1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.
40.
41.
42.
43.
44.
45.
46.
47.
48.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
59.
60.
61.
62.
63.
64.
65.
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76.
77.
78.
79.
80.
81.
82.
83.
84.
85.
86.
87.
88.
89.
90.
91.
92.
93.
94.
95.
96.
97.
98.
99.
100.
101.
102.
103.
104.
105.
106.
107.
108.
109.
110.
111.
112.
113.
114.
115.
116.
117.
118.
119.
120.
121.
122.
123.
124.
125.
126.
127.
128.
129.
130.
131.
132.
133.
134.
135.
136.
137.
138.
139.
140.
141.
142.
143.
144.
145.
146.
147.
148.
149.
150.
151.
152.
153.
154.
155.
156.
157.
158.
159.
160.
161.
162.
163.
164.
165.
166.
167.
168.
169.
170.
171.
172.
173.
174.
175.
176.
177.
178.
179.
180.
181.
182.
183.
184.
185.
186.
187.
188.
189.
190.
191.
192.
193.
194.
195.
196.
197.
198.
199.
200.
201.
202.
203.
204.
205.
206.
207.
208.
209.
210.
211.
212.
213.
214.
215.
216.
217.
218.
219.
220.
221.
222.
223.
224.
225.
226.
227.
228.
229.
230.
231.
232.
233.
234.
235.
236.
237.
238.
239.
240.
241.
242.
243.
244.
245.
246.
247.
248.
249.
250.
251.
252.
253.
254.
255.
256.
257.
258.
259.
260.
261.
262.
263.
264.
265.
266.
267.
268.
269.
270.
271.
272.
273.
274.
procedure SignStream(SignerCert: PCCERT_CONTEXT; ASourceStream: TStream; ADestStream: TStream; DetachedSignature: Boolean);
var
SignPara: CRYPT_SIGN_MESSAGE_PARA;
bToBeSigned: array of PByte;
cToBeSigned: array of DWORD;
pMsgCrl: array of PCCERT_CONTEXT;
pbSignedBlob: PByte;
cbSignedBlob: DWORD;
begin
SetLength(bToBeSigned, 1);
SetLength(cToBeSigned, 1);
SetLength(pMsgCrl, 1);
bToBeSigned[0] := GetMemory(ASourceStream.Size);
cToBeSigned[0] := ASourceStream.Size;
pMsgCrl[0] := SignerCert;
cbSignedBlob := 0;
try
ASourceStream.Read(bToBeSigned[0]^, ASourceStream.Size);
ZeroMemory(@SignPara, SizeOf(CRYPT_SIGN_MESSAGE_PARA));
SignPara.cbSize := SizeOf(CRYPT_SIGN_MESSAGE_PARA);
SignPara.dwMsgEncodingType := MY_ENCODING_TYPE;
SignPara.pSigningCert := SignerCert;
SignPara.HashAlgorithm.pszObjId := PAnsiChar(szOID_CP_GOST_R3411);
SignPara.HashAlgorithm.Parameters.cbData := 0;
SignPara.HashAlgorithm.Parameters.pbData := nil;
SignPara.cMsgCert := 1;
SignPara.rgpMsgCert := Pointer(pMsgCrl);
if not(CryptSignMessage(@SignPara, DetachedSignature, 1, Pointer(bToBeSigned), Pointer(cToBeSigned), nil, cbSignedBlob)) then
RaiseLastOSError;
pbSignedBlob := GetMemory(cbSignedBlob);
try
if not CryptSignMessage(@SignPara, DetachedSignature, 1, Pointer(bToBeSigned), Pointer(cToBeSigned), pbSignedBlob, cbSignedBlob) then
RaiseLastOSError;
ADestStream.Write(pbSignedBlob^, cbSignedBlob);
finally
FreeMemory(pbSignedBlob);
end;
finally
FreeMemory(bToBeSigned[0]);
end;
end;
procedure HashStream(ASourceStream: TStream; ADestStreamHash: TStream);
var
HashPara: CRYPT_HASH_MESSAGE_PARA;
cToBeHashed: DWORD;
rgpbToBeHashed: array of PByte;
rgcbToBeHashed: array of DWORD;
pbHashedBlob: PByte;
pcbHashedBlob: DWORD;
begin
cToBeHashed := 1;
ASourceStream.Position := 0;
