreateDataHasher(HashAlgorithm.Default).AddData(documentBytes).GetHash());
}
/// <summary>
/// Hash two hashes together.
/// </summary>
/// <param name="hashA">first hash</param>
/// <param name="hashB">second hash</param>
/// <param name="level">hash chain level</param>
/// <returns>resulting hash</returns>
private DataHash GetStepHash(byte[] hashA, byte[] hashB, ulong level)
{
IDataHasher hasher = KsiProvider.CreateDataHasher(_aggrAlgorithm);
hasher.AddData(hashA);
hasher.AddData(hashB);
hasher.AddData(Util.EncodeUnsignedLong(level));
return(hasher.GetHash());
}
/// <summary>
/// Hash two hashes together with algorithm.
/// </summary>
/// <param name="algorithm">hash algorithm</param>
/// <param name="hashA">hash a</param>
/// <param name="hashB">hash b</param>
/// <returns>result hash</returns>
private static DataHash GetStepHash(HashAlgorithm algorithm, byte[] hashA, byte[] hashB)
{
IDataHasher hasher = KsiProvider.CreateDataHasher(algorithm);
hasher.AddData(hashA);
hasher.AddData(hashB);
hasher.AddData(new byte[] { 0xFF });
return(hasher.GetHash());
}
/// <summary>
/// Calculate MAC value.
/// </summary>
/// <param name="pduBytes">PDU encoded as byte array</param>
/// <param name="macAlgorithm">MAC algorithm</param>
/// <param name="key">HMAC key</param>
private static DataHash CalcMacValue(byte[] pduBytes, HashAlgorithm macAlgorithm, byte[] key)
{
byte[] target = pduBytes.Length < macAlgorithm.Length ? new byte[0] : new byte[pduBytes.Length - macAlgorithm.Length];
Array.Copy(pduBytes, 0, target, 0, target.Length);
IHmacHasher hasher = KsiProvider.CreateHmacHasher(macAlgorithm);
return(hasher.GetHash(key, target));
}
public void AlgorithmNullTest()
{
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(delegate
{
KsiProvider.CreateRsaCryptoSignatureVerifier(null);
});
Assert.That(ex.ParamName == "algorithm", "Unexpected exception message: " + ex.Message);
}
public void GetHmacHasherWithDeprecatedAlgorithmTest()
{
Exception ex = Assert.Throws <HashingException>(delegate
{
KsiProvider.CreateHmacHasher(HashAlgorithm.Sha1);
});
Assert.That(ex.Message.StartsWith("Hash algorithm SHA1 is deprecated since 2016-07-01 and can not be used for HMAC."),
"Unexpected exception message: " + ex.Message);
}
public void SignatureBytesNullTest()
{
string encodedCert =
"308201A730820110A003020102021000BAA25764984826073CEF1BEEAA7B6F300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B05000381810057B6B2BED11E7DC06E7A7AD77D1922C33FE8BDEBDC48B20A9444F807AA6017890E10B21C6FA5C4795AF32B9A45E9C560580115C8DF09E4ACA8E69C2757F9CAAB3007B548A567DBE8FB228EFF4F3D7995B3B2F008F3D62BECB3D2E80827A17B42B9C8C8C0280565868D572BBE7E4916E4888D8F503BEC1561CF4A1495C43C6420";
ICryptoSignatureVerifier verifier = KsiProvider.CreatePkcs7CryptoSignatureVerifier();
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(delegate
{
verifier.Verify(Base16.Decode("01"), null, new CryptoSignatureVerificationData(Base16.Decode(encodedCert)));
});
Assert.That(ex.ParamName == "signatureBytes", "Unexpected exception message: " + ex.Message);
}
public void SignatureBytesNullTest()
{
string encodedCert =
"308201A730820110A00302010202100096577055BF04943952E580CD2DF257300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B050003818100A7668A7341CC50F71045D80419AFC648FAA869DCDAD248C7BCA171EBDF54EA4FFE7D339B5A227402A2E23B554BF0E1570FFB6D0F47F3EE155984CCD3A3676C66A780560CE0A3B75B0F6D83D25FBE0B19B7491114529F208470060BFEAB1F91CA59940D53FCFA277B6E3BAE0057AD7CD2C9549B9CCF4FBF942E37B13ACC430302";
ICryptoSignatureVerifier verifier = KsiProvider.CreateRsaCryptoSignatureVerifier("SHA256");
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(delegate
{
verifier.Verify(Base16.Decode("01"), null, new CryptoSignatureVerificationData(Base16.Decode(encodedCert)));
});
Assert.That(ex.ParamName == "signatureBytes", "Unexpected exception message: " + ex.Message);
}
/// <summary>
/// Get crypto signature verifier by oid.
