Sign and counter-sign the data (embedded and detached signatures)

To sign data with X.509 certificates in PKCS#7 (CMS) format, use the TElMessageSigner component.

First, specify the certificate(s) that will be used for signing. Signing requires the certificates together with their corresponding private keys; a certificate without its private key cannot produce a signature. The storage holding these certificates is assigned to the CertStorage property of TElMessageSigner.

If you need to create a MAC signature instead of a public-key signature, set the SignatureType property. For a MAC signature you must also specify the recipients' certificates in the RecipientCerts property of TElMessageSigner. Only the holders of the private keys matching the certificates in RecipientCerts can decrypt the MAC key and validate the MAC signature; unlike a public-key signature, a MAC cannot be checked by an arbitrary third party.

Use the IncludeCertificates property to control whether the signing certificates are embedded in the signature. If they are not included, the signature carries only a reference to the signer, and the verifying party must already have the certificates (for example in a local store) in order to validate it.

To choose the hash (digest) algorithm used when creating the signature, set the HashAlgorithm property. MD5 and SHA-1 are vulnerable to practical collision attacks, which let an attacker produce two different documents that share one signature, so prefer SHA-2 (SHA-256, SHA-384 or SHA-512). The trade-off is that some older applications that will verify the signature do not support SHA-2, so check the verifier's capabilities before choosing.

To attach attributes (arbitrary information bound to the signed data), use the AuthenticatedAttributes and UnauthenticatedAttributes properties of TElMessageSigner. Authenticated (signed) attributes are covered by the signature and cannot be altered without invalidating it; unauthenticated attributes are not covered and can be added or changed after signing.

To timestamp the signature, set the TSPClient property to refer to the timestamping component. Read more about timestamping in the corresponding how-to article.

The final step is to call the Sign() method of TElMessageSigner. Its Detached parameter selects the type of signature created. A regular (embedded) signature "wraps" the data, so the signed message contains both the data and the signature. A detached signature does not include the data being signed, so the verifying party must be given the original data separately, byte-for-byte identical to what was signed.

To sign data that has already been signed, call the Countersign() method of TElMessageSigner.

In SecureBlackbox 5 and later two input options are available: you can sign a data buffer or a data stream. To sign a text string, either build a data buffer from it (encoding it to bytes) or write it to a MemoryStream (available in .NET Framework and in VCL) and pass that memory stream as the input stream. Record which text encoding you used, because the verifier has to reproduce exactly the same bytes.
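The two signature types, the digest choice and the effect of leaving the certificate out, as an added example that uses the OpenSSL command line rather than TElMessageSigner (this is not code from the page or from SecureBlackbox; it produces the same kind of PKCS#7/CMS SignedData so the output can be inspected offline). It assumes an openssl binary on PATH; the payload and the self-signed signer certificate are constructed inside the script. The options mirror the properties above: -md corresponds to HashAlgorithm, -nodetach to calling Sign() with Detached set to false, and -nocerts to IncludeCertificates set to false.

```shell
#!/bin/sh
# Added example, not SecureBlackbox code: produce and check the kinds of
# PKCS#7/CMS SignedData described above (embedded vs detached, SHA-256 digest,
# with and without the signer certificate) using the OpenSSL command line.
# Assumes the openssl binary is on PATH; the payload and the self-signed
# signer certificate below are constructed here for the demonstration.
set -eu

WORK=$(mktemp -d)
DATA="$WORK/data.txt"
KEY="$WORK/signer.key"
CERT="$WORK/signer.crt"

# Constructed sample payload and a throwaway self-signed signer certificate
# (the equivalent of the certificate plus private key placed in CertStorage).
printf 'invoice 4711: pay 100 EUR to account 12-34\n' > "$DATA"
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Example Signer' -days 1 \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1

# Embedded ("wrapping") signature: the SignedData carries the content, so a
# verifier recovers the data from the signature itself. -binary keeps the
# bytes exactly as given (no text-mode line-ending canonicalisation).
sign_embedded() {            # $1 = input file, $2 = output DER
    openssl cms -sign -binary -md sha256 -nodetach \
        -signer "$CERT" -inkey "$KEY" -in "$1" -outform DER -out "$2"
}

# Detached signature: no eContent; the verifier must be handed the original
# bytes separately (see -content in verify_detached).
sign_detached() {            # $1 = input file, $2 = output DER
    openssl cms -sign -binary -md sha256 \
        -signer "$CERT" -inkey "$KEY" -in "$1" -outform DER -out "$2"
}

# Detached signature without the signer certificate, the analogue of
# IncludeCertificates = false: the verifier must obtain the certificate
# from somewhere else (passed here with -certfile).
sign_detached_nocerts() {    # $1 = input file, $2 = output DER
    openssl cms -sign -binary -md sha256 -nocerts \
        -signer "$CERT" -inkey "$KEY" -in "$1" -outform DER -out "$2"
}

# Verify an embedded signature and write the recovered content to $2.
# -CAfile names the trust anchor; the self-signed signer cert plays that role.
verify_embedded() {          # $1 = DER signature, $2 = file for recovered data
    openssl cms -verify -binary -inform DER -in "$1" -CAfile "$CERT" -out "$2"
}

# Verify a detached signature against data supplied out of band. Extra
# arguments are passed to openssl (e.g. -certfile when the signature lacks
# the signer certificate). Exit status 0 means the signature is valid.
verify_detached() {          # $1 = DER signature, $2 = data file, $3.. = extra opts
    sig=$1; data=$2; shift 2
    openssl cms -verify -binary -inform DER -in "$sig" -content "$data" \
        -CAfile "$CERT" "$@" -out /dev/null
}

# --- demonstration (set -e stops the script if any expected-valid check fails)
sign_embedded "$DATA" "$WORK/embedded.der"
verify_embedded "$WORK/embedded.der" "$WORK/recovered.txt" 2>/dev/null
cmp -s "$DATA" "$WORK/recovered.txt"
echo "embedded: valid, content recovered from the signature itself"

sign_detached "$DATA" "$WORK/detached.der"
verify_detached "$WORK/detached.der" "$DATA" 2>/dev/null
echo "detached: valid against the original data"

# A detached signature only proves the exact bytes that were signed:
# any change to the data (or to its encoding) makes verification fail.
printf 'invoice 4711: pay 100 EUR to account 99-99\n' > "$WORK/tampered.txt"
if verify_detached "$WORK/detached.der" "$WORK/tampered.txt" 2>/dev/null; then
    echo "tampered: ACCEPTED (this must not happen)"
else
    echo "tampered: rejected"
fi

# Without the embedded certificate the verifier needs it from elsewhere.
sign_detached_nocerts "$DATA" "$WORK/nocerts.der"
verify_detached "$WORK/nocerts.der" "$DATA" -certfile "$CERT" 2>/dev/null
echo "nocerts: valid once the signer certificate was supplied with -certfile"

# The embedded form is larger because it carries the payload.
wc -c "$WORK/embedded.der" "$WORK/detached.der" "$WORK/nocerts.der"
```

Run it with sh; openssl cms -verify exits non-zero whenever the signature, the chain or the supplied data does not check out, which is why the tampered-data case is decided by the exit status and not by reading printed output. The MAC (SignatureType), attribute, countersignature and timestamp paths have no direct openssl cms equivalent in this script and are not covered by it.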

