EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CMS signer

Posted: 05/06/2009 03:37:46
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

Thanks you it's good.
Now, i'mlooking up the difference between my sign and the third party sign. I could see my sign have 2 attributes more.
The attributes are :
OID : 1.2.840.113549.1.9.4 (MessageDigest)
OID : 1.2.840.113549. (?????)

How can i do for this attributes are not include in signature with CMS ?
I use :
Posted: 05/06/2009 04:44:43
by Ken Ivanov (Team)

Message digest attribute is always added if the signature contains one or more signed attributes. Only unsigned attributes can be added to the signature if you wish to prevent the message digest from being included to it.

The second OID stands for the SB_OID_COMMITMENT_TYPE type. This attribute is not added to the signature, unless you are explicitly setting TElCMSSignature.CommitmentTypeIndication.Included to true.
Posted: 05/26/2009 11:39:13
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

My sig file can't be read by the third product. He said me there is problem with the encoding asn1 in ocsp part, his library said him " unexpected tag ENUMERATED instead of SEQUENCE"

For adding ocsp to my sign i use this code :
procedure TSignCMS.AddOCSP(Sig : TElCMSSignature; Cert : TElX509Certificate);
  status : array[TElOCSPServerError] of string =
    ('Success', 'Malformed request', 'Internal error', 'Try later', '', 'Signature required', 'Unauthorized');
  HTTPCli : TElHTTPSClient;
  Chain,CertToVerif : TElMemoryCertStorage;
  ServerOCSPResult: TElOCSPServerError;
  ValidityOCSP : TSBCertificateValidity;
  ReasonOCSP : TSBCertificateValidityReason;
  ReplyOCsp : ByteArray;
  resocsp,indexofOcsp,i : Integer;
    MemoForDisplay.Lines.Add('Processus de vérification de certificat');
    Chain := TElMemoryCertStorage.Create(nil);
    CertToVerif:= TElMemoryCertStorage.Create(nil);
    ConstructeChain(Cert,false,chain);//add all issuer of the cert in chain certstorage
    OCSPCli := TElHTTPOCSPClient.Create(nil);
    HTTPCli:= TElHTTPSClient.Create(nil);
    if pos('https://',OCSPCli.URL)>0 then
    resocsp := OCSPCli.PerformRequest(ServeroCSPResult,ReplyOcsp);
    MemoForDisplay.Lines.Add('Analyse de la réponse de preuve de validité de certificat');
    if resOCSP <> 0 then
      case resOCSP of
        SB_OCSP_ERROR_NO_PARAMETERS: MemoForDisplay.Lines.Add('URL not specified');
        SB_OCSP_ERROR_NO_REPLY: MemoForDisplay.Lines.Add('Failed to retrieve a reply from OCSP server');
        SB_OCSP_ERROR_WRONG_SIGNATURE: MemoForDisplay.Lines.Add('Reply from OCSP server contains invalid or broken signature');
        SB_OCSP_ERROR_NO_CERTIFICATES: MemoForDisplay.Lines.Add('No certificates have been specified for checking');
        SB_OCSP_ERROR_NO_ISSUER_CERTIFICATES: MemoForDisplay.Lines.Add('No issuer certificates were found');
          MemoForDisplay.Lines.Add(Format('Error %x happened when trying to check certificate status', [resOCSP]));
      MemoForDisplay.Lines.Add('The server replied with the following status: ' + status[ServerOCSPResult]);
      if ServerOCSPResult = oseSuccessful then
        // First validate the server certificates
        ValidityOCSP := cvStorageError;
        if OCSPCli.ReplyCertificates.Count = 0 then
          MemoForDisplay.Lines.Add('The server didn''t include signing certificates to the reply');
        for i := OCSPCli.ReplyCertificates.Count - 1 downto 0 do
          ValidityOCSP := OCSPCli.ReplyCertificates.Validate(OCSPCli.ReplyCertificates.Certificates[i], ReasonOCSP);
          if ValidityOCSP = cvInvalid then
        if ValidityOCSP = cvInvalid then
          MemoForDisplay.Lines.Add('One of certificates, used to sign the reply, is not valid');
        // Next, check certificate's status
        for i := 0 to CertToVerif.Count -1 do
          case OCSPCli.CertStatus[i] of
            csGood: MemoForDisplay.Lines.Add(Format('Certificate %d is ok', [i]));
            csRevoked: begin MemoForDisplay.Lines.Add(Format('Certificate %d has been revoked at %s', [i, DateTimeToStr(OCSPCli.RevocationTime[i])]));end;
            csUnknown: begin MemoForDisplay.Lines.Add(Format('Certificate %d is not known to OCSP server', [i]));end;
        sig.CustomUnsignedAttributes.Attributes[sig.CustomUnsignedAttributes.Count-1]:= SB_OCSP_OID_BASIC_RESPONSE;

    if Chain <> nil then
    if CertToVerif <> nil then

I join to the message an exemple of the sig file(encoded base64 .sig and not encoded .sig.dec).

Could you said me if there is an error in my code and/or in my sign file ?
Thanks for your help
Posted: 05/26/2009 14:25:43
by Ken Ivanov (Team)

There is no file attached, sorry. Please be sure to use .ZIP format.
Posted: 05/27/2009 03:07:58
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 36

i add a third party software sig file

[ Download ]
Posted: 05/27/2009 03:57:06
by Ken Ivanov (Team)

Your code puts the whole OCSP response to the signature, while the verifying party only seems to expect the internal BasicOCSPResponse structure. Please use the following code to get the basic response and add it as an attribute (writing on the knee, so minor mistakes/typos are legal):
  BasicResponse : BufferType;
  BasicResponseSize : integer;
// obtaining OCSP response
resocsp := OCSPCli.PerformRequest(ServeroCSPResult,ReplyOcsp);

// checking that the response is OK

// obtaining basic response
BasicResponseSize := 0;
OCSPCli.Response.Save(nil, BasicResponseSize);
SetLength(BasicResponse, BasicResponseSize);
OCSPCli.Response.Save(@BasicResponse[1], BasicResponseSize);
SetLength(BasicResponse, BasicResponseSize);

// doing other things

// adding basic response as an attribute
sig.CustomUnsignedAttributes.Attributes[sig.CustomUnsignedAttributes.Count-1]:= SB_OCSP_OID_BASIC_RESPONSE;



Topic viewed 8510 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!