EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Nesting signed data in xml

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
#10232
Posted: 05/29/2009 10:23:25
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Hi

When I sign data using the enveloping type of signature, it results in some modification of the original data. The original data looks like

Code
<INVOIC01>
<IDOC BEGIN="1">
<E1EDS01 SEGMENT="1">
  <SUMID>010</SUMID>
  <SUMME>6715.59</SUMME>
  <WAERQ>PLN</WAERQ>
  </E1EDS01>
  </IDOC>
</INVOIC01>

But after signing, it is slightly modified when it's nested in the Object element like this:
Code
<Object>
<INVOIC01 Id="id-751237230">
<IDOC BEGIN="1">
<E1EDS01 SEGMENT="1">
  <SUMID>010</SUMID>
  <SUMME>6715.59</SUMME>
  <WAERQ>PLN</WAERQ>
  </E1EDS01>
  </IDOC>
  </INVOIC01>
  </Object>

Could you please tell me how to fill the references so that it would be embedded into form like:
Code
<ds:Object Id="Object-1">
<INVOIC01>
<IDOC BEGIN="1">
<E1EDS01 SEGMENT="1">
  <SUMID>010</SUMID>
  <SUMME>6715.59</SUMME>
  <WAERQ>PLN</WAERQ>
  </E1EDS01>
  </IDOC>
  </INVOIC01>
  </ds:Object>

One more thing - how to put the entire signature in the "ds" namespace? The most important thing to me is still not modifying the data and being able to give an id to the <Object> item.
#10233
Posted: 05/29/2009 10:59:44
by Dmytro Bogatskyy (EldoS Corp.)

Quote
But after signing, it is slightly modified when its nested in the object element like this:

This element is modified by btnSign_Click method. The following code line modifies it:
Code
El.SetAttribute("Id", "id-" + SBUtils.Unit.IntToStr(SBUtils.Unit.SBRndGenerate(uint.MaxValue)));

Quote
Could you please tell me how to fill the references so that it would be embedded into form like:

For the Enveloping signature method the Object element is created on the fly, in the Save method, so it is not possible to modify it using Signer.Signature properties.
However, you can append an Id using the OnFormatElement event.
Or you can create an Object element with the INVOIC01 element by yourself.
In this case you need:
Code
Signer.Sign();
...
TElXMLObject obj = new TElXMLObject();
obj.ID = "id1";
obj.DataList.Add(Node.CloneNode(true)); // where Node is INVOIC01
Signer.Signature.Objects.Add(obj);

Also, you need to use Enveloped or Detached SignatureMethod.

In both cases for the Reference you shouldn't fill URINode property, and do not call UpdateReferencesDigest. The digest value for elements inside the signature element will be recalculated automatically.

Quote
One more thing - how to put the entire signature in the "ds" namespace ?

Use the following code:
Code
Signer.Sign(); // Creates "Signature" structure
Signer.Signature.SignaturePrefix = "ds"; // the default value is: "#default ds"
#10248
Posted: 06/01/2009 05:48:19
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

Hi

After the changes, it seems that the signed XML is now in the proper form. But now there is another issue - since the document is signed, modification of the signed values should cause validation to fail, but it doesn't. I perform the validation using the functionality implemented in SimpleSigner, and it doesn't detect those changes.

I passed the content of the signed, unmodified XML to a validation service and it detects that the data and its digest do not match. I think that there is something wrong with the reference.

I solved the issue of adding an id to the "Object" in the following way:

Code
Signer.Sign();

Signer.Signature.SignaturePrefix = "ds";
...
TElXMLObject obj = new TElXMLObject();
obj.ID = "SignedData";
obj.DataList.Add(SigNode.CloneNode(true));
Signer.Signature.Objects.Add(obj);
Signer.Save(ref SigNode);

TElXMLDOMNode objNoId = SigNode.LastChild;
SigNode.RemoveChild(objNoId);

After adding that new object to the signature, in the resulting document I had duplicate entries - one with an id and one without it. I noticed that the one without an id is appended at the end of the XML, so I remove it.

Could you please have a look at the code that illustrates the process of signing? I think there might be an issue with some missing reference in the document.
Code
TElXMLSigner Signer;
TElXAdESSigner XAdESSigner = null;
TElXMLKeyInfoHMACData HMACKeyData = null;
TElXMLKeyInfoRSAData RSAKeyData = null;
TElXMLKeyInfoX509Data X509KeyData = null;
TElXMLKeyInfoPGPData PGPKeyData = null;
FileStream F;
TElXMLDOMNode SigNode;
byte[] Buf;
TElXMLReference Ref = null;
TElXMLReferenceList Refs;

// One reference pointing at the Object element added below (by its Id)
Refs = new TElXMLReferenceList();
Ref = new TElXMLReference();
Ref.DigestMethod = SBXMLSec.Unit.xdmSHA1;

TElXMLNodeSet nodeset = FXMLDocument.SelectNodes("/");
Ref.URI = "#SignedData";
TElXMLC14NTransform transform = new TElXMLC14NTransform();
transform.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
transform.InclusiveNamespacesPrefixList = "";

Ref.TransformChain.Add(transform);

Refs.Add(Ref);
Signer = new TElXMLSigner();

Signer.SignatureType = SBXMLSec.Unit.xstEnveloping; //frmSign.SignatureType;
Signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmCanon; //frmSign.CanonicalizationMethod;
Signer.SignatureMethodType = 0;
Signer.SignatureMethod = 2;
Signer.MACMethod = 1;
Signer.References = Refs;
Signer.KeyName = "";
Signer.IncludeKey = true;
// Commented out
/*TElXMLDOMElement El = (TElXMLDOMElement)Ref.URINode;
El.SetAttribute("Id", "id-" + SBUtils.Unit.IntToStr(SBUtils.Unit.SBRndGenerate(uint.MaxValue)));
Ref.URI = "#" + El.GetAttribute("Id");
*/

// Key material: X.509 certificate
X509KeyData = new TElXMLKeyInfoX509Data(false);
X509KeyData.IncludeDataParams = SBXMLSec.Unit.xkidX509Certificate;
X509KeyData.Certificate = Cert;
Signer.KeyData = X509KeyData;

// XAdES qualifying properties
XAdESSigner = new TElXAdESSigner();
Signer.XAdESProcessor = XAdESSigner;
XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_3_2;
XAdESSigner.PolicyId.SigPolicyId.Description = "testing";
XAdESSigner.PolicyId.SigPolicyId.DocumentationReferences.Add("testing");
XAdESSigner.PolicyId.SigPolicyId.Identifier = "testing";
XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtOIDAsURI;

TElMemoryCertStorage CertStorage = new TElMemoryCertStorage();
CertStorage.Add(Cert, false);
XAdESSigner.SigningCertificates = CertStorage;
XAdESSigner.SigningTime = DateTime.Now.ToUniversalTime();
XAdESSigner.PolicyId.SigPolicyHash.DigestMethod = SBXMLSec.Unit.DigestMethodToURI(SBXMLSec.Unit.xdmSHA1);
XAdESSigner.Generate();
XAdESSigner.QualifyingProperties.XAdESPrefix = "xades";
XAdESSigner.QualifyingProperties.SignedProperties.SignedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied = true;
//Signer.UpdateReferencesDigest();
Signer.Sign();

Signer.Signature.SignaturePrefix = "ds";
SigNode = (TElXMLDOMNode)nodeset[0];
if (SigNode is TElXMLDOMDocument)
    SigNode = ((TElXMLDOMDocument)SigNode).DocumentElement;

// Wrap a copy of the document element in an Object with the referenced Id
TElXMLObject obj = new TElXMLObject();
obj.ID = "SignedData";
obj.DataList.Add(SigNode.CloneNode(true));
Signer.Signature.Objects.Add(obj);

Signer.Save(ref SigNode);

// Drop the duplicate Object (without Id) that Save appends at the end
TElXMLDOMNode objNoId = SigNode.LastChild;
SigNode.RemoveChild(objNoId);


I attach the document that I try to sign.
#10249
Posted: 06/01/2009 05:59:40
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

In this attachment I have two signed files - one original, not modified, and the other modified in Notepad - for both of them I get Verification Ok () when validating references (#SignedData).
#10250
Posted: 06/01/2009 07:05:17
by Dmytro Bogatskyy (EldoS Corp.)

Quote
But now there is other issue - since a document is signed, modification of the signed values should cause validation to fail, but it doesnt.

The message "Signature validated successfully." means that the SignedInfo element in the signature (which stores the reference list) is not modified. After that you should validate the references. In your case, for both files the "SignedData" reference is invalid.
Quote
After adding that new object to the signature, in the resulting document I had duplicate entries - one with an id and one without it. I noticed that the one without an id is appended at the end of the XML, so I remove it.

As I said before, you should use the Enveloped or Detached SignatureMethod.
So, set:
Code
Signer.SignatureType = SBXMLSec.Unit.xstEnveloped;

And replace the code:
Code
Signer.Save(ref SigNode);
TElXMLDOMNode objNoId = SigNode.LastChild;
SigNode.RemoveChild(objNoId);

With:
Code
TElXMLDOMNode TmpNode = SigNode;
SigNode = SigNode.Parent;
SigNode.RemoveChild(TmpNode); // the Object added to the signature carries the copy of this node
Signer.Save(ref SigNode);
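The two-stage check described above (a valid SignatureValue only proves SignedInfo is intact; each Reference digest must be recomputed separately) as an added Python example that is not from this thread or from SecureBlackbox. It assumes a constructed signer using HMAC-SHA256 in place of the RSA key, SHA-256 digests, and the standard-library C14N 2.0 serializer in place of exclusive C14N 1.0, which give identical bytes for this namespace-simple tree.

```python
"""Two-stage XML-DSig verification: SignedInfo integrity, then reference digests."""
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ET.register_namespace("ds", DS)
KEY = b"constructed-demo-hmac-key"  # constructed: HMAC-SHA256 stands in for the RSA key

def c14n(elem):
    # Stdlib C14N 2.0 stands in for exclusive C14N 1.0 (assumption: same bytes for
    # this simple tree). The shallow copy drops any tail text following the element.
    e = copy.copy(elem)
    e.tail = None
    return ET.canonicalize(ET.tostring(e, encoding="unicode")).encode()

def digest(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def build_signed(invoice_xml):
    """Constructed signer: wrap the invoice in <ds:Object Id="SignedData"> and reference it."""
    obj = ET.fromstring(f'<ds:Object xmlns:ds="{DS}" Id="SignedData">{invoice_xml}</ds:Object>')
    si = ET.fromstring(f'<ds:SignedInfo xmlns:ds="{DS}"><ds:Reference URI="#SignedData">'
                       f'<ds:DigestValue>{digest(obj)}</ds:DigestValue></ds:Reference></ds:SignedInfo>')
    mac = base64.b64encode(hmac.new(KEY, c14n(si), hashlib.sha256).digest()).decode()
    return (f'<ds:Signature xmlns:ds="{DS}">{ET.tostring(si, encoding="unicode")}'
            f'<ds:SignatureValue>{mac}</ds:SignatureValue>'
            f'{ET.tostring(obj, encoding="unicode")}</ds:Signature>')

def signedinfo_intact(signed_xml):
    """Stage 1, all that 'Signature validated successfully' proves: SignedInfo is unchanged."""
    sig = ET.fromstring(signed_xml)
    mac = hmac.new(KEY, c14n(sig.find("ds:SignedInfo", NS)), hashlib.sha256).digest()
    return hmac.compare_digest(mac, base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS)))

def references_valid(signed_xml):
    """Stage 2: recompute every Reference digest over the element its fragment URI names."""
    sig = ET.fromstring(signed_xml)
    for ref in sig.iterfind("ds:SignedInfo/ds:Reference", NS):
        target = sig.find(f".//*[@Id='{ref.get('URI')[1:]}']")  # '#SignedData' -> Id lookup
        if target is None or digest(target) != ref.findtext("ds:DigestValue", namespaces=NS):
            return False
    return True

INVOICE = ('<INVOIC01><IDOC BEGIN="1"><E1EDS01 SEGMENT="1"><SUMID>010</SUMID>'
           '<SUMME>6715.59</SUMME><WAERQ>PLN</WAERQ></E1EDS01></IDOC></INVOIC01>')
SIGNED = build_signed(INVOICE)
TAMPERED = SIGNED.replace("6715.59", "1.00")  # constructed "modified in Notepad" case

if __name__ == "__main__":
    for name, doc in (("original", SIGNED), ("tampered", TAMPERED)):
        print(f"{name}: SignedInfo ok={signedinfo_intact(doc)} references ok={references_valid(doc)}")
```

For the tampered document the SignedInfo check still passes while the reference check fails, which is exactly why a validator that stops after the first stage reports success for both files.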
#10251
Posted: 06/01/2009 07:25:33
by Szymon Piskula (Basic support level)
Joined: 02/05/2009
Posts: 17

So should I put this part in to make the references valid?
Code
Ref.URI = "#SignedData";


I still get the error regarding the wrong digest - how do I maintain the reference so that it would be valid and the digest would be valid?
#10259
Posted: 06/01/2009 12:54:47
by Dmytro Bogatskyy (EldoS Corp.)

Quote
So should I put this part in to make the references valid?

Yes.
Quote
I still get the error regarding the wrong digest - how do I maintain the reference so that it would be valid and the digest would be valid?

Please try to sign with the attached sample application. (You need to set a certificate and to enable XAdES.)
#14728
Posted: 10/19/2010 13:10:10
by Bogdan Chudzikiewicz (Standard support level)
Joined: 10/18/2010
Posts: 3

Hi, I have a similar problem to the one described above.
Now I'm looking for software for signing XML files in the standard XAdES enveloping mode.

For work I use Delphi 7.

Using the sample software 'SimpleSigner' I'm not able to get a satisfactory result:

I got the signature:
<Object>
<Deklaracja Id="id-0">
<Naglowek>
<KodFormularza kodPodatku ...

And it should look like this:
<ds:Object xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Dokument-0">
<Deklaracja>
<Naglowek>
<KodFormularza kodPodatku ...

Struggling with the settings in the 'Reference options' form did not help me.

Can I get something similar to the above example in Delphi 7?

Sincerely
Bogdan bcSopot
#14729
Posted: 10/19/2010 15:14:38
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Can I get something similar to the above example in Delphi 7?

The code will be very similar:
Code
Signer.SignatureType := xstEnveloped; // not enveloping as we create an object element manually
...
Ref.URI := '#Dokument-0'; // you don't need to call ElXMLSigner.UpdateReferencesDigest or ElXMLReference.UpdateDigestValue after it, as this element is not created yet; the digest value is recalculated on signing for all elements under the Signature element
...
Signer.GenerateSignature();
...
Signer.Signature.SignaturePrefix := 'ds'; // the default value is: "#default ds"
...
var obj : TElXMLObject;
obj := TElXMLObject.Create();
obj.ID := 'Dokument-0';
obj.DataList.Add(Node.CloneNode(True)); // where Node is Deklaracja
Signer.Signature.Objects.Add(obj);
...
SigNode := Node.Parent;
SigNode.RemoveChild(Node);
Signer.Save(SigNode); // the signature will be placed as a child of the Deklaracja parent node, and the Deklaracja node removed
#14951
Posted: 11/04/2010 05:28:50
by Bogdan Chudzikiewicz (Standard support level)
Joined: 10/18/2010
Posts: 3

OK, I'm ready to BUY.
Which modules/packages do I have to buy to use the following components for signing:

TElXMLObject;

TElXMLDOMDocument;
TElXMLDOMElement;
TElXMLDOMNode;

TElXMLSigner;
TElXmlSignedInfo;
TElXAdESSigner;

TElXMLKeyInfoHMACData;
TElXMLKeyInfoRSAData;
TElXMLKeyInfoX509Data;
TElXMLKeyInfoPGPData;

TElXMLReference;
TElXMLReferenceList;

TelXMLNodeSet;
TelXMLC14NTransform;

TElMemoryCertStorage;
TElX509Certificate;


Bogdan