/// </summary>
/// <param name="oid">signature oid</param>
/// <returns>signature verifier</returns>
public static ICryptoSignatureVerifier GetCryptoSignatureVerifierByOid(string oid)
{
switch (oid)
{
case "1.2.840.113549.1.1.11":
return(KsiProvider.CreateRsaCryptoSignatureVerifier("SHA256"));
case "1.2.840.113549.1.7.2":
return(KsiProvider.CreatePkcs7CryptoSignatureVerifier());
default:
throw new PkiVerificationErrorException("Cryptographic signature not supported. Oid: " + oid);
}
}
public void NoTrustAnchorsTest()
{
string encodedSignedBytes = "3029020456C0D6A904210187EBC5594827DC2B3F87918DC7AFE8A528E844D65918CD525984D65981C2C79A";
string encodedSignature =
"308006092A864886F70D010702A0803080020101310F300D06096086480165030402010500308006092A864886F70D0107010000A080308201A730820110A003020102021000BAA25764984826073CEF1BEEAA7B6F300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B05000381810057B6B2BED11E7DC06E7A7AD77D1922C33FE8BDEBDC48B20A9444F807AA6017890E10B21C6FA5C4795AF32B9A45E9C560580115C8DF09E4ACA8E69C2757F9CAAB3007B548A567DBE8FB228EFF4F3D7995B3B2F008F3D62BECB3D2E80827A17B42B9C8C8C0280565868D572BBE7E4916E4888D8F503BEC1561CF4A1495C43C642000003182013B30820137020101302630123110300E06035504030C0774657374696E67021000BAA25764984826073CEF1BEEAA7B6F300D06096086480165030402010500A069301806092A864886F70D010903310B06092A864886F70D010701301C06092A864886F70D010905310F170D3137313130393133333235335A302F06092A864886F70D01090431220420F083925226E0D857E5320AB3544F754B2FA74B364268BC755987C518083D2940300D06092A864886F70D01010105000481809BC20BF93B9190207D585A4638AFBB3BCDB740E6030F1B56A922E7E1B25024F3DCE9F2B63B693281E5056D7BA4553814B1FF8E4A38955DAF0FA9B26D468B29D8137E1EE0FAF3A9D8FD1E5EBFF0560C51684B93735E3D1A2313484AF62EC2FD39BA7BA2781818BB38BFE2D33C2C23F74AB4F43824D4209E3DA211F1DB990DCD0D000000000000";
ICryptoSignatureVerifier verifier = KsiProvider.CreatePkcs7CryptoSignatureVerifier();
ArgumentException ex = Assert.Throws <ArgumentException>(delegate
{
verifier.Verify(Base16.Decode(encodedSignedBytes), Base16.Decode(encodedSignature), null);
});
Assert.That(ex.Message.StartsWith("No trust anchors given."), "Unexpected exception message: " + ex.Message);
}
public void CryptoSignatureVerificationDataNullTest()
{
string encodedSignedBytes = "3029020456C0D6A904210187EBC5594827DC2B3F87918DC7AFE8A528E844D65918CD525984D65981C2C79A";
string encodedSignature =
"4B08D8DE7AFB3390FD6F315877EBEB55DA4F259E57BC6A282EA00373D43FC32ECC462500CACD353DFE4916EBFD58B89D72F204668223177263DF1963934326EAABE70FDB70C9238C35C3BBAC842FE9BF205C5AD0AE5A691CC26306AAB20129FA5F9C8711E4D0ED3118FFE32B6C97572A8D6700A3471B90023A60FF71C9558E0C";
ICryptoSignatureVerifier verifier = KsiProvider.CreateRsaCryptoSignatureVerifier("SHA256");
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(delegate
{
verifier.Verify(Base16.Decode(encodedSignedBytes), Base16.Decode(encodedSignature), null);
});
