public static byte[] ComputeHashValue(byte[] value, FirmaXades.Crypto.DigestMethod digestMethod) { using (HashAlgorithm hashAlgorithm = digestMethod.GetHashAlgorithm()) { return(hashAlgorithm.ComputeHash(value)); } }
public ValidationResult Validate(SignatureDocument sigDocument) { ValidationResult validationResult = new ValidationResult(); try { sigDocument.XadesSignature.CheckXmldsigSignature(); } catch (Exception) { validationResult.IsValid = false; validationResult.Message = "La verificación de la firma no ha sido satisfactoria"; return(validationResult); } if (sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection.Count > 0) { TimeStamp timeStamp = sigDocument.XadesSignature.UnsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0]; TimeStampToken timeStampToken = new TimeStampToken(new CmsSignedData(timeStamp.EncapsulatedTimeStamp.PkiData)); byte[] messageImprintDigest = timeStampToken.TimeStampInfo.GetMessageImprintDigest(); FirmaXades.Crypto.DigestMethod byOid = FirmaXades.Crypto.DigestMethod.GetByOid(timeStampToken.TimeStampInfo.HashAlgorithm.ObjectID.Id); ArrayList arrayList = new ArrayList(); arrayList.Add("ds:SignatureValue"); byte[] b = DigestUtil.ComputeHashValue(XMLUtil.ComputeValueOfElementList(sigDocument.XadesSignature, arrayList), byOid); if (!Arrays.AreEqual(messageImprintDigest, b)) { validationResult.IsValid = false; validationResult.Message = "La huella del sello de tiempo no se corresponde con la calculada"; return(validationResult); } } validationResult.IsValid = true; validationResult.Message = "Verificación de la firma satisfactoria"; return(validationResult); }
public static void SetCertDigest(byte[] rawCert, FirmaXades.Crypto.DigestMethod digestMethod, DigestAlgAndValueType destination) { using (HashAlgorithm hashAlgorithm = digestMethod.GetHashAlgorithm()) { destination.DigestMethod.Algorithm = digestMethod.URI; destination.DigestValue = hashAlgorithm.ComputeHash(rawCert); } }
private void AddTSACertificates(UnsignedProperties unsignedProperties, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod) { TimeStampToken timeStampToken = new TimeStampToken(new CmsSignedData(unsignedProperties.UnsignedSignatureProperties.SignatureTimeStampCollection[0].EncapsulatedTimeStamp.PkiData)); IX509Store certificates = timeStampToken.GetCertificates("Collection"); SignerID signerID = timeStampToken.SignerID; List <X509Certificate2> list = new List <X509Certificate2>(); foreach (object match in certificates.GetMatches(null)) { X509Certificate2 item = new X509Certificate2(((Org.BouncyCastle.X509.X509Certificate)match).GetEncoded()); list.Add(item); } X509Certificate2 cert = DetermineStartCert(list); AddCertificate(cert, unsignedProperties, true, ocspServers, crlList, digestMethod, list.ToArray()); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod) { bool byKey = false; List <string> list = new List <string>(); Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate(); OcspClient ocspClient = new OcspClient(); string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate); if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl)) { list.Add(authorityInformationAccessOcspUrl); } foreach (string ocspServer in ocspServers) { list.Add(ocspServer); } foreach (string item in list) { byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item); switch (ocspClient.ProcessOcspResponse(array)) { case FirmaXades.Clients.CertificateStatus.Revoked: throw new Exception("Certificado revocado"); case FirmaXades.Clients.CertificateStatus.Good: { OcspResp ocspResp = new OcspResp(array); byte[] encoded = ocspResp.GetEncoded(); BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); string str = Guid.NewGuid().ToString(); OCSPRef oCSPRef = new OCSPRef(); oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str; DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest); ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object(); string responderName = GetResponderName(responderId, ref byKey); if (!byKey) { oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName); } else { oCSPRef.OCSPIdentifier.ResponderID = responderName; oCSPRef.OCSPIdentifier.ByKey = true; } oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef); OCSPValue oCSPValue = new OCSPValue(); oCSPValue.PkiData = encoded; oCSPValue.Id = "OcspValue" + str; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue); return((from cert in basicOcspResp.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } } throw new Exception("El certificado no ha podido ser validado"); }
private bool ValidateCertificateByCRL(UnsignedProperties unsignedProperties, X509Certificate2 certificate, X509Certificate2 issuer, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod) { Org.BouncyCastle.X509.X509Certificate cert = certificate.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate(); foreach (X509Crl crl in crlList) { if (crl.IssuerDN.Equivalent(x509Certificate.SubjectDN) && crl.NextUpdate.Value > DateTime.Now) { if (crl.IsRevoked(cert)) { throw new Exception("Certificado revocado"); } if (!ExistsCRL(unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection, issuer.Subject)) { string text = "CRLValue-" + Guid.NewGuid().ToString(); CRLRef cRLRef = new CRLRef(); cRLRef.CRLIdentifier.UriAttribute = "#" + text; cRLRef.CRLIdentifier.Issuer = issuer.Subject; cRLRef.CRLIdentifier.IssueTime = crl.ThisUpdate.ToLocalTime(); long?cRLNumber = GetCRLNumber(crl); if (cRLNumber.HasValue) { cRLRef.CRLIdentifier.Number = cRLNumber.Value; } byte[] encoded = crl.GetEncoded(); DigestUtil.SetCertDigest(encoded, digestMethod, cRLRef.CertDigest); CRLValue cRLValue = new CRLValue(); cRLValue.PkiData = encoded; cRLValue.Id = text; unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection.Add(cRLRef); unsignedProperties.UnsignedSignatureProperties.RevocationValues.CRLValues.CRLValueCollection.Add(cRLValue); } return(true); } } return(false); }
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null) { if (addCert) { if (CertificateChecked(cert, unsignedProperties)) { return; } string str = Guid.NewGuid().ToString(); Cert cert2 = new Cert(); cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name; cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString(); DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest); cert2.URI = "#Cert" + str; unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2); EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate(); encapsulatedX509Certificate.Id = "Cert" + str; encapsulatedX509Certificate.PkiData = cert.GetRawCertData(); unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate); } X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements; if (chainElements.Count > 1) { X509ChainElementEnumerator enumerator = chainElements.GetEnumerator(); enumerator.MoveNext(); enumerator.MoveNext(); if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod)) { X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod); if (array != null) { X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array)); if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name) { X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array); AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array); } } } AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts); } }