After verification of timestamp problem

#7888
Posted: 10/16/2008 09:37:30
by David Martinez (Basic support level)
Joined: 10/16/2008
Posts: 13

Hi everybody,

First of all, I am a little bit confused about what I am trying to do because I am a newbie in this stuff, so if anything sounds stupid, please accept my apologies.

I have succeeded in signing a document buffered into an array of bytes. Now I want to timestamp this moment of signing. The process is the following:

SBHTTPTSPClient.TElHTTPTSPClient TSPClient = new SBHTTPTSPClient.TElHTTPTSPClient();

TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;
...
...
SBHashFunction.TElHashFunction hash = new SBHashFunction.TElHashFunction(SBConstants.Unit.SB_ALGORITHM_DGST_SHA1, new SBCryptoProvBuiltIn.TElBuiltInCryptoProvider());
hash.Update(bufsign, 0, bufsign.Length);
byte[] digest = hash.Finish();

int result, failureinfo;
int error = TSPClient.Timestamp(digest, out result, out failureinfo, out bufsignaturetsp);


I use a digest instead of bufsign (the signature of the document) because somewhere I read that I had to do so.
After this, error, result and failureinfo are 0, so I guess the process is good.

Later I rebuild the timestamp info with

SBTSPClient.TElClientTSPInfo tspinfo = new SBTSPClient.TElClientTSPInfo();
tspinfo.ParseCMS(bufsignaturetsp); // the ReplyCMS buffer returned by Timestamp() above

and it shows the information correctly.

My question is: later, having my document and its signature, how can I verify that this timestamp belongs to the document?

I assume the whole process could be wrong, but any help will be appreciated.

Thanks in advance.

David
#7889
Posted: 10/16/2008 10:03:57
by Ken Ivanov (EldoS Corp.)

Thank you for your interest in our products.

You are using a very low-level approach for creating a timestamp. Please use the high-level TElMessageSigner and TElMessageVerifier components to sign and validate the document instead. These classes encapsulate timestamp generation and validation, so you do not have to care about it in your code.
#7897
Posted: 10/17/2008 02:55:12
by David Martinez (Basic support level)
Joined: 10/16/2008
Posts: 13

OK, good.

I have used TElMessageSigner and TElMessageVerifier and now I have several byte[] buffers, such as the document, the signature and the timestamp (this is the ReplyCMS out parameter of the call to TimeStamp against a TimeStamp internet server).

Later I am going to store these buffers in a database, and in the future I would like to say "I can guarantee that this document was signed with this X509 certificate and this signature proves it". This is achieved, but I would like also to say "I can guarantee that the time contained in this timestamp is associated only with this document", and I am not sure about how to prove it.

I am thinking about something like the verify method of X509Certificate

bool Verify([in] byte[] InBuffer, [in] byte[] Signature);

to which I could pass the document and the timestamp, but I can't find it.

Any advice?

Thanks.
#7898
Posted: 10/17/2008 04:22:28
by Ken Ivanov (EldoS Corp.)

Quote
I have used TElMessageSigner and TElMessageVerifier and now I have several byte[] buffers, such as the document, the signature and the timestamp (this is the ReplyCMS out parameter of the call to TimeStamp against a TimeStamp internet server).

Actually, you should have two byte[] buffers: (a) the document itself and (b) the timestamped signature.

You do not need to use TElTSPClient object directly -- just assign it to TElMessageSigner.TSPClient property and the signature will be timestamped automatically by TElMessageSigner.Sign() method.

Quote
Later I am going to store these buffers in a database, and in the future I would like to say "I can guarantee that this document was signed with this X509 certificate and this signature proves it". This is achieved, but I would like also to say "I can guarantee that the time contained in this timestamp is associated only with this document", and I am not sure about how to prove it.

That's exactly what TElMessageVerifier does. Add the voVerifyTimestamps flag to its VerificationOptions property to make it validate timestamps automatically.
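The verification side of what is described above, as an added example that is not code from this thread or from EldoS. It assumes the classic SecureBlackbox .NET API: TElMessageVerifier.Verify(inBuf, start, size, outBuf, outStart, ref outSize) following the same two-pass size-query shape as Sign(), the SBMessages.Unit.voVerifyTimestamps constant, and get_Timestamps(i).Time on the verifier; the signature is assumed to be non-detached (Sign(..., false)), so the document is recovered from the CMS rather than passed in separately.

```csharp
using System;

// Added example, not from the thread or from EldoS. Assumed API: the Verify() call
// shape, SBMessages.Unit.voVerifyTimestamps and get_Timestamps(i).Time.
public static class TimestampedSignatureCheck
{
    // Returns true only if the CMS signature validates AND carries at least one
    // validated timestamp, so a signing time can be claimed for this document.
    public static bool VerifyAndExtract(byte[] signedCms,
                                        SBCustomCertStorage.TElCustomCertStorage trustedCerts,
                                        out byte[] document, out DateTime? timestampTime)
    {
        document = null;
        timestampTime = null;

        SBMessages.TElMessageVerifier verifier = new SBMessages.TElMessageVerifier();
        verifier.CertStorage = trustedCerts;   // trusted signer / CA certificates
        // voVerifyTimestamps makes the verifier validate the embedded TSP tokens.
        verifier.VerificationOptions = SBMessages.Unit.voVerifyTimestamps;

        // Same two-pass pattern as Sign(): the first call reports the required output size.
        int outSize = 0;
        byte[] outBuf = new byte[0];
        verifier.Verify(signedCms, 0, signedCms.Length, outBuf, 0, ref outSize);
        outBuf = new byte[outSize];
        int err = verifier.Verify(signedCms, 0, signedCms.Length, outBuf, 0, ref outSize);
        if (err != 0)
            return false;                      // the signature itself did not validate

        // A valid signature with no timestamp proves who signed, not when.
        // TimestampCount == 0 means the TSP client was never invoked during Sign().
        if (verifier.TimestampCount == 0)
            return false;

        // Timestamp 0 is the signature timestamp produced via TElMessageSigner.TSPClient.
        // Its token covers the signature value, and the signature covers the document,
        // so the time is bound to this document through the signature.
        timestampTime = verifier.get_Timestamps(0).Time;

        document = new byte[outSize];
        Array.Copy(outBuf, document, outSize);
        return true;
    }
}
```

Checking TimestampCount after a successful Verify() is the quick way to tell whether the stored signature actually carries a timestamp before relying on it.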
#7899
Posted: 10/17/2008 06:31:06
by David Martinez (Basic support level)
Joined: 10/16/2008
Posts: 13

I am trying to follow your instructions, but once the TElTSPClient is assigned to the TElMessageSigner.TSPClient property, I am sure that it is not being called in the signing process, because I am behind a proxy and if I change the proxy credentials to wrong ones it does not throw an exception.

If I call TElTSPClient.TimeStamp directly, it works and the server answers. In addition, the TimestampCount property of the verifier is 0 after a successful verification.

Some light?

I really appreciate the help you are giving me.

Thanks.
#7901
Posted: 10/17/2008 08:10:22
by Ken Ivanov (EldoS Corp.)

Quote
I am trying to follow your instructions, but once the TElTSPClient is assigned to the TElMessageSigner.TSPClient property, I am sure that it is not being called in the signing process, because I am behind a proxy and if I change the proxy credentials to wrong ones it does not throw an exception.

It is likely that the TSP client object is not set up appropriately. What value is returned by TElMessageSigner.Sign() call?
#7902
Posted: 10/17/2008 08:32:08
by David Martinez (Basic support level)
Joined: 10/16/2008
Posts: 13

Quote
Innokentiy Ivanov wrote:
It is likely that the TSP client object is not set up appropriately. What value is returned by TElMessageSigner.Sign() call?


It returns a 0, as expected.
#7903
Posted: 10/17/2008 08:37:09
by Ken Ivanov (EldoS Corp.)

Would you be so kind as to provide us with the exact code you are using?
#7904
Posted: 10/17/2008 08:49:24
by David Martinez (Basic support level)
Joined: 10/16/2008
Posts: 13

using System.IO; // needed for FileStream / FileMode

private void TimeStampSignature(byte[] bufsign, out byte[] bufsignaturetsp)
{
    SBMessages.TElMessageSigner signer = new SBMessages.TElMessageSigner();

    // Certificate storage that will hold the signing certificate loaded below
    SBCustomCertStorage.TElMemoryCertStorage memoryCertStorage = new SBCustomCertStorage.TElMemoryCertStorage();
    signer.CertStorage = memoryCertStorage;
    signer.RecipientCerts = memoryCertStorage;
    signer.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;
    signer.SigningOptions = SBMessages.Unit.soInsertMessageDigests | SBMessages.Unit.soInsertSigningTime;

    // TSP client: HTTP transport through the corporate proxy (credentials are hard-coded here)
    SBHTTPTSPClient.TElHTTPTSPClient TSPClient = new SBHTTPTSPClient.TElHTTPTSPClient();
    TSPClient.HTTPClient = new SBHTTPSClient.TElHTTPSClient();
    TSPClient.HTTPClient.UseDigestAuth = false;
    TSPClient.HTTPClient.SSLEnabled = false;
    TSPClient.HTTPClient.UseHTTPProxy = true;
    TSPClient.HTTPClient.HTTPProxyHost = "isaserver";
    TSPClient.HTTPClient.HTTPProxyPort = 8080;
    TSPClient.HTTPClient.HTTPProxyUsername = "dmartin4";
    TSPClient.HTTPClient.HTTPProxyPassword = "asdfghjk";
    TSPClient.URL = "http://tsp.iaik.tugraz.at/tsp/TspRequest";
    // Assigning the client here is what should make Sign() timestamp the signature
    signer.TSPClient = TSPClient;

    // Load the signing certificate (with private key) from a PFX file
    SBX509.TElX509Certificate cert = new SBX509.TElX509Certificate(null);
    FileStream fs = new FileStream(@"c:\temp\david2.pfx", FileMode.Open);
    cert.LoadFromStreamPFX(fs, "dmgli95", 0);
    signer.CertStorage.Add(cert, true);
    fs.Close();

    // Proceed to the timestamping
    int result = 0, failureinfo = 0;
    //int error = signer.TSPClient.Timestamp(bufsign, out result, out failureinfo, out bufsignaturetsp);
    // Two-pass call: the first Sign() reports the required output size, the second produces the signature
    int outsize = 0;
    bufsignaturetsp = new byte[0];
    int error = signer.Sign(bufsign, 0, bufsign.Length, bufsignaturetsp, 0, ref outsize, false);
    bufsignaturetsp = new byte[outsize];
    error = signer.Sign(bufsign, 0, bufsign.Length, bufsignaturetsp, 0, ref outsize, false);
}
#7906
Posted: 10/17/2008 09:43:34
by Ken Ivanov (EldoS Corp.)

Your code works fine for us. Can it be that the proxy is the reason? Please try to connect directly to the server and check if it changes something.