SetLength(rgpbToBeHashed, 1);
SetLength(rgcbToBeHashed, 1);
rgpbToBeHashed[0] := GetMemory(ASourceStream.Size);
rgcbToBeHashed[0] := ASourceStream.Size;
pcbHashedBlob := 0;
try
ASourceStream.Read(rgpbToBeHashed[0]^, ASourceStream.Size);
ZeroMemory(@HashPara, SizeOf(CRYPT_HASH_MESSAGE_PARA));
HashPara.cbSize := SizeOf(CRYPT_HASH_MESSAGE_PARA);
HashPara.dwMsgEncodingType := MY_ENCODING_TYPE;
HashPara.HashAlgorithm.pszObjId := PAnsiChar(szOID_CP_GOST_R3411);
HashPara.HashAlgorithm.Parameters.cbData := 0;
HashPara.HashAlgorithm.Parameters.pbData := nil;
HashPara.pvHashAuxInfo := nil;
if not(CryptHashMessage(@HashPara, True, cToBeHashed, Pointer(rgpbToBeHashed), Pointer(rgcbToBeHashed), nil, @pcbHashedBlob, nil,
nil { Pointer(pcbComputedHash) } )) then
RaiseLastOSError;
pbHashedBlob := GetMemory(pcbHashedBlob);
try
if not(CryptHashMessage(@HashPara, True, cToBeHashed, Pointer(rgpbToBeHashed), Pointer(rgcbToBeHashed), pbHashedBlob, @pcbHashedBlob, nil,
nil { pbComputedHash, Pointer(pcbComputedHash) } )) then
RaiseLastOSError;
ADestStreamHash.Write(pbHashedBlob^, pcbHashedBlob);
finally
FreeMemory(pbHashedBlob);
end;
finally
FreeMemory(rgpbToBeHashed[0]);
end;
end;
function CoSignMessage(ACertContext: PCCERT_CONTEXT; // Сертификат
pFileToSign: TStream; // сам файл
pSignedMessageStream: TStream; // подпись сообщения
pCosignedMessageStream: TStream; // результат - соподписаное подпись сообщения
var sMsg: String): Boolean; // сообщение об ошибке в случае Result := false;
var
hProv: HCRYPTPROV;
hMsg: HCRYPTMSG;
dwKeySpec: DWORD;
HashAlgorithm: CRYPT_ALGORITHM_IDENTIFIER;
SignerEncodeInfo: CMSG_SIGNER_ENCODE_INFO;
CosignCertBlob: CERT_BLOB;
dwSize: DWORD;
pbCoSignedBlob: PByte;
cbCoSignedBlob: DWORD;
SignFileSize: cardinal;
Buffer: PByte;
len: DWORD;
begin
try
Result := false;
if not CryptAcquireCertificatePrivateKey(ACertContext, 0, nil, hProv, @dwKeySpec, nil) then
begin
sMsg := 'CryptAcquireCertificatePrivateKey failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
ZeroMemory(@HashAlgorithm, SizeOf(HashAlgorithm));
HashAlgorithm.pszObjId := PAnsiChar(szOID_CP_GOST_R3411); // Идентификатор алгоритма хэша
// Initialize the CMSG_SIGNER_ENCODE_INFO structure for the cosigner.
ZeroMemory(@SignerEncodeInfo, SizeOf(CMSG_SIGNER_ENCODE_INFO));
SignerEncodeInfo.cbSize := SizeOf(CMSG_SIGNER_ENCODE_INFO);
SignerEncodeInfo.HashAlgorithm := HashAlgorithm;
SignerEncodeInfo.HashAlgorithm.pszObjId := PAnsiChar(szOID_CP_GOST_R3411); // szOID_CP_GOST_R3411 = '1.2.643.2.2.9';
SignerEncodeInfo.pCertInfo := ACertContext.pCertInfo;
SignerEncodeInfo.HCRYPTPROV := hProv;
SignerEncodeInfo.dwKeySpec := dwKeySpec;
SignerEncodeInfo.pvHashAuxInfo := nil;
// Open a message for decoding.
hMsg := CryptMsgOpenToDecode(MY_ENCODING_TYPE, CMSG_DETACHED_FLAG, 0, 0, nil, nil);
if hMsg = nil then
begin
sMsg := 'CryptMsgOpenToDecode failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
// Update the message with the encoded BLOB.
