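        /// <summary>
        /// Signs the XFA form in <paramref name="src"/> with an enveloped XMLDSig signature and writes the
        /// result to <paramref name="dest"/>, publishing the raw public key (DSA or RSA) as the KeyInfo.
        /// </summary>
        /// <param name="src">Path of the PDF to sign.</param>
        /// <param name="dest">Path of the signed PDF; the file is created (overwritten) here.</param>
        /// <param name="pk">Private key parameters handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="publicKey">Key published in the signature's KeyInfo; must be a DSA or RSA instance.</param>
        /// <param name="digestAlgorithm">Digest algorithm name handed to <c>PrivateKeySignature</c>.</param>
        /// <exception cref="ArgumentException">Thrown when <paramref name="publicKey"/> is neither DSA nor RSA.</exception>
        virtual protected void SignWithKeyInfo(String src, String dest, ICipherParameters pk,
                                               AsymmetricAlgorithm publicKey, String digestAlgorithm)
        {
            // Validate the key type before touching the file system: an unsupported key must not leave an
            // empty output file and an open handle behind (the original threw after creating the stream).
            KeyInfoClause keyInfo;
            if (publicKey is DSA)
            {
                keyInfo = new DSAKeyValue((DSA)publicKey);
            }
            else if (publicKey is RSA)
            {
                keyInfo = new RSAKeyValue((RSA)publicKey);
            }
            else
            {
                throw new ArgumentException("Invalid public key algorithm", "publicKey");
            }

            PdfReader reader = new PdfReader(src);
            // 'using' releases the output handle even when signing throws; on the success path
            // MakeXmlSignature.SignXmlDSig already ends with sap.Close(), so disposing here is a no-op.
            using (FileStream os = new FileStream(dest, FileMode.Create))
            {
                PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
                XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;

                // XfaXmlLocator controls how the XFA document is read from and written back through the stamper.
                appearance.SetXmlLocator(new XfaXmlLocator(stamper));

                IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
                MakeXmlSignature.SignXmlDSig(appearance, pks, keyInfo);
            }
        }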
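        /// <summary>
        /// Records the leaf certificate on the appearance and builds the X509Data KeyInfo clause that
        /// publishes it in the signature.
        /// </summary>
        /// <param name="chain">Certificate chain; only the leaf at index 0 is used.</param>
        /// <param name="sap">Appearance whose certificate is set to the leaf.</param>
        /// <returns>A <see cref="KeyInfoX509Data"/> carrying the encoded leaf certificate.</returns>
        /// <exception cref="ArgumentException">Thrown when <paramref name="chain"/> is null or empty.</exception>
        private static KeyInfoClause GenerateKeyInfo(X509Certificate[] chain, XmlSignatureAppearance sap)
        {
            // An explicit check replaces the bare IndexOutOfRangeException an empty chain would otherwise raise.
            if (chain == null || chain.Length == 0)
            {
                throw new ArgumentException("Certificate chain must contain at least one certificate", "chain");
            }

            X509Certificate certificate = chain[0];
            sap.SetCertificate(certificate);

            // Only the leaf is embedded; the remaining chain entries are not written into the KeyInfo here.
            return new KeyInfoX509Data(certificate.GetEncoded());
        }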
        /**
         * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance),
         * then closes the appearance. Neither the Signature element nor its content reference gets an Id.
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param keyInfo KeyInfo for verification
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXmlDSig(XmlSignatureAppearance sap, IExternalSignature externalSignature, KeyInfoClause keyInfo) {
            VerifyArguments(sap, externalSignature);

            // The content reference is built (and its digest taken) before the Signature element is created.
            XmlElement contentReference = GenerateContentReference(sap.GetXmlLocator().GetDocument(), sap, null);
            List<XmlElement> referenceList = new List<XmlElement>(1);
            referenceList.Add(contentReference);

            XmlElement signatureElement = GenerateSignatureElement(sap.GetXmlLocator(), null, false);

            // No ds:Object is attached for a plain XMLDSig signature.
            Sign(signatureElement, sap.GetXmlLocator(), externalSignature, referenceList, null, keyInfo);
            sap.Close();
        }
        /**
         * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * The appearance is closed once the signature has been written.
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param keyInfo KeyInfo for verification
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXmlDSig(XmlSignatureAppearance sap, IExternalSignature externalSignature, KeyInfoClause keyInfo)
        {
            VerifyArguments(sap, externalSignature);

            XmlDocument document = sap.GetXmlLocator().GetDocument();

            // Exactly one reference: the document content, without an Id attribute.
            List<XmlElement> refs = new List<XmlElement>(1);
            refs.Add(GenerateContentReference(document, sap, null));

            // Signature element without an Id and without XAdES properties.
            XmlElement sigElement = GenerateSignatureElement(sap.GetXmlLocator(), null, false);

            Sign(sigElement, sap.GetXmlLocator(), externalSignature, refs, null, keyInfo);
            sap.Close();
        }
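        /// <summary>
        /// Signs the XFA form in <paramref name="src"/> with an enveloped XMLDSig signature whose KeyInfo
        /// carries the leaf certificate of <paramref name="chain"/>, writing the result to <paramref name="dest"/>.
        /// </summary>
        /// <param name="src">Path of the PDF to sign.</param>
        /// <param name="dest">Path of the signed PDF; the file is created (overwritten) here.</param>
        /// <param name="pk">Private key parameters handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="chain">Certificate chain; only chain[0] ends up in the signature.</param>
        /// <param name="digestAlgorithm">Digest algorithm name handed to <c>PrivateKeySignature</c>.</param>
        virtual protected void SignWithCertificate(String src, String dest, ICipherParameters pk,
                                                   X509Certificate[] chain, String digestAlgorithm)
        {
            PdfReader reader = new PdfReader(src);
            // 'using' releases the output handle if signing throws; on success SignXmlDSig has already
            // called sap.Close(), so the extra Dispose is harmless.
            using (FileStream os = new FileStream(dest, FileMode.Create))
            {
                PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
                XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;

                // XfaXmlLocator controls how the XFA document is read from and written back through the stamper.
                appearance.SetXmlLocator(new XfaXmlLocator(stamper));

                IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
                MakeXmlSignature.SignXmlDSig(appearance, pks, chain);
            }
        }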
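        /// <summary>
        /// Signs the XFA form in <paramref name="src"/> with an enveloped XMLDSig signature whose KeyInfo
        /// carries the raw <paramref name="publicKey"/>, writing the result to <paramref name="dest"/>.
        /// </summary>
        /// <param name="src">Path of the PDF to sign.</param>
        /// <param name="dest">Path of the signed PDF; the file is created (overwritten) here.</param>
        /// <param name="pk">Private key parameters handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="publicKey">Key published in the KeyInfo; the overload called accepts DSA or RSA.</param>
        /// <param name="digestAlgorithm">Digest algorithm name handed to <c>PrivateKeySignature</c>.</param>
        virtual protected void SignWithPublicKey(String src, String dest, ICipherParameters pk,
                                                 AsymmetricAlgorithm publicKey, String digestAlgorithm)
        {
            PdfReader reader = new PdfReader(src);
            // 'using' releases the output handle if signing throws (e.g. an unsupported key type);
            // on success SignXmlDSig has already called sap.Close(), so the extra Dispose is harmless.
            using (FileStream os = new FileStream(dest, FileMode.Create))
            {
                PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
                XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;

                // XfaXmlLocator controls how the XFA document is read from and written back through the stamper.
                appearance.SetXmlLocator(new XfaXmlLocator(stamper));

                IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
                MakeXmlSignature.SignXmlDSig(appearance, pks, publicKey);
            }
        }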
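        /// <summary>
        /// Checks the preconditions shared by every signing entry point: an XML locator must be set, and
        /// the external signature must use SHA-1 with RSA or DSA, the only combinations this signer emits.
        /// </summary>
        /// <param name="sap">Appearance to validate.</param>
        /// <param name="externalSignature">Signature provider to validate.</param>
        /// <exception cref="ArgumentNullException">Thrown when either argument is null.</exception>
        /// <exception cref="DocumentException">Thrown when the appearance has no XML locator.</exception>
        /// <exception cref="UnsupportedPdfException">Thrown for a hash algorithm other than SHA-1 or an
        /// encryption algorithm other than RSA/DSA.</exception>
        private static void VerifyArguments(XmlSignatureAppearance sap, IExternalSignature externalSignature)
        {
            // Explicit null checks: without them these surface as NullReferenceException deeper in the call.
            if (sap == null)
            {
                throw new ArgumentNullException("sap");
            }
            if (externalSignature == null)
            {
                throw new ArgumentNullException("externalSignature");
            }

            if (sap.GetXmlLocator() == null)
            {
                throw new DocumentException(MessageLocalization.GetComposedMessage("xmllocator.cannot.be.null"));
            }

            // The references this signer writes are fixed to the SHA-1 digest method, so a provider
            // hashing with anything else would produce a signature that does not match; reject it up front.
            if (!externalSignature.GetHashAlgorithm().Equals(SecurityConstants.SHA1))
            {
                throw new UnsupportedPdfException(MessageLocalization.GetComposedMessage("support.only.sha1.hash.algorithm"));
            }

            if (!externalSignature.GetEncryptionAlgorithm().Equals(SecurityConstants.RSA) &&
                !externalSignature.GetEncryptionAlgorithm().Equals(SecurityConstants.DSA))
            {
                throw new UnsupportedPdfException(MessageLocalization.GetComposedMessage("support.only.rsa.and.dsa.algorithms"));
            }
        }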
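        /// <summary>
        /// Signs the XFA form in <paramref name="src"/> with a XAdES signature (BES, or EPES when a
        /// signature policy is requested) and writes the result to <paramref name="dest"/>.
        /// </summary>
        /// <param name="src">Path of the PDF to sign.</param>
        /// <param name="dest">Path of the signed PDF; the file is created (overwritten) here.</param>
        /// <param name="pk">Private key parameters handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="chain">Certificate chain published with the signature.</param>
        /// <param name="digestAlgorithm">Digest algorithm name handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="includeSignaturePolicy">True to include a SignaturePolicyIdentifier (XAdES-EPES).</param>
        virtual protected void SignXades(String src, String dest, ICipherParameters pk,
                                         X509Certificate[] chain, String digestAlgorithm, bool includeSignaturePolicy)
        {
            PdfReader reader = new PdfReader(src);
            // 'using' releases the output handle if signing throws; on success SignXades has already
            // called sap.Close(), so the extra Dispose is harmless.
            using (FileStream os = new FileStream(dest, FileMode.Create))
            {
                PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
                XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;

                appearance.SetXmlLocator(new XfaXmlLocator(stamper));
                // The description ends up in the XAdES DataObjectFormat of the signed properties.
                appearance.SetDescription("Simple xfa form");

                IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
                MakeXmlSignature.SignXades(appearance, pks, chain, includeSignaturePolicy);
            }
        }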
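        /// <summary>
        /// Signs one package of the XDP in <paramref name="src"/> (selected through an XPath built by
        /// <c>XfaXpathConstructor</c>) with an enveloped XMLDSig signature carrying the leaf certificate,
        /// writing the result to <paramref name="dest"/>.
        /// </summary>
        /// <param name="src">Path of the PDF to sign.</param>
        /// <param name="dest">Path of the signed PDF; the file is created (overwritten) here.</param>
        /// <param name="xdpPackage">Package of the XDP document the signature reference is restricted to.</param>
        /// <param name="pk">Private key parameters handed to <c>PrivateKeySignature</c>.</param>
        /// <param name="chain">Certificate chain; only chain[0] ends up in the signature.</param>
        /// <param name="digestAlgorithm">Digest algorithm name handed to <c>PrivateKeySignature</c>.</param>
        virtual protected void SignPackageWithCertificate(String src, String dest, XfaXpathConstructor.XdpPackage xdpPackage,
                                                          ICipherParameters pk, X509Certificate[] chain, String digestAlgorithm)
        {
            PdfReader reader = new PdfReader(src);
            // 'using' releases the output handle if signing throws; on success SignXmlDSig has already
            // called sap.Close(), so the extra Dispose is harmless.
            using (FileStream os = new FileStream(dest, FileMode.Create))
            {
                PdfStamper stamper = PdfStamper.createXmlSignature(reader, os);
                XmlSignatureAppearance appearance = stamper.XmlSignatureAppearance;

                // XfaXmlLocator controls how the XFA document is read from and written back through the stamper.
                appearance.SetXmlLocator(new XfaXmlLocator(stamper));
                // The XPath constructor narrows the content reference to the chosen XDP package.
                appearance.SetXpathConstructor(new XfaXpathConstructor(xdpPackage));

                IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm);
                MakeXmlSignature.SignXmlDSig(appearance, pks, chain);
            }
        }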
        /**
         * Signs the xml with XAdES BES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * With includeSignaturePolicy the signed properties also carry a SignaturePolicyIdentifier (XAdES-EPES)
         * whose OID and description are chosen by the provider's encryption algorithm (RSA or DSA, with SHA-1).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain; chain[0] is published as the signing certificate
         * @param includeSignaturePolicy if true SignaturePolicyIdentifier will be included (XAdES-EPES)
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXades(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain,
                                     bool includeSignaturePolicy)
        {
            VerifyArguments(sap, externalSignature);

            // Ids cross-referenced inside the signature (content reference, SignedProperties, Signature).
            String refId   = SecurityConstants.Reference_ + GetRandomId();
            String propsId = SecurityConstants.SignedProperties_ + GetRandomId();
            String sigId   = SecurityConstants.Signature_ + GetRandomId();

            XmlDocument document = sap.GetXmlLocator().GetDocument();
            // No resolver: the document must not fetch external DTDs or entities while being signed.
            document.XmlResolver = null;

            KeyInfoClause keyInfo = GenerateKeyInfo(chain, sap);
            List<XmlElement> refs = new List<XmlElement>(2);

            XmlElement sigElement = GenerateSignatureElement(sap.GetXmlLocator(), sigId, true);

            // Policy = { OID, human-readable description }, or null for plain BES.
            String[] policy = null;
            if (includeSignaturePolicy)
            {
                bool usesRsa = externalSignature.GetEncryptionAlgorithm().Equals(SecurityConstants.RSA);
                policy = usesRsa
                    ? new String[] { SecurityConstants.OID_RSA_SHA1, SecurityConstants.OID_RSA_SHA1_DESC }
                    : new String[] { SecurityConstants.OID_DSA_SHA1, SecurityConstants.OID_DSA_SHA1_DESC };
            }

            XmlElement signedProps;
            XmlElement xadesObject = GenerateXadesObject(sap, sigId, refId, propsId, policy, out signedProps);

            // SignedProperties reference first, then the content reference.
            refs.Add(GenerateCustomReference(document, signedProps, "#" + propsId, SecurityConstants.SignedProperties_Type, null));
            refs.Add(GenerateContentReference(document, sap, refId));

            Sign(sigElement, sap.GetXmlLocator(), externalSignature, refs, xadesObject, keyInfo);

            sap.Close();
        }
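        /**
         * Signs the xml with XAdES BES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * The signature references the XAdES SignedProperties (signing time, certificate digest, data object
         * format) and the content; no signature policy is included (see SignXades for XAdES-EPES).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain; chain[0] is published as the signing certificate
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXadesBes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain)
        {
            VerifyArguments(sap, externalSignature);
            // Fresh ids for the elements cross-referenced inside the signature.
            String contentReferenceId = SecurityConstants.Reference_ + GetRandomId();
            String signedPropertiesId = SecurityConstants.SignedProperties_ + GetRandomId();
            String signatureId        = SecurityConstants.Signature_ + GetRandomId();

            XmlDocument doc = sap.GetXmlLocator().GetDocument();
            // Same hardening as SignXades: with no resolver the document cannot fetch external DTDs or
            // entities while it is processed for signing.
            doc.XmlResolver = null;

            KeyInfoClause     keyInfo    = GenerateKeyInfo(chain, sap);
            List <XmlElement> references = new List <XmlElement>(2);

            XmlElement signature = GenerateSignatureElement(sap.GetXmlLocator(), signatureId, true);
            XmlElement signedProperty;
            XmlElement dsObject = GenerateXadesBesObject(sap, signatureId, contentReferenceId, signedPropertiesId, out signedProperty);

            // SignedProperties reference first, then the content reference.
            references.Add(GenerateCustomReference(doc, signedProperty, "#" + signedPropertiesId, SecurityConstants.SignedProperties_Type, null));
            references.Add(GenerateContentReference(doc, sap, contentReferenceId));

            Sign(signature, sap.GetXmlLocator(), externalSignature, references, dsObject, keyInfo);

            sap.Close();
        }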
 /**
  * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
  * Convenience overload: derives the KeyInfo from the public key and delegates to the KeyInfoClause overload.
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param publicKey PublicKey for verification
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXmlDSig(XmlSignatureAppearance sap,
     IExternalSignature externalSignature, AsymmetricAlgorithm publicKey) {
     KeyInfoClause keyInfo = GenerateKeyInfo(publicKey);
     SignXmlDSig(sap, externalSignature, keyInfo);
 }
        /**
         * Builds the ds:Object holding the XAdES QualifyingProperties of the signature being created:
         * SignedSignatureProperties (signing time, signing certificate digest/issuer/serial and, when a
         * policy is given, a SignaturePolicyIdentifier) and SignedDataObjectProperties (description,
         * mime type and encoding of the signed content).
         * @param sap the XmlSignatureAppearance; its certificate must already be set (GenerateKeyInfo does this)
         * @param signatureId Id of the ds:Signature element the QualifyingProperties Target points to
         * @param contentReferenceId Id of the content ds:Reference the DataObjectFormat refers to
         * @param signedPropertiesId value of the Id attribute given to the SignedProperties element
         * @param signaturePolicy null for XAdES-BES; otherwise {policy OID, policy description} for XAdES-EPES
         * @param signedProperty receives the SignedProperties element so the caller can reference it from SignedInfo
         * @return the ds:Object element, not yet attached to the document
         */
        private static XmlElement GenerateXadesObject(XmlSignatureAppearance sap, String signatureId, String contentReferenceId, String signedPropertiesId,
                                                      String[] signaturePolicy, out XmlElement signedProperty)
        {
            // SHA-1 is the only digest this signer writes (the DigestMethod below is fixed to XMLDSIG_URI_SHA1).
            // NOTE(review): the same instance is reused for both digests and is never disposed.
            HashAlgorithm   md   = new SHA1Managed();
            // Set by GenerateKeyInfo via sap.SetCertificate() before this method is called.
            X509Certificate cert = sap.GetCertificate();

            XmlDocument doc = sap.GetXmlLocator().GetDocument();

            XmlElement dsObject = doc.CreateElement("Object", SecurityConstants.XMLDSIG_URI);

            XmlElement QualifyingProperties = doc.CreateElement(SecurityConstants.XADES_QualifyingProperties, SecurityConstants.XADES_132_URI);

            // Target binds the qualifying properties to the Signature element by id.
            QualifyingProperties.SetAttribute("Target", "#" + signatureId);
            XmlElement SignedProperties = doc.CreateElement(SecurityConstants.XADES_SignedProperties, SecurityConstants.XADES_132_URI);

            SignedProperties.SetAttribute("Id", signedPropertiesId);
            XmlElement SignedSignatureProperties = doc.CreateElement(SecurityConstants.XADES_SignedSignatureProperties, SecurityConstants.XADES_132_URI);
            XmlElement SigningTime = doc.CreateElement(SecurityConstants.XADES_SigningTime, SecurityConstants.XADES_132_URI);
            // Signing time comes from the appearance, formatted with the shared SigningTimeFormat pattern.
            String     result      = sap.GetSignDate().ToString(SecurityConstants.SigningTimeFormat);

            SigningTime.AppendChild(doc.CreateTextNode(result));
            SignedSignatureProperties.AppendChild(SigningTime);
            // SigningCertificate/Cert: SHA-1 digest of the encoded certificate plus its issuer name and serial.
            XmlElement SigningCertificate = doc.CreateElement(SecurityConstants.XADES_SigningCertificate, SecurityConstants.XADES_132_URI);
            XmlElement Cert         = doc.CreateElement(SecurityConstants.XADES_Cert, SecurityConstants.XADES_132_URI);
            XmlElement CertDigest   = doc.CreateElement(SecurityConstants.XADES_CertDigest, SecurityConstants.XADES_132_URI);
            XmlElement DigestMethod = doc.CreateElement(SecurityConstants.DigestMethod, SecurityConstants.XMLDSIG_URI);

            DigestMethod.SetAttribute(SecurityConstants.Algorithm, SecurityConstants.XMLDSIG_URI_SHA1);
            CertDigest.AppendChild(DigestMethod);
            XmlElement DigestValue = doc.CreateElement(SecurityConstants.DigestValue, SecurityConstants.XMLDSIG_URI);

            DigestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String(md.ComputeHash(cert.GetEncoded()))));
            CertDigest.AppendChild(DigestValue);
            Cert.AppendChild(CertDigest);
            XmlElement IssueSerial    = doc.CreateElement(SecurityConstants.XADES_IssuerSerial, SecurityConstants.XADES_132_URI);
            XmlElement X509IssuerName = doc.CreateElement(SecurityConstants.X509IssuerName, SecurityConstants.XMLDSIG_URI);

            // Issuer name and serial number strings are produced by the GetX509* helpers defined elsewhere in the class.
            X509IssuerName.AppendChild(doc.CreateTextNode(GetX509IssuerName(cert)));
            IssueSerial.AppendChild(X509IssuerName);
            XmlElement X509SerialNumber = doc.CreateElement(SecurityConstants.X509SerialNumber, SecurityConstants.XMLDSIG_URI);

            X509SerialNumber.AppendChild(doc.CreateTextNode(GetX509SerialNumber(cert)));
            IssueSerial.AppendChild(X509SerialNumber);
            Cert.AppendChild(IssueSerial);
            SigningCertificate.AppendChild(Cert);
            SignedSignatureProperties.AppendChild(SigningCertificate);
            // XAdES-EPES only: identify the signature policy by OID (qualified as a URN) and hash its SigPolicyId.
            if (signaturePolicy != null)
            {
                XmlElement SignaturePolicyIdentifier = doc.CreateElement(SecurityConstants.XADES_SignaturePolicyIdentifier, SecurityConstants.XADES_132_URI);
                XmlElement SignaturePolicyId         = doc.CreateElement(SecurityConstants.XADES_SignaturePolicyId, SecurityConstants.XADES_132_URI);
                XmlElement SigPolicyId = doc.CreateElement(SecurityConstants.XADES_SigPolicyId, SecurityConstants.XADES_132_URI);
                XmlElement Identifier  = doc.CreateElement(SecurityConstants.XADES_Identifier, SecurityConstants.XADES_132_URI);
                // signaturePolicy[0] is the policy OID (OID_RSA_SHA1 or OID_DSA_SHA1, chosen by the caller).
                Identifier.AppendChild(doc.CreateTextNode(signaturePolicy[0]));
                Identifier.SetAttribute(SecurityConstants.Qualifier, SecurityConstants.OIDAsURN);
                SigPolicyId.AppendChild(Identifier);
                // signaturePolicy[1] is the human-readable description of that OID,
                // e.g. "ANSI X9.57 DSA signature generated with SHA-1 hash (DSA x9.30)" for the DSA case.
                XmlElement Description = doc.CreateElement(SecurityConstants.XADES_Description, SecurityConstants.XADES_132_URI);
                Description.AppendChild(doc.CreateTextNode(signaturePolicy[1]));
                SigPolicyId.AppendChild(Description);
                SignaturePolicyId.AppendChild(SigPolicyId);
                XmlElement SigPolicyHash = doc.CreateElement(SecurityConstants.XADES_SigPolicyHash, SecurityConstants.XADES_132_URI);
                DigestMethod = doc.CreateElement(SecurityConstants.DigestMethod, SecurityConstants.XMLDSIG_URI);
                DigestMethod.SetAttribute(SecurityConstants.Algorithm, SecurityConstants.XMLDSIG_URI_SHA1);
                SigPolicyHash.AppendChild(DigestMethod);
                DigestValue = doc.CreateElement(SecurityConstants.DigestValue, SecurityConstants.XMLDSIG_URI);
                // The policy hash is SHA-1 over the raw UTF-8 OuterXml of SigPolicyId (no C14N), so the
                // serialization of that element must stay byte-for-byte stable for verifiers to agree.
                byte[] policyIdContent = System.Text.Encoding.UTF8.GetBytes(SigPolicyId.OuterXml);
                DigestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String((md.ComputeHash(policyIdContent)))));
                SigPolicyHash.AppendChild(DigestValue);
                SignaturePolicyId.AppendChild(SigPolicyHash);
                SignaturePolicyIdentifier.AppendChild(SignaturePolicyId);
                SignedSignatureProperties.AppendChild(SignaturePolicyIdentifier);
            }

            SignedProperties.AppendChild(SignedSignatureProperties);
            // SignedDataObjectProperties/DataObjectFormat describes the content reference by id.
            XmlElement SignedDataObjectProperties = doc.CreateElement(SecurityConstants.XADES_SignedDataObjectProperties, SecurityConstants.XADES_132_URI);
            XmlElement DataObjectFormat           = doc.CreateElement(SecurityConstants.XADES_DataObjectFormat, SecurityConstants.XADES_132_URI);

            DataObjectFormat.SetAttribute(SecurityConstants.ObjectReference, "#" + contentReferenceId);
            String descr = sap.GetDescription();

            // Description is optional; omitted when the appearance has none.
            if (descr != null)
            {
                XmlElement Description = doc.CreateElement(SecurityConstants.XADES_Description, SecurityConstants.XADES_132_URI);
                Description.AppendChild(doc.CreateTextNode(descr));
                DataObjectFormat.AppendChild(Description);
            }
            XmlElement MimeType = doc.CreateElement(SecurityConstants.XADES_MimeType, SecurityConstants.XADES_132_URI);

            MimeType.AppendChild(doc.CreateTextNode(sap.GetMimeType()));
            DataObjectFormat.AppendChild(MimeType);
            String enc = sap.GetXmlLocator().GetEncoding();

            // Encoding is optional as well; only written when the locator reports one.
            if (enc != null)
            {
                XmlElement Encoding = doc.CreateElement(SecurityConstants.XADES_Encoding, SecurityConstants.XADES_132_URI);
                Encoding.AppendChild(doc.CreateTextNode(enc));
                DataObjectFormat.AppendChild(Encoding);
            }
            SignedDataObjectProperties.AppendChild(DataObjectFormat);
            SignedProperties.AppendChild(SignedDataObjectProperties);
            QualifyingProperties.AppendChild(SignedProperties);
            dsObject.AppendChild(QualifyingProperties);

            // Handed back so the caller can build the SignedProperties reference in SignedInfo.
            signedProperty = SignedProperties;
            return(dsObject);
        }
        /**
         * Builds the ds:Reference covering the signed content: an enveloped-signature transform, an
         * optional XPath Filter 2 "intersect" transform when the appearance's xpath constructor selects
         * exactly one element, and the SHA-1 C14N digest of that selection (or of the whole document).
         * @param doc the document being signed; also the factory for every created element
         * @param sap the XmlSignatureAppearance supplying the optional xpath constructor
         * @param referenceId value for the Reference's Id attribute, or null to leave it out
         * @return the Reference element, not yet attached to a SignedInfo
         */
        private static XmlElement GenerateContentReference(XmlDocument doc, XmlSignatureAppearance sap, String referenceId)
        {
            IXpathConstructor selector = sap.GetXpathConstructor();

            XmlElement reference = doc.CreateElement("Reference", SecurityConstants.XMLDSIG_URI);
            // An empty URI points the reference at the enclosing document itself.
            reference.SetAttribute("URI", "");
            if (referenceId != null)
            {
                reference.SetAttribute("Id", referenceId);
            }

            XmlElement transforms = doc.CreateElement("Transforms", SecurityConstants.XMLDSIG_URI);
            XmlElement envelopedTransform = doc.CreateElement("Transform", SecurityConstants.XMLDSIG_URI);
            envelopedTransform.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_ENVELOPED);
            transforms.AppendChild(envelopedTransform);

            byte[] digest = null;
            if (selector != null && selector.GetXpathExpression().Length > 0)
            {
                XmlNodeList selected = doc.SelectNodes(selector.GetXpathExpression(),
                                                       selector.GetNamespaceManager());
                bool singleElement = selected.Count == 1 && selected[0].NodeType == XmlNodeType.Element;
                if (singleElement)
                {
                    // Digest a copy of the selected element, run through NormalizeNamespaces (defined
                    // elsewhere) and re-parsed as a document of its own.
                    XmlElement copy = (XmlElement)selected[0].CloneNode(true);
                    NormalizeNamespaces(selected[0].CreateNavigator(), copy.CreateNavigator());

                    XmlDocument subtree = new XmlDocument(doc.NameTable);
                    subtree.LoadXml(copy.OuterXml);

                    digest = CalculateC14nDigest(subtree, new SHA1Managed());

                    // Record the same selection as an XPath Filter 2 "intersect" transform for verifiers.
                    XmlElement xpathTransform = doc.CreateElement("Transform", SecurityConstants.XMLDSIG_URI);
                    xpathTransform.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_XPATH_FILTER2);

                    XmlElement xpath = doc.CreateElement("XPath", SecurityConstants.XMLDSIG_URI);
                    xpath.SetAttribute("xmlns", SecurityConstants.XMLDSIG_URI_XPATH_FILTER2);
                    xpath.SetAttribute("Filter", "intersect");
                    xpath.AppendChild(doc.CreateTextNode(selector.GetXpathExpression()));

                    xpathTransform.AppendChild(xpath);
                    transforms.AppendChild(xpathTransform);
                }
            }

            // No usable selection (no constructor, empty expression, or not exactly one element): digest everything.
            if (digest == null)
            {
                digest = CalculateC14nDigest(doc, new SHA1Managed());
            }

            reference.AppendChild(transforms);

            XmlElement digestMethod = doc.CreateElement("DigestMethod", SecurityConstants.XMLDSIG_URI);
            digestMethod.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_SHA1);
            reference.AppendChild(digestMethod);

            XmlElement digestValue = doc.CreateElement("DigestValue", SecurityConstants.XMLDSIG_URI);
            digestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String(digest)));
            reference.AppendChild(digestValue);

            return reference;
        }
 /**
  * Placeholder for signing with a bare PublicKey: not implemented in this port, so every call throws.
  * @param sap the XmlSignatureAppearance (unused)
  * @param externalSignature  the interface providing the actual signing (unused)
  * @param publicKey PublicKey for verification (unused)
  * @throws NotImplementedException always
  */
 public static void signXmlDSig(XmlSignatureAppearance sap,
     IExternalSignature externalSignature, PublicKey publicKey) {
     const String notSupported = "Xml signatures are not supported yet";
     throw new NotImplementedException(notSupported);
 }
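        /**
         * Signs the xml with XAdES BES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * With includeSignaturePolicy the signed properties also carry a SignaturePolicyIdentifier (XAdES-EPES)
         * whose OID and description are chosen by the provider's encryption algorithm (RSA or DSA, with SHA-1).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain; chain[0] is published as the signing certificate
         * @param includeSignaturePolicy if true SignaturePolicyIdentifier will be included (XAdES-EPES)
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXades(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain,
            bool includeSignaturePolicy) {

            VerifyArguments(sap, externalSignature);
            // Fresh ids for the elements cross-referenced inside the signature.
            String contentReferenceId = SecurityConstants.Reference_ + GetRandomId();
            String signedPropertiesId = SecurityConstants.SignedProperties_ + GetRandomId();
            String signatureId = SecurityConstants.Signature_ + GetRandomId();

            XmlDocument doc = sap.GetXmlLocator().GetDocument();
            // Hardening also present in the other SignXades variant: with no resolver the document
            // cannot fetch external DTDs or entities while it is processed for signing.
            doc.XmlResolver = null;

            KeyInfoClause keyInfo = GenerateKeyInfo(chain, sap);
            List<XmlElement> references = new List<XmlElement>(2);
            
            XmlElement signature = GenerateSignatureElement(sap.GetXmlLocator(), signatureId, true);
            // Policy = { OID, human-readable description }, or null for plain BES.
            String[] signaturePolicy = null;
            if(includeSignaturePolicy) {
                signaturePolicy = new String[2];
                if(externalSignature.GetEncryptionAlgorithm().Equals(SecurityConstants.RSA)) {
                    signaturePolicy[0] = SecurityConstants.OID_RSA_SHA1;
                    signaturePolicy[1] = SecurityConstants.OID_RSA_SHA1_DESC;
                }
                else {
                    signaturePolicy[0] = SecurityConstants.OID_DSA_SHA1;
                    signaturePolicy[1] = SecurityConstants.OID_DSA_SHA1_DESC;
                }
            }

            XmlElement signedProperty;
            XmlElement dsObject = GenerateXadesObject(sap, signatureId, contentReferenceId, signedPropertiesId, signaturePolicy, out signedProperty);
            
            // SignedProperties reference first, then the content reference.
            references.Add(GenerateCustomReference(doc, signedProperty, "#" + signedPropertiesId, SecurityConstants.SignedProperties_Type, null));
            references.Add(GenerateContentReference(doc, sap, contentReferenceId));

            Sign(signature, sap.GetXmlLocator(), externalSignature, references, dsObject, keyInfo);

            sap.Close();
        }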
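 /**
  * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
  * Only the leaf certificate (chain[0]) is published in the KeyInfo; the other chain entries are not embedded.
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param chain the certificate chain; must hold at least one certificate
  * @throws ArgumentException when chain is null or empty
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXmlDSig(XmlSignatureAppearance sap,
                                IExternalSignature externalSignature, X509Certificate[] chain)
 {
     // Fail with a clear message instead of an IndexOutOfRangeException on chain[0].
     if (chain == null || chain.Length == 0)
     {
         throw new ArgumentException("Certificate chain must contain at least one certificate", "chain");
     }
     SignXmlDSig(sap, externalSignature, new KeyInfoX509Data(chain[0].GetEncoded()));
 }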
 /**
  * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
  * Convenience overload: turns the public key into a KeyInfo clause and delegates to the KeyInfoClause overload.
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param publicKey PublicKey for verification
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXmlDSig(XmlSignatureAppearance sap,
                                IExternalSignature externalSignature, AsymmetricAlgorithm publicKey)
 {
     KeyInfoClause keyInfo = GenerateKeyInfo(publicKey);
     SignXmlDSig(sap, externalSignature, keyInfo);
 }
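        /**
         * Signs the xml with XAdES BES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * The signature references the XAdES SignedProperties (signing time, certificate digest, data object
         * format) and the content; no signature policy is included (see SignXades for XAdES-EPES).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain; chain[0] is published as the signing certificate
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        public static void SignXadesBes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain) {

            VerifyArguments(sap, externalSignature);
            // Fresh ids for the elements cross-referenced inside the signature.
            String contentReferenceId = SecurityConstants.Reference_ + GetRandomId();
            String signedPropertiesId = SecurityConstants.SignedProperties_ + GetRandomId();
            String signatureId = SecurityConstants.Signature_ + GetRandomId();

            XmlDocument doc = sap.GetXmlLocator().GetDocument();
            // Same hardening as the SignXades variant that nulls the resolver: the document cannot fetch
            // external DTDs or entities while it is processed for signing.
            doc.XmlResolver = null;

            KeyInfoClause keyInfo = GenerateKeyInfo(chain, sap);
            List<XmlElement> references = new List<XmlElement>(2);
            
            XmlElement signature = GenerateSignatureElement(sap.GetXmlLocator(), signatureId, true);
            XmlElement signedProperty;
            XmlElement dsObject = GenerateXadesBesObject(sap, signatureId, contentReferenceId, signedPropertiesId, out signedProperty);
            
            // SignedProperties reference first, then the content reference.
            references.Add(GenerateCustomReference(doc, signedProperty, "#" + signedPropertiesId, SecurityConstants.SignedProperties_Type, null));
            references.Add(GenerateContentReference(doc, sap, contentReferenceId));

            Sign(signature, sap.GetXmlLocator(), externalSignature, references, dsObject, keyInfo);

            sap.Close();
        }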
 /**
  * Signs the xml with XAdES EPES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance):
  * the same as XAdES BES plus a SignaturePolicyIdentifier, obtained by calling SignXades with includeSignaturePolicy set.
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param chain the certificate chain
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXadesEpes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain)
 {
     const bool includeSignaturePolicy = true;
     SignXades(sap, externalSignature, chain, includeSignaturePolicy);
 }
 /**
  * Placeholder for signing with a bare PublicKey: not implemented in this port, so every call throws.
  * @param sap the XmlSignatureAppearance (unused)
  * @param externalSignature  the interface providing the actual signing (unused)
  * @param publicKey PublicKey for verification (unused)
  * @throws NotImplementedException always
  */
 public static void signXmlDSig(XmlSignatureAppearance sap,
                                IExternalSignature externalSignature, PublicKey publicKey)
 {
     const String notSupported = "Xml signatures are not supported yet";
     throw new NotImplementedException(notSupported);
 }
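        /**
         * Builds the ds:Reference for the signed content (URI="", i.e. the document that
         * encloses the signature) and fills in its DigestValue.
         *
         * Transforms emitted, in order:
         *  1. enveloped-signature, always;
         *  2. XPath Filter 2.0 "intersect" using the expression from sap.GetXpathConstructor(),
         *     only when that expression selects exactly one element node. The digest is then
         *     taken over a namespace-normalized, detached clone of that element. In every other
         *     case (no constructor, null/empty expression, zero or several matches, non-element
         *     match) the XPath transform is omitted and the digest covers the whole document.
         *
         * Security notes (review):
         *  - DigestMethod is hard-wired to SHA-1 (SecurityConstants.XMLDSIG_URI_SHA1). This is
         *    consistent with the SHA-1-only check in VerifyArguments, but SHA-1 is collision-weak
         *    and rejected by a number of current verifiers.
         *  - The whole-document fallback is silent: a caller that relies on the XPath to scope
         *    what is signed gets a larger signed region without any error being raised.
         *  - The digest itself comes from CalculateC14nDigest (defined elsewhere). Whether that
         *    helper drops an already-inserted ds:Signature, as the enveloped transform declared
         *    here requires, cannot be confirmed from this method — TODO confirm.
         *  - The XPath element is created in the XMLDSIG namespace and then given an xmlns
         *    attribute naming the Filter 2.0 namespace; presumably this serializes to the
         *    spec-mandated namespace — verify on a produced signature.
         *
         * Changes vs. the previous version: the SHA1Managed instance is disposed, a null XPath
         * expression is treated like an empty one instead of throwing NullReferenceException, and
         * a null result from SelectNodes falls back to the whole-document digest.
         *
         * @param doc the document being signed; also the factory for the new elements
         * @param sap supplies the optional IXpathConstructor
         * @param referenceId value for the Reference Id attribute, or null to omit it
         * @return the populated ds:Reference element, not yet attached to doc
         */
        private static XmlElement GenerateContentReference(XmlDocument doc, XmlSignatureAppearance sap, String referenceId) {

            IXpathConstructor xpathConstructor = sap.GetXpathConstructor();

            XmlElement reference = doc.CreateElement("Reference", SecurityConstants.XMLDSIG_URI);
            reference.SetAttribute("URI", "");
            if (referenceId != null)
                reference.SetAttribute("Id", referenceId);

            XmlElement transforms = doc.CreateElement("Transforms", SecurityConstants.XMLDSIG_URI);

            // The enveloped-signature transform is always declared first.
            XmlElement transform = doc.CreateElement("Transform", SecurityConstants.XMLDSIG_URI);
            transform.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_ENVELOPED);
            transforms.AppendChild(transform);

            // Read the expression once; a null expression is handled like an empty one.
            String xpathExpression = xpathConstructor == null ? null : xpathConstructor.GetXpathExpression();

            byte[] md = null;
            // One hash instance serves whichever of the two digest paths runs; SHA1Managed is
            // IDisposable, so it is scoped with using instead of being leaked.
            using (SHA1Managed digester = new SHA1Managed())
            {
                if (!String.IsNullOrEmpty(xpathExpression))
                {
                    XmlNodeList nodelist = doc.SelectNodes(xpathExpression, xpathConstructor.GetNamespaceManager());
                    if (nodelist != null && nodelist.Count == 1 && nodelist[0].NodeType == XmlNodeType.Element)
                    {
                        // Digest a detached copy of the selected element; NormalizeNamespaces
                        // (defined elsewhere) presumably carries the in-scope namespace
                        // declarations over to the clone.
                        XmlElement xpathSelect = (XmlElement) nodelist[0].CloneNode(true);
                        NormalizeNamespaces(nodelist[0].CreateNavigator(), xpathSelect.CreateNavigator());

                        XmlDocument digestDoc = new XmlDocument(doc.NameTable);
                        digestDoc.LoadXml(xpathSelect.OuterXml);

                        md = CalculateC14nDigest(digestDoc, digester);

                        // Declare the matching XPath Filter 2.0 transform so a verifier selects
                        // the same subtree.
                        transform = doc.CreateElement("Transform", SecurityConstants.XMLDSIG_URI);
                        transform.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_XPATH_FILTER2);

                        XmlElement xpath = doc.CreateElement("XPath", SecurityConstants.XMLDSIG_URI);
                        xpath.SetAttribute("xmlns", SecurityConstants.XMLDSIG_URI_XPATH_FILTER2);
                        xpath.SetAttribute("Filter", "intersect");

                        XmlNode xpathNode = doc.CreateTextNode(xpathExpression);

                        xpath.AppendChild(xpathNode);
                        transform.AppendChild(xpath);
                        transforms.AppendChild(transform);
                    }
                }

                // No usable XPath selection: digest the whole document.
                if (md == null)
                    md = CalculateC14nDigest(doc, digester);
            }

            reference.AppendChild(transforms);

            XmlElement digestMethod = doc.CreateElement("DigestMethod", SecurityConstants.XMLDSIG_URI);
            digestMethod.SetAttribute("Algorithm", SecurityConstants.XMLDSIG_URI_SHA1);
            reference.AppendChild(digestMethod);

            XmlElement digestValue = doc.CreateElement("DigestValue", SecurityConstants.XMLDSIG_URI);

            digestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String(md)));

            reference.AppendChild(digestValue);
            return reference;
        }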
 /**
  * XAdES-EPES entry point: like the BES variant (which passes false) but asks SignXades to emit a
  * SignaturePolicyIdentifier. Enveloped mode, optional xpath transform (see
  * XmlSignatureAppearance).
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param chain the certificate chain; chain[0] is used as the signing certificate
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXadesEpes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain) {
     bool withSignaturePolicy = true;
     SignXades(sap, externalSignature, chain, withSignaturePolicy);
 }
        /**
         * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param keyInfo KeyInfo for verification
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXmlDSig(XmlSignatureAppearance sap, IExternalSignature externalSignature, KeyInfoClause keyInfo) {

        //    VerifyArguments(sap, externalSignature);
        //    List<XmlElement> references = new List<XmlElement>(1);
        //    references.Add(GenerateContentReference(sap.GetXmlLocator().GetDocument(), sap, null));
                
        //    XmlElement signature = GenerateSignatureElement(sap.GetXmlLocator(), null, false);
        //    Sign(signature, sap.GetXmlLocator(), externalSignature, references, null, keyInfo);
        //    sap.Close();    
        //}

        /**
         * Signs the xml with XAdES-BES, or XAdES-EPES when includeSignaturePolicy is true, using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain
         * @param includeSignaturePolicy if true SignaturePolicyIdentifier will be included (XAdES-EPES)
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXades(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain,
        //    bool includeSignaturePolicy) {

        //    VerifyArguments(sap, externalSignature);
        //    String contentReferenceId = SecurityConstants.Reference_ + GetRandomId();
        //    String signedPropertiesId = SecurityConstants.SignedProperties_ + GetRandomId();
        //    String signatureId = SecurityConstants.Signature_ + GetRandomId();

        //    XmlDocument doc = sap.GetXmlLocator().GetDocument();
        //    KeyInfoClause keyInfo = GenerateKeyInfo(chain, sap);
        //    List<XmlElement> references = new List<XmlElement>(2);
            
        //    XmlElement signature = GenerateSignatureElement(sap.GetXmlLocator(), signatureId, true);
        //    String[] signaturePolicy = null;
        //    if(includeSignaturePolicy) {
        //        signaturePolicy = new String[2];
        //        if(externalSignature.GetEncryptionAlgorithm().Equals(SecurityConstants.RSA)) {
        //            signaturePolicy[0] = SecurityConstants.OID_RSA_SHA1;
        //            signaturePolicy[1] = SecurityConstants.OID_RSA_SHA1_DESC;
        //        }
        //        else {
        //            signaturePolicy[0] = SecurityConstants.OID_DSA_SHA1;
        //            signaturePolicy[1] = SecurityConstants.OID_DSA_SHA1_DESC;
        //        }
        //    }

        //    XmlElement signedProperty;
        //    XmlElement dsObject = GenerateXadesObject(sap, signatureId, contentReferenceId, signedPropertiesId, signaturePolicy, out signedProperty);
            
        //    references.Add(GenerateCustomReference(doc, signedProperty, "#" + signedPropertiesId, SecurityConstants.SignedProperties_Type, null));
        //    references.Add(GenerateContentReference(doc, sap, contentReferenceId));

        //    Sign(signature, sap.GetXmlLocator(), externalSignature, references, dsObject, keyInfo);

        //    sap.Close();
        //}

        /**
         * Signs the xml with XAdES BES using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXadesBes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain) {
        //    SignXades(sap, externalSignature, chain, false);
        //}

        /**
         * Signs the xml with XAdES-EPES (XAdES-BES plus a SignaturePolicyIdentifier) using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXadesEpes(XmlSignatureAppearance sap, IExternalSignature externalSignature, X509Certificate[] chain) {
        //    SignXades(sap, externalSignature, chain, true);
        //}

        /**
         * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param chain the certificate chain
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXmlDSig(XmlSignatureAppearance sap,
        //    IExternalSignature externalSignature, X509Certificate[] chain) {
        //    SignXmlDSig(sap, externalSignature, new KeyInfoX509Data(chain[0].GetEncoded()));
        //}

        /**
         * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
         * @param sap the XmlSignatureAppearance
         * @param externalSignature  the interface providing the actual signing
         * @param publicKey PublicKey for verification
         * @throws GeneralSecurityException
         * @throws IOException
         * @throws DocumentException
         */
        //public static void SignXmlDSig(XmlSignatureAppearance sap,
        //    IExternalSignature externalSignature, AsymmetricAlgorithm publicKey) {
        //    SignXmlDSig(sap, externalSignature, GenerateKeyInfo(publicKey));
        //}

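        /**
         * Common argument validation for the public signing entry points.
         *
         * Checks, in order:
         *  - sap and externalSignature are non-null (ArgumentNullException; previously a
         *    NullReferenceException);
         *  - sap has an xml locator (DocumentException "xmllocator.cannot.be.null");
         *  - the hash algorithm is SHA-1 (UnsupportedPdfException "support.only.sha1.hash.algorithm");
         *  - the encryption algorithm is RSA or DSA (UnsupportedPdfException "support.only.rsa.and.dsa.algorithms").
         *
         * Security note (review): SHA-1 is the only digest this XML signing code emits (the
         * DigestMethod elements are built with SecurityConstants.XMLDSIG_URI_SHA1), so the SHA-1
         * restriction here is a library limitation rather than a policy choice. SHA-1 is
         * collision-weak and deprecated for signatures in most current profiles; keep that in
         * mind when deciding who will accept the produced signatures.
         *
         * @param sap the XmlSignatureAppearance to validate
         * @param externalSignature the signer whose algorithms are validated
         * @throws ArgumentNullException if either argument is null
         * @throws DocumentException if sap has no xml locator
         * @throws UnsupportedPdfException if the hash or encryption algorithm is not supported
         */
        private static void VerifyArguments(XmlSignatureAppearance sap, IExternalSignature externalSignature) {
            if (sap == null)
                throw new ArgumentNullException("sap");
            if (externalSignature == null)
                throw new ArgumentNullException("externalSignature");
            if (sap.GetXmlLocator() == null)
                throw new DocumentException(MessageLocalization.GetComposedMessage("xmllocator.cannot.be.null"));

            // Constant on the left: a null algorithm name is reported as unsupported instead
            // of surfacing as a NullReferenceException.
            if (!SecurityConstants.SHA1.Equals(externalSignature.GetHashAlgorithm()))
                throw new UnsupportedPdfException(MessageLocalization.GetComposedMessage("support.only.sha1.hash.algorithm"));

            String encryptionAlgorithm = externalSignature.GetEncryptionAlgorithm();
            if (!SecurityConstants.RSA.Equals(encryptionAlgorithm)
                && !SecurityConstants.DSA.Equals(encryptionAlgorithm))
                throw new UnsupportedPdfException(MessageLocalization.GetComposedMessage("support.only.rsa.and.dsa.algorithms"));
        }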
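 /**
  * Signs the xml using the enveloped mode, with optional xpath transform (see XmlSignatureAppearance).
  * The KeyInfo carries only the DER encoding of chain[0] (the signing certificate) as an
  * X509Data clause; any further certificates in chain are not embedded.
  *
  * Security note (review): standard XML-DSig caveat — ds:KeyInfo is not covered by SignedInfo
  * unless a Reference points at it, so a verifier must establish trust in the embedded
  * certificate independently (chain building, revocation) rather than accept it as-is. Whether
  * the KeyInfoClause overload this delegates to adds such a Reference is not visible here —
  * TODO confirm.
  *
  * @param sap the XmlSignatureAppearance
  * @param externalSignature  the interface providing the actual signing
  * @param chain the certificate chain; index 0 must hold the signing certificate
  * @throws ArgumentException if chain is null or empty, or chain[0] is null (previously a
  *         NullReferenceException / IndexOutOfRangeException)
  * @throws GeneralSecurityException
  * @throws IOException
  * @throws DocumentException
  */
 public static void SignXmlDSig(XmlSignatureAppearance sap,
     IExternalSignature externalSignature, X509Certificate[] chain) {
     if (chain == null || chain.Length == 0 || chain[0] == null)
         throw new ArgumentException("Certificate chain must contain the signing certificate", "chain");
     SignXmlDSig(sap, externalSignature, new KeyInfoX509Data(chain[0].GetEncoded()));
 }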
        /**
         * Builds the ds:Object that carries the XAdES QualifyingProperties for one signature and
         * hands back, via signedProperty, the xades:SignedProperties element (Id =
         * signedPropertiesId) that the caller is expected to reference from SignedInfo.
         *
         * Content produced (XAdES 1.3.2 namespace unless marked ds:):
         *  SignedSignatureProperties
         *    SigningTime              sap.GetSignDate() formatted with SecurityConstants.SigningTimeFormat
         *                             (whether that is UTC or local time is not visible here — TODO confirm)
         *    SigningCertificate/Cert
         *      CertDigest             ds:DigestMethod SHA-1 over sap.GetCertificate().GetEncoded()
         *      IssuerSerial           ds:X509IssuerName / ds:X509SerialNumber via the helpers
         *                             GetX509IssuerName / GetX509SerialNumber (defined elsewhere)
         *    SignaturePolicyIdentifier  only when signaturePolicy != null (XAdES-EPES):
         *      SigPolicyId/Identifier   signaturePolicy[0], Qualifier = OIDAsURN
         *      SigPolicyId/Description  signaturePolicy[1]
         *      SigPolicyHash            SHA-1 over the UTF-8 bytes of SigPolicyId.OuterXml
         *  SignedDataObjectProperties/DataObjectFormat  ObjectReference = "#" + contentReferenceId,
         *    optional Description (sap.GetDescription()), MimeType (sap.GetMimeType()),
         *    optional Encoding (sap.GetXmlLocator().GetEncoding())
         *
         * Security notes (review):
         *  - Both digests here are SHA-1. CertDigest is what binds the signature to the signing
         *    certificate, so a SHA-1 collision on the certificate encoding weakens that binding;
         *    this matches the SHA-1-only restriction elsewhere on this page.
         *  - SigPolicyHash is computed over the raw, uncanonicalized OuterXml of the SigPolicyId
         *    element built in this very method, and the (commented-out) SignXades shown on this
         *    page passes an RSA/DSA-with-SHA-1 algorithm OID as the identifier. XAdES expects
         *    the hash of the referenced policy document; confirm that relying parties accept
         *    this profile before treating the EPES output as policy-bound.
         *  - sap.GetCertificate() must have been populated beforehand (GenerateKeyInfo calls
         *    sap.SetCertificate); a null certificate would fail at GetEncoded().
         *  - The SHA1Managed instance is never disposed (left unchanged here).
         *
         * @param sap supplies certificate, signing date, description, mime type and locator
         * @param signatureId Id of the ds:Signature; used as QualifyingProperties Target="#id"
         * @param contentReferenceId Id of the content ds:Reference; used as DataObjectFormat ObjectReference
         * @param signedPropertiesId Id assigned to the SignedProperties element
         * @param signaturePolicy null for XAdES-BES, or {identifier, description} for XAdES-EPES
         * @param signedProperty receives the SignedProperties element for the caller's Reference
         * @return the ds:Object element holding QualifyingProperties
         */
        private static XmlElement GenerateXadesObject(XmlSignatureAppearance sap, String signatureId,String contentReferenceId, String signedPropertiesId,
            String[] signaturePolicy, out XmlElement signedProperty) {

            // Shared SHA-1 instance for CertDigest and SigPolicyHash.
            HashAlgorithm md = new SHA1Managed();
            X509Certificate cert = sap.GetCertificate();

            XmlDocument doc = sap.GetXmlLocator().GetDocument();

            XmlElement dsObject = doc.CreateElement("Object", SecurityConstants.XMLDSIG_URI);

            XmlElement QualifyingProperties = doc.CreateElement(SecurityConstants.XADES_QualifyingProperties, SecurityConstants.XADES_132_URI);
            QualifyingProperties.SetAttribute("Target", "#"+signatureId);
            XmlElement SignedProperties = doc.CreateElement(SecurityConstants.XADES_SignedProperties, SecurityConstants.XADES_132_URI);
                SignedProperties.SetAttribute("Id", signedPropertiesId);
                    XmlElement SignedSignatureProperties = doc.CreateElement(SecurityConstants.XADES_SignedSignatureProperties, SecurityConstants.XADES_132_URI);
                        XmlElement SigningTime = doc.CreateElement(SecurityConstants.XADES_SigningTime, SecurityConstants.XADES_132_URI);
                            String result = sap.GetSignDate().ToString(SecurityConstants.SigningTimeFormat);
                        SigningTime.AppendChild(doc.CreateTextNode(result));
                    SignedSignatureProperties.AppendChild(SigningTime);
                        XmlElement SigningCertificate = doc.CreateElement(SecurityConstants.XADES_SigningCertificate, SecurityConstants.XADES_132_URI);
                            XmlElement Cert = doc.CreateElement(SecurityConstants.XADES_Cert, SecurityConstants.XADES_132_URI);
                                XmlElement CertDigest = doc.CreateElement(SecurityConstants.XADES_CertDigest, SecurityConstants.XADES_132_URI);
                                    XmlElement DigestMethod = doc.CreateElement(SecurityConstants.DigestMethod, SecurityConstants.XMLDSIG_URI);
                                    DigestMethod.SetAttribute(SecurityConstants.Algorithm, SecurityConstants.XMLDSIG_URI_SHA1);
                                CertDigest.AppendChild(DigestMethod);
                                    XmlElement DigestValue = doc.CreateElement(SecurityConstants.DigestValue, SecurityConstants.XMLDSIG_URI);
                                    // SHA-1 of the DER-encoded signing certificate.
                                    DigestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String(md.ComputeHash(cert.GetEncoded()))));
                                CertDigest.AppendChild(DigestValue);
                            Cert.AppendChild(CertDigest);
                            XmlElement IssueSerial = doc.CreateElement(SecurityConstants.XADES_IssuerSerial, SecurityConstants.XADES_132_URI);
                                    XmlElement X509IssuerName = doc.CreateElement(SecurityConstants.X509IssuerName, SecurityConstants.XMLDSIG_URI);
                                    X509IssuerName.AppendChild(doc.CreateTextNode(GetX509IssuerName(cert)));
                                IssueSerial.AppendChild(X509IssuerName);
                                    XmlElement X509SerialNumber = doc.CreateElement(SecurityConstants.X509SerialNumber, SecurityConstants.XMLDSIG_URI);
                                    X509SerialNumber.AppendChild(doc.CreateTextNode(GetX509SerialNumber(cert)));
                                IssueSerial.AppendChild(X509SerialNumber);
                            Cert.AppendChild(IssueSerial);
                        SigningCertificate.AppendChild(Cert);
                    SignedSignatureProperties.AppendChild(SigningCertificate);
                    // EPES only: a non-null signaturePolicy adds the SignaturePolicyIdentifier.
                    if(signaturePolicy != null) {
                        XmlElement SignaturePolicyIdentifier = doc.CreateElement(SecurityConstants.XADES_SignaturePolicyIdentifier, SecurityConstants.XADES_132_URI);
                            XmlElement SignaturePolicyId = doc.CreateElement(SecurityConstants.XADES_SignaturePolicyId, SecurityConstants.XADES_132_URI);
                                XmlElement SigPolicyId = doc.CreateElement(SecurityConstants.XADES_SigPolicyId, SecurityConstants.XADES_132_URI);
                                    XmlElement Identifier = doc.CreateElement(SecurityConstants.XADES_Identifier, SecurityConstants.XADES_132_URI);
                                    Identifier.AppendChild(doc.CreateTextNode(signaturePolicy[0]));
                                    Identifier.SetAttribute(SecurityConstants.Qualifier, SecurityConstants.OIDAsURN);
                                SigPolicyId.AppendChild(Identifier);
                                // Description is signaturePolicy[1]; for the DSA case the caller's
                                // text is expected to read: ANSI X9.57 DSA signature generated with SHA-1 hash (DSA x9.30)
                                    XmlElement Description = doc.CreateElement(SecurityConstants.XADES_Description, SecurityConstants.XADES_132_URI);
                                    Description.AppendChild(doc.CreateTextNode(signaturePolicy[1]));
                                SigPolicyId.AppendChild(Description);
                            SignaturePolicyId.AppendChild(SigPolicyId);
                                XmlElement SigPolicyHash = doc.CreateElement(SecurityConstants.XADES_SigPolicyHash, SecurityConstants.XADES_132_URI);
                                    DigestMethod = doc.CreateElement(SecurityConstants.DigestMethod, SecurityConstants.XMLDSIG_URI);
                                    DigestMethod.SetAttribute(SecurityConstants.Algorithm, SecurityConstants.XMLDSIG_URI_SHA1);
                                SigPolicyHash.AppendChild(DigestMethod);
                                    DigestValue = doc.CreateElement(SecurityConstants.DigestValue, SecurityConstants.XMLDSIG_URI);
                                    // Hash input is the serialized SigPolicyId element itself, not
                                    // a canonical form and not an external policy document.
                                    byte[] policyIdContent = System.Text.Encoding.UTF8.GetBytes(SigPolicyId.OuterXml);
                                    DigestValue.AppendChild(doc.CreateTextNode(Convert.ToBase64String((md.ComputeHash(policyIdContent)))));
                                SigPolicyHash.AppendChild(DigestValue);
                            SignaturePolicyId.AppendChild(SigPolicyHash);
                        SignaturePolicyIdentifier.AppendChild(SignaturePolicyId);
                    SignedSignatureProperties.AppendChild(SignaturePolicyIdentifier);
                    }

                    SignedProperties.AppendChild(SignedSignatureProperties);
                    XmlElement SignedDataObjectProperties = doc.CreateElement(SecurityConstants.XADES_SignedDataObjectProperties, SecurityConstants.XADES_132_URI);
                    XmlElement DataObjectFormat = doc.CreateElement(SecurityConstants.XADES_DataObjectFormat, SecurityConstants.XADES_132_URI);
                        // Points at the content Reference built by GenerateContentReference.
                        DataObjectFormat.SetAttribute(SecurityConstants.ObjectReference, "#" + contentReferenceId);
                            String descr = sap.GetDescription();
                        if (descr != null) {
                            XmlElement Description = doc.CreateElement(SecurityConstants.XADES_Description, SecurityConstants.XADES_132_URI);
                            Description.AppendChild(doc.CreateTextNode(descr));
                        DataObjectFormat.AppendChild(Description);
                        }
                        // MimeType is emitted unconditionally; whether sap.GetMimeType() can be
                        // null is not visible here — TODO confirm.
                        XmlElement MimeType = doc.CreateElement(SecurityConstants.XADES_MimeType, SecurityConstants.XADES_132_URI);
                            MimeType.AppendChild(doc.CreateTextNode(sap.GetMimeType()));
                        DataObjectFormat.AppendChild(MimeType);
                            String enc = sap.GetXmlLocator().GetEncoding();
                        if (enc != null) {
                            XmlElement Encoding = doc.CreateElement(SecurityConstants.XADES_Encoding, SecurityConstants.XADES_132_URI);
                            Encoding.AppendChild(doc.CreateTextNode(enc));
                        DataObjectFormat.AppendChild(Encoding);
                        }
                    SignedDataObjectProperties.AppendChild(DataObjectFormat);
                SignedProperties.AppendChild(SignedDataObjectProperties);
            QualifyingProperties.AppendChild(SignedProperties);
            dsObject.AppendChild(QualifyingProperties);

            signedProperty = SignedProperties;
            return dsObject;
        }
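 /**
  * Records chain[0] as the signing certificate on the appearance and wraps its DER encoding in
  * a KeyInfoX509Data clause for the ds:KeyInfo element. Only the leaf certificate is embedded;
  * the remaining chain entries are ignored by this helper.
  *
  * Security note (review): the certificate stored here is what GenerateXadesObject reads back
  * via sap.GetCertificate() and digests (SHA-1) into xades:SigningCertificate. The ds:KeyInfo
  * clause returned here is, per the standard XML-DSig caveat, not covered by SignedInfo unless
  * separately referenced, so verifiers must not take the embedded certificate on trust.
  *
  * @param chain the certificate chain; index 0 must hold the signing certificate
  * @param sap the appearance that receives the signing certificate via SetCertificate
  * @return the X509Data KeyInfo clause holding the encoded signing certificate
  * @throws ArgumentException if chain is null or empty, or chain[0] is null (previously a
  *         NullReferenceException / IndexOutOfRangeException)
  */
 private static KeyInfoClause GenerateKeyInfo(X509Certificate[] chain, XmlSignatureAppearance sap) {
     if (chain == null || chain.Length == 0 || chain[0] == null)
         throw new ArgumentException("Certificate chain must contain the signing certificate", "chain");
     X509Certificate certificate = chain[0];
     sap.SetCertificate(certificate);
     // Reuse the local rather than indexing the chain a second time.
     return new KeyInfoX509Data(certificate.GetEncoded());
 }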