I trying to set the time stamp on my signature using SignedCms, I succeeded in returning the timestamptoken of castle bouncy but I need to implement time stamp of the authorization server on my signature.
I've tried adding UnsignedAttributes but to no avail.
This is my signature code:
static public byte[] SignMsg(Byte[] msg, X509Certificate2 signerCert, bool detached, Arquivo arquivo)
{
ContentInfo contentInfo = new ContentInfo(msg);
SignedCms signedCms = new SignedCms(contentInfo, detached);
CmsSigner cmsSigner = new CmsSigner(signerCert);
cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly;
NetworkCredential myCred = new NetworkCredential(
"user", "pass");
CredentialCache myCache = new CredentialCache();
myCache.Add(new Uri("http://tsatest2.digistamp.com/tsa"), "Basic", myCred);
UserCredentials user = new UserCredentials(myCred);
var d = RequestTimeStampToken("http://tsatest2.digistamp.com/tsa", arquivo.arquivo,null, user);
var x = d.Time;
var chain = new X509Chain();
System.Security.Cryptography.AsnEncodedData timeData = new Pkcs9AttributeObject(Oid.SHA256.OID, d.EncodedToken);
cmsSigner.UnsignedAttributes.Add(timeData);
signedCms.ComputeSignature(cmsSigner, false);
return signedCms.Encode();
}
This is my response from request:
public static TimeStampToken RequestTimeStampToken(string tsaUri, string pathToFile)
{
return RequestTimeStampToken(tsaUri, pathToFile, null, null);
}
public static TimeStampToken RequestTimeStampToken(string tsaUri, string pathToFileToTimestamp, Oid digestType, UserCredentials credentials)
{
if (null == pathToFileToTimestamp)
{
throw new ArgumentNullException("pathToFileToTimestamp");
}
using (FileStream fs = new FileStream(pathToFileToTimestamp, FileMode.Open, FileAccess.Read))
{
return RequestTimeStampToken(tsaUri, fs, digestType, credentials);
}
}
public static TimeStampToken RequestTimeStampToken(string tsaUri, Stream dataToTimestamp, Oid digestType, UserCredentials credentials)
{
if (null == tsaUri)
{
throw new ArgumentNullException("tsaUri");
}
if (null == dataToTimestamp)
{
throw new ArgumentNullException("dataToTimestamp");
}
if (null == digestType)
{
digestType = Oid.SHA512;
}
byte[] digest = DigestUtils.ComputeDigest(dataToTimestamp, digestType);
Request request = new Request(digest, digestType.OID);
return RequestTST(tsaUri, request, credentials);
}
private static TimeStampToken RequestTST(string tsaUri, Request request, UserCredentials credentials = null)
{
byte[] responseBytes = null;
UriBuilder urib = new UriBuilder(tsaUri);
switch (urib.Uri.Scheme)
{
case "http":
case "https":
responseBytes = GetHttpResponse(tsaUri, request.ToByteArray(), credentials);
break;
case "tcp":
responseBytes = GetTcpResponse(tsaUri, request.ToByteArray());
break;
default:
throw new TimeStampException("Unknown protocol.");
}
Response response = new Response(responseBytes);
ValidateResponse(request, response);
return response.TST;
}
public Response(byte[] response)
{
if (null == response)
{
throw new ArgumentNullException("response");
}
this.response = new TimeStampResponse(response);
if (null != this.response.TimeStampToken)
{
Org.BouncyCastle.Asn1.Tsp.TimeStampResp asn1Response = Org.BouncyCastle.Asn1.Tsp.TimeStampResp.GetInstance(Org.BouncyCastle.Asn1.Asn1Sequence.FromByteArray(response));
var derTst = asn1Response.TimeStampToken.GetDerEncoded();
this.TST = new TimeStampToken(derTst);
}
}
I want to include the time stamp in the digital signature and information that it has been validated by an authorization server.
This works for me.
cmsSigner.SignedAttributes.Add(new Pkcs9SigningTime(DateTime.Now));
Related
I created an outgoing Teams webhook.