Assert.That(ex.ParamName == "data", "Unexpected exception message: " + ex.Message);
}
public void SignedBytesNullTest()
{
string encodedCert =
"308201A730820110A00302010202100096577055BF04943952E580CD2DF257300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B050003818100A7668A7341CC50F71045D80419AFC648FAA869DCDAD248C7BCA171EBDF54EA4FFE7D339B5A227402A2E23B554BF0E1570FFB6D0F47F3EE155984CCD3A3676C66A780560CE0A3B75B0F6D83D25FBE0B19B7491114529F208470060BFEAB1F91CA59940D53FCFA277B6E3BAE0057AD7CD2C9549B9CCF4FBF942E37B13ACC430302";
string encodedSignature =
"4B08D8DE7AFB3390FD6F315877EBEB55DA4F259E57BC6A282EA00373D43FC32ECC462500CACD353DFE4916EBFD58B89D72F204668223177263DF1963934326EAABE70FDB70C9238C35C3BBAC842FE9BF205C5AD0AE5A691CC26306AAB20129FA5F9C8711E4D0ED3118FFE32B6C97572A8D6700A3471B90023A60FF71C9558E0C";
ICryptoSignatureVerifier verifier = KsiProvider.CreateRsaCryptoSignatureVerifier("SHA256");
ArgumentNullException ex = Assert.Throws <ArgumentNullException>(delegate
{
verifier.Verify(null, Base16.Decode(encodedSignature), new CryptoSignatureVerificationData(Base16.Decode(encodedCert)));
});
Assert.That(ex.ParamName == "signedBytes", "Unexpected exception message: " + ex.Message);
}
public void VerifyWithTimeTest()
{
string encodedSignedBytes = "3029020456C0D6A904210187EBC5594827DC2B3F87918DC7AFE8A528E844D65918CD525984D65981C2C79A";
// valid from 2016.01.01 - 2026.01.01
string encodedCert =
"308201A730820110A00302010202100096577055BF04943952E580CD2DF257300D06092A864886F70D01010B050030123110300E06035504030C0774657374696E67301E170D3136303130313030303030305A170D3236303130313030303030305A30123110300E06035504030C0774657374696E6730819F300D06092A864886F70D010101050003818D0030818902818100E66DC137E4F856EADB0D47C280BED297D70191287919FD6EBF1195DF5E821EA867F861E551A37762E3CAEBB32B1DE7E0143529F1678A87BCE2C8E5D5185F25EEC3ABC7E295EEBC64EFE4BC8ADB412A99D3F9125D30C45F887632DE4B95AA169B79D1A6FD4E735255632341ED41B5BFA828975A4F1501B02C2277CA15BD470DAB0203010001300D06092A864886F70D01010B050003818100A7668A7341CC50F71045D80419AFC648FAA869DCDAD248C7BCA171EBDF54EA4FFE7D339B5A227402A2E23B554BF0E1570FFB6D0F47F3EE155984CCD3A3676C66A780560CE0A3B75B0F6D83D25FBE0B19B7491114529F208470060BFEAB1F91CA59940D53FCFA277B6E3BAE0057AD7CD2C9549B9CCF4FBF942E37B13ACC430302";
string encodedSignature =
"4B08D8DE7AFB3390FD6F315877EBEB55DA4F259E57BC6A282EA00373D43FC32ECC462500CACD353DFE4916EBFD58B89D72F204668223177263DF1963934326EAABE70FDB70C9238C35C3BBAC842FE9BF205C5AD0AE5A691CC26306AAB20129FA5F9C8711E4D0ED3118FFE32B6C97572A8D6700A3471B90023A60FF71C9558E0C";
ICryptoSignatureVerifier verifier = KsiProvider.CreateRsaCryptoSignatureVerifier("SHA256");
verifier.Verify(Base16.Decode(encodedSignedBytes),
Base16.Decode(encodedSignature),
new CryptoSignatureVerificationData(Base16.Decode(encodedCert), Util.ConvertDateTimeToUnixTime(new DateTime(2016, 1, 1, 0, 0, 0, DateTimeKind.Utc))));
}
/// <summary>
/// Verify bytes with x509 signature.
