/** * create with a signer with extra signed/unsigned attributes. */ public TimeStampTokenGenerator( AsymmetricKeyParameter key, X509Certificate cert, string digestOID, string tsaPolicyOID, Asn1.Cms.AttributeTable signedAttr, Asn1.Cms.AttributeTable unsignedAttr) { this.key = key; this.cert = cert; this.digestOID = digestOID; this.tsaPolicyOID = tsaPolicyOID; this.unsignedAttr = unsignedAttr; TspUtil.ValidateCertificate(cert); // // Add the ESSCertID attribute // IDictionary signedAttrs; if (signedAttr != null) { signedAttrs = signedAttr.ToDictionary(); } else { signedAttrs = Platform.CreateHashtable(); } try { byte[] hash = DigestUtilities.CalculateDigest("SHA-1", cert.GetEncoded()); EssCertID essCertid = new EssCertID(hash); Asn1.Cms.Attribute attr = new Asn1.Cms.Attribute( PkcsObjectIdentifiers.IdAASigningCertificate, new DerSet(new SigningCertificate(essCertid))); signedAttrs[attr.AttrType] = attr; } catch (CertificateEncodingException e) { throw new TspException("Exception processing certificate.", e); } catch (SecurityUtilityException e) { throw new TspException("Can't find a SHA-1 implementation.", e); } this.signedAttr = new Asn1.Cms.AttributeTable(signedAttrs); }
/** * Validate the time stamp token. * <p> * To be valid the token must be signed by the passed in certificate and * the certificate must be the one referred to by the SigningCertificate * attribute included in the hashed attributes of the token. The * certificate must also have the ExtendedKeyUsageExtension with only * KeyPurposeID.IdKPTimeStamping and have been valid at the time the * timestamp was created. * </p> * <p> * A successful call to validate means all the above are true. * </p> */ public void Validate( X509Certificate cert) { try { byte[] hash = DigestUtilities.CalculateDigest( certID.GetHashAlgorithm(), cert.GetEncoded()); if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), hash)) { throw new TspValidationException("certificate hash does not match certID hash."); } if (certID.IssuerSerial != null) { if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber)) { throw new TspValidationException("certificate serial number does not match certID for signature."); } GeneralName[] names = certID.IssuerSerial.Issuer.GetNames(); X509Name principal = PrincipalUtilities.GetIssuerX509Principal(cert); bool found = false; for (int i = 0; i != names.Length; i++) { if (names[i].TagNo == 4 && X509Name.GetInstance(names[i].Name).Equivalent(principal)) { found = true; break; } } if (!found) { throw new TspValidationException("certificate name does not match certID for signature. "); } } TspUtil.ValidateCertificate(cert); cert.CheckValidity(tstInfo.GenTime); if (!tsaSignerInfo.Verify(cert)) { throw new TspValidationException("signature not created by certificate."); } } catch (CmsException e) { if (e.InnerException != null) { throw new TspException(e.Message, e.InnerException); } throw new TspException("CMS exception: " + e, e); } catch (CertificateEncodingException e) { throw new TspException("problem processing certificate: " + e, e); } catch (SecurityUtilityException e) { throw new TspException("cannot find algorithm: " + e.Message, e); } }