The callback URL points to a controller on my API, and I would like to use the HMAC provided by the webhook in the request header.
However, when I compute the HMAC with the secret key, I don't obtain the same key as the one in the header.
I tried this code :
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
{
try
{
if (!this.Request.Headers.TryGetValue("Authorization", out var headerValue))
{
return AuthenticateResult.Fail("Authorization header not found.");
}
var sentKey = headerValue.ToString().Replace("HMAC ", null);
string requestBody = null;
using (var reader = new StreamReader(this.Request.Body, Encoding.UTF8))
{
requestBody = await reader.ReadToEndAsync();
}
if (string.IsNullOrWhiteSpace(requestBody))
{
return AuthenticateResult.Fail("No content to authenticate.");
}
var secretKeyBytes = Encoding.UTF8.GetBytes(this.Options.SecretKey);
using (var hmac = new HMACSHA256(secretKeyBytes))
{
var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody));
var expectedSignature = WebEncoders.Base64UrlEncode(hash);
if (!string.Equals(sentKey, expectedSignature, StringComparison.Ordinal))
{
return AuthenticateResult.Fail("Invalid HMAC signature.");
}
}
var claimsIdentity = new ClaimsIdentity();
var ticket = new AuthenticationTicket(new ClaimsPrincipal(claimsIdentity), this.Scheme.Name);
return AuthenticateResult.Success(ticket);
}
catch (Exception ex)
{
return AuthenticateResult.Fail($"{ex.HResult}, {ex.Message}");
}
}
OCSP request does not fall into the Audit log table when I send it using Bouncy Castle library.
I don't understand why? What is wrong with my code and how to solve it?
I have a client certificate and issuer certificate. I create two client classes for this purpose. Each of them uses different libraries. One use Bouncy Castle another one uses Chilkat. Each of them validates the certificate correctly. But the problem is with the server side. The query does not fall into the Audit log table when I try Bouncy Castle version.
But when I use Chilkat API everything is ok.
Bouncy Castle version :
class TestOCSPClient
{
protected static Asn1Object GetExtensionValue(X509Certificate cert,
string oid)
{
if (cert == null)
{
return null;
}
byte[] bytes = cert.GetExtensionValue(new DerObjectIdentifier(oid)).GetOctets();
if (bytes == null)
{
return null;
}
Asn1InputStream aIn = new Asn1InputStream(bytes);
return aIn.ReadObject();
}
public static List<string> GetAuthorityInformationAccessOcspUrl(X509Certificate cert)
{
List<string> ocspUrls = new List<string>();
try
{
Asn1Object obj = GetExtensionValue(cert, X509Extensions.AuthorityInfoAccess.Id);
if (obj == null)
{
return null;
}
Asn1Sequence s = (Asn1Sequence)obj;
IEnumerator elements = s.GetEnumerator();
while (elements.MoveNext())
{
Asn1Sequence element = (Asn1Sequence)elements.Current;
DerObjectIdentifier oid = (DerObjectIdentifier)element[0];
if (oid.Id.Equals("1.3.6.1.5.5.7.48.1")) // Is Ocsp?