/// </summary>
/// <param name="signedBytes">Bytes to be verified</param>
/// <param name="signatureBytes">Byte array containing signature</param>
public void Verify(byte[] signedBytes, byte[] signatureBytes)
{
if (signedBytes == null)
{
throw new ArgumentNullException(nameof(signedBytes));
}
if (signatureBytes == null)
{
throw new ArgumentNullException(nameof(signatureBytes));
}
ICryptoSignatureVerifier verifier = KsiProvider.CreatePkcs7CryptoSignatureVerifier(_trustStore, _certificateRdnSelector);
verifier.Verify(signedBytes, signatureBytes, null);
}
public void AsyncSignHashTest(KsiService service)
{
byte[] data = Encoding.UTF8.GetBytes("This is my document");
IDataHasher dataHasher = KsiProvider.CreateDataHasher();
dataHasher.AddData(data);
DataHash dataHash = dataHasher.GetHash();
ManualResetEvent waitHandle = new ManualResetEvent(false);
IKsiSignature signature = null;
object testObject = new object();
bool isAsyncStateCorrect = false;
service.BeginSign(dataHash, delegate(IAsyncResult ar)
{
try
{
isAsyncStateCorrect = ar.AsyncState == testObject;
signature = service.EndSign(ar);
}
catch (Exception ex)
{
Assert.Fail("Unexpected exception: " + ex);
}
finally
{
waitHandle.Set();
}
}, testObject);
Assert.IsTrue(waitHandle.WaitOne(10000), "Wait handle timed out.");
Assert.IsNotNull(signature, "Signature should not be null.");
Assert.AreEqual(true, isAsyncStateCorrect, "Unexpected async state.");
VerificationContext verificationContext = new VerificationContext(signature)
{
DocumentHash = dataHash
};
InternalVerificationPolicy policy = new InternalVerificationPolicy();
VerificationResult verificationResult = policy.Verify(verificationContext);
Assert.AreEqual(VerificationResultCode.Ok, verificationResult.ResultCode, "Signature should verify with internal policy");
}
/// <summary>
/// Get output hash for RFC 3161 from document hash
/// </summary>
/// <returns>aggregation input hash</returns>
public DataHash GetOutputHash()
{
IDataHasher hasher = KsiProvider.CreateDataHasher(_tstInfoAlgorithm);
hasher.AddData(_tstInfoPrefix.Value);
hasher.AddData(InputHash.Value);
hasher.AddData(_tstInfoSuffix.Value);
DataHash inputHash = hasher.GetHash();
hasher = KsiProvider.CreateDataHasher(_signedAttributesAlgorithm);
hasher.AddData(_signedAttributesPrefix.Value);
hasher.AddData(inputHash.Value);
hasher.AddData(_signedAttributesSuffix.Value);
return(hasher.GetHash());
}
/// <see cref="VerificationRule.Verify" />
public override VerificationResult Verify(IVerificationContext context)
{
IKsiSignature signature = GetSignature(context);
if (!signature.IsRfc3161Signature)
{
return(new VerificationResult(GetRuleName(), VerificationResultCode.Ok));
}
DataHash aggregationHashChainInputHash = GetAggregationHashChains(signature, false)[0].InputHash;
DataHash inputHash = KsiProvider.CreateDataHasher(aggregationHashChainInputHash.Algorithm)
.AddData(signature.Rfc3161Record.GetOutputHash().Imprint)
.GetHash();
return(inputHash != aggregationHashChainInputHash
? new VerificationResult(GetRuleName(), VerificationResultCode.Fail, VerificationError.Int01)
: new VerificationResult(GetRuleName(), VerificationResultCode.Ok));
}
