Discuss this help topic in SecureBlackbox Forum

Sign data with X.509 certificates

SecureBlackbox offers a simple way for signing data with X.509 certificates compliant with PKCS#7 message standard. This standard allows to sign the same content by an arbitrary number of signers, represented by their certificates. The content is signed with the signers' private keys; each signature can be verified with the corresponding public certificate.

Note, that there are several components in SecureBlackbox that work with PKCS#7 signatures on different levels. This article discusses the simplest of all, TElMessageSigner. If you are looking for a more granulated access or a strict compliance with PKCS#7-based signatures standards (such as CMS or CAdES), please take a look at TElSignedCMSMessage and TElCAdESSignatureProcessor components.

To sign you data:

  1. Load your signing certificate(s) into a TElMemoryCertStorage object as described here. At least one of the certificates should have its private key attached, in either exportable or non-exportable form. Other certificates are included to the signature blob but are not used for signing. Often the signing certificate is accompanied with its chain up to the root certificate. It makes the signature verifiable in different environments, even when some certificates forming the chain are missing.
  2. Initialize TElMessageSigner: TElMessageSigner signer = new TElMessageSigner();
  3. Attach the certificate storage to the signer object: signer.CertStorage = certStorage;
  4. Set additional message properties if needed:
    signer.SigningTime = DateTime.UtcNow;
    signer.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
  5. Configure custom signed and unsigned attributes:
    signer.AuthenticatedAttributes.Count = 1;
    signer.AuthenticatedAttributes.set_OIDs(0, SBStrUtils.Unit.StrToOID(""));
    signer.AuthenticatedAttributes.get_Values(0).Add(SBASN1Tree.Unit.FormatAttributeValue(SBASN1Tree.Unit.SB_ASN1_UTF8STRING, Encoding.UTF8.GetBytes("My content")));
    Note, that MD5 and SHA1 hashes are prone to certain types of cryptographic attacks. SHA-2 algorithms (SHA256, SHA384, SHA512) are more secure. However, not all applications support SHA-2.
  6. Pass your data to the Sign() method. If you wish to create a detached signature (i.e., where the signature is stored separately alongside plain data), pass true to the Detached parameter. To create an enveloping signature (where the data is included in the signature blob), set Detached to false: signer.Sign(inputStream, signatureStream, true); That's it, signatureStream now contains the new signature.

Additional information

If you need to create a MAC signature, set SignatureType property accordingly. signer.SignatureType = mstMAC; In case of MAC signature you need to specify the recepients' certificates using the RecipientCerts property. Only the owners of the private keys corresponding to RecipientCerts will be able to decrypt and validate the MAC signature.

To sign the already signed data, use the Countersign() method.

How To articles about PKCS7 signing and encryption

Discuss this help topic in SecureBlackbox Forum