{
Asn1TaggedObject taggedObject = (Asn1TaggedObject)element[1];
GeneralName gn = (GeneralName)GeneralName.GetInstance(taggedObject);
ocspUrls.Add(((DerIA5String)DerIA5String.GetInstance(gn.Name)).GetString());
}
}
}
catch (Exception e)
{
throw new Exception("Error parsing AIA.", e);
}
return ocspUrls;
}
public CertificateStatusEnum ValidateOCSP(X509Certificate cert, X509Certificate cacert)
{
List<string> urls = GetAuthorityInformationAccessOcspUrl(cert);
if (urls.Count == 0)
{
throw new Exception("No OCSP url found in ee certificate.");
}
string url = urls[0];
Console.WriteLine("Sending to : '" + url + "'...");
byte[] packtosend = CreateOCSPPackage(cert, cacert);
byte[] response = PostRequest(url, packtosend, "Content-Type", "application/ocsp-request");
return VerifyResponse(response);
}
public byte[] ToByteArray(Stream stream)
{
byte[] buffer = new byte[4096 * 8];
MemoryStream ms = new MemoryStream();
int read = 0;
while ((read = stream.Read(buffer, 0, buffer.Length)) > 0)
{
ms.Write(buffer, 0, read);
}
return ms.ToArray();
}
public byte[] PostRequest(string url, byte[] data, string contentType, string accept)
{
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
request.Method = "POST";
request.ContentType = contentType;
request.ContentLength = data.Length;
request.Accept = accept;
Stream stream = request.GetRequestStream();
stream.Write(data, 0, data.Length);
stream.Close();
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream respStream = response.GetResponseStream();
Console.WriteLine(string.Format("HttpStatusCode : {0}", response.StatusCode.ToString()));
byte[] resp = ToByteArray(respStream);
respStream.Close();
return resp;
}
private CertificateStatusEnum VerifyResponse(byte[] response)
{
OcspResp r = new OcspResp(response);
CertificateStatusEnum cStatusEnum = CertificateStatusEnum.Unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
//ValidateResponse(or, issuerCert);
Console.WriteLine(or.Responses.Length);
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
Object certificateStatus = resp.GetCertStatus();
//this part returns null actually
if (certificateStatus == null)
{
Console.WriteLine("Status is null ! ");
}
if (certificateStatus==null || certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatusEnum = CertificateStatusEnum.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
cStatusEnum = CertificateStatusEnum.Revoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
cStatusEnum = CertificateStatusEnum.Unknown;
}
}
break;
default:
throw new Exception("Unknow status '" + r.Status + "'.");
}
return cStatusEnum;
}
private static byte[] CreateOCSPPackage(X509Certificate cert, X509Certificate cacert)
{
OcspReqGenerator gen = new OcspReqGenerator();
try
{
CertificateID certId = new CertificateID(CertificateID.HashSha1, cacert, cert.SerialNumber);
gen.AddRequest(certId);
gen.SetRequestExtensions(CreateExtension());
OcspReq req;
req = gen.Generate();
return req.GetEncoded();
}
catch (OcspException e)
{
Console.WriteLine(e.StackTrace);
}
catch (IOException e)
{
Console.WriteLine(e.StackTrace);
}
return null;
}
private static X509Extensions CreateExtension()
{
byte[] nonce = new byte[16];
Hashtable exts = new Hashtable();
BigInteger nc = BigInteger.ValueOf(DateTime.Now.Ticks);
X509Extension nonceext = new X509Extension(false, new DerOctetString(nc.ToByteArray()));
exts.Add(OcspObjectIdentifiers.PkixOcspNonce, nonceext);
return new X509Extensions(exts);
}
}
Chilkat Version :
public static class ChilCatOCSP
{
public static void Validate( string cetpat )
{
Chilkat.Global glob = new Chilkat.Global();
bool chksuccesss = glob.UnlockBundle("Anything for 30-day trial");
if (chksuccesss != true)
{
Console.WriteLine(glob.LastErrorText);
return;
}
Chilkat.Cert cert = new Chilkat.Cert();
bool success = cert.LoadFromFile(cetpat);
if (success != true)
{
Console.WriteLine(cert.LastErrorText);
return;
}
string ocspUrl = cert.OcspUrl;
// Build the JSON that will be the OCSP request.
