Sign data with X.509 certificates
SecureBlackbox offers a simple way for signing data with X.509 certificates compliant with PKCS#7 message standard. This standard allows to sign the same content by an arbitrary number of signers, represented by their certificates. The content is signed with the signers' private keys; each signature can be verified with the corresponding public certificate.
Note, that there are several components in SecureBlackbox that work with PKCS#7 signatures on different levels. This article discusses the simplest of all, TElMessageSigner. If you are looking for a more granulated access or a strict compliance with PKCS#7-based signatures standards (such as CMS or CAdES), please take a look at TElSignedCMSMessage and TElCAdESSignatureProcessor components.
To sign you data:
TElMessageSigner signer = new TElMessageSigner();
signer.CertStorage = certStorage;
signer.SigningTime = DateTime.UtcNow; signer.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
Note, that MD5 and SHA1 hashes are prone to certain types of cryptographic attacks. SHA-2 algorithms (SHA256, SHA384, SHA512) are more secure. However, not all applications support SHA-2.
signer.AuthenticatedAttributes.Count = 1; signer.AuthenticatedAttributes.set_OIDs(0, SBStrUtils.Unit.StrToOID("188.8.131.52.5.6.7")); signer.AuthenticatedAttributes.get_Values(0).Add(SBASN1Tree.Unit.FormatAttributeValue(SBASN1Tree.Unit.SB_ASN1_UTF8STRING, Encoding.UTF8.GetBytes("My content")));
signer.Sign(inputStream, signatureStream, true);That's it, signatureStream now contains the new signature.
If you need to create a MAC signature, set SignatureType property accordingly.
signer.SignatureType = mstMAC;
In case of MAC signature you need to specify the recepients' certificates using the RecipientCerts property.
Only the owners of the private keys corresponding to RecipientCerts will be able to decrypt and validate the MAC signature.
To sign the already signed data, use the Countersign() method.