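        /// <summary>
        /// Checks the revocation status of <paramref name="signCert"/> at <paramref name="date"/>
        /// using only the revocation material embedded in the signature: the OCSP response first,
        /// the CRLs as a fallback. Findings are written to the console.
        /// </summary>
        /// <param name="pkcs7">Parsed signature; supplies the embedded OCSP response and CRLs.</param>
        /// <param name="signCert">The signing certificate whose status is checked.</param>
        /// <param name="issuerCert">Issuer of <paramref name="signCert"/>; its public key is used to verify CRL signatures.</param>
        /// <param name="date">Point in time at which the status is evaluated (normally the signing date).</param>
        /// <remarks>
        /// An empty verification list means "no trusted source could confirm the status", which is not
        /// the same as "revoked". NOTE(review): the iText verifiers are expected to surface a positive
        /// "revoked" answer as a VerificationException rather than as an empty list — confirm for the
        /// iText version in use; that exception is deliberately not caught here.
        /// </remarks>
        public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            var ocsps = new List<BasicOcspResp>();
            if (pkcs7.Ocsp != null)
            {
                ocsps.Add(pkcs7.Ocsp);
            }
            // null: no chained (root) verifier — only the material passed in is consulted.
            var ocspVerifier = new OcspVerifier(null, ocsps);
            List<VerificationOK> verification = ocspVerifier.Verify(signCert, issuerCert, date);

            var crls = new List<X509Crl>();
            if (pkcs7.CRLs != null)
            {
                foreach (X509Crl crl in pkcs7.CRLs)
                {
                    crls.Add(crl);
                }
            }

            if (verification.Count == 0)
            {
                var crlVerifier = new CrlVerifier(null, crls);
                verification.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
            }

            if (verification.Count == 0)
            {
                Console.WriteLine("The signing certificate couldn't be verified with the example");
            }
            else
            {
                foreach (VerificationOK v in verification)
                {
                    Console.WriteLine(v);
                }
            }

            // Fallback when neither verifier produced a result: consult the embedded CRLs directly.
            // The CRLs come from the signed document itself, i.e. from whoever produced the file, so a
            // CRL is only trusted when it is issued by signCert's issuer, its signature verifies under
            // issuerCert's public key, and its validity window covers 'date'. Calling IsRevoked on an
            // unverified CRL would let a forged CRL answer "not revoked".
            if (verification.Count == 0 && crls.Count != 0)
            {
                bool checkedAny = false;
                bool revoked    = false;
                foreach (X509Crl crl in crls)
                {
                    if (!IsTrustedCrlFor(crl, signCert, issuerCert, date))
                    {
                        continue;
                    }
                    checkedAny = true;
                    // signCert is the same certificate the verifiers above were asked about.
                    if (crl.IsRevoked(signCert))
                    {
                        revoked = true;
                        break;
                    }
                }

                if (checkedAny)
                {
                    Console.WriteLine("Is certificate revoked?: " + revoked.ToString());
                }
                else
                {
                    // Do not report "false": no usable CRL means the status is unknown.
                    Console.WriteLine("Is certificate revoked?: unknown (no embedded CRL is issued by the signer's CA, verifies under its key and covers the requested date)");
                }
            }
        }

        /// <summary>
        /// Returns true when <paramref name="crl"/> may be used to decide the status of
        /// <paramref name="signCert"/> at <paramref name="date"/>: the CRL issuer DN equals the
        /// certificate's issuer DN, the CRL signature verifies under <paramref name="issuerCert"/>'s
        /// public key, and <paramref name="date"/> lies within [thisUpdate, nextUpdate].
        /// </summary>
        private static bool IsTrustedCrlFor(X509Crl crl, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            if (!crl.IssuerDN.Equals(signCert.IssuerDN))
            {
                return false;
            }
            if (date < crl.ThisUpdate)
            {
                return false;
            }
            // nextUpdate is optional (RFC 5280 §5.1.2.5); when absent only thisUpdate bounds the window.
            var nextUpdate = crl.NextUpdate;
            if (nextUpdate != null && date > nextUpdate.Value)
            {
                return false;
            }
            try
            {
                // Throws when the CRL signature does not verify under the issuer's key.
                crl.Verify(issuerCert.GetPublicKey());
            }
            catch (Exception)
            {
                return false;
            }
            return true;
        }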
        /// <summary>
        /// Looks for embedded evidence about the revocation status of <paramref name="signCert"/>
        /// at <paramref name="date"/>: the OCSP response is tried first, the CRLs only when OCSP
        /// produced nothing. Each positive result is echoed to the console.
        /// </summary>
        /// <param name="pkcs7">Parsed signature; supplies the embedded OCSP response and CRLs.</param>
        /// <param name="signCert">Certificate whose status is checked.</param>
        /// <param name="issuerCert">Issuer of <paramref name="signCert"/>.</param>
        /// <param name="date">Point in time at which the status is evaluated.</param>
        /// <returns>
        /// true when at least one embedded source produced a positive result; false when no source
        /// could be consulted. false does NOT mean "revoked" — it means "undetermined".
        /// NOTE(review): a positive "revoked" answer is expected to surface as an exception from the
        /// iText verifiers and is not caught here — confirm for the iText version in use.
        /// </returns>
        private static bool CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            var ocspResponses = new List<BasicOcspResp>();
            if (pkcs7.Ocsp != null)
            {
                ocspResponses.Add(pkcs7.Ocsp);
            }

            // null: no chained (root) verifier — only the material passed in is consulted.
            var ocspVerifier = new OcspVerifier(null, ocspResponses);
            List<VerificationOK> results = ocspVerifier.Verify(signCert, issuerCert, date);

            if (results.Count == 0)
            {
                var embeddedCrls = new List<X509Crl>();
                if (pkcs7.CRLs != null)
                {
                    foreach (X509Crl embedded in pkcs7.CRLs)
                    {
                        embeddedCrls.Add(embedded);
                    }
                }

                // The CRL verifier is only built when there is something for it to look at.
                if (embeddedCrls.Count > 0)
                {
                    var crlVerifier = new CrlVerifier(null, embeddedCrls);
                    results.AddRange(crlVerifier.Verify(signCert, issuerCert, date));
                }
            }

            if (results.Count == 0)
            {
                return false;
            }

            foreach (VerificationOK ok in results)
            {
                Console.WriteLine(ok);
            }
            return true;
        }
        /// <summary>
        /// Prints the embedded revocation evidence for <paramref name="signCert"/> at
        /// <paramref name="date"/>: the OCSP response is tried first, the CRLs only when OCSP
        /// produced nothing.
        /// </summary>
        /// <param name="pkcs7">Parsed signature; supplies the embedded OCSP response and CRLs.</param>
        /// <param name="signCert">Certificate whose status is checked.</param>
        /// <param name="issuerCert">Issuer of <paramref name="signCert"/>.</param>
        /// <param name="date">Point in time at which the status is evaluated.</param>
        /// <remarks>
        /// "Couldn't be verified" means no embedded source produced a result — undetermined, not
        /// revoked. NOTE(review): a positive "revoked" answer is expected to surface as an exception
        /// from the iText verifiers and is not caught here — confirm for the iText version in use.
        /// </remarks>
        public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            var ocspResponses = new List<BasicOcspResp>();
            if (pkcs7.Ocsp != null)
            {
                ocspResponses.Add(pkcs7.Ocsp);
            }

            // null: no chained (root) verifier — only the material passed in is consulted.
            var results = new OcspVerifier(null, ocspResponses).Verify(signCert, issuerCert, date);

            if (results.Count == 0)
            {
                var embeddedCrls = new List<X509Crl>();
                if (pkcs7.CRLs != null)
                {
                    foreach (X509Crl embedded in pkcs7.CRLs)
                    {
                        embeddedCrls.Add(embedded);
                    }
                }
                // Unlike the OCSP step the CRL verifier is built even when the list is empty.
                results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
            }

            if (results.Count > 0)
            {
                foreach (VerificationOK ok in results)
                {
                    Console.WriteLine(ok);
                }
                return;
            }

            Console.WriteLine("The signing certificate couldn't be verified");
        }
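        /// <summary>
        /// Verifies every signer of a CMS/PKCS#7 (.p7m) envelope and reports, per signer, integrity,
        /// chain validity at the signing time and (when <c>CheckRevocation</c> is set) revocation status.
        /// With <c>RecursiveP7m</c> the signed content is unwrapped and verified again while the file
        /// name still carries a nested ".p7m" extension.
        /// </summary>
        /// <param name="barr">The raw .p7m bytes.</param>
        /// <param name="fileName">File name; its (possibly nested) extensions drive the unwrapping loop and appear in log messages.</param>
        /// <returns>One <c>SignatureInfo</c> per signer found, plus the aggregate <c>SignaturesValid</c> flag.</returns>
        /// <remarks>
        /// Trust model: the signer certificate is taken from the envelope itself, i.e. from whoever
        /// produced the file, so <c>IntegrityValid</c> alone proves nothing about who signed.
        /// <c>ChainCertificatesNotValidAtSignedTime</c> (chain anchored in <c>keyStore</c>) and the
        /// revocation result are what make a signature trustworthy. The signing time is the
        /// signer-asserted signing-time attribute, not an independent timestamp; a signer whose key is
        /// later compromised can backdate it. Any exception is logged and rethrown.
        /// </remarks>
        private SignaturesResult VerifyP7m(byte[] barr, string fileName)
        {
            var result = new SignaturesResult();
            result.SignatureInfos = new List<SignatureInfo>();
            try
            {
                var nomeFile   = System.IO.Path.GetFileName(fileName);
                var estensione = System.IO.Path.GetExtension(fileName).ToLowerInvariant();
                while (estensione == ".p7m")
                {
                    var cms   = new CmsSignedData(barr);
                    var certs = cms.GetCertificates("Collection");
                    var sis   = cms.GetSignerInfos();
                    if (sis != null)
                    {
                        if (RecursiveP7m || ExtractSignedContent)
                        {
                            // A detached signature carries no content: nothing to extract or unwrap.
                            if (cms.SignedContent == null)
                            {
                                throw new InvalidOperationException("Signed content is not present in the .p7m (detached signature).");
                            }
                            using (var ms = new MemoryStream())
                            {
                                cms.SignedContent.Write(ms);
                                barr = ms.ToArray();
                            }
                            if (ExtractSignedContent)
                            {
                                result.SignedContent = barr;
                            }
                        }

                        // Every certificate carried by the envelope (null selector = no filter); the
                        // same set is checked for each signer, so it is built once per envelope.
                        // NOTE(review): the store's enumeration order is not guaranteed to be chain
                        // order — confirm VerifyCertificates tolerates that.
                        var envelopeCerts = new List<Org.BouncyCastle.X509.X509Certificate>();
                        foreach (var c in certs.GetMatches(null))
                        {
                            envelopeCerts.Add((Org.BouncyCastle.X509.X509Certificate)c);
                        }

                        foreach (SignerInformation sign in sis.GetSigners())
                        {
                            var si = new SignatureInfo();
                            si.SignDateTime = GetSigningTime(sign);

                            // Chain check against the trusted keyStore at the claimed signing time.
                            var errors =
                                iTextSharp.text.pdf.security.CertificateVerification.VerifyCertificates(
                                    envelopeCerts, keyStore, si.SignDateTime);
                            if (errors.Count > 0)
                            {
                                si.ChainCertificatesNotValidAtSignedTime = true;
                            }

                            // The signer's own certificate, located by SignerID (issuer + serial).
                            IList cs = new ArrayList(certs.GetMatches(sign.SignerID));
                            if (cs.Count == 0)
                            {
                                throw new InvalidOperationException("Signer certificate not found in the CMS envelope.");
                            }
                            var cc = (Org.BouncyCastle.X509.X509Certificate)cs[0];

                            // NOTE(review): SigAlgName is the algorithm the CA used to sign cc, not the
                            // digest algorithm of this signature (that would be sign.DigestAlgOid). Kept
                            // as-is so existing consumers of DigestAlgorithm see the same value.
                            si.DigestAlgorithm = cc.SigAlgName;
                            si.IntegrityValid  = sign.Verify(cc);

                            var cert2 = new X509Certificate2(cc.GetEncoded());
                            si.Name     = null;
                            si.Signer   = cert2.SubjectName.Name;
                            si.Revision = sign.Version;

                            if (CheckRevocation)
                            {
                                try
                                {
                                    // A plain CMS envelope embeds no OCSP response: the OCSP verifier
                                    // is empty and the CRL path below decides.
                                    var ocsps        = new List<Org.BouncyCastle.Ocsp.BasicOcspResp>();
                                    var ocspVerifier = new OcspVerifier(null, ocsps);

                                    // The issuer must come from the trusted keyStore, never from the envelope.
                                    // NOTE(review): SingleOrDefault throws when two trusted certs share a
                                    // subject DN (e.g. a renewed CA); that is caught below and reported as
                                    // revoked (fail closed).
                                    var issueCert = keyStore.SingleOrDefault(c => c.SubjectDN.Equals(cc.IssuerDN));
                                    if (issueCert == null)
                                    {
                                        throw new InvalidOperationException("Issuer certificate not found.");
                                    }

                                    List<VerificationOK> verification = ocspVerifier.Verify(cc, issueCert, si.SignDateTime);
                                    if (verification.Count == 0)
                                    {
                                        // No embedded CRLs either: let the verifier fetch one from the
                                        // certificate's CRL distribution point (network access).
                                        var crlVerifier = new CrlVerifier(null, new List<Org.BouncyCastle.X509.X509Crl>());
                                        crlVerifier.OnlineCheckingAllowed = true;
                                        verification = crlVerifier.Verify(cc, issueCert, si.SignDateTime);
                                    }

                                    // null  = status could not be determined;
                                    // false = a source confirmed "not revoked" at the signing time.
                                    // NOTE(review): a "revoked" answer is expected to surface as an exception
                                    // from the verifier and is handled by the catch below — confirm for the
                                    // iText version in use.
                                    si.CertificateRevocatedAtSignedTime = verification.Count == 0 ? (bool?)null : false;
                                    foreach (var verificationOk in verification)
                                    {
                                        System.Diagnostics.Trace.WriteLine(verificationOk);
                                    }
                                }
                                catch (Exception ex)
                                {
                                    // Fail closed: any error during the revocation check counts as revoked.
                                    si.CertificateRevocatedAtSignedTime = true;
                                    System.Diagnostics.Trace.WriteLine(
                                        string.Format(
                                            "Si è verificato il seguente errore durante la verifica di revoca per la firma {2}  del file {0} {1}",
                                            System.IO.Path.GetFileName(fileName), ex.Message, si.Revision));
                                }
                            }

                            // An undetermined revocation status (null) counts as revoked (fail closed).
                            si.SignatureValid = si.IntegrityValid &&
                                                !si.ChainCertificatesNotValidAtSignedTime &&
                                                (!CheckRevocation || !si.CertificateRevocatedAtSignedTime.GetValueOrDefault(true));

                            result.SignatureInfos.Add(si);
                        }
                    }

                    if (!RecursiveP7m)
                    {
                        break;
                    }

                    // Peel one extension off the name and loop while the inner name still ends in .p7m.
                    // Lower-cased like the first extension so ".P7M" nests the same way as ".p7m".
                    nomeFile   = System.IO.Path.GetFileNameWithoutExtension(nomeFile);
                    estensione = System.IO.Path.GetExtension(nomeFile).ToLowerInvariant();
                }

                // A file with no signatures at all (e.g. not a .p7m) must not be reported as valid:
                // All() over an empty list would be vacuously true.
                result.SignaturesValid = result.SignatureInfos.Count > 0 &&
                                         result.SignatureInfos.All(si => si.SignatureValid);
            }
            catch (Exception exx)
            {
                System.Diagnostics.Trace.WriteLine(
                    string.Format(
                        "Si è verificato il seguente errore durante la verifica delle firme del file {0} {1}",
                        System.IO.Path.GetFileName(fileName), exx.Message));
                throw; // rethrow without resetting the stack trace
            }

            return(result);
        }

        /// <summary>
        /// Reads the signer-asserted signing-time signed attribute. RFC 5652 §11.3 allows both
        /// UTCTime and GeneralizedTime encodings; both are accepted.
        /// </summary>
        /// <param name="sign">Signer whose signed attributes are inspected.</param>
        /// <returns>The signing time.</returns>
        /// <exception cref="Exception">When the attribute is absent or not a recognised time type.</exception>
        private static DateTime GetSigningTime(SignerInformation sign)
        {
            var attr = sign.SignedAttributes == null ? null : sign.SignedAttributes[CmsAttributes.SigningTime];
            if (attr != null && attr.AttrValues != null && attr.AttrValues.Count > 0)
            {
                var utc = attr.AttrValues[0] as DerUtcTime;
                if (utc != null)
                {
                    return utc.ToAdjustedDateTime();
                }
                var generalized = attr.AttrValues[0] as DerGeneralizedTime;
                if (generalized != null)
                {
                    return generalized.ToDateTime();
                }
            }
            throw new Exception("Impossibile ricavare SignDateTime.");
        }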
        /// <summary>
        /// Builds the OCSP client used for online status queries. The client is handed an
        /// <see cref="OcspVerifier"/> that has no chained verifier and no pre-loaded responses, so
        /// any response the client obtains is checked by that verifier alone (what it checks is
        /// defined by iText, not here).
        /// </summary>
        /// <returns>A BouncyCastle-backed OCSP client.</returns>
        private IOcspClient BuildOcspClient()
        {
            OcspVerifier responseVerifier = new OcspVerifier(null, null);
            IOcspClient  client           = new OcspClientBouncyCastle(responseVerifier);
            return client;
        }
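        /// <summary>
        /// Verifies every signature field of a PDF and reports, per signature, integrity, chain
        /// validity at the signing time and (when <c>CheckRevocation</c> is set) revocation status.
        /// </summary>
        /// <param name="barr">The raw PDF bytes.</param>
        /// <param name="fileName">Used only in log messages.</param>
        /// <returns>
        /// One <c>SignatureInfo</c> per signature field (an empty list for an unsigned document) and
        /// the aggregate <c>SignaturesValid</c> flag, which is true only when the document has at
        /// least one signature and all of them are valid.
        /// </returns>
        /// <remarks>
        /// - <c>IntegrityValid</c> (pkcs7.Verify) proves the signed revision is intact. It does not
        ///   prove the signature covers the current document: incremental updates can append content
        ///   after the signed byte range. <c>AcroFields.SignatureCoversWholeDocument</c> is the check
        ///   for that and is not performed here.
        /// - The signing time is the signer-asserted <c>SignDate</c>, not an independent timestamp.
        /// - Fail closed: an undetermined revocation status counts as revoked.
        /// - Any exception is logged and rethrown.
        /// </remarks>
        private SignaturesResult VerifyPdf(byte[] barr, string fileName)
        {
            var result = new SignaturesResult();
            // Always initialised so callers (and the aggregate below) never see null.
            result.SignatureInfos = new List<SignatureInfo>();

            try
            {
                using (var reader = new PdfReader(barr))
                {
                    var fields = reader.AcroFields;
                    var sInfos = fields.GetSignatureNames();
                    foreach (var sName in sInfos)
                    {
                        var si = new SignatureInfo()
                        {
                            Name = sName
                        };
                        result.SignatureInfos.Add(si);
                        si.Revision = fields.GetRevision(sName);

                        var pkcs7 = fields.VerifySignature(sName);
                        si.Signer          = new X509Certificate2(pkcs7.SigningCertificate.GetEncoded()).SubjectName.Name;
                        si.SignDateTime    = pkcs7.SignDate;
                        si.IntegrityValid  = pkcs7.Verify(); //TODO: DMP Settings? annotations?
                        si.DigestAlgorithm = pkcs7.GetDigestAlgorithm();

                        // Chain check against the trusted keyStore at the claimed signing time.
                        var errors =
                            iTextSharp.text.pdf.security.CertificateVerification.VerifyCertificates(
                                pkcs7.SignCertificateChain, keyStore, pkcs7.SignDate);
                        if (errors.Count > 0)
                        {
                            si.ChainCertificatesNotValidAtSignedTime = true;
                        }

                        if (CheckRevocation)
                        {
                            try
                            {
                                var ocsps = new List<Org.BouncyCastle.Ocsp.BasicOcspResp>();
                                if (pkcs7.Ocsp != null)
                                {
                                    ocsps.Add(pkcs7.Ocsp);
                                }
                                var ocspVerifier = new OcspVerifier(null, ocsps);

                                // The issuer must come from the trusted keyStore, never from the document.
                                // NOTE(review): SingleOrDefault throws when two trusted certs share a
                                // subject DN (e.g. a renewed CA); that is caught below and reported as
                                // revoked (fail closed).
                                var issueCert = keyStore.SingleOrDefault(
                                    c => c.SubjectDN.Equals(pkcs7.SigningCertificate.IssuerDN));
                                if (issueCert == null)
                                {
                                    throw new InvalidOperationException("Issuer certificate not found.");
                                }

                                List<VerificationOK> verification = ocspVerifier.Verify(
                                    pkcs7.SigningCertificate, issueCert, pkcs7.SignDate);
                                if (verification.Count == 0)
                                {
                                    // Embedded CRLs, if any; a signature without CRLs must not abort the
                                    // check (new List<>(null) would throw and be reported as revoked).
                                    var crls = new List<Org.BouncyCastle.X509.X509Crl>();
                                    if (pkcs7.CRLs != null)
                                    {
                                        crls.AddRange(pkcs7.CRLs);
                                    }
                                    var crlVerifier = new CrlVerifier(null, crls);
                                    // Allow a CRL fetch from the certificate's distribution point (network access).
                                    crlVerifier.OnlineCheckingAllowed = true;
                                    verification = crlVerifier.Verify(pkcs7.SigningCertificate, issueCert, pkcs7.SignDate);
                                }

                                // null  = status could not be determined;
                                // false = a source confirmed "not revoked" at the signing time.
                                // NOTE(review): a "revoked" answer is expected to surface as an exception
                                // from the verifier and is handled by the catch below — confirm for the
                                // iText version in use.
                                si.CertificateRevocatedAtSignedTime = verification.Count == 0 ? (bool?)null : false;
                                foreach (var verificationOk in verification)
                                {
                                    System.Diagnostics.Trace.WriteLine(verificationOk);
                                }
                            }
                            catch (Exception ex)
                            {
                                // Fail closed: any error during the revocation check counts as revoked.
                                si.CertificateRevocatedAtSignedTime = true;
                                System.Diagnostics.Trace.WriteLine(
                                    string.Format(
                                        "Si è verificato il seguente errore durante la verifica di revoca per la firma {2}  del file {0} {1}",
                                        System.IO.Path.GetFileName(fileName), ex.Message, si.Revision));
                            }
                        }

                        // Evaluated only after the chain and revocation checks above have run; computing
                        // it earlier would ignore their outcome. An undetermined revocation status (null)
                        // counts as revoked (fail closed).
                        si.SignatureValid = si.IntegrityValid &&
                                            !si.ChainCertificatesNotValidAtSignedTime &&
                                            (!CheckRevocation || !si.CertificateRevocatedAtSignedTime.GetValueOrDefault(true));
                    }
                }

                // An unsigned document has no valid signatures: All() over an empty list would be
                // vacuously true, so require at least one signature.
                result.SignaturesValid = result.SignatureInfos.Count > 0 &&
                                         result.SignatureInfos.All(si => si.SignatureValid);

                return(result);
            }
            catch (Exception exx)
            {
                System.Diagnostics.Trace.WriteLine(string.Format("Si è verificato il seguente errore durante la verifica delle firme del file {0} {1}", System.IO.Path.GetFileName(fileName), exx.Message));
                throw; // rethrow without resetting the stack trace
            }
        }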