Chilkat.Prng prng = new Chilkat.Prng();
Chilkat.JsonObject json = new Chilkat.JsonObject();
json.EmitCompact = false;
json.UpdateString("extensions.ocspNonce", prng.GenRandom(36, "base64"));
json.I = 0;
json.UpdateString("request[i].cert.hashAlg", "sha1");
json.UpdateString("request[i].cert.issuerNameHash", cert.HashOf("IssuerDN", "sha1", "base64"));
json.UpdateString("request[i].cert.issuerKeyHash", cert.HashOf("IssuerPublicKey", "sha1", "base64"));
json.UpdateString("request[i].cert.serialNumber", cert.SerialNumber);
Console.WriteLine(json.Emit());
Chilkat.BinData ocspRequest = new Chilkat.BinData();
Chilkat.Http http = new Chilkat.Http();
// Convert our JSON to a binary (ASN.1) OCSP request
http.CreateOcspRequest(json, ocspRequest);
// Send the OCSP request to the OCSP server
Chilkat.HttpResponse resp = http.PBinaryBd("POST", ocspUrl, ocspRequest, "application/ocsp-request", false, false);
if (http.LastMethodSuccess != true)
{
Console.WriteLine(http.LastErrorText);
return;
}
// Get the binary (ASN.1) OCSP reply
Chilkat.BinData ocspReply = new Chilkat.BinData();
resp.GetBodyBd(ocspReply);
// Convert the binary reply to JSON.
// Also returns the overall OCSP response status.
Chilkat.JsonObject jsonReply = new Chilkat.JsonObject();
int ocspStatus = http.ParseOcspReply(ocspReply, jsonReply);
// The ocspStatus can have one of these values:
// -1: The ARG1 does not contain a valid OCSP reply.
// 0: Successful - Response has valid confirmations..
// 1: Malformed request - Illegal confirmation request.
// 2: Internal error - Internal error in issuer.
// 3: Try later - Try again later.
// 4: Not used - This value is never returned.
// 5: Sig required - Must sign the request.
// 6: Unauthorized - Request unauthorized.
if (ocspStatus < 0)
{
Console.WriteLine("Invalid OCSP reply.");
return;
}
Console.WriteLine("Overall OCSP Response Status: " + Convert.ToString(ocspStatus));
// Let's examine the OCSP response (in JSON).
jsonReply.EmitCompact = false;
Console.WriteLine(jsonReply.Emit());
// The JSON reply looks like this:
// (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml
// to generate JSON parsing code.)
// {
// "responseStatus": 0,
// "responseTypeOid": "1.3.6.1.5.5.7.48.1.1",
// "responseTypeName": "ocspBasic",
// "response": {
// "responderIdChoice": "KeyHash",
// "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
// "dateTime": "20180803193937Z",
// "cert": [
// {
// "hashOid": "1.3.14.3.2.26",
// "hashAlg": "SHA-1",
// "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
// "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
// "serialNumber": "6175535D87BF94B6",
// "status": 0,
// "thisUpdate": "20180803193937Z",
// "nextUpdate": "20180810193937Z"
// }
// ]
// }
// }
//
// The certificate status:
int certStatus = json.IntOf("response.cert[0].status");
// Possible certStatus values are:
// 0: Good
// 1: Revoked
// 2: Unknown.
Console.WriteLine("Certificate Status: " + Convert.ToString(certStatus));
}
}
Also, I've found an online tool that works ok. here
I think problem is that you use a wrong accept type in your code. You may omit accept type if it is not necessary. You should consider
adding a nonce to your request too.
public CertificateStatusEnum ValidateOCSP(X509Certificate cert, X509Certificate cacert)
{
List<string> urls = GetAuthorityInformationAccessOcspUrl(cert);
if (urls.Count == 0)
{
throw new Exception("No OCSP url found in ee certificate.");
}
string url = urls[0];
Console.WriteLine("Sending to : '" + url + "'...");
byte[] packtosend = CreateOCSPPackage(cert, cacert);
byte[] response = PostRequest(url, packtosend, **"application/ocsp-request"**, **"application/ocsp-response"**);
return VerifyResponse(response);
}
I have the following code in the Login(username, password)
if (hasher.Compare(password, person.Hash))
{
FormsAuthentication.SetAuthCookie(userId, true);
OpenAccount(person);
var principle = new GenericPrincipal( new GenericIdentity($"{person.FirstName} {person.LastName}"), new string[] {"All"});
var data = Konstants.Serialize(principle);
var ticket = new FormsAuthenticationTicket(1, principle.Identity.Name, DateTime.Now, DateTime.Now.AddMinutes(30), true, data);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
FormsAuthentication.SetAuthCookie(principle.Identity.Name, false);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.SetCookie(cookie);
Response.RedirectToRoute("Default");
}
Then in the Global.asax I have the following code:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
try
{
if (authCookie != null)
{
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
if (!string.IsNullOrEmpty(ticket.UserData))
{
var principle = Konstants.Deserialize<GenericPrincipal>(ticket.UserData);
HttpContext.Current.User = principle;
}
}
}
catch
{
}
}
But in the AutheticateRequest the ticket.UserData is always empty. In fact the cookie value I get is the one that was before authentication not the one that I stored. What am I doing wrong here.
