EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Cades-bes

Also by EldoS: Rethync
The cross-platform framework that simplifies synchronizing data between mobile and desktop applications and servers and cloud storages
#14011
Posted: 07/26/2010 06:01:14
by Claudio Vannini (Basic support level)
Joined: 07/26/2010
Posts: 3

Hi to all the people,
I need to use Cades-bes envelope in order to sign different documents (pdf,txt, doc etc...).
I read that PKIBlackBox allow this but I'm not able to find an example or documentation about the methods I have to use.
Can someone help me?

Thanks

Claudio Vannini
#14013
Posted: 07/26/2010 06:12:31
by Ken Ivanov (EldoS Corp.)

Thank you for your interest in our products.

Please have a look at the CMSManager sample (Samples\(C#|VB.NET)\PKIBlackbox\CMS\). It illustrates the use of TElSignedCMSMessage component for obtaining CAdES-compliant signed messages.
#14015
Posted: 07/26/2010 07:12:28
by Claudio Vannini (Basic support level)
Joined: 07/26/2010
Posts: 3

Thank you for your quick answer.
I'm looking at the code of the sample you mentioned, but, since I'm a little rookie in the argument, can you please give me some further hints (or link to documentation) about generating Cades-bes envelope?

Thank you again

Claudio Vannini
#14016
Posted: 07/26/2010 07:28:09
by Ken Ivanov (EldoS Corp.)

CAdES is a general format for digital signatures. Each CAdES signature, besides the signature binary itself, may include a number of pre-defined or custom attributes (signing time, message digest, revocation attributes etc.). CAdES-BES, CAdES-EPES etc. are subtypes of CAdES; every subtype narrows down the general specification of CAdES by defining the set of attributes that MUST be included to the signature to make it conformant to the corresponding subtype.

Please take a look at section 4.3.1 of RFC 5126 to find out what attributes MUST be included according to CAdES-BES subtype.
#14024
Posted: 07/27/2010 04:44:32
by Claudio Vannini (Basic support level)
Joined: 07/26/2010
Posts: 3

Here Am I again.
Thank you for your information, I'm looking through your code and, even if it's clear what it does, I'm afraid is not so clear on what I have to insert inside the envelope in order to obtain a Cades-Bes type (I'm still reading the RFC you mentioned but it's quite evasive...)
Since we are valuating the possibility to buy your software in order to implement an envelope of this type, can you please point me to a file of Cades-bes type which I can download and open with the demo allowing me to understand better the attributes I have to insert and wich methods are used?
Thank you very much..

Claudio Vannini
#14033
Posted: 07/27/2010 22:49:26
by Ken Ivanov (EldoS Corp.)

There are no existing CAdES-BES signature files available, sorry. According to the RFC, the following attributes *must* be included to the signature:
1) Content-type (an ASN.1-encoded object identifier; the value should be assigned to TElCMSSignature.ContentType property),
2) Message-digest (is calculated and included automatically by the component),
3) ESS-signing-certificate (or ESS-signing-certificate-v2) (add the csoIncludeCertToAttributes flag to the SigningOptions set to make the component include this attribute automatically).

The following attributes are optional and *may* be also included:
1) Signing-time (set this via TElCMSSignature.SigningTime property),
2) Content-hints (use TElCMSSignature.ContentHints property),
3) Content-reference (use TElCMSSignature.ContentReference property),
4) Content-identifier (use TElCMSSignature.ContentIdentifier property),
5) Commitment-type-indication (use TElCMSSignature.CommitmentTypeIndication property),
6) Signer-location (use TElCMSSignature.SignerLocation property),
7) Signer-attributes (not supported at the moment),
8) Content-timestamp.

Please note that you should set up the attributes before calling the Sign() method to make them being involved in signature generation process.
#14349
Posted: 09/02/2010 08:38:53
by tayfundogdas (Basic support level)
Joined: 09/02/2010
Posts: 2

Hi;

In your http://www.eldos.com/sbb/desc-pki-spec.php page you mention "implementation of CAdES specification (RFC 5126)" is in PKIBlackbox and i review your CMSManager_VS2010 and see AddRevInfo and Timestamp info but can't see overall example.I want to CadES-A sig i looked the spec,but can't link with your example.Can you explain more?

I have attached CAdES-A structure image.

Best Regards.


#14350
Posted: 09/02/2010 09:13:35
by Ken Ivanov (EldoS Corp.)

Thank you for your question.

In fact, none of CAdES subtypes (CAdES-A, CAdES-C, etc.; the only exceptions are probably the simplest BES and EPES subtypes) is something that can be created with a single method call. CAdES message is a complex structure that includes a bunch of digital signatures accompanied by a number of certificate chains along with corresponding revocation elements. The exact elements to be included to such signature highly depend on the particular PKI environment (CAs, TSP servers, used approach to revocation information handling etc.), and automating construction of the proper signature structure is quite challenging (not to say impossible) task.

That's why you have to build the signature of the needed type brick-by-brick yourself. First, you should create an inner CAdES-C message by configuring the attributes in the proper way and signing the data. Second, a timestamp over the created CAdES-C message should be added to the structure (with the use of AddValidationTimestamp() method with cvtESC timestamp type). Finally, an archive timestamp should be added (with the use of the same AddValidationTimestamp() method, now with cvtArchive or cvtArchive2 timestamp type).
#14352
Posted: 09/02/2010 09:34:05
by tayfundogdas (Basic support level)
Joined: 09/02/2010
Posts: 2

Thanks for your quick response,as you said "automating construction of the proper signature structure is quite challenging (not to say impossible) task".I have realized on your example we do it by hand by GUIs step by step as descripted on my attachment.We create CMS first and it's actually CAdES-BES and add validation timestamp and complete reference list and becames CAdES-C and built step by step as stated on CAdES-A document.You built example not as much as detailed but you showed core structure as enough.

Thanks for you kind support.
Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.

Reply

Statistics

Topic viewed 4260 times

Number of guests: 2, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!