EldoS | Feel safer!


enveloped type of signature

#14763
Posted: 10/22/2010 14:20:00
by Popeye  (Basic support level)
Joined: 10/22/2010
Posts: 10

I am signing XML with the enveloped type of signature and I can verify it.
I need to set the Reference URI to empty, like this: <Reference URI="">
If I set the URI to empty, this causes validation to fail with the message "signature hash does not match".

This is part of a valid XML with the URI reference:
Code
<ext:SignContent Id="id-343700231"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature_ID2010000000018">
   <ds:SignedInfo Id="SignedInfo_ID2010000000018">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#id-343700231">
         <ds:Transforms>



This is what I need:

Code
<ext:SignContent><ds:Signature Id="Signature_ID2010000000018">
   <ds:SignedInfo Id="SignedInfo_ID2010000000018">
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
         <ds:Transforms>



This is my code:

Code
function Sign(fileN: String; FId: String): Boolean;
var
  Signer: TElXMLSigner;
  XAdESSigner: TElXAdESSigner;
  X509KeyData: TElXMLKeyInfoX509Data;
  SigNode: TElXMLDOMNode;
  Ref: TElXMLReference;
  Refs: TElXMLReferenceList;
  sNode: TElXMLDOMElement;
begin
  Result := FALSE;

  LoadXML(fileN);
  sNode := TElXMLDOMElement(LocateSignNode);

  Refs := TElXMLReferenceList.Create;
  try
    if Assigned(sNode) then
    begin
      Ref := TElXMLReference.Create;
      Ref.DigestMethod := xdmSHA256;

      // if I set a URI reference, then validation is valid
      sNode.AttribStrings['Id'] := 'id-' + IntToStr(SBRndGenerate(MaxInt));
      Ref.URI := '#' + sNode.AttribStrings['Id'];

      // if I set URI to empty, this causes validation to fail
      //Ref.URI := '';

      Ref.URINode := TElXMLDOMNode(sNode);
      Ref.TransformChain.Add(TElXMLEnvelopedSignatureTransform.Create);
      Refs.Add(Ref);
    end;

    Signer := TElXMLSigner.Create(NIL);
    // initialised so the FreeAndNil calls below are safe when a branch is skipped
    XAdESSigner := nil;
    X509KeyData := nil;
    try
      Signer.SignatureType := xstEnveloped;
      Signer.CanonicalizationMethod := xcmCanonComment;
      Signer.SignatureMethodType := xmtSig;
      Signer.SignatureMethod := xsmRSA_SHA1;
      Signer.MACMethod := xmmHMAC_SHA1;
      Signer.References := Refs;
      Signer.KeyName := '';
      Signer.IncludeKey := TRUE;

      Signer.OnFormatElement := FormatElement;
      Signer.OnFormatText := FormatText;

      if Assigned(FCert) and FCert.PrivateKeyExists then
      begin
        X509KeyData := TElXMLKeyInfoX509Data.Create(False);
        X509KeyData.Certificate := FCert;
        X509KeyData.IncludeDataParams := [xkidX509SubjectName, xkidX509Certificate];
        Signer.KeyData := X509KeyData;
      end;

      XAdESSigner := TElXAdESSigner.Create(nil);
      Signer.XAdESProcessor := XAdESSigner;
      XAdESSigner.XAdESVersion := XAdES_v1_3_2;

      XAdESSigner.Included := [xipSignerRole];
      XAdESSigner.SignerRole.ClaimedRoles.AddText(XAdESSigner.XAdESVersion, FXMLDocument, 'Role');

      XAdESSigner.SigningCertificates := TElMemoryCertStorage.Create(NIL);
      XAdESSigner.SigningCertificates.Add(FCert, false);
      XAdESSigner.SigningTime := LocalTimeToUTCTime(Now);

      // create XAdESSigner.QualifyingProperties
      XAdESSigner.Generate;
      XAdESSigner.QualifyingProperties.SignedProperties.SignedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied := true;

      XAdESSigner.QualifyingProperties.Target := 'Signature_' + FId;
      XAdESSigner.QualifyingProperties.SignedProperties.ID := 'SignedProperties_' + FId;

      XAdESSigner.QualifyingProperties.XAdESPrefix := 'xades';

      Signer.UpdateReferencesDigest;

      Signer.Sign;
      Signer.Signature.SignaturePrefix := 'ds';

      Signer.Signature.ID := 'Signature_' + FId;
      Signer.Signature.SignedInfo.ID := 'SignedInfo_' + FId;

      Signer.Signature.SignedInfo.SigPropRef.DigestMethod := xdmSHA256;
      Signer.Signature.SignedInfo.SigPropRef.ID := 'SignedProperties-Reference_' + FId;
      Signer.Signature.SignedInfo.SigPropRef.RefType := 'http://uri.etsi.org/01903/v1.3.2#SignedProperties';
      Signer.Signature.SignedInfo.SigPropRef.URI := '#SignedProperties_' + FId;

      SigNode := sNode; //TElXMLDOMNode(tvXML.Selected.Data);
      if SigNode is TElXMLDOMDocument then
        SigNode := TElXMLDOMDocument(SigNode).DocumentElement;

      try
        Signer.Save(SigNode);
      except
        on E: Exception do
          raise EElXMLError.CreateFmt('Signed data saving failed. (%s)', [E.Message]);
      end;

      UpdateXML;

      Result := TRUE;
    finally
      FreeAndNil(Signer);
      FreeAndNil(XAdESSigner);
      FreeAndNil(X509KeyData);
    end;
  finally
    FreeAndNil(Refs);
  end;

  SaveXML(fileN);
end;


What am I doing wrong?
#14764
Posted: 10/22/2010 15:48:04
by Dmytro Bogatskyy (EldoS Corp.)

Could you please attach a signed document?
Quote
need set Reference URI to empty like this <Reference URI="">

Empty reference indicates that a document element is signed. What do you have in sNode?
It should be something like this:
Ref.URI := '';
Ref.URINode := FXMLDocument.DocumentElement;
#14765
Posted: 10/23/2010 01:17:23
by Popeye  (Basic support level)
Joined: 10/22/2010
Posts: 10

Thanks for the reply.

I changed
Quote
Ref.URINode := TElXMLDOMNode(sNode);

to
Quote
Ref.URINode := FXMLDocument.DocumentElement;


and now I can validate the signature.

Thanks for your help.
#17604
Posted: 09/21/2011 07:22:19
by Petar  (Basic support level)
Joined: 08/31/2011
Posts: 6

I’m having a similar problem. If Reference URI is set to anything other than an empty string, reference validation fails.

I’m not sure how to fix this.

Reference validation fails regardless of the method that is being used. I’ve tried ver.ValidateReferences() and each reference separately with ver.ValidateReference(ref);

This document is signed by Java, and reference validation fails.
Code
<Reference URI="http://www.w3.org/TR/xml-stylesheet">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>pABdjWJGeIB7U4NdYaZwMfhGCfQ=</DigestValue>
</Reference>


Signed by EldoS components (C#). This works!
Code
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>8oxo/189cfoGJV8k4Eux9/FXYiY=</ds:DigestValue>
</ds:Reference>


It’s signed with the same program as the document above. This does not work!
Code
<ds:Reference URI="http://www.w3.org/TR/xml-stylesheet">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>f5jBLeXKXlAC6jx1Teri4S6Mj0k=</ds:DigestValue>
</ds:Reference>


I’m doing something wrong, but what?
#17605
Posted: 09/21/2011 08:58:01
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

The ElXMLReference.URI property contains the URL of the referenced external data. If the data is external, then the application must set either the ElXMLReference.URIData or the ElXMLReference.DigestValue property. If ElXMLReference.URIData or ElXMLReference.URINode is set, the digest is calculated automatically; otherwise, it must be calculated manually.

In your case the document that is signed by Java references an external file located at http://www.w3.org/TR/xml-stylesheet.

When you use our components you should manually download the document by its URI, calculate its digest, and assign it to the ElXMLReference.DigestValue property.
#17607
Posted: 09/21/2011 10:11:57
by Dmytro Bogatskyy (EldoS Corp.)

Quote
When you use our components you should manually download the document by its URI calculate its digest and assign it to ElXMLReference.DigestValue property.

Yes, you may calculate a digest value by yourself, but it is better and simpler to set the URIData or URIStream property with the downloaded data.
Also, please check this:
https://www.eldos.com/forum/read.php?F...ssage17228
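The two points made in this thread, that an empty Reference URI means the document element is what gets digested (after the enveloped-signature transform removes the ds:Signature) and that an external URI contributes nothing until the verifier itself supplies the referenced bytes, shown in a small added Python example. This is not EldoS or SecureBlackbox code: the document, its Id value and the "stylesheet" bytes are constructed for the demo, and the stdlib C14N 2.0 canonicalizer stands in for the CanonicalizationMethod a real signature names (C14N 1.0 with comments in this thread), so the digests it produces are not interchangeable with those of the components. The demo reproduces the first poster's mismatch (digest computed over the sub-element sNode while the Reference says URI="") and Petar's external reference, with and without the data being supplied.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
SHA1 = DS + "sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGESTS = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}
SIG_TAG = "{%s}Signature" % DS
ET.register_namespace("ds", DS)


def c14n(node):
    """Canonical octets of a subtree. Stand-in: stdlib only offers C14N 2.0,
    a real verifier applies the algorithm named in ds:CanonicalizationMethod."""
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()


def strip_signatures(node):
    """The enveloped-signature transform: drop every ds:Signature under node."""
    for parent in list(node.iter()):
        for child in list(parent):
            if child.tag == SIG_TAG:
                parent.remove(child)
    return node


def find_by_id(root, ident):
    return next((e for e in root.iter() if e.get("Id") == ident), None)


def reference_data(root, uri, transforms, external=None):
    """Octets that a ds:Reference with this URI digests, after its transforms."""
    if uri == "":
        node = root                       # empty URI: the document element itself
    elif uri.startswith("#"):
        node = find_by_id(root, uri[1:])  # same-document reference by Id
        if node is None:
            raise ValueError("no element with Id=%r" % uri[1:])
    else:
        # External URI: nothing is fetched here. The caller hands over the bytes
        # (the URIData/DigestValue step from the thread), so the verifier, not
        # the signature, decides what gets retrieved.
        if not external or uri not in external:
            raise ValueError("data for external reference %s not supplied" % uri)
        return external[uri]
    node = copy.deepcopy(node)            # never mutate the document being verified
    if ENVELOPED in transforms:
        strip_signatures(node)
    return c14n(node)


def digest_b64(data, algorithm):
    return base64.b64encode(DIGESTS[algorithm](data).digest()).decode()


def make_reference(uri, algorithm, digest, transforms=()):
    ref = ET.Element("{%s}Reference" % DS, URI=uri)
    if transforms:
        ts = ET.SubElement(ref, "{%s}Transforms" % DS)
        for t in transforms:
            ET.SubElement(ts, "{%s}Transform" % DS, Algorithm=t)
    ET.SubElement(ref, "{%s}DigestMethod" % DS, Algorithm=algorithm)
    ET.SubElement(ref, "{%s}DigestValue" % DS).text = digest
    return ref


def validate_reference(root, ref, external=None):
    """Recompute one ds:Reference's digest and compare it with its DigestValue."""
    uri = ref.get("URI", "")
    transforms = [t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)]
    algorithm = ref.find("{%s}DigestMethod" % DS).get("Algorithm")
    expected = ref.find("{%s}DigestValue" % DS).text.strip()
    try:
        data = reference_data(root, uri, transforms, external)
    except ValueError:
        return False
    return digest_b64(data, algorithm) == expected


def demo():
    # Constructed document: a content node (the thread's sNode) plus the
    # ds:Signature that the enveloped-signature transform strips before digesting.
    root = ET.fromstring('<doc><ext:SignContent xmlns:ext="urn:ext" Id="id-1">'
                         'payload</ext:SignContent></doc>')
    signed_info = ET.SubElement(ET.SubElement(root, SIG_TAG), "{%s}SignedInfo" % DS)
    good = digest_b64(reference_data(root, "", [ENVELOPED]), SHA256)
    signed_info.append(make_reference("", SHA256, good, [ENVELOPED]))
    # The first poster's mistake: digest of sNode only, while URI="" claims the root.
    wrong = digest_b64(c14n(find_by_id(root, "id-1")), SHA256)
    # Petar's case: an external reference whose bytes the verifier must supply.
    ext_uri = "http://www.w3.org/TR/xml-stylesheet"
    stylesheet = b"<xsl:stylesheet/>"  # constructed stand-in for the fetched resource
    ext_ref = make_reference(ext_uri, SHA1, digest_b64(stylesheet, SHA1))
    return {
        "good": validate_reference(root, signed_info[0]),
        "wrong": validate_reference(root, make_reference("", SHA256, wrong, [ENVELOPED])),
        "ext_with_data": validate_reference(root, ext_ref, {ext_uri: stylesheet}),
        "ext_without_data": validate_reference(root, ext_ref),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-17s %s" % (name, "valid" if ok else "digest mismatch / no data"))
```

Running the file prints one line per case: the URI="" reference validates only when the digest covers the document element with the signature removed, and the external reference validates only when its bytes are handed to the verifier, which is exactly the URIData step the EldoS replies describe.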
#17631
Posted: 09/23/2011 04:40:12
by Petar  (Basic support level)
Joined: 08/31/2011
Posts: 6

Thank you for your help. Everything works now.

Code snippet, looping through references and setting data:
Code
r = verifier.References.get_Reference(i);
.
.
.
r.URIData = client.DownloadData(r.URI); //via WebClient