-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathSignService.cs
91 lines (75 loc) · 3.95 KB
/
SignService.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
using iText.Kernel.Pdf;
using iText.Signatures;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace PdfSignSamplePkcs1
{
public class SignService
{
System.Security.Cryptography.X509Certificates.X509Certificate2 signCertificatePrivateKey;
public byte[] Digest { get; set; }
public string PathToPrivateKey { get; set; }
public string PrivatekeyPassword { get; set; }
public SignService(byte[] digest, string pathToPrivateKey, string privatekeyPassword)
{
Digest = digest;
PathToPrivateKey = pathToPrivateKey;
PrivatekeyPassword = privatekeyPassword;
}
public byte[] CreatePKCS7()
{
//Load the certificate used for signing
signCertificatePrivateKey = LoadCertificateFromFile();
//Create signature >> Replace this code with a signature call to AIS
//todo check which hash actually must be sent to the service (Might require the hash to be converted to SHA256)
//todo maybe the certificate chain must be included in case of the AIS service
Org.BouncyCastle.X509.X509Certificate cert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(signCertificatePrivateKey);
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)signCertificatePrivateKey.PrivateKey;
Org.BouncyCastle.Crypto.AsymmetricCipherKeyPair keyPair = DotNetUtilities.GetRsaKeyPair(rsa);
PrivateKeySignature signature = new PrivateKeySignature(keyPair.Private, "SHA256");
String hashAlgorithm = signature.GetHashAlgorithm();
PdfPKCS7 sgn = new PdfPKCS7(null, new[] { cert }, hashAlgorithm, false);
var sh = sgn.GetAuthenticatedAttributeBytes(Digest, PdfSigner.CryptoStandard.CMS, null, null);
byte[] extSignature = signature.Sign(sh);
//Apply signature
sgn.SetExternalDigest(extSignature, null, signature.GetEncryptionAlgorithm());
//Return the complete PKCS7 CMS
return sgn.GetEncodedPKCS7(Digest, PdfSigner.CryptoStandard.CMS, null, null, null);
}
public byte[] CreatePKCS7ViaPkcs1()
{
//Load the certificate used for signing
signCertificatePrivateKey = LoadCertificateFromFile();
// create sha256 message digest
// This is from https://kb.itextpdf.com/home/it7kb/examples/how-to-use-a-digital-signing-service-dss-such-as-globalsign-with-itext-7
// Not sure if this is required, but the created signature is invalid either way
using (SHA256 sha256 = SHA256.Create())
{
Digest = sha256.ComputeHash(Digest);
}
//Create pkcs1 signature using RSA
byte[] signature = null;
using (var key = signCertificatePrivateKey.GetRSAPrivateKey())
{
signature = key.SignData(Digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}
Org.BouncyCastle.X509.X509Certificate cert = DotNetUtilities.FromX509Certificate(signCertificatePrivateKey);
PdfPKCS7 sgn = new PdfPKCS7(null, new[] { cert }, "SHA256", false);
sgn.SetExternalDigest(signature, null, "RSA");
//Return the complete PKCS7 CMS
return sgn.GetEncodedPKCS7(Digest, PdfSigner.CryptoStandard.CMS, null, null, null);
}
public X509Certificate2 LoadCertificateFromFile()
{
X509Certificate2 rootCertificateWithPrivateKey = new X509Certificate2();
byte[] rawData = System.IO.File.ReadAllBytes(PathToPrivateKey);
rootCertificateWithPrivateKey.Import(rawData, PrivatekeyPassword, X509KeyStorageFlags.Exportable);
return rootCertificateWithPrivateKey;
}
}
}