Update: The Serialize and Deserialize code is as follows:
public static string Serialize<T>(T obj)
{
var ret = string.Empty;
using(var ms = new MemoryStream())
{
var bf = new BinaryFormatter();
bf.Serialize(ms, obj);
ret= Convert.ToBase64String(ms.GetBuffer());
}
return ret;
}
public static T Deserialize<T>(string text)
{
var obj = default(T);
var data = Convert.FromBase64String(text);
using(var ms = new MemoryStream(data, false))
{
var bf = new BinaryFormatter();
obj = (T)bf.Deserialize(ms);
}
return obj;
}
You've got two calls to SetAuthCookie in that first code block, but you don't need either if you're creating a custom ticket. I think this should do the trick:
OpenAccount(person);
var principle = new GenericPrincipal( new GenericIdentity($"{person.FirstName} {person.LastName}"), new string[] {"All"});
var data = Konstants.Serialize(principle);
var ticket = new FormsAuthenticationTicket(1, principle.Identity.Name, DateTime.Now, DateTime.Now.AddMinutes(30), true, data);
var encryptedTicket = FormsAuthentication.Encrypt(ticket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.SetCookie(cookie);
Response.RedirectToRoute("Default");
Edit: I also just noticed that you're not passing your serialized data into the userData field of the new ticket, is that the intention?
I have a problem how i can find the private key from windows 2008 server.
first i encrypt a data with public key that i extracted it from url HTTPS
like this:
public static string Encrypt(string Data)
{
try
{
var Crypto = new RSACryptoServiceProvider(2048);
var RsaKeyInfo = Crypto.ExportParameters(false);
RsaKeyInfo.Modulus = PublicKeyByte();
Crypto.ImportParameters(RsaKeyInfo);
var bytesData = Encoding.Unicode.GetBytes(Data);
var bytesCypherText = Crypto.Encrypt(bytesData, false);
var cypherText = Convert.ToBase64String(bytesCypherText);
return cypherText;
}
catch (Exception ex)
{
return null;
}
}
private static byte[] PublicKeyByte()
{
Uri u = new Uri("https:\\domain.com");
ServicePoint sp = ServicePointManager.FindServicePoint(u);
string groupName = Guid.NewGuid().ToString();
HttpWebRequest req = HttpWebRequest.Create(u) as HttpWebRequest;
req.ConnectionGroupName = groupName;
using (WebResponse resp = req.GetResponse())
{
}
sp.CloseConnectionGroup(groupName);
return sp.Certificate.GetPublicKey(); ;
}
Now i dont know how extract private key in C# for decrypting message?