try
SignFileSize := pSignedMessageStream.Size;
GetMem(Buffer, SignFileSize);
pSignedMessageStream.Position := 0;
len := pSignedMessageStream.Read(Buffer^, SignFileSize);
if not CryptMsgUpdate(hMsg, Buffer, len, True) then
begin
sMsg := 'CryptMsgUpdate (detached file) failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
finally
FreeMem(Buffer, SignFileSize);
end;
try
SignFileSize := pFileToSign.Size;
GetMem(Buffer, SignFileSize);
pFileToSign.Position := 0;
len := pFileToSign.Read(Buffer^, SignFileSize);
if not CryptMsgUpdate(hMsg, Buffer, len, True) then
begin
sMsg := 'CryptMsgUpdate (signed file) failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
finally
FreeMem(Buffer, SignFileSize);
end;
// Add the cosigner to the message.
if not CryptMsgControl(hMsg, 0, CMSG_CTRL_ADD_SIGNER, @SignerEncodeInfo) then
begin
sMsg := 'CMSG_CTRL_ADD_SIGNER failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
// Add the cosigner's certificate to the message.
CosignCertBlob.cbData := ACertContext.cbCertEncoded;
CosignCertBlob.pbData := ACertContext.pbCertEncoded;
if not CryptMsgControl(hMsg, 0, CMSG_CTRL_ADD_CERT, @CosignCertBlob) then
begin
sMsg := 'CMSG_CTRL_ADD_CERT failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
// Get the size of the cosigned BLOB.
if not CryptMsgGetParam(hMsg, CMSG_ENCODED_MESSAGE, 0, nil, cbCoSignedBlob) then
begin
sMsg := 'Sizing of cbSignerInfo failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
// Allocate memory for the cosigned BLOB.
pbCoSignedBlob := GetMemory(cbCoSignedBlob);
// Get the cosigned message BLOB.
try
if not CryptMsgGetParam(hMsg, CMSG_ENCODED_MESSAGE, 0, pbCoSignedBlob, cbCoSignedBlob) then
begin
sMsg := 'Getting cosigned message failed.'#13#10 + SysErrorMessage(GetLastError);
Exit;
end;
pCosignedMessageStream.Write(pbCoSignedBlob^, cbCoSignedBlob);
Result := True;
finally
FreeMemory(pbCoSignedBlob);
end;
finally
if (hMsg <> nil) then
begin
CryptMsgClose(hMsg);
end;
end;
end;
function VerifySigStreams(AFileStream: TMemoryStream; ASigStream: TMemoryStream): Boolean;
var
veriPara: CRYPT_VERIFY_MESSAGE_PARA;
arrDataPointer: array of Pointer;
arrDataSize: array of DWORD;
c, i: Integer;
begin
try
Result := false;
AFileStream.Position := 0;
ASigStream.Position := 0;
SetLength(arrDataPointer, 1);
SetLength(arrDataSize, 1);
arrDataPointer[0] := AFileStream.memory;
arrDataSize[0] := AFileStream.Size;
FillChar(veriPara, SizeOf(CRYPT_VERIFY_MESSAGE_PARA), #0);
veriPara.cbSize := SizeOf(CRYPT_VERIFY_MESSAGE_PARA);
veriPara.dwMsgAndCertEncodingType := MY_ENCODING_TYPE;
c := CryptGetMessageSignerCount(MY_ENCODING_TYPE, ASigStream.memory, ASigStream.Size);
Result := True;
Result := Result and (c > 0);
for i := 0 to c - 1 do
Result := Result and CryptVerifyDetachedMessageSignature(@veriPara, 0, ASigStream.memory, ASigStream.Size, 1, Pointer(arrDataPointer),
Pointer(arrDataSize), nil);
except
// TODO: говорить чего нибудь
Result := false;
end;
end;
function VerifySigFiles(sFileToVerifyPath, sSignaturePath: String): Boolean;
var
veriPara: CRYPT_VERIFY_MESSAGE_PARA;
mStreamIn, mStreamSignIn: TMemoryStream;
arrDataPointer: array of Pointer;
arrDataSize: array of DWORD;
begin
try
try
mStreamIn := TMemoryStream.Create;
mStreamIn.LoadFromFile(sFileToVerifyPath);
mStreamSignIn := TMemoryStream.Create;
mStreamSignIn.LoadFromFile(sSignaturePath);
Result := VerifySigStreams(mStreamIn, mStreamSignIn);
except
// TODO: говорить чего нибудь
Result := false;
end;
finally
FreeAndNil(mStreamIn);
FreeAndNil(mStreamSignIn);
end;
end;
