EldoS | Feel safer!

Software components for data protection, secure storage and transfer

how to bundle/unbundle (attach/detach) signature

Posted: 01/26/2010 09:16:41
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46


I'm terribly sorry if this should be a "read the manual" question. I did extensively read the manual and checked the forums, but I must be missing something. I used a competitors library which allowed me to bundle/unbundle a signature. For example, having a *.p7m file, i could extract the original document and the *.p7s detached signature file.

Viceversa, having the original document and the *.p7s file, i could create a *.p7m mime container.

I am in the process of substituting the competitor library (which gives other problems) with your product "SecureBlackbox". How can I accomplish this task?
I tried using ElMessageVerifier, but I can't really find how to bundle/unbundle a signature.

What I would need is actually:
Having doc + p7s -> create p7m
Having p7m -> create doc + p7s

Could you please give me a hint as to how to do this sequence of things?
Just tell me which classes I should look at in case I really missed them.

By the way: I use the C++ Builder VCL version.
Posted: 01/26/2010 09:39:14
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Should it be that I need to use TElSignedCMSMessage classes?
I'll check that...
Posted: 01/26/2010 10:21:11
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Sorry, I must be lost somewhere, really.
From all I read i should be using TElMessageVerifier and TElMessageSigner to sign/countersign/verify messages in pkcs#7 format like

-----BEGIN PKCS7-----

Now, my old application is giving me original message + *.p7s file containing the signatures. I want to add a signature, so I suppose I must be using the TElMessageSigner.CounterSign Method. Do I need to create a *.p7m file for countersigning?

I will need conversion between detached and not-detached signature files anyway later, so I need to find out how to do that.

Or am I completely missing the p7s/p7m decoding somewhere?
I hope you can point me in the right direction, sorry again.

Posted: 01/26/2010 10:41:24
by Ken Ivanov (Team)

Thank you for contacting us.

TElMessageSigner and TElMessageVerifier are simple CMS classes. They do not provide low-level access to CMS elements, neither allow editing existing CMS messages (except simple countersigning and timestamping).

TElSignedCMSMessage and TElCMSMessage classes are more flexible. They provide access to all the inner elements of tree-based CMS structure, allowing to add or remove particular CMS objects (signatures, timestamps, countersignatures, certificates).

To break existing p7m message into a document and a signature, please do the following:
1) Load the message into the TElSignedCMSMessage object (using the Open method),
2) Set TElSignedCMSMessage.Detached property to true,
3) Call TElSignedCMSMessage.Save() to save the message with excluded document (p7s),
4) Read the body of the document using TElSignedCMSMessage.Content.Read() method.

Accomplishing the reverse task (building p7m from a document and a signature) is not possible with current SecureBlackbox revision (actually, you are the first user who asks about such a task). I assume that we will extend TElSignedCMSMessage with the appropriate functionality for the upcoming build update which is expected in few days.
Posted: 01/26/2010 10:43:56
by Ken Ivanov (Team)

-----BEGIN PKCS7-----

Just a note. SecureBlackbox does not understand base64-enveloped PKCS7/CMS messages. Please use Base64Decode method (SBUtils unit) to decode the message prior to passing it to TElSignedCMSMessage object.
Posted: 01/26/2010 12:22:10
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Well thanks Innokentiy, that did help a lot! I started by reading the howto's and got stuck into using TElMessageSigner, which now I understand is probably not so practical for me.

So can I sum up the following two scenarios (and I'd be glad if you confirm or correct me).

A. SIGNING A NEW (not already signed) MESSAGE
1) CreateNew on TElSignedCMSMessage to load the non-signed body
2) addSignature on SignedCMSMessage
3) get the new signature and call method sign() to sign it
4) Set detached property on SignedCMSMessage
5) Save the p7s detached signature
6) Base64Encode the signature as necessary

0) Base64Decode the signature as necessary
1) Load TElSignedCMSMessage (CMSStream, DataStream) to load the non-signed body and the signature
2)..6) proceed identically as above

Is this correct proceeding? If yes, I'm happy and finally got the right approach. Thanks for confirming or correcting me.


As to the issue of creating a p7m from a body+p7s, well, it is in fact a requirement for my application. Would be really fantastic if you could add the method to TElSignedCMSMessage. If so, let me know if you think you could include it into the next build!

It would probably be enough if I load TElSignedCMSMessage (CMSStream, DataStream), then set detached=false and to a save() on it to get the implicit p7m version, right?

Thanks really a lot for your clarifications,

Posted: 01/26/2010 12:22:50
by Ken Ivanov (Team)

Hmm, I misled you by saying that SBB does not support building non-detached CMS from a document and a signature. It actually does. Please do the following:
a) load the detached signature into the TElSignedCMSMessage object,
b) load the document into the Content property of the object (TElSignedCMSMessage.Content.Init),
c) set TElSignedCMSMessage.Detached to false and save the message.

Thus, you can resolve both your tasks (bundle and unbundle) with current SBB revision.
Posted: 01/26/2010 12:29:49
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Perfect, I almost imagined that while I was writing the post. Could you also be so kind to confirm my two approaches A) and B) from the post above? If my setup is correct, I'm all set!

Thanks again,
Posted: 01/26/2010 12:47:11
by Ken Ivanov (Team)

Yes, both your A) and B) approaches are quite correct.
Posted: 01/26/2010 15:27:14
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Thanks a lot Innokentiy. I managed to create a new signature and will try to "add" to a list of previous signatures as a next step. When creating the signature, in the old toolkit I had a simple sign() method, where I passed certificate, algorithm and time, that was about it (something similar to the ELMessageSigner class).

Having to use the ELSignedCMSMessage is wonderful, but it has so many options that I am terribly afraid of "forgetting" something important (something that maybe ELMessageSigner would do for me), and I would like to ask you if approximately the following is correct for signing a document which needs to be validated from other tools.

Is the following abstract ok in your opinion? Especially the part in "configure signature" is what I need to be absolutely sure that I am not "forgetting" anything that should be done there. Could you please be so kind to confirm that the options I am setting there is sufficient for the case?

// configure memory certificate store
aMemoryCertStorage->Add(mCertificate, true);

// setup the signed message, attaching the existing signature if necessary
aMessage = new TElSignedCMSMessage(0);
aMessage->CreateNew(aSignatureBuffer, aSignatureSize);
aMessage->Content->Init(aDocumentBuffer, aDocumentSize);

// now sign the message
int aNr = aMessage->AddSignature();
aSignature = aMessage->Signatures[aNr];

// configure signature
aSignature->SigningTime = UTCNow();
aSignature->SigningOptions << csoInsertMessageDigests << csoInsertSigningTime << csoIncludeCertToMessage;
aSignature->FingerprintAlgorithm = mSignatureHashMethod;
aSignature->Sign(mCertificate, aMemoryCertStorage);

// write the container file
aMessage->Detached = false;
aOutStream = new TFileStream(aContainerFileName, fmOpenWrite | fmCreate | fmShareDenyWrite);
delete aOutStream;
aOutStream = 0;

Thanks a lot,



Topic viewed 6312 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!