Verify signing file

#9510
Posted: 04/02/2009 02:27:36
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

Hello,
I'm testing your product.
I must sign all files and verify them with an X509Cert.
It seems to be good, and now I want to verify a signature produced by third-party software and I can't verify it.
The sig file is formatted like this:
-----BEGIN PKCS7-----
MIIaIQYJKoZIhvcNAQcCoIIaEjCCGg4CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3
......
sXwC3lnOnh5S7gOihO8gIVHRZfC2
-----END PKCS7-----

This is not formatted like my sig file.

I use this to verify:

Function VerifyPKCS7(aSourceFile, aSigFile : String):string;

  // Maps a SecureBlackbox algorithm identifier to a display name.
  function GetAlgorithmName(AlgId : integer) : string;
  begin
    case AlgId of
      SB_ALGORITHM_CNT_3DES : Result := 'Triple DES';
      SB_ALGORITHM_CNT_RC4 : Result := 'RC4';
      SB_ALGORITHM_CNT_RC2 : Result := 'RC2';
      SB_ALGORITHM_CNT_AES128 : Result := 'AES128';
      SB_ALGORITHM_CNT_AES256 : Result := 'AES256';
      SB_ALGORITHM_DGST_MD5 : Result := 'MD5';
      SB_ALGORITHM_DGST_SHA1 : Result := 'SHA1';
      SB_ALGORITHM_DGST_SHA256 : Result := 'SHA256';
      SB_ALGORITHM_DGST_SHA384 : Result := 'SHA384';
      SB_ALGORITHM_DGST_SHA512 : Result := 'SHA512';
      SB_ALGORITHM_MAC_HMACSHA1 : Result := 'HMAC-SHA1';
    else
      Result := 'Unknown';
    end;
  end;

  // Lists issuer, subject and private-key availability for each certificate.
  function WriteCertificateInfo(Storage : TElCustomCertStorage) : string;
  var
    I : integer;
    Cert : TElX509Certificate;
    Sz : word;
  begin
    Result := ''; // start from an empty string before appending
    for I := 0 to Storage.Count - 1 do
    begin
      Cert := Storage.Certificates[I];
      Result := Result + 'Certificate #' + IntToStr(I + 1) + ':'#13#10;
      Result := Result + 'Issuer: C=' + Cert.IssuerName.Country + ', L=' +
        Cert.IssuerName.Locality + ', O=' + Cert.IssuerName.Organization + ', CN=' +
        Cert.IssuerName.CommonName + #13#10;
      Result := Result + 'Subject: C=' + Cert.SubjectName.Country + ', L=' +
        Cert.SubjectName.Locality + ', O=' + Cert.SubjectName.Organization + ', CN=' +
        Cert.SubjectName.CommonName + #13#10;
      // A zero-length probe returns the required buffer size for the private key.
      Sz := 0;
      Cert.SaveKeyToBuffer(nil, Sz);
      if Sz > 0 then
        Result := Result + 'Private key available'#13#10#13#10
      else
        Result := Result + 'Private key is not available'#13#10#13#10;
    end;
  end;

var
  Fsig,fSource : file;
  FsigBuf,fSourceBuf : array of byte;
  I : Integer;
  Verifier : TElMessageVerifier;
  verifresult : TStringList;
begin
  verifresult:=TStringList.Create;
  Verifier := TElMessageVerifier.Create(nil);

  // Read the signature file into memory exactly as stored on disk.
  AssignFile(FSig, aSigFile);
  Reset(FSig, 1);
  SetLength(FsigBuf, FileSize(FSig));
  BlockRead(FSig, FsigBuf[0], Length(FsigBuf));
  CloseFile(FSig);

  // Read the signed source file into memory.
  AssignFile(FSource, aSourceFile);
  Reset(FSource, 1);
  SetLength(FsourceBuf, FileSize(FSource));
  BlockRead(FSource, FsourceBuf[0], Length(FsourceBuf));
  CloseFile(FSource);

  // Verify the detached signature over the source data; 0 means success.
  I:=Verifier.VerifyDetached(@FsourceBuf[0],Length(FsourceBuf),@FsigBuf[0],Length(FsigBuf));
  if I = 0 then
  begin
    verifresult.Add('Successfully verified!');
    verifresult.Add('');
    if Verifier.SignatureType = mstPublicKey then
    begin
      verifresult.Add('Signature type: PUBLIC KEY');
      verifresult.Add('');
    end
    else
    begin
      verifresult.Add('Signature type: MAC');
      verifresult.Add('');
      verifresult.Add('MAC algorithm: ' + GetAlgorithmName(Verifier.MacAlgorithm));
    end;
    verifresult.Add('Hash Algorithm: ' + GetAlgorithmName(Verifier.HashAlgorithm));
    verifresult.Add('');
    verifresult.Add('Certificates contained in message:');
    verifresult.Add(WriteCertificateInfo(Verifier.Certificates));
  end
  else
    verifresult.Add('Verification failed with error #' + IntToHex(I, 4));
  result:=verifresult.Text;
  freeandNil(Verifier);
  verifresult.Free;
end;


What did I forget? And how can I generate a similar sig file?
#9513
Posted: 04/02/2009 05:38:26
by Ken Ivanov (EldoS Corp.)

The third-party software you are using additionally encodes the signature in Base-64 form, so you have to decode it first. Please use SBPEM.TElPEMProcessor class to encode/decode such messages. Unfortunately, this class is internal and thus not documented, but its methods and properties are quite straightforward, so I am sure you will succeed in using it.
#9522
Posted: 04/02/2009 08:00:23
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

Thank you, it's working.

Now I'm trying to generate a signature and encode it in Base64.
I have a result, but the result can't be verified.
With elMessageSigner
I use

I := ElMessageSigner1.Sign(@InBuf[0], Length(InBuf), @OutBuf[0], Sz,true);
if i=0 then
begin
  PEMProc:= TelPEMProcessor.Create(nil);
  PEMProc.Header:='PKCS7';
  //encode Base64
  PEMProc.PEMEncode(byteArray(OutBuf),ByteArray(FBase64),false);

  SetLength(FBase64, Sz);
  AssignFile(F, aFile+'.SIG');
  Rewrite(F, 1);
  BlockWrite(F, FBase64[0], Sz);
  CloseFile(F);

Is this a good method for encoding the signature in Base64?
#9523
Posted: 04/02/2009 08:11:30
by Ken Ivanov (EldoS Corp.)

Yes, you can use PEMEncode for this purpose. However, your code is slightly incorrect:
Code
PEMProc.PEMEncode(byteArray(OutBuf),ByteArray(FBase64),false);
// SetLength(FBase64, Sz); <-- not needed
AssignFile(F, aFile+'.SIG');
Rewrite(F, 1);
BlockWrite(F, FBase64[0], {Sz}Length(FBase64));
CloseFile(F);
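
Added example (not part of the original thread, and not SecureBlackbox code): a Python sketch of the two points made in the replies above, namely that an armored `.sig` file must be Base64-decoded back to DER before verification, and that writing the armored text with the DER length truncates it. The function names and the zero-filled sample are constructed for illustration, and the 64-character line wrap is an assumption matching the first line of the sample in the opening post.

```python
import base64, binascii, re

# DER encoding of OID 1.2.840.113549.1.7.2 (signedData)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_encode(der, label="PKCS7"):
    """Armor DER bytes as Base64 in 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + tag + b"-----\n")

def load_signature(data):
    """Return DER bytes whether the .sig file is raw DER or PEM-armored."""
    if data.lstrip().startswith(b"-----BEGIN "):
        m = PEM_RE.search(data)
        if not m:
            raise ValueError("BEGIN line without matching END line (truncated file?)")
        try:
            data = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt Base64 body") from exc
    # Heuristic sanity check: outer SEQUENCE whose first element is the signedData OID.
    if data[:1] != b"\x30" or SIGNED_DATA_OID not in data[:20]:
        raise ValueError("not a PKCS#7/CMS SignedData ContentInfo")
    return data

def truncated_armor(der):
    """The length mix-up from the thread: armored text cut to the DER byte count."""
    return pem_encode(der)[:len(der)]

# Constructed sample: valid ContentInfo header, zero-filled body (not a real signature).
SAMPLE_DER = b"\x30\x81\xa0" + SIGNED_DATA_OID + b"\xa0\x81\x92" + bytes(146)

if __name__ == "__main__":
    armored = pem_encode(SAMPLE_DER)
    print(len(SAMPLE_DER), len(armored))          # armored text is longer than the DER
    print(load_signature(armored) == SAMPLE_DER)
    try:
        load_signature(truncated_armor(SAMPLE_DER))
    except ValueError as exc:
        print("rejected:", exc)
```
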
#9542
Posted: 04/03/2009 02:05:41
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

Thank you, you are wonderful.

Now I'll try to timestamp my signature.
Do you know if a free TSP server exists? How can I test timestamping?
#9545
Posted: 04/03/2009 04:24:39
by Ken Ivanov (EldoS Corp.)

#9557
Posted: 04/03/2009 10:07:08
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

Thanks, it seems to be working.

Two other questions and I think that will be OK.

I must verify a sig file generated by a third-party product. In this sig file there is an OCSP part.
How can I access this OCSP part with the ElMessageVerifier?
And the second question is: I think I can generate the OCSP part with the OCSPclient in pkiblackbox, but how can I integrate it into my sig file with the ElMessageSigner?
#9564
Posted: 04/06/2009 00:02:19
by Ken Ivanov (EldoS Corp.)

Revocation information (such as OCSP responses and CRLs) is added to the signature using the attributes mechanism. Every signature may contain two sets of attributes, signed attributes and unsigned ones. Signed attributes are included in the signature calculation process and thus are covered by the signature. Unsigned attributes are not included in the hash calculation, and this fact allows unsigned attributes to be added to an existing signature in the future without invalidating it. Each attribute is simply a (name, values) pair, where name is some OID (object identifier) and values is the ASN.1-encoded content of the attribute.

There are several different attributes (with different OIDs) that correspond to OCSP response content. To be able to help you, we need at least to know what standard (with regard to storing OCSP responses) your application should conform to.
#9647
Posted: 04/10/2009 07:39:15
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

I'm using another third-party software to get this information:
When I sign a doc with EldoS components I have 3 attributes:
Attribute 1 :
ident : 1.2.840.113549.1.9.5
name : signingTime

Attribute 2 :
ident : 1.2.840.113549.1.9.4
name : messageDigest

Attribute 3 :
ident : 1.2.840.113549.1.9.16.2.14
name : timeStampToken

When I sign with the third-party software I have 2 attributes:
Attribute 1 :
ident : 1.2.840.113549.1.9.16.2.14
name : TimestampToken

Attribute 2 :
ident : 1.3.6.1.5.5.7.48.1.1
name : 1.3.6.1.5.5.7.48.1.1

This second attribute seems to be the OCSP response, and in this attribute the value is like:
1.3.6.1.5.5.7.48.1.1:
SEQUENCE[C] = 4 elements
SEQUENCE[C] = 3 elements
CONTEXTSPECIFIC[C] = [1] EXPLICIT
SEQUENCE[C] = 3 elements
SET[C] = 1 elements
SEQUENCE[C] = 2 elements
OBJECT ID = countryName
PrintableString = "FR"
SET[C] = 1 elements
.......

Is this what you expected?
#9648
Posted: 04/10/2009 08:06:11
by Ken Ivanov (EldoS Corp.)

The object identifier (1.3.6.1.5.5.7.48.1.1) corresponds to the BasicOCSPResponse type. To get the response from the signature, you should iterate over the list of attributes (TElMessageVerifier.Attributes) until the attribute with the specified OID is found. Please use the SB_OCSP_OID_BASIC_RESPONSE constant declared in the SBOCSPCommon unit as a needed OID value.

The value of the attribute, once found, can be passed to the TElOCSPResponse.Load() method.

To put the OCSP response into the signature, add an attribute to the TElMessageSigner.AuthenticatedAttributes. Specify the same SB_OCSP_OID_BASIC_RESPONSE OID and assign the content of the OCSP response that you need to be available in the signature to the attribute's value.
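
Added example (not part of the original thread, and not the SecureBlackbox API): the attribute lookup described in the reply above, written as a small Python DER walker that scans a set of (OID, values) attributes for 1.3.6.1.5.5.7.48.1.1 and returns the raw value bytes. The attribute set and the placeholder "response" bytes are constructed sample data, and all function names are hypothetical.

```python
OCSP_BASIC_RESPONSE = "1.3.6.1.5.5.7.48.1.1"    # OID quoted in the thread

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, body_start, body_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, pos, pos + length

def decode_oid(body):                            # OBJECT IDENTIFIER content -> dotted string
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def find_attribute(attr_set, wanted_oid):
    """Return the DER of the value(s) of the attribute with wanted_oid, or None."""
    tag, pos, end = read_tlv(attr_set, 0)
    if tag not in (0x31, 0xA0, 0xA1):            # SET, or CMS [0]/[1] IMPLICIT attribute sets
        raise ValueError("expected a set of attributes")
    while pos < end:
        tag, a_pos, a_end = read_tlv(attr_set, pos)       # Attribute ::= SEQUENCE
        t_oid, o_pos, o_end = read_tlv(attr_set, a_pos)   # attrType OBJECT IDENTIFIER
        t_set, v_pos, v_end = read_tlv(attr_set, o_end)   # attrValues SET OF ANY
        if (tag, t_oid, t_set) != (0x30, 0x06, 0x31):
            raise ValueError("malformed Attribute")
        if decode_oid(attr_set[o_pos:o_end]) == wanted_oid:
            return attr_set[v_pos:v_end]
        pos = a_end
    return None

def tlv(tag, body): return bytes([tag, len(body)]) + body  # sample encoder, lengths < 128 only
FAKE_OCSP = tlv(0x30, b"\x02\x01\x2a")            # placeholder bytes, not a real response
SAMPLE = tlv(0xA1,                                # constructed: timeStampToken + OCSP attribute
    tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010910020e")) + tlv(0x31, tlv(0x30, b"")))
    + tlv(0x30, tlv(0x06, bytes.fromhex("2b0601050507300101")) + tlv(0x31, FAKE_OCSP)))
```
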