xades signature verification

#10048
Posted: 05/18/2009 07:58:15
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Hi,

I am having a problem with verifying a XAdES signature made to an xml document.
I use your sample program, check both "Enable xades options" and "production place", then I fill all entries with "testsign". Finally I select my signing certificates. A signed document gets generated and saved, but when I try to verify the signature, it fails. I tried both an online service (http://www.globaltrustfinder.com/XMLSignatureVerificationStep1.aspx)
and an application (in Polish):
http://www.sigillum.pl/sig-cmsws/page/GetFile.aspx?cfid=185&fn=SigillumSign3.0.0.27_2009_05_11.zip
The signed xml is attached. Could you please help with this issue? I guess some part of the signature is wrong/missing.


[ Download ]
#10050
Posted: 05/18/2009 08:58:03
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I try to use for it both an online service ( http://www.globaltrustfinder.com/XMLS...Step1.aspx )

It seems that this online service accepts Enveloping signatures only. And it doesn't understand the X509IssuerSerial and X509SubjectName elements in the X509Data element.
So, set the following options:
Signer.SignatureType := xstEnveloping;
X509KeyData.IncludeDataParams := [xkidX509Certificate];
#10051
Posted: 05/18/2009 09:31:12
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Thanks for the help. There is one more thing: it seems that the application I've mentioned has a problem with linefeeds. When I try to use the app to verify some xml, everything goes well, but after opening the same file in Visual Studio and saving it with no modification, it fails verification. I think that the reason why I can't verify xml signed by SimpleSigner is the linefeed. Can you suggest any way to control linefeeds during file writing?

regards,
Szymon
#10053
Posted: 05/18/2009 12:15:40
by Dmytro Bogatskyy (EldoS Corp.)

Quote
When I try to use the app to verify some xml, everything goes well, but after opening the same file in Visual Studio and saving it with no modification

Does the SimpleSigner application verify such xml ok?
Please, post a sample xml document that Sigillum application understands.
Quote
can you suggest any way how to control linefeed during file writing?

As I can see from your xml document, you are using the "Normalize newline characters" option. So, I can only suggest completely removing whitespace characters from the signature; to do this, comment out the lines with Signer.OnFormatElement and Signer.OnFormatText.
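The two failure modes discussed above (a file that stops verifying after an editor resaves it, and a verifier that is sensitive to the whitespace used to format the signature) come down to what exactly is hashed. The following is an added example, not code from this thread or from SecureBlackbox: it hashes a constructed sample document as raw bytes and again after canonicalization, using Python's standard-library C14N 2.0 canonicalizer as a stand-in for the C14N transforms SecureBlackbox applies. Line endings are normalized by the XML parser and so disappear in the canonical form, while changed indentation survives as different whitespace-only text nodes unless that whitespace is stripped.

```python
"""Raw-byte digests versus canonicalized digests of the same XML document.

Added illustration (not from the thread or from SecureBlackbox). Uses the
standard-library C14N 2.0 canonicalizer; the sample document is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: LF line endings, two-space indentation, as a signing
# tool might write it.
ORIGINAL_LF = (
    b'<doc xmlns="urn:example:data">\n'
    b'  <item id="1">testsign</item>\n'
    b'</doc>\n'
)

# The same file after an editor rewrote it with CRLF line endings.
RESAVED_CRLF = ORIGINAL_LF.replace(b"\n", b"\r\n")

# The same file re-indented with tabs: the whitespace-only text nodes changed.
REINDENTED = ORIGINAL_LF.replace(b"  ", b"\t")


def raw_digest(data: bytes) -> str:
    """SHA-1 over the bytes exactly as stored on disk (no canonicalization)."""
    return hashlib.sha1(data).hexdigest()


def c14n_digest(data: bytes, strip_text: bool = False) -> str:
    """SHA-1 over the canonical form.

    The XML parser normalizes CRLF to LF before canonicalization, so a
    line-ending change does not alter the digest.  strip_text=True also
    drops whitespace-only text nodes, which is what removing the signature
    formatting achieves.
    """
    canonical = ET.canonicalize(xml_data=data, strip_text=strip_text)
    return hashlib.sha1(canonical.encode("utf-8")).hexdigest()


def compare_all() -> dict:
    """Which pairs of variants hash to the same value under each method."""
    return {
        # Raw bytes: any byte change, including CRLF vs LF, changes the digest.
        "raw_lf_vs_crlf_equal": raw_digest(ORIGINAL_LF) == raw_digest(RESAVED_CRLF),
        # Canonical form: line endings are normalized away.
        "c14n_lf_vs_crlf_equal": c14n_digest(ORIGINAL_LF) == c14n_digest(RESAVED_CRLF),
        # Canonical form still keeps whitespace-only text, so re-indenting breaks it.
        "c14n_lf_vs_tabs_equal": c14n_digest(ORIGINAL_LF) == c14n_digest(REINDENTED),
        # With whitespace-only text stripped, formatting no longer matters.
        "c14n_stripped_lf_vs_tabs_equal":
            c14n_digest(ORIGINAL_LF, True) == c14n_digest(REINDENTED, True),
    }


if __name__ == "__main__":
    for name, same in compare_all().items():
        print(f"{name}: {same}")
```

A verifier that digests the stored bytes directly will reject any resaved file; one that canonicalizes first tolerates line-ending changes but not re-indentation, which is why the advice above is to emit the signature without formatting whitespace at all.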
#10077
Posted: 05/20/2009 07:02:30
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Hi,

I have found on the net an example of an xml that is accepted by Sigillum. I would really appreciate it if you could tell me which options to set in SimpleSigner to obtain a document recognizable by Sigillum.

To use Sigillum, download the app, run it, and there is a button 'Otworz' in the bottom right corner. It opens an xml doc. After that go to the 'Podpisy' tab.

Whenever I go to 'Podpisy' after loading a doc signed by SimpleSigner, there is a cert with a red cross, but after loading the xml that I attach to this post, there is a cert with a yellow triangle. I would like to get to this point.

regards,
Szymon


[ Download ]
#10086
Posted: 05/20/2009 15:48:08
by Dmytro Bogatskyy (EldoS Corp.)

Quote
but after loading xml that i attach to this post

In this xml document the exclusive canonicalization is used for the signature and the transform.
So, replace:
Code
Ref.TransformChain.Add(TElXMLEnvelopedSignatureTransform.Create);

With:
Code
Ref.TransformChain.Add(TElXMLC14NTransform.Create);
TElXMLC14NTransform(Ref.TransformChain.Transforms[0]).CanonicalizationMethod := xcmExclCanon;

And:
Code
Signer.CanonicalizationMethod := frmSign.CanonicalizationMethod;

With:
Code
Signer.CanonicalizationMethod := xcmExclCanon;

Also, this application doesn't like signature formatting, so simply remove the assignment of the Signer.OnFormatElement and Signer.OnFormatText events.
And add the following line so that the RSAKeyValue element is not included:
X509KeyData.IncludeKeyValue := False;
#10091
Posted: 05/21/2009 02:27:32
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Hi,
I made the changes according to your instructions, but unfortunately when I try to sign an xml, the line
Code
Signer.UpdateReferencesDigest();

throws exception

i replaced
Code
Ref.TransformChain.Add(new TElXMLEnvelopedSignatureTransform());

with
Code
TElXMLC14NTransform transform = new TElXMLC14NTransform();
transform.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
Ref.TransformChain.Add(transform);


and this results in a NullReferenceException. There is something wrong with the way the canonicalization method is used/initialized.

Did you manage to sign a xml with modified simplesigner so that it was recognized by sigillum? If yes then could you please send me such modified code?
Just in case i attach my modified signer.

the exception:

System.NullReferenceException was unhandled
Message="Object reference not set to an instance of an object."
Source="SecureBlackbox"
StackTrace:
at SBUtils.__Global.Trim(String S)
at SBXMLCore.TElXMLDOMElement.GetOuterXMLCanonical(Int16 aMethod, String InclNSPrefixList)
at SBXMLTransform.TElXMLC14NTransform.TransformData(TElXMLDOMNode Node, TElXMLDOMNode Reference)
at SBXMLTransform.TElXMLTransformChain.TransformData(Byte[] Data, TElXMLDOMNode Node, TElXMLDOMNodeList Nodes)
at SBXMLTransform.TElXMLTransformChain.TransformData(TElXMLDOMNode Node)
at SBXMLSec.TElXMLReference.UpdateDigestValue()
at SBXMLSig.TElXMLSigner.UpdateReferencesDigest()
at SimpleSigner.MainForm.btnSign_Click(Object sender, EventArgs e) in C:\Program Files\EldoS\SecureBlackbox.NET\Samples\C#\XMLBlackbox\modSigner\MainForm.cs:line 896
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.Run(Form mainForm)
at SimpleSigner.MainForm.Main() in C:\Program Files\EldoS\SecureBlackbox.NET\Samples\C#\XMLBlackbox\modSigner\MainForm.cs:line 332
at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
InnerException:


[ Download ]
#10096
Posted: 05/21/2009 05:00:50
by Dmytro Bogatskyy (EldoS Corp.)

Quote
and this results in NullReferenceException. there is something wrong with the way canonicalization method is used/initialized.

Please, add the following line:
transform.InclusiveNamespacesPrefixList = "";
after/before:
transform.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;

Quote
Did you manage to sign a xml with modified simplesigner so that it was recognized by sigillum?

Not exactly, it now reports: "Podano błędną wartość parametru." Attached is the signed xml document.
At least the signature is recognized by Sigillum now.
It is possible that the Sigillum application requires a specific certificate to be used for signing. Or the structure of the signature should be the same as in the sample you gave me (for example, fill the Id attributes).


[ Download ]
#10149
Posted: 05/26/2009 02:57:22
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

I have found that the solution for the online verifying service mentioned at the beginning is to add values for the entries in this section:

Code
<xades:SigPolicyHash>
  <DigestMethod Algorithm="" />
  <DigestValue></DigestValue>
</xades:SigPolicyHash>


Both of them are generated empty when signing with SimpleSigner. When I fill them with some dummy values, the generated document gets recognized:

Code
<xades:SigPolicyHash>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <DigestValue>zURNiVLyZRVTImCjiv/NKLQiq4M=</DigestValue>
</xades:SigPolicyHash>


How can I control the content of those tags in the mentioned section so that they are filled?
#10151
Posted: 05/26/2009 04:31:48
by Dmytro Bogatskyy (EldoS Corp.)

Quote
How to control content of those tags in mentioned section to be filled ?

You can fill those tags in the following way:
Code
// Digest method URI for SHA-1 (the algorithm the Sigillum sample uses).
XAdESSigner.PolicyId.SigPolicyHash.DigestMethod = SBXMLSec.Unit.DigestMethodToURI(SBXMLSec.Unit.xdmSHA1);
// DigestValue holds the raw digest bytes; a 20-byte SHA-1 digest encodes to
// 27 base64 characters plus a single "=" padding character.
XAdESSigner.PolicyId.SigPolicyHash.DigestValue = SBUtils.Unit.BytesOfString(SBUtils.Unit.Base64DecodeString("zURNiVLyZRVTImCjiv/NKLQiq4M="));

P.S. The digest value of the signature policy is calculated over the SigPolicyId\Identifier element. If the Identifier element contains a URI, then the hash is calculated on the downloaded file (for example using the TElHashFunction class); in most cases you can cache the digest value.
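The exchange above shows that the online service merely requires SigPolicyHash to be non-empty, so dummy values get the document "recognized". A verifier that actually checks the policy hash has to recompute the digest over the policy document that SigPolicyId\Identifier points to and compare it with DigestValue. The following is an added example, not code from this thread or from SecureBlackbox: it builds the SignaturePolicyIdentifier fragment discussed above and checks it against a constructed stand-in for the downloaded policy document, distinguishing the empty elements SimpleSigner produced by default, a dummy value that does not match, an unsupported digest algorithm, and a correct value. The XAdES namespace version, the policy URL and the policy bytes are assumptions of the example.

```python
"""Verifying a XAdES SigPolicyHash against the signature policy document.

Added illustration (not from the thread or from SecureBlackbox).  The
namespace version, policy URL and policy bytes are assumptions.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"   # assumed XAdES version
NS = {"ds": DS, "xades": XADES}

# Digest-method URIs the verifier accepts; anything else is rejected.
DIGEST_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}

# Constructed stand-in for the file the SigPolicyId URI points to (in practice
# the downloaded policy document, whose digest may be cached).
POLICY_DOCUMENT = b"Example signature policy v1 (constructed sample)\n"


def sig_policy_hash_xml(algorithm: str, digest_value: str) -> str:
    """Build the SignaturePolicyIdentifier fragment the thread is about."""
    return (
        f'<xades:SignaturePolicyIdentifier xmlns:xades="{XADES}" xmlns:ds="{DS}">'
        f'<xades:SignaturePolicyId><xades:SigPolicyId>'
        f'<xades:Identifier>http://policy.example/policy.txt</xades:Identifier>'  # assumed URL
        f'</xades:SigPolicyId><xades:SigPolicyHash>'
        f'<ds:DigestMethod Algorithm="{algorithm}"/>'
        f'<ds:DigestValue>{digest_value}</ds:DigestValue>'
        f'</xades:SigPolicyHash></xades:SignaturePolicyId>'
        f'</xades:SignaturePolicyIdentifier>'
    )


def expected_digest(policy: bytes, algorithm: str) -> str:
    """Base64 digest of the policy document, as a signer should emit it."""
    return base64.b64encode(DIGEST_METHODS[algorithm](policy).digest()).decode("ascii")


def check_sig_policy_hash(fragment: str, policy: bytes) -> str:
    """Return 'ok', 'missing', 'unsupported-algorithm', 'malformed' or 'mismatch'."""
    root = ET.fromstring(fragment)
    method = root.find(".//xades:SigPolicyHash/ds:DigestMethod", NS)
    value = root.find(".//xades:SigPolicyHash/ds:DigestValue", NS)
    if method is None or value is None:
        return "missing"
    algorithm = method.get("Algorithm", "")
    encoded = (value.text or "").strip()
    if not algorithm or not encoded:
        return "missing"                 # the empty elements emitted by default
    if algorithm not in DIGEST_METHODS:
        return "unsupported-algorithm"
    try:
        given = base64.b64decode(encoded, validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return "malformed"
    computed = DIGEST_METHODS[algorithm](policy).digest()
    if not hmac.compare_digest(given, computed):
        return "mismatch"                # e.g. a dummy value that was never derived from the policy
    return "ok"


if __name__ == "__main__":
    sha1 = "http://www.w3.org/2000/09/xmldsig#sha1"
    for label, frag in [
        ("empty", sig_policy_hash_xml("", "")),
        ("dummy", sig_policy_hash_xml(sha1, "zURNiVLyZRVTImCjiv/NKLQiq4M=")),
        ("correct", sig_policy_hash_xml(sha1, expected_digest(POLICY_DOCUMENT, sha1))),
    ]:
        print(label, check_sig_policy_hash(frag, POLICY_DOCUMENT))
```

The point for a verifier is that presence is not validity: the dummy value from the thread is well-formed base64 of the right length and passes a non-empty check, but only a digest recomputed over the referenced policy document tells you the signer actually committed to that policy.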