EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Verify signing file

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
Posted: 04/02/2009 02:27:36
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

i'm testing your product.
I must sign all file and verify it with a X509Cert
It's seems to be good and now i want verify sign product by third software and i can't verify it.
The sig file is formatted like that :
-----BEGIN PKCS7-----
-----END PKCS7-----

This is not like formatted like my sig file

i use this for verify :

Function VerifyPKCS7(aSourceFile, aSigFile : String):string;
function GetAlgorithmName(AlgId : integer) : string;
case AlgId of
SB_ALGORITHM_CNT_3DES : Result := 'Triple DES';
SB_ALGORITHM_CNT_RC4 : Result := 'RC4';
SB_ALGORITHM_CNT_RC2 : Result := 'RC2';
SB_ALGORITHM_CNT_AES128 : Result := 'AES128';
SB_ALGORITHM_CNT_AES256 : Result := 'AES256';
SB_ALGORITHM_DGST_MD5 : Result := 'MD5';
SB_ALGORITHM_DGST_SHA256 : Result := 'SHA256';
SB_ALGORITHM_DGST_SHA384 : Result := 'SHA384';
SB_ALGORITHM_DGST_SHA512 : Result := 'SHA512';
Result := 'Unknown';
function WriteCertificateInfo(Storage : TElCustomCertStorage) : string;
I : integer;
Cert : TElX509Certificate;
Sz : word;
for I := 0 to Storage.Count - 1 do
Cert := Storage.Certificates[I];
Result := Result + 'Certificate #' + IntToStr(I + 1) + ':'#13#10;
Result := Result + 'Issuer: C=' + Cert.IssuerName.Country + ', L=' +
Cert.IssuerName.Locality + ', O=' + Cert.IssuerName.Organization + ', CN=' +
Cert.IssuerName.CommonName + #13#10;
Result := Result + 'Subject: C=' + Cert.SubjectName.Country + ', L=' +
Cert.SubjectName.Locality + ', O=' + Cert.SubjectName.Organization + ', CN=' +
Cert.SubjectName.CommonName + #13#10;
Sz := 0;
Cert.SaveKeyToBuffer(nil, Sz);
if Sz > 0 then
Result := Result + 'Private key available'#13#10#13#10
Result := Result + 'Private key is not available'#13#10#13#10;
var Fsig,fSource : file;
FsigBuf,fSourceBuf : array of byte;
I : Integer;
Verifier : TElMessageVerifier;
verifresult : TStringList;
Verifier := TElMessageVerifier.Create(nil);
AssignFile(FSig, aSigFile);
Reset(FSig, 1);
SetLength(FsigBuf, FileSize(FSig));
BlockRead(FSig, FsigBuf[0], Length(FsigBuf));

AssignFile(FSource, aSourceFile);
Reset(FSource, 1);
SetLength(FsourceBuf, FileSize(FSource));
BlockRead(FSource, FsourceBuf[0], Length(FsourceBuf));

if I = 0 then
verifresult.Add('Successfully verified!');
if Verifier.SignatureType = mstPublicKey then
verifresult.Add('Signature type: PUBLIC KEY');
verifresult.Add('Signature type: MAC');
verifresult.Add('MAC algorithm: ' + GetAlgorithmName(Verifier.MacAlgorithm));
verifresult.Add('Hash Algorithm: ' + GetAlgorithmName(Verifier.HashAlgorithm));
verifresult.Add('Certificates contained in message:');
verifresult.Add('Verification failed with error #' + IntToHex(I, 4));

What i forget ? and how can i generate similar sig file.
Posted: 04/02/2009 05:38:26
by Ken Ivanov (Team)

The third-party software you are using additionally encodes the signature in Base-64 form, so you have to decode it first. Please use SBPEM.TElPEMProcessor class to encode/decode such messages. Unfortunately, this class is internal and thus not documented, but its methods and properties are quite straightforward, so I am sure you will succeed in using it.
Posted: 04/02/2009 08:00:23
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

Thanks you, It's working.