and i want to know more informations about this
thanks,
i resolved this by extracting the certificate file .PFX and im using System.Security.Cryptography.X509Certificates for encrypting and decrypting:
public static string Encrypt(string data)
{
try
{
var path = #"certificate.pfx";
var password = "test";
var collection = new X509Certificate2Collection();
collection.Import(path, password, X509KeyStorageFlags.PersistKeySet);
var certificate = collection[0];
var publicKey = certificate.PublicKey.Key as RSACryptoServiceProvider;
var bytesData = Convert.FromBase64String(data);
var encryptedData = publicKey.Encrypt(bytesData, false);
var cypherText = Convert.ToBase64String(encryptedData);
return cypherText;
}
catch (Exception ex)
{
return null;
}
}
public static string Decrypt(string data)
{
try
{
var path = #"certificate.pfx";
var password = "test";
var collection = new X509Certificate2Collection();
collection.Import(path, password, X509KeyStorageFlags.PersistKeySet);
var certificate = collection[0];
var privateKey = certificate.PrivateKey as RSACryptoServiceProvider;
var bytesData = Convert.FromBase64String(data);
var dataByte = privateKey.Decrypt(bytesData, false);
return Convert.ToBase64String(dataByte);
}
catch (Exception ex)
{
return "";
}
}
I'm currently trying to upload an image through my webservice. I have this piece of code:
public async Task<Webservice> editProfile(List<KeyValuePair<string, string>> values, byte[] image)
{
String strUrl = String.Format("http://********/nl/webservice/abc123/members/update");
var HttpClientUpload = new HttpClient();
HttpMultipartFormDataContent requestUploadContent = new HttpMultipartFormDataContent();
Stream streamImage = new System.IO.MemoryStream(image);
HttpStreamContent streamContent = new HttpStreamContent(streamImage.AsInputStream());
requestUploadContent.Add(streamContent, "myFile", "image.jpg");
foreach (var keyValuePair in values)
{
requestUploadContent.Add(new HttpStringContent(keyValuePair.Value), keyValuePair.Key);
}
HttpResponseMessage responseLogin = await HttpClientUpload.PostAsync(new Uri(strUrl), requestUploadContent);
responseLogin.EnsureSuccessStatusCode();
if (responseLogin.StatusCode == Windows.Web.Http.HttpStatusCode.Ok && responseLogin.Content != null)
{
var data = new Webservice { Status = responseLogin.StatusCode };
data.Data = await responseLogin.Content.ReadAsStringAsync();
Debug.WriteLine(data.Data);
return data;
}
return new Webservice { Status = new Windows.Web.Http.HttpStatusCode() };
}
But I always get the following exception: 'System.ExecutionEngineException' on the following line:
HttpStreamContent streamContent = new HttpStreamContent(streamImage.AsInputStream());
Can anyone help please, struggling with this problem for days now....
Thanks in advance!
EDIT
I've changed my function:
public async Task<Webservice> editProfile(List<KeyValuePair<string, string>> values, byte[] image)
{
try
{
using (IsolatedStorageFile iso = IsolatedStorageFile.GetUserStoreForApplication())
{
using (IsolatedStorageFileStream stream = iso.OpenFile("image.jpg", FileMode.Open, FileAccess.Read))
{
String strUrl = String.Format("http://membr.sanmax.be/nl/webservice/abc123/members/update");
HttpMultipartFormDataContent requestUploadContent = new HttpMultipartFormDataContent();
//Stream streamImage = new System.IO.MemoryStream(stream);
HttpStreamContent streamContent = new HttpStreamContent(stream.AsInputStream());
requestUploadContent.Add(streamContent, "picture", "photo.jpg");
foreach (var keyValuePair in values)
{
requestUploadContent.Add(new HttpStringContent(keyValuePair.Value), keyValuePair.Key);
}
HttpResponseMessage responseLogin = await httpClient.PostAsync(new Uri(strUrl), requestUploadContent);
responseLogin.EnsureSuccessStatusCode();
if (responseLogin.StatusCode == Windows.Web.Http.HttpStatusCode.Ok && responseLogin.Content != null)
{
var data = new Webservice { Status = responseLogin.StatusCode };
data.Data = await responseLogin.Content.ReadAsStringAsync();
Debug.WriteLine(data.Data);
return data;
}
}
}
}
catch (Exception e)
{
Debug.WriteLine(e);
}
return new Webservice { Status = new Windows.Web.Http.HttpStatusCode() };
}
But now it stops in the catch part with this exception:
WinRT information: Response status code does not indicate success: 413 (Request Entity Too Large).
System.Exception: Request entity too large (413).