EldoS | Feel safer!

Software components for data protection, secure storage and transfer

CMS signer

#9928
Posted: 05/06/2009 03:37:46
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

Thank you, it's good.
Now I'm looking at the difference between my signature and the third party's signature. I could see my signature has 2 more attributes.
The attributes are:
OID : 1.2.840.113549.1.9.4 (MessageDigest)
OID : 1.2.840.113549.1.9.16.2.16 (?????)

How can I make these attributes not be included in the signature with CMS?
I use:
Code
TElCMSSignature(sig).SigningOptions:=[];//
#9930
Posted: 05/06/2009 04:44:43
by Ken Ivanov (EldoS Corp.)

The message digest attribute is always added if the signature contains one or more signed attributes. Only unsigned attributes can be added to the signature if you wish to prevent the message digest from being included in it.

The second OID stands for the SB_OID_COMMITMENT_TYPE type. This attribute is not added to the signature unless you explicitly set TElCMSSignature.CommitmentTypeIndication.Included to true.
#10155
Posted: 05/26/2009 11:39:13
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

My .sig file can't be read by the third-party product. They told me there is a problem with the ASN.1 encoding in the OCSP part; their library reports "unexpected tag ENUMERATED instead of SEQUENCE".

To add OCSP to my signature I use this code:
Code
procedure TSignCMS.AddOCSP(Sig : TElCMSSignature; Cert : TElX509Certificate);
const
  status : array[TElOCSPServerError] of string =
    ('Success', 'Malformed request', 'Internal error', 'Try later', '', 'Signature required', 'Unauthorized');
var
  OCSPCli : TElHTTPOCSPClient;
  HTTPCli : TElHTTPSClient;
  Chain,CertToVerif : TElMemoryCertStorage;
  ServerOCSPResult: TElOCSPServerError;
  ValidityOCSP : TSBCertificateValidity;
  ReasonOCSP : TSBCertificateValidityReason;
  ReplyOCsp : ByteArray;
  resocsp,indexofOcsp,i : Integer;
begin
  try
    MemoForDisplay.Lines.Add('Processus de vérification de certificat');
    Chain := TElMemoryCertStorage.Create(nil);
    CertToVerif:= TElMemoryCertStorage.Create(nil);
    CertToVerif.Add(Cert);
    ConstructeChain(Cert,false,chain);//add all issuer of the cert in chain certstorage
    OCSPCli := TElHTTPOCSPClient.Create(nil);
    OCSPCli.URL:=fOCSPURL;
    HTTPCli:= TElHTTPSClient.Create(nil);
    HTTPCli.UseCompression:=false;
    if pos('https://',OCSPCli.URL)>0 then
      HTTPCli.SSLEnabled:=true
    else
      HTTPCli.SSLEnabled:=false;
    OCSPCli.HTTPClient:=HTTPCli;
    OCSPCli.CertStorage:=CertToVerif;
    OCSPCli.IssuerCertStorage:=chain;
    resocsp := OCSPCli.PerformRequest(ServeroCSPResult,ReplyOcsp);
    MemoForDisplay.Lines.Add('Analyse de la réponse de preuve de validité de certificat');
    if resOCSP <> 0 then
    begin
      case resOCSP of
        SB_OCSP_ERROR_NO_PARAMETERS: MemoForDisplay.Lines.Add('URL not specified');
        SB_OCSP_ERROR_NO_REPLY: MemoForDisplay.Lines.Add('Failed to retrieve a reply from OCSP server');
        SB_OCSP_ERROR_WRONG_SIGNATURE: MemoForDisplay.Lines.Add('Reply from OCSP server contains invalid or broken signature');
        SB_OCSP_ERROR_NO_CERTIFICATES: MemoForDisplay.Lines.Add('No certificates have been specified for checking');
        SB_OCSP_ERROR_NO_ISSUER_CERTIFICATES: MemoForDisplay.Lines.Add('No issuer certificates were found');
        else
          MemoForDisplay.Lines.Add(Format('Error %x happened when trying to check certificate status', [resOCSP]));
      end;
    end
    else
    begin
      MemoForDisplay.Lines.Add('The server replied with the following status: ' + status[ServerOCSPResult]);
      if ServerOCSPResult = oseSuccessful then
      begin
        // First validate the server certificates
        ValidityOCSP := cvStorageError;
        if OCSPCli.ReplyCertificates.Count = 0 then
          MemoForDisplay.Lines.Add('The server didn''t include signing certificates to the reply');
        for i := OCSPCli.ReplyCertificates.Count - 1 downto 0 do
        begin
          ValidityOCSP := OCSPCli.ReplyCertificates.Validate(OCSPCli.ReplyCertificates.Certificates[i], ReasonOCSP);
          if ValidityOCSP = cvInvalid then
            break;
        end;
        if ValidityOCSP = cvInvalid then
          MemoForDisplay.Lines.Add('One of certificates, used to sign the reply, is not valid');
        // Next, check certificate's status
        for i := 0 to CertToVerif.Count -1 do
        begin
          case OCSPCli.CertStatus[i] of
            csGood: MemoForDisplay.Lines.Add(Format('Certificate %d is ok', [i]));
            csRevoked: begin MemoForDisplay.Lines.Add(Format('Certificate %d has been revoked at %s', [i, DateTimeToStr(OCSPCli.RevocationTime[i])]));end;
            csUnknown: begin MemoForDisplay.Lines.Add(Format('Certificate %d is not known to OCSP server', [i]));end;
          end;
        end;
        sig.CustomUnsignedAttributes.Count:=sig.CustomUnsignedAttributes.Count+1;
        sig.CustomUnsignedAttributes.Attributes[sig.CustomUnsignedAttributes.Count-1]:= SB_OCSP_OID_BASIC_RESPONSE;
        sig.CustomUnsignedAttributes.Values[sig.CustomUnsignedAttributes.Count-1].Add(StringOfBytes(ReplyOcsp));
      end;
    end;

  finally
    freeandnil(OCSPCli);
    if Chain <> nil then
        FreeAndNil(Chain);
    if CertToVerif <> nil then
      FreeAndNil(CertToVerif);
  end;
end;


I attach to the message an example of the .sig file (base64-encoded .sig and not encoded .sig.dec).

Could you tell me if there is an error in my code and/or in my signature file?
Thanks for your help
#10160
Posted: 05/26/2009 14:25:43
by Ken Ivanov (EldoS Corp.)

There is no file attached, sorry. Please be sure to use .ZIP format.
#10163
Posted: 05/27/2009 03:07:58
by delagoutte jean (Standard support level)
Joined: 04/02/2009
Posts: 34

I've added a third-party software .sig file.
#10164
Posted: 05/27/2009 03:57:06
by Ken Ivanov (EldoS Corp.)

Your code puts the whole OCSP response into the signature, while the verifying party only seems to expect the internal BasicOCSPResponse structure. Please use the following code to get the basic response and add it as an attribute (writing off the top of my head, so minor mistakes/typos are possible):
Code
var
  BasicResponse : BufferType;
  BasicResponseSize : integer;
...
// obtaining OCSP response
resocsp := OCSPCli.PerformRequest(ServeroCSPResult,ReplyOcsp);

// checking that the response is OK
...

// obtaining basic response
BasicResponseSize := 0;
OCSPCli.Response.Save(nil, BasicResponseSize);
SetLength(BasicResponse, BasicResponseSize);
OCSPCli.Response.Save(@BasicResponse[1], BasicResponseSize);
SetLength(BasicResponse, BasicResponseSize);

// doing other things
...

// adding basic response as an attribute
sig.CustomUnsignedAttributes.Count:=sig.CustomUnsignedAttributes.Count+1;
sig.CustomUnsignedAttributes.Attributes[sig.CustomUnsignedAttributes.Count-1]:= SB_OCSP_OID_BASIC_RESPONSE;
sig.CustomUnsignedAttributes.Values[sig.CustomUnsignedAttributes.Count-1].Add(BasicResponse);
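The structure Ken describes, as an added example that is not part of the thread or of SecureBlackbox: a minimal DER walker in Python that unwraps an OCSPResponse to the BasicOCSPResponse the verifier expects, and reproduces the "unexpected tag ENUMERATED instead of SEQUENCE" check that fails when the whole response is attached. The sample response is constructed, with a placeholder standing in for a real BasicOCSPResponse.

```python
ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
TAG_NAMES = {0x02: "INTEGER", 0x0A: "ENUMERATED", 0x30: "SEQUENCE", 0xA0: "[0]"}

def tag_name(tag):
    return TAG_NAMES.get(tag, hex(tag))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_basic_response(ocsp_response):
    """Unwrap OCSPResponse -> BasicOCSPResponse DER (RFC 2560, section 4.2.1)."""
    tag, body, _ = read_tlv(ocsp_response)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status, pos = read_tlv(body)        # responseStatus ENUMERATED
    if tag != 0x0A or status != b"\x00":
        raise ValueError("responseStatus is not 'successful'")
    tag, wrapper, _ = read_tlv(body, pos)    # responseBytes [0] EXPLICIT
    if tag != 0xA0:
        raise ValueError("responseBytes missing")
    _, rb, _ = read_tlv(wrapper)             # ResponseBytes SEQUENCE
    tag, rtype, pos = read_tlv(rb)           # responseType OID
    if tag != 0x06 or rtype != ID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    tag, inner, _ = read_tlv(rb, pos)        # response OCTET STRING
    if tag != 0x04:
        raise ValueError("response must be an OCTET STRING")
    return inner                             # the DER the attribute must carry

def check_basic_attribute(value):
    """Mimic the verifier: BasicOCSPResponse is a SEQUENCE whose first field,
    tbsResponseData, is a SEQUENCE. A whole OCSPResponse fails here because
    its first field is the ENUMERATED responseStatus."""
    tag, body, _ = read_tlv(value)
    first = tag if tag != 0x30 else read_tlv(body)[0]
    return "ok" if first == 0x30 else "unexpected tag %s instead of SEQUENCE" % tag_name(first)

def der(tag, value):
    """Encode one DER element (short-form length is enough for the sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample (not a real responder's output): a stand-in BasicOCSPResponse
BASIC_PLACEHOLDER = der(0x30, der(0x30, der(0x02, b"\x01")))
SAMPLE_OCSP_RESPONSE = der(0x30, der(0x0A, b"\x00") + der(0xA0, der(0x30,
    der(0x06, ID_PKIX_OCSP_BASIC) + der(0x04, BASIC_PLACEHOLDER))))
```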