authorJeremy Barton <jbarton@microsoft.com>2018-06-15 18:18:06 +0300
committerMarek Safar <marek.safar@gmail.com>2018-06-25 13:09:14 +0300
commit7907326d05d0c585cebc2a009bcdb370b0941e8c (patch)
tree6ca8aec18b448cde7d7cd54969a36910e7027c4f
parenta679dc8b2a054dd7675889de41681fd9d2627c50 (diff)
SignedCms: Improve NetFx compat for SignedCms wrapping EnvelopedCms
* SignedCms with a content-type other than id-data should have attributes * Read classic PKCS7 SignedData(EnvelopedData) documents (NetFx compat) In NetFX if a SignedCms is created using only CmsSigners with IssuerAndSerial as the signer identifier type, the document gets encoded using the older PKCS7 structural definition instead of the newer CMS one. RFC 5652 has a long section (5.2.1) on how to read these documents compatibly. Since the defaults in SignedCms / CmsSigner are the PKCS7 behavior, not reading it means that Signed(Enveloped) documents from NetFX cannot be read.
-rw-r--r--src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/EncapsulatedContentInfoAsn.cs2
-rw-r--r--src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs5
-rw-r--r--src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignedCms.cs101
-rw-r--r--src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs11
-rw-r--r--src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedCmsTests.cs168
-rw-r--r--src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedDocuments.cs249
6 files changed, 526 insertions, 10 deletions
diff --git a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/EncapsulatedContentInfoAsn.cs b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/EncapsulatedContentInfoAsn.cs
index 47d0bf6417..456fa830a8 100644
--- a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/EncapsulatedContentInfoAsn.cs
+++ b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/EncapsulatedContentInfoAsn.cs
@@ -22,7 +22,7 @@ namespace System.Security.Cryptography.Pkcs.Asn1
[OptionalValue]
[ExpectedTag(0, ExplicitTag = true)]
- [OctetString]
+ [AnyValue]
public ReadOnlyMemory<byte>? Content;
}
}
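Review bot: The `Content` field carries no comment saying that, with `[AnyValue]`, it now holds the complete encoded value, tag and length included, instead of the OCTET STRING payload. Every reader of the field has to unwrap it itself, and one that still treats it as payload would hash or return the wrapper bytes. I would add above the field `// Full encoded value: an OCTET STRING in CMS, or the bare content in PKCS#7 (RFC 5652 section 5.2.1); callers must unwrap.` The struct declaration starts outside the hunk.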
diff --git a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs
index 4a5b1b23d2..559b27b928 100644
--- a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs
+++ b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs
@@ -129,7 +129,10 @@ namespace System.Security.Cryptography.Pkcs
SignerInfoAsn newSignerInfo = new SignerInfoAsn();
newSignerInfo.DigestAlgorithm.Algorithm = DigestAlgorithm;
- if ((SignedAttributes != null && SignedAttributes.Count > 0) || contentTypeOid == null)
+ // If the user specified attributes (not null, count > 0) we need attributes.
+ // If the content type is null we're counter-signing, and need the message digest attr.
+ // If the content type is otherwise not-data we need to record it as the content-type attr.
+ if (SignedAttributes?.Count > 0 || contentTypeOid != Oids.Pkcs7Data)
{
List<AttributeAsn> signedAttrs = BuildAttributes(SignedAttributes);
diff --git a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignedCms.cs b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignedCms.cs
index 45a0203b67..f209dd6511 100644
--- a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignedCms.cs
+++ b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignedCms.cs
@@ -2,6 +2,7 @@
// The .NET Foundation licenses this file to you under the MIT license.
// See the LICENSE file in the project root for more information.
+using System.Buffers;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
@@ -24,6 +25,11 @@ namespace System.Security.Cryptography.Pkcs
// bytes will be held separate once the content is "bound" (first signature or decode)
private ReadOnlyMemory<byte>? _heldContent;
+ // During decode, if the PKCS#7 fallback for a missing OCTET STRING is present, this
+ // becomes true and GetHashableContentSpan behaves differently.
+ // See https://tools.ietf.org/html/rfc5652#section-5.2.1
+ private bool _hasPkcs7Content;
+
// Similar to _heldContent, the Windows CMS API held this separate internally,
// and thus we need to be reslilient against modification.
private string _contentType;
@@ -127,20 +133,33 @@ namespace System.Security.Cryptography.Pkcs
_heldData = contentInfo.Content.ToArray();
_signedData = AsnSerializer.Deserialize<SignedDataAsn>(_heldData, AsnEncodingRules.BER);
_contentType = _signedData.EncapContentInfo.ContentType;
+ _hasPkcs7Content = false;
if (!Detached)
{
ReadOnlyMemory<byte>? content = _signedData.EncapContentInfo.Content;
+ ReadOnlyMemory<byte> contentValue;
+
+ if (content.HasValue)
+ {
+ contentValue = GetContent(content.Value, _contentType);
+ // If no OCTET STRING was stripped off, we have PKCS7 interop concerns.
+ _hasPkcs7Content = content.Value.Length == contentValue.Length;
+ }
+ else
+ {
+ contentValue = ReadOnlyMemory<byte>.Empty;
+ }
// This is in _heldData, so we don't need a defensive copy.
- _heldContent = content ?? ReadOnlyMemory<byte>.Empty;
+ _heldContent = contentValue;
// The ContentInfo object/property DOES need a defensive copy, because
// a) it is mutable by the user, and
// b) it is no longer authoritative
//
// (and c: it takes a byte[] and we have a ReadOnlyMemory<byte>)
- ContentInfo = new ContentInfo(new Oid(_contentType), _heldContent.Value.ToArray());
+ ContentInfo = new ContentInfo(new Oid(_contentType), contentValue.ToArray());
}
else
{
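Review bot: The context comment `// This is in _heldData, so we don't need a defensive copy.` no longer describes every case now that `_heldContent` is assigned from `contentValue`. When the primitive read fails and the copy path is taken, `GetContent` returns a fresh array (`rented.AsSpan(0, bytesWritten).ToArray()`), which is not a slice of `_heldData`. The conclusion still holds because that array is private to this object, so I would reword it to `// Either a slice of _heldData or a private copy made by GetContent; no defensive copy needed.` Decode continues past the end of the hunk.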
@@ -152,6 +171,59 @@ namespace System.Security.Cryptography.Pkcs
_hasData = true;
}
+ internal static ReadOnlyMemory<byte> GetContent(
+ ReadOnlyMemory<byte> wrappedContent,
+ string contentType)
+ {
+ // Read the input.
+ //
+ // PKCS7's id-data is written in both PKCS#7 and CMS as an OCTET STRING wrapping
+ // the arbitrary bytes, so the OCTET STRING must always be present.
+ //
+ // For other types, CMS says to always write an OCTET STRING, and to put the properly
+ // encoded data within it.
+ // PKCS#7 originally ommitted the OCTET STRING wrapper for this model, so this is the
+ // dynamic adapter.
+ //
+ // See https://tools.ietf.org/html/rfc5652#section-5.2.1
+ byte[] rented = null;
+ int bytesWritten = 0;
+ try
+ {
+ AsnReader reader = new AsnReader(wrappedContent, AsnEncodingRules.BER);
+
+ if (reader.TryGetPrimitiveOctetStringBytes(out ReadOnlyMemory<byte> inner))
+ {
+ return inner;
+ }
+
+ rented = ArrayPool<byte>.Shared.Rent(wrappedContent.Length);
+
+ if (!reader.TryCopyOctetStringBytes(rented, out bytesWritten))
+ {
+ Debug.Fail($"TryCopyOctetStringBytes failed with an array larger than the encoded value");
+ throw new CryptographicException();
+ }
+
+ return rented.AsSpan(0, bytesWritten).ToArray();
+ }
+ catch (Exception) when (contentType != Oids.Pkcs7Data)
+ {
+ }
+ finally
+ {
+ if (rented != null)
+ {
+ rented.AsSpan(0, bytesWritten).Clear();
+ ArrayPool<byte>.Shared.Return(rented);
+ }
+ }
+
+ // PKCS#7 encoding for something other than id-data.
+ Debug.Assert(contentType != Oids.Pkcs7Data);
+ return wrappedContent;
+ }
+
public void ComputeSignature()
{
throw new PlatformNotSupportedException(SR.Cryptography_Cms_NoSignerCert);
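Review bot: The empty `catch (Exception) when (contentType != Oids.Pkcs7Data)` in `GetContent` swallows every exception type, not only a decode failure. That includes the `CryptographicException` thrown right after `Debug.Fail`, so in a release build the "cannot happen" case silently becomes the PKCS#7 fallback, as would an unrelated failure such as an allocation error from `Rent`. Because this fallback decides which bytes are later hashed for signature verification, I would narrow it to `catch (CryptographicException) when (contentType != Oids.Pkcs7Data)` (assuming AsnReader reports malformed input that way) and raise the `TryCopyOctetStringBytes` failure in a form the filter cannot absorb. The comment at the top of the method also has a typo, `ommitted`.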
@@ -177,7 +249,7 @@ namespace System.Security.Cryptography.Pkcs
// If we had content already, use that now.
// (The second signer doesn't inherit edits to signedCms.ContentInfo.Content)
ReadOnlyMemory<byte> content = _heldContent ?? ContentInfo.Content;
- string contentType = _contentType ?? ContentInfo.ContentType.Value;
+ string contentType = _contentType ?? ContentInfo.ContentType.Value ?? Oids.Pkcs7Data;
X509Certificate2Collection chainCerts;
SignerInfoAsn newSigner = signer.Sign(content, contentType, silent, out chainCerts);
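Review bot: `signer.Sign(content, contentType, ...)` is handed `_heldContent` unchanged, while verification in SignerInfo now hashes `_document.GetHashableContentSpan()`, which drops the outermost tag and length when `_hasPkcs7Content` is true. If Sign hashes the bytes it is given (its body is not in this diff), a signer added to a document that was decoded through the PKCS#7 fallback would be computed over different bytes than CheckSignature later hashes. None of the added tests calls ComputeSignature on one of the NetFx documents, so I would add one that decodes `SignedCmsOverEnvelopedCms_IssuerSerial_NetFx`, adds a signer and calls `CheckSignature(true)`, or reject that combination explicitly. The enclosing method starts and ends outside the hunk.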
@@ -198,7 +270,12 @@ namespace System.Security.Cryptography.Pkcs
// the copy of _heldContent or _contentType here if we're attached.
if (!Detached)
{
- _signedData.EncapContentInfo.Content = content;
+ using (AsnWriter writer = new AsnWriter(AsnEncodingRules.DER))
+ {
+ writer.WriteOctetString(content.Span);
+
+ _signedData.EncapContentInfo.Content = writer.Encode();
+ }
}
_hasData = true;
@@ -254,7 +331,21 @@ namespace System.Security.Cryptography.Pkcs
RemoveSignature(idx);
}
- internal ReadOnlySpan<byte> GetContentSpan() => _heldContent.Value.Span;
+ internal ReadOnlySpan<byte> GetHashableContentSpan()
+ {
+ ReadOnlyMemory<byte> content = _heldContent.Value;
+
+ if (!_hasPkcs7Content)
+ {
+ return content.Span;
+ }
+
+ // In PKCS#7 compat, only return the contents within the outermost tag.
+ // See https://tools.ietf.org/html/rfc5652#section-5.2.1
+ AsnReader reader = new AsnReader(content, AsnEncodingRules.BER);
+ // This span is safe to return because it's still bound under _heldContent.
+ return reader.PeekContentBytes().Span;
+ }
internal void Reencode()
{
diff --git a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
index 51468612c1..3211de7dbe 100644
--- a/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
+++ b/src/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
@@ -473,12 +473,17 @@ namespace System.Security.Cryptography.Pkcs
if (embeddedContent != null)
{
- hasher.AppendData(embeddedContent.Value.Span);
- }
+ // Unwrap the OCTET STRING manually, because of PKCS#7 compatibility.
+ // https://tools.ietf.org/html/rfc5652#section-5.2.1
+ ReadOnlyMemory<byte> hashableContent = SignedCms.GetContent(
+ embeddedContent.Value,
+ documentData.EncapContentInfo.ContentType);
+ hasher.AppendData(hashableContent.Span);
+ }
}
- hasher.AppendData(_document.GetContentSpan());
+ hasher.AppendData(_document.GetHashableContentSpan());
}
else
{
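Review bot: The embedded-content branch hashes whatever `SignedCms.GetContent` returns, and in the PKCS#7 fallback that is the whole value with its outer tag and length, whereas `GetHashableContentSpan` uses `PeekContentBytes()` to hash only the bytes inside the outermost tag in the same situation. The two paths therefore digest different bytes for the same kind of document. If the fallback can be reached on this branch it should strip the outer tag the same way; if it cannot, a comment such as `// PKCS#7 fallback is not expected here; GetContent then returns the value unchanged.` would record that. The enclosing method is only partly visible in the hunk.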
diff --git a/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedCmsTests.cs b/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedCmsTests.cs
index 22641599a6..fbb0950fcd 100644
--- a/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedCmsTests.cs
+++ b/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedCmsTests.cs
@@ -900,5 +900,173 @@ namespace System.Security.Cryptography.Pkcs.Tests
Assert.Throws<ArgumentOutOfRangeException>(() => cms.SignerInfos[-1]);
Assert.Throws<ArgumentOutOfRangeException>(() => cms.SignerInfos[1]);
}
+
+ [Theory]
+ [InlineData(SubjectIdentifierType.IssuerAndSerialNumber)]
+ [InlineData(SubjectIdentifierType.SubjectKeyIdentifier)]
+ public static void SignEnveloped(SubjectIdentifierType signerType)
+ {
+ using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey())
+ {
+ EnvelopedCms envelopedCms = new EnvelopedCms(new ContentInfo(new byte[] { 3 }));
+ envelopedCms.Encrypt(new CmsRecipient(signerType, cert));
+
+ SignedCms signedCms = new SignedCms(
+ new ContentInfo(new Oid(Oids.Pkcs7Enveloped), envelopedCms.Encode()));
+
+ signedCms.ComputeSignature(new CmsSigner(cert));
+ signedCms.CheckSignature(true);
+
+ SignerInfoCollection signers = signedCms.SignerInfos;
+ Assert.Equal(1, signers.Count);
+
+ CryptographicAttributeObjectCollection attrs = signers[0].SignedAttributes;
+ Assert.Equal(2, attrs.Count);
+
+ CryptographicAttributeObject firstAttrSet = attrs[0];
+ Assert.Equal(Oids.ContentType, firstAttrSet.Oid.Value);
+ Assert.Equal(1, firstAttrSet.Values.Count);
+ Assert.Equal(Oids.ContentType, firstAttrSet.Values[0].Oid.Value);
+ Assert.Equal("06092A864886F70D010703", firstAttrSet.Values[0].RawData.ByteArrayToHex());
+
+ CryptographicAttributeObject secondAttrSet = attrs[1];
+ Assert.Equal(Oids.MessageDigest, secondAttrSet.Oid.Value);
+ Assert.Equal(1, secondAttrSet.Values.Count);
+ Assert.Equal(Oids.MessageDigest, secondAttrSet.Values[0].Oid.Value);
+ }
+ }
+
+ [Theory]
+ [InlineData(Oids.Pkcs7Data, "0102", false)]
+ // NetFX PKCS7: The length exceeds the payload, so this fails.
+ [InlineData("0.0", "0102", true)]
+ [InlineData("0.0", "04020102", false)]
+ // NetFX PKCS7: The payload exceeds the length, so this fails.
+ [InlineData("0.0", "0402010203", true)]
+ [InlineData("0.0", "010100", false)]
+ [InlineData(Oids.Pkcs7Hashed, "010100", false)]
+ [InlineData(Oids.Pkcs7Hashed, "3000", false)]
+ public static void SignIdentifiedContent(string oidValue, string contentHex, bool netfxProblem)
+ {
+ SignedCms signedCms = new SignedCms(
+ new ContentInfo(new Oid(oidValue, "Some Friendly Name"), contentHex.HexToByteArray()));
+
+ using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey())
+ {
+ try
+ {
+ signedCms.ComputeSignature(new CmsSigner(cert));
+ }
+ catch (CryptographicException) when (netfxProblem)
+ {
+ // When no signed or unsigned attributes are present and the signer uses
+ // IssuerAndSerial as the identifier type, NetFx uses an older PKCS7 encoding
+ // of the current CMS one. The older encoding fails on these inputs because of a
+ // difference in PKCS7 vs CMS encoding of values using types other than Pkcs7Data.
+ return;
+ }
+
+ byte[] encoded = signedCms.Encode();
+ signedCms.Decode(encoded);
+ }
+
+ // Assert.NoThrows
+ signedCms.CheckSignature(true);
+
+ Assert.Equal(oidValue, signedCms.ContentInfo.ContentType.Value);
+ Assert.Equal(contentHex, signedCms.ContentInfo.Content.ByteArrayToHex());
+ }
+
+ [Theory]
+ [InlineData(null, "0102", Oids.Pkcs7Data)]
+ [InlineData(null, "010100", Oids.Pkcs7Data)]
+ [InlineData("potato", "010100", null)]
+ [InlineData(" 1.1", "010100", null)]
+ [InlineData("1.1 ", "010100", null)]
+ [InlineData("1 1", "010100", null)]
+ public static void SignIdentifiedContent_BadOid(string oidValueIn, string contentHex, string oidValueOut)
+ {
+ SignedCms signedCms = new SignedCms(
+ new ContentInfo(new Oid(oidValueIn, "Some Friendly Name"), contentHex.HexToByteArray()));
+
+ using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey())
+ {
+ Action signAction = () => signedCms.ComputeSignature(new CmsSigner(cert));
+
+ if (oidValueOut == null)
+ {
+ Assert.ThrowsAny<CryptographicException>(signAction);
+ return;
+ }
+
+ signAction();
+
+ byte[] encoded = signedCms.Encode();
+ signedCms.Decode(encoded);
+ }
+
+ // Assert.NoThrows
+ signedCms.CheckSignature(true);
+
+ Assert.Equal(oidValueOut, signedCms.ContentInfo.ContentType.Value);
+ Assert.Equal(contentHex, signedCms.ContentInfo.Content.ByteArrayToHex());
+ }
+
+ [Fact]
+ public static void CheckSignedEncrypted_IssuerSerial_FromNetFx()
+ {
+ CheckSignedEncrypted(
+ SignedDocuments.SignedCmsOverEnvelopedCms_IssuerSerial_NetFx,
+ SubjectIdentifierType.IssuerAndSerialNumber);
+ }
+
+ [Fact]
+ public static void CheckSignedEncrypted_SKID_FromNetFx()
+ {
+ CheckSignedEncrypted(
+ SignedDocuments.SignedCmsOverEnvelopedCms_SKID_NetFx,
+ SubjectIdentifierType.SubjectKeyIdentifier);
+ }
+
+ [Fact]
+ public static void CheckSignedEncrypted_IssuerSerial_FromCoreFx()
+ {
+ CheckSignedEncrypted(
+ SignedDocuments.SignedCmsOverEnvelopedCms_IssuerSerial_CoreFx,
+ SubjectIdentifierType.IssuerAndSerialNumber);
+ }
+
+ [Fact]
+ public static void CheckSignedEncrypted_SKID_FromCoreFx()
+ {
+ CheckSignedEncrypted(
+ SignedDocuments.SignedCmsOverEnvelopedCms_SKID_CoreFx,
+ SubjectIdentifierType.SubjectKeyIdentifier);
+ }
+
+ private static void CheckSignedEncrypted(byte[] docBytes, SubjectIdentifierType expectedType)
+ {
+ SignedCms signedCms = new SignedCms();
+ signedCms.Decode(docBytes);
+
+ Assert.Equal(Oids.Pkcs7Enveloped, signedCms.ContentInfo.ContentType.Value);
+
+ SignerInfoCollection signers = signedCms.SignerInfos;
+ Assert.Equal(1, signers.Count);
+ Assert.Equal(expectedType, signers[0].SignerIdentifier.Type);
+
+ // Assert.NotThrows
+ signedCms.CheckSignature(true);
+
+ EnvelopedCms envelopedCms = new EnvelopedCms();
+ envelopedCms.Decode(signedCms.ContentInfo.Content);
+
+ using (X509Certificate2 cert = Certificates.RSAKeyTransferCapi1.TryGetCertificateWithPrivateKey())
+ {
+ envelopedCms.Decrypt(new X509Certificate2Collection(cert));
+ }
+
+ Assert.Equal("42", envelopedCms.ContentInfo.Content.ByteArrayToHex());
+ }
}
}
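Review bot: The added tests only cover documents that verify; none shows that a document read through the PKCS#7 fallback fails verification once its content is altered. Because decode now accepts content that is not wrapped in an OCTET STRING, a negative case would pin that this leniency does not reach the digest check. I would copy `SignedCmsOverEnvelopedCms_IssuerSerial_NetFx`, change one byte of the encrypted payload, decode it, and expect `Assert.ThrowsAny<CryptographicException>(() => signedCms.CheckSignature(true));`.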
diff --git a/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedDocuments.cs b/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedDocuments.cs
index 8301399913..23d628be24 100644
--- a/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedDocuments.cs
+++ b/src/System.Security.Cryptography.Pkcs/tests/SignedCms/SignedDocuments.cs
@@ -491,5 +491,254 @@ namespace System.Security.Cryptography.Pkcs.Tests
"0906052B0E03021A0500300906072A8648CE380403042F302D021476DCB780CE" +
"D5B308A3630726A85DB97FBC50DFD1021500CDF2649B50500BB7428B9DCA6BEF" +
"2C7E7EF1B79C").HexToByteArray();
+
+ public static byte[] RsaPkcs1TwoCounterSignaturesInSingleAttribute = (
+ "30820BBA06092A864886F70D010702A0820BAB30820BA7020101310D300B0609" +
+ "608648016503040201301406092A864886F70D010701A00704050102030405A0" +
+ "82081D308201583081FFA003020102021035428F3B3C5107AD49E776D6E74C4D" +
+ "C8300A06082A8648CE3D04030230153113301106035504030C0A454344534120" +
+ "54657374301E170D3135303530313030333730335A170D313630353031303035" +
+ "3730335A30153113301106035504030C0A454344534120546573743059301306" +
+ "072A8648CE3D020106082A8648CE3D030107034200047590F69CA114E92927E0" +
+ "34C997B7C882A8C992AC00CEFB4EB831901536F291E1B515263BCD20E1EA3249" +
+ "6FDAC84E2D8D1B703266A9088F6EAF652549D9BB63D5A331302F300E0603551D" +
+ "0F0101FF040403020388301D0603551D0E0416041411218A92C5EB12273B3C5C" +
+ "CFB8220CCCFDF387DB300A06082A8648CE3D040302034800304502201AFE595E" +
+ "19F1AE4B6A4B231E8851926438C55B5DDE632E6ADF13C1023A65898E022100CB" +
+ "DF434FDD197D8B594E8026E44263BADE773C2BEBD060CC4109484A498E7C7E30" +
+ "82032C30820214A003020102020900E0D8AB6819D7306E300D06092A864886F7" +
+ "0D01010B05003038313630340603550403132D54776F2074686F7573616E6420" +
+ "666F7274792065696768742062697473206F662052534120676F6F646E657373" +
+ "301E170D3137313130333233353131355A170D3138313130333233353131355A" +
+ "3038313630340603550403132D54776F2074686F7573616E6420666F72747920" +
+ "65696768742062697473206F662052534120676F6F646E65737330820122300D" +
+ "06092A864886F70D01010105000382010F003082010A028201010096C114A589" +
+ "8D09133EF859F89C1D848BA8CB5258793E05B92D499C55EEFACE274BBBC26803" +
+ "FB813B9C11C6898153CC1745DED2C4D2672F807F0B2D957BC4B65EBC9DDE26E2" +
+ "EA7B2A6FE9A7C4D8BD1EF6032B8F0BB6AA33C8B57248B3D5E3901D8A38A283D7" +
+ "E25FF8E6F522381EE5484234CFF7B30C174635418FA89E14C468AD89DCFCBBB5" +
+ "35E5AF53510F9EA7F9DA8C1B53375B6DAB95A291439A5648726EE1012E41388E" +
+ "100691642CF6917F5569D8351F2782F435A579014E8448EEA0C4AECAFF2F4767" +
+ "99D88457E2C8BCB56E5E128782B4FE26AFF0720D91D52CCAFE344255808F5271" +
+ "D09F784F787E8323182080915BE0AE15A71D66476D0F264DD084F30203010001" +
+ "A3393037301D0603551D0E04160414745B5F12EF962E84B897E246D399A2BADE" +
+ "A9C5AC30090603551D1304023000300B0603551D0F040403020780300D06092A" +
+ "864886F70D01010B0500038201010087A15DF37FBD6E9DED7A8FFF25E60B731F" +
+ "635469BA01DD14BC03B2A24D99EFD8B894E9493D63EC88C496CB04B33DF25222" +
+ "544F23D43F4023612C4D97B719C1F9431E4DB7A580CDF66A3E5F0DAF89A267DD" +
+ "187ABFFB08361B1F79232376AA5FC5AD384CC2F98FE36C1CEA0B943E1E396119" +
+ "0648889C8ABE8397A5A338843CBFB1D8B212BE46685ACE7B80475CC7C97FC037" +
+ "7936ABD5F664E9C09C463897726650711A1110FA9866BC1C278D95E5636AB96F" +
+ "AE95CCD67FD572A8C727E2C03E7B242457318BEC1BE52CA5BD9454A0A41140AE" +
+ "96ED1C56D220D1FD5DD3B1B4FB2AA0E04FC94F7E3C7D476F298962245563953A" +
+ "D7225EDCEAC8B8509E49292E62D8BF3082038D3082034AA003020102020900AB" +
+ "740A714AA83C92300B060960864801650304030230818D310B30090603550406" +
+ "13025553311330110603550408130A57617368696E67746F6E3110300E060355" +
+ "040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420" +
+ "436F72706F726174696F6E3120301E060355040B13172E4E4554204672616D65" +
+ "776F726B2028436F7265465829311530130603550403130C313032342D626974" +
+ "20445341301E170D3135313132353134343030335A170D313531323235313434" +
+ "3030335A30818D310B3009060355040613025553311330110603550408130A57" +
+ "617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C06" +
+ "0355040A13154D6963726F736F667420436F72706F726174696F6E3120301E06" +
+ "0355040B13172E4E4554204672616D65776F726B2028436F7265465829311530" +
+ "130603550403130C313032342D62697420445341308201B73082012C06072A86" +
+ "48CE3804013082011F02818100AEE3309FC7C9DB750D4C3797D333B3B9B234B4" +
+ "62868DB6FFBDED790B7FC8DDD574C2BD6F5E749622507AB2C09DF5EAAD84859F" +
+ "C0706A70BB8C9C8BE22B4890EF2325280E3A7F9A3CE341DBABEF6058D063EA67" +
+ "83478FF8B3B7A45E0CA3F7BAC9995DCFDDD56DF168E91349130F719A4E717351" +
+ "FAAD1A77EAC043611DC5CC5A7F021500D23428A76743EA3B49C62EF0AA17314A" +
+ "85415F0902818100853F830BDAA738465300CFEE02418E6B07965658EAFDA7E3" +
+ "38A2EB1531C0E0CA5EF1A12D9DDC7B550A5A205D1FF87F69500A4E4AF5759F3F" +
+ "6E7F0C48C55396B738164D9E35FB506BD50E090F6A497C70E7E868C61BD4477C" +
+ "1D62922B3DBB40B688DE7C175447E2E826901A109FAD624F1481B276BF63A665" +
+ "D99C87CEE9FD06330381840002818025B8E7078E149BAC352667623620029F5E" +
+ "4A5D4126E336D56F1189F9FF71EA671B844EBD351514F27B69685DDF716B32F1" +
+ "02D60EA520D56F544D19B2F08F5D9BDDA3CBA3A73287E21E559E6A07586194AF" +
+ "AC4F6E721EDCE49DE0029627626D7BD30EEB337311DB4FF62D7608997B6CC32E" +
+ "9C42859820CA7EF399590D5A388C48A330302E302C0603551D11042530238704" +
+ "7F00000187100000000000000000000000000000000182096C6F63616C686F73" +
+ "74300B0609608648016503040302033000302D021500B9316CC7E05C9F79197E" +
+ "0B41F6FD4E3FCEB72A8A0214075505CCAECB18B7EF4C00F9C069FA3BC78014DE" +
+ "3182035A3082035602010130453038313630340603550403132D54776F207468" +
+ "6F7573616E6420666F7274792065696768742062697473206F66205253412067" +
+ "6F6F646E657373020900E0D8AB6819D7306E300B060960864801650304020130" +
+ "0B06092A864886F70D01010104820100457E2996B3A1AE5C7DC2F4EF4D9010F4" +
+ "8B62B72DFB43F2EDC503FD32408A1058EE7BBCF4750CB4B4242B11A599C40792" +
+ "70D32D15A57FF791FF59836A027E634B9B97E1764173597A9A6155D5ED5365F6" +
+ "5DF14FDD15928ABD63E1409DBF2D1A713D20D80E09EE76BC63775F3FA8638A26" +
+ "ED3816FF87C7CDC8A9299485055BFC38AE158BB6577812AA98436FB54844544A" +
+ "C92CD449690B8107447044580FAE590D8A7326A8D139886C8A4AC8CEEACB0458" +
+ "1666D8447D267F1A9E9CAB20F155E05D5EC055AC863C047B5E1E3A98528EA766" +
+ "7C19B33AD98B2D33ABBD7E607C1DA18BCDB87C626554C277E069CE9EC489BC87" +
+ "2E7DEAED4C642DE5AB10BD2D558EAFB3A18201EA308201E606092A864886F70D" +
+ "010906318201D73082010D02010130819B30818D310B30090603550406130255" +
+ "53311330110603550408130A57617368696E67746F6E3110300E060355040713" +
+ "075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72" +
+ "706F726174696F6E3120301E060355040B13172E4E4554204672616D65776F72" +
+ "6B2028436F7265465829311530130603550403130C313032342D626974204453" +
+ "41020900AB740A714AA83C92300706052B0E03021AA025302306092A864886F7" +
+ "0D0109043116041409200943E2EDD3DD3B186C5839BDC9B1051903FF30090607" +
+ "2A8648CE380403042F302D0215009FDBE95176B1EC0697155ADDF335E5126A9F" +
+ "59D60214736F650C74E73BEA577151BCFD226FEDC06832E53081C30201013029" +
+ "30153113301106035504030C0A45434453412054657374021035428F3B3C5107" +
+ "AD49E776D6E74C4DC8300B0609608648016503040201A031302F06092A864886" +
+ "F70D01090431220420DF5D49DB775A8F94CAB3129038B200EDE9FCD2AE8F039D" +
+ "B1AB96D9B827D299D2300A06082A8648CE3D0403020447304502202327A60E1A" +
+ "5A798CD29B72C7C7991F968D29DB15C4865BEE83A7E2FD73326CA4022100899F" +
+ "000179F77BFE296783548EAE56BA7F53C0DB0563A27A36A149BAEC9C23AC").HexToByteArray();
+
+ internal static readonly byte[] SignedCmsOverEnvelopedCms_IssuerSerial_NetFx = (
+ "3082047C06092A864886F70D010702A082046D30820469020101310B30090605" +
+ "2B0E03021A05003082012406092A864886F70D010703A0820115308201110609" +
+ "2A864886F70D010703A08201023081FF0201003181CC3081C90201003032301E" +
+ "311C301A060355040313135253414B65795472616E7366657243617069310210" +
+ "5D2FFFF863BABC9B4D3C80AB178A4CCA300D06092A864886F70D010101050004" +
+ "81800BB53BF3BD028A6B54703899B241CB358CACBF9018A4497A733C27EA223E" +
+ "05BD31099EB80AE04ADBB23A5E397C181A14476668402EFE3BCA08BCA615C743" +
+ "41FA06D56671AA940BF09B6B7B4C6905AD2927DE94960ED03DF141360589979F" +
+ "9944DB48B91AA1B139EB652D6A1BAC48DF33AF14006CD9DB4C09E7DA270733D0" +
+ "DF90302B06092A864886F70D010701301406082A864886F70D03070408E4972B" +
+ "4188B1B4FE80084CBF0A9D37B094EBA08202103082020C30820179A003020102" +
+ "02105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E03021D0500301E31" +
+ "1C301A060355040313135253414B65795472616E736665724361706931301E17" +
+ "0D3135303431353037303030305A170D3235303431353037303030305A301E31" +
+ "1C301A060355040313135253414B65795472616E73666572436170693130819F" +
+ "300D06092A864886F70D010101050003818D0030818902818100AA272700586C" +
+ "0CC41B05C65C7D846F5A2BC27B03E301C37D9BFF6D75B6EB6671BA9596C5C63B" +
+ "A2B1AF5C318D9CA39E7400D10C238AC72630579211B86570D1A1D44EC86AA8F6" +
+ "C9D2B4E283EA3535923F398A312A23EAEACD8D34FAACA965CD910B37DA4093EF" +
+ "76C13B337C1AFAB7D1D07E317B41A336BAA4111299F99424408D0203010001A3" +
+ "533051304F0603551D0104483046801015432DB116B35D07E4BA89EDB2469D7A" +
+ "A120301E311C301A060355040313135253414B65795472616E73666572436170" +
+ "693182105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E03021D050003" +
+ "81810081E5535D8ECEEF265ACBC82F6C5F8BC9D84319265F3CCF23369FA533C8" +
+ "DC1938952C5931662D9ECD8B1E7B81749E48468167E2FCE3D019FA70D5464697" +
+ "5B6DC2A3BA72D5A5274C1866DA6D7A5DF47938E034A075D11957D653B5C78E52" +
+ "91E4401045576F6D4EDA81BEF3C369AF56121E49A083C8D1ADB09F291822E99A" +
+ "42964631820119308201150201013032301E311C301A06035504031313525341" +
+ "4B65795472616E73666572436170693102105D2FFFF863BABC9B4D3C80AB178A" +
+ "4CCA300906052B0E03021A0500A03F301806092A864886F70D010903310B0609" +
+ "2A864886F70D010703302306092A864886F70D01090431160414FE46C861E86B" +
+ "719D0F665AFAE48165B56CDFBFD4300D06092A864886F70D0101010500048180" +
+ "32CEE36532673C2734C908A48B6E017FD695BE69FAC21028B6627466B72688D8" +
+ "60FC65F2F18E5C19FED2301351F247DF90217087C5F88D76CA052287E6A2F47F" +
+ "7DA5AC226B4FC202AB0B5B73A24B5C138247F54466621288F2DA941320C4CE89" +
+ "A503ED3E6F63112798A841E55344BEE84E1366E4CF3788C9788C5E86D1879029").HexToByteArray();
+
+ internal static readonly byte[] SignedCmsOverEnvelopedCms_SKID_NetFx = (
+ "3082046006092A864886F70D010702A08204513082044D020103310B30090605" +
+ "2B0E03021A05003082012806092A864886F70D010703A0820119048201153082" +
+ "011106092A864886F70D010703A08201023081FF0201003181CC3081C9020100" +
+ "3032301E311C301A060355040313135253414B65795472616E73666572436170" +
+ "693102105D2FFFF863BABC9B4D3C80AB178A4CCA300D06092A864886F70D0101" +
+ "0105000481803ECF128C059F49199D3344979BD0EBAC2A5443D4F27775B8CFAC" +
+ "7B1F28AFDDAD86097FF34DFB3ED2D514C325B78074D6D17CA14952EA954E860B" +
+ "D5980F2C629C70AE402D3E9E867246E532E345712DFA33C37EF141E2EBFD10F7" +
+ "249CFD193B313825CB7B297FB204DA755F02384659F51D97AB31F867C7E973C6" +
+ "28B9F6E43018302B06092A864886F70D010701301406082A864886F70D030704" +
+ "089FC5129D8AB0CDDE80086D7E35774EFA334AA08202103082020C30820179A0" +
+ "0302010202105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E03021D05" +
+ "00301E311C301A060355040313135253414B65795472616E7366657243617069" +
+ "31301E170D3135303431353037303030305A170D323530343135303730303030" +
+ "5A301E311C301A060355040313135253414B65795472616E7366657243617069" +
+ "3130819F300D06092A864886F70D010101050003818D0030818902818100AA27" +
+ "2700586C0CC41B05C65C7D846F5A2BC27B03E301C37D9BFF6D75B6EB6671BA95" +
+ "96C5C63BA2B1AF5C318D9CA39E7400D10C238AC72630579211B86570D1A1D44E" +
+ "C86AA8F6C9D2B4E283EA3535923F398A312A23EAEACD8D34FAACA965CD910B37" +
+ "DA4093EF76C13B337C1AFAB7D1D07E317B41A336BAA4111299F99424408D0203" +
+ "010001A3533051304F0603551D0104483046801015432DB116B35D07E4BA89ED" +
+ "B2469D7AA120301E311C301A060355040313135253414B65795472616E736665" +
+ "72436170693182105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E0302" +
+ "1D05000381810081E5535D8ECEEF265ACBC82F6C5F8BC9D84319265F3CCF2336" +
+ "9FA533C8DC1938952C5931662D9ECD8B1E7B81749E48468167E2FCE3D019FA70" +
+ "D54646975B6DC2A3BA72D5A5274C1866DA6D7A5DF47938E034A075D11957D653" +
+ "B5C78E5291E4401045576F6D4EDA81BEF3C369AF56121E49A083C8D1ADB09F29" +
+ "1822E99A4296463181FA3081F702010380146B4A6B92FDED07EE0119F3674A96" +
+ "D1A70D2A588D300906052B0E03021A0500A03F301806092A864886F70D010903" +
+ "310B06092A864886F70D010703302306092A864886F70D0109043116041435DE" +
+ "A4AE3B383A023271BA27D2D50EC021D40800300D06092A864886F70D01010105" +
+ "00048180386A2EB06AB0ED0111EB37214480CD782243C66105948AD8EAB3236A" +
+ "7ECF135F22B6558F3C601140F6BBDF313F7DB98B3E6277ED5C2407D57323348D" +
+ "A97F6A9653C7C219EE1B0E3F85A970FA6CFC00B53E72484F732916E6067E2F0D" +
+ "4D31EFF51CECD46F3EF245FEF8729C4E1F16C0A3054054477D6C787FC7C94D79" +
+ "A24AC54B").HexToByteArray();
+
+ internal static readonly byte[] SignedCmsOverEnvelopedCms_IssuerSerial_CoreFx = (
+ "3082048E06092A864886F70D010702A082047F3082047B020103310D300B0609" +
+ "6086480165030402013082012806092A864886F70D010703A082011904820115" +
+ "3082011106092A864886F70D010703A08201023081FF0201003181CC3081C902" +
+ "01003032301E311C301A060355040313135253414B65795472616E7366657243" +
+ "6170693102105D2FFFF863BABC9B4D3C80AB178A4CCA300D06092A864886F70D" +
+ "01010105000481801B7806566B26A92076D5C9F5A06FBC9AB1D53BD63D3B7F97" +
+ "569B683219C4BA0B285F2F3EF533387EDD7E6BE38DFDD1F33EBA8E5001238BD0" +
+ "E75B9A5C5E2504FD78954B372A2E8B183F4CBD2D239CB72D129E112D0476D9A9" +
+ "A00AF0EC700776F4719BC4838DBAC7F06C671F67B977ABDF449B42C98D28035A" +
+ "194CE2B786E8C8A2302B06092A864886F70D010701301406082A864886F70D03" +
+ "070408B4B41A525B6E8F628008767424A015173966A08202103082020C308201" +
+ "79A00302010202105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E0302" +
+ "1D0500301E311C301A060355040313135253414B65795472616E736665724361" +
+ "706931301E170D3135303431353037303030305A170D32353034313530373030" +
+ "30305A301E311C301A060355040313135253414B65795472616E736665724361" +
+ "70693130819F300D06092A864886F70D010101050003818D0030818902818100" +
+ "AA272700586C0CC41B05C65C7D846F5A2BC27B03E301C37D9BFF6D75B6EB6671" +
+ "BA9596C5C63BA2B1AF5C318D9CA39E7400D10C238AC72630579211B86570D1A1" +
+ "D44EC86AA8F6C9D2B4E283EA3535923F398A312A23EAEACD8D34FAACA965CD91" +
+ "0B37DA4093EF76C13B337C1AFAB7D1D07E317B41A336BAA4111299F99424408D" +
+ "0203010001A3533051304F0603551D0104483046801015432DB116B35D07E4BA" +
+ "89EDB2469D7AA120301E311C301A060355040313135253414B65795472616E73" +
+ "666572436170693182105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E" +
+ "03021D05000381810081E5535D8ECEEF265ACBC82F6C5F8BC9D84319265F3CCF" +
+ "23369FA533C8DC1938952C5931662D9ECD8B1E7B81749E48468167E2FCE3D019" +
+ "FA70D54646975B6DC2A3BA72D5A5274C1866DA6D7A5DF47938E034A075D11957" +
+ "D653B5C78E5291E4401045576F6D4EDA81BEF3C369AF56121E49A083C8D1ADB0" +
+ "9F291822E99A42964631820125308201210201013032301E311C301A06035504" +
+ "0313135253414B65795472616E73666572436170693102105D2FFFF863BABC9B" +
+ "4D3C80AB178A4CCA300B0609608648016503040201A04B301806092A864886F7" +
+ "0D010903310B06092A864886F70D010703302F06092A864886F70D0109043122" +
+ "042018BEF3F24109B4BCD5BF3D5372EA7A0D16AF6DF46DE9BE5C2373DF065381" +
+ "5E13300B06092A864886F70D01010104818016A02798B3CEC42BE258C85A4BED" +
+ "06099339C9E716B8C72A3330923BE4B6A0538A5DCE031CD710589E8281E24074" +
+ "F26AB6B86CEACF78449B82FF1512F511B5A97ABA4403029E2BA1D837D3F9D230" +
+ "45E0EB3CE59E3AF7E52B814EFCBBCFD7A442327C5C408D166D4302AEFF807ECB" +
+ "D107C811DC66EC35FE167408B58FB03B7F84").HexToByteArray();
+
+ internal static readonly byte[] SignedCmsOverEnvelopedCms_SKID_CoreFx = (
+ "3082047006092A864886F70D010702A08204613082045D020103310D300B0609" +
+ "6086480165030402013082012806092A864886F70D010703A082011904820115" +
+ "3082011106092A864886F70D010703A08201023081FF0201003181CC3081C902" +
+ "01003032301E311C301A060355040313135253414B65795472616E7366657243" +
+ "6170693102105D2FFFF863BABC9B4D3C80AB178A4CCA300D06092A864886F70D" +
+ "0101010500048180724D9D5E0D2110B8147589120524B1D1E7019A3F436AD459" +
+ "3DF555413423AE28FCBA01548B20FDCA21901ECF6B54331542CECD4326C7E292" +
+ "54AA563D7F38C2287C146B648E6779FA3843FB0F11A3726265266DF87BAAF04B" +
+ "AA1DD4825B9FFFEBD1DC47414EA4978580A03484B9159E57045018DAA3054704" +
+ "84046F89465169A0302B06092A864886F70D010701301406082A864886F70D03" +
+ "0704087E74D74C2652F5198008930CBA811F9E9E15A08202103082020C308201" +
+ "79A00302010202105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E0302" +
+ "1D0500301E311C301A060355040313135253414B65795472616E736665724361" +
+ "706931301E170D3135303431353037303030305A170D32353034313530373030" +
+ "30305A301E311C301A060355040313135253414B65795472616E736665724361" +
+ "70693130819F300D06092A864886F70D010101050003818D0030818902818100" +
+ "AA272700586C0CC41B05C65C7D846F5A2BC27B03E301C37D9BFF6D75B6EB6671" +
+ "BA9596C5C63BA2B1AF5C318D9CA39E7400D10C238AC72630579211B86570D1A1" +
+ "D44EC86AA8F6C9D2B4E283EA3535923F398A312A23EAEACD8D34FAACA965CD91" +
+ "0B37DA4093EF76C13B337C1AFAB7D1D07E317B41A336BAA4111299F99424408D" +
+ "0203010001A3533051304F0603551D0104483046801015432DB116B35D07E4BA" +
+ "89EDB2469D7AA120301E311C301A060355040313135253414B65795472616E73" +
+ "666572436170693182105D2FFFF863BABC9B4D3C80AB178A4CCA300906052B0E" +
+ "03021D05000381810081E5535D8ECEEF265ACBC82F6C5F8BC9D84319265F3CCF" +
+ "23369FA533C8DC1938952C5931662D9ECD8B1E7B81749E48468167E2FCE3D019" +
+ "FA70D54646975B6DC2A3BA72D5A5274C1866DA6D7A5DF47938E034A075D11957" +
+ "D653B5C78E5291E4401045576F6D4EDA81BEF3C369AF56121E49A083C8D1ADB0" +
+ "9F291822E99A429646318201073082010302010380146B4A6B92FDED07EE0119" +
+ "F3674A96D1A70D2A588D300B0609608648016503040201A04B301806092A8648" +
+ "86F70D010903310B06092A864886F70D010703302F06092A864886F70D010904" +
+ "31220420873B6A3B7CE192922129761C3EDD8D68C4A6B0369F3BF5B3D30B0A9E" +
+ "2336A8F4300B06092A864886F70D0101010481807D31B3260AE00DE3992DDD1E" +
+ "B01FDECA28053F2B87AA723CCD27B92896E3199F7C4B3B4A391C181899E5CBD1" +
+ "4A4BCDDFF6DC6CD10CA118DAA62E32589F066D1669D2948E51B5363B7BEE2BA9" +
+ "351CDE1791D118E552F0C8A4FB58EC7C34F5BAB2D562B415C4B3F673179B8410" +
+ "86A9B0F03ED56DBD4FA9CBB775307C9BB3045F72").HexToByteArray();
}
}
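Review bot: `RsaPkcs1TwoCounterSignaturesInSingleAttribute` is declared `public static byte[]`, while the four documents added below it in this hunk are `internal static readonly byte[]`. A public field that is not readonly lets any test reassign data the others share; `internal static readonly byte[] RsaPkcs1TwoCounterSignaturesInSingleAttribute = (` would match its neighbours. It is also not referenced by the tests added in this commit, so it may belong to a different change.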