Now i try to generate signature and encode in Base64.
I have a result but the result can't be verify.
With elMessageSigner
i use
I := ElMessageSigner1.Sign(@InBuf[0], Length(InBuf), @OutBuf[0], Sz,true);
if i=0 then
PEMProc:= TelPEMProcessor.Create(nil);
//encode Base64

SetLength(FBase64, Sz);
AssignFile(F, aFile+'.SIG');
Rewrite(F, 1);
BlockWrite(F, FBase64[0], Sz);

It is the good method for encode signature in Base64 ?
Posted: 04/02/2009 08:11:30
by Ken Ivanov (Team)

Yes, you can use PEMEncode for this purpose. However, your code is slightly incorrect:
// SetLength(FBase64, Sz); <-- not needed
AssignFile(F, aFile+'.SIG');
Rewrite(F, 1);
BlockWrite(F, FBase64[0], {Sz}Length(FBase64));
Posted: 04/03/2009 02:05:41
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

thank you you are wonderful.

Now i'll try to timestamp my sign.
Do you know if it exists free tsp server ? so how can i test timestamping ?
Posted: 04/03/2009 04:24:39
by Ken Ivanov (Team)

Posted: 04/03/2009 10:07:08
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

Thanks it's seems working.

2 other questions and i think that's be ok

I must verify a sig file generate by a third product. In this sig file there is a OCSP part.
How can i do access to this OCSP part with the ElMessageVerifier ?
And the second question is : i think i can generate the OCSP part with the OCSPclient in pkiblackbox but how can i integrate it in my sig file with the ElMessageSigner ?
Posted: 04/06/2009 00:02:19
by Ken Ivanov (Team)

Revocation information (such as OCSP responses and CRLs) is added to the signature using the attributes mechanism. Every signature may contain two sets of attributes, signed attributes and unsigned ones. Signed attributes are included to the signature calculation process and thus are covered by the signature. Unsigned attributes are not included to hash calculation, and this fact allows to add unsigned attributes to the existing signature in future without invalidating it. Each attribute is simply a (name, values) pair, where name is some OID (object identifier) and values is ASN.1-encoded content of the attribute.

There are several different attributes (with different OIDs) that correspond to OCSP response content. To be able to help you we need at least to know what standard (with regard to OCSP responses storing) should your application be conformant to.
Posted: 04/10/2009 07:39:15
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

I'm using an other third software for having this information :
When i sign a doc with eldos components i have 3 attributes :
Attribute 1 :
ident : 1.2.840.113549.1.9.5
Name : signingTime

Attribute 2 :
ident : 1.2.840.113549.1.9.4
name : messageDisgest

Attribute 3 :
ident : 1.2.840.113549.
name : timeStampToken

when i sign with th third software i have 2 attributes :
attribute 1:
ident : 1.2.840.113549.
name TimestampToken

attribute 2 :
ident :
name :

this second attribute seems to be the ocsp response and in this attributes the value is like :
SEQUENCE[C] = 4 elements
SEQUENCE[C] = 3 elements
SEQUENCE[C] = 3 elements
SET[C] = 1 elements
SEQUENCE[C] = 2 elements
OBJECT ID = countryName
PrintableString = "FR"
SET[C] = 1 elements

Is this what you expected?
Posted: 04/10/2009 08:06:11
by Ken Ivanov (Team)

The object identifier ( corresponds to the BasicOCSPResponse type. To get the response from the signature, you should iterate over the list of attributes (TElMessageVerifier.Attributes) until the attribute with the specified OID is found. Please use the SB_OCSP_OID_BASIC_RESPONSE constant declared in the SBOCSPCommon unit as a needed OID value.

The value of the attribute, once found, can be passed to the TElOCSPResponse.Load() method.

To put OCSP response to the signature, add an attribute to the TElMessageSigner.AuthenticatedAttributes. Specify the same SB_OCSP_OID_BASIC_RESPONSE OID and assign the content of the OCSP response that you need to be available in the signature to the attribute's value.
Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.



Topic viewed 6293 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!