XMLDSig detached validation

#17192
Posted: 08/03/2011 04:59:03
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Hello,
Is there any sample of how to validate an XML document with a detached signature? Thank you.
#17193
Posted: 08/03/2011 05:16:21
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

We have a sample that is located in the \EldoS\SecureBlackbox.NET\Samples\C#\XMLBlackbox\Signer folder. It allows you to create and validate detached XML signatures.
#17194
Posted: 08/03/2011 05:20:15
by Eugene Mayevski (EldoS Corp.)

A detached signature should have external references to the data being signed. So you use the Load method of TElXMLVerifier to load the signature block and then use the TElXMLVerifier.ValidateSignature method. The detailed procedure is described in the corresponding how-to article in the help file.


Sincerely yours
Eugene Mayevski
#17220
Posted: 08/08/2011 02:13:48
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Ok, but how can I make external references? For example, I have an XML document stored in a database and I need to create a detached signature of it, which I put into the database. For validation I find these two documents and save them into a stream; how do I validate? Can I create a reference like "input.xml#id-123456"? And to validate, do I save them to disk, for example as input.xml and sign.xml, load sign.xml using a FileStream and then validate?

And how do I create a signature with separate references when I need to sign only specific parts of the document, while the original document must be preserved so that it can be validated? In the attached XML document I need to create a detached signature of the parts of the document that satisfy the following XPath expressions:
Code
/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=03086]
/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=01154]

The klic_nclp attribute is not unique across the entire document, only within the part of the document at XPath /dasta/is/ip[@id_pac='8408130000']/v

Is there an example available of how to sign, for example, a JPG image using a detached signature and validate it?

Thank you for your reply
Karel Benák
#17221
Posted: 08/08/2011 02:27:39
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

You forgot to attach the document.
#17222
Posted: 08/08/2011 02:46:08
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Sorry
Code
<?xml version="1.0" encoding="windows-1250"?>
<!DOCTYPE dasta SYSTEM "ds031501.dtd">
<dasta id_soubor="DASTA111" verze_ds="03.15.01" verze_nclp="02.32.01" bin_priloha="T" ur="S" typ_odesm="LL" ozn_soub="NALEZ" potvrzeni="N" dat_vb="2011-05-25T13:16:20">
  <zdroj_is kod_firmy="CGM_____" kod_prog="Analytix" verze_prog="5.2" />
  <pm sr_kod="A84271060">
    <as typ="I">
      <vnitrni>6571</vnitrni>
    </as>
    <a typ="P">
      <jmeno>NsP Ke&#382;marok</jmeno>
      <adr>Huncovsk&#225; 42</adr>
      <dop1>PETER B&#193;RTA</dop1>
      <psc>53401</psc>
      <mesto>Holice</mesto>
    </a>
  </pm>
  <is>
    <as typ="I">
      <vnitrni>Beny medical a.s.</vnitrni>
    </as>
    <a typ="O">
      <jmeno>Elce pelce do pekelce</jmeno>
      <adr>Hviezdoslavova 37/46</adr>
      <psc>09101</psc>
      <mesto>Pa&#345;&#225;tkov</mesto>
    </a>
    <ip id_pac="8408130000">
      <rodcis>755820782</rodcis>
      <jmeno>Kl&#225;ra</jmeno>
      <prijmeni>Tren&#269;ianska</prijmeni>
      <dat_dn format="D">1975-08-20</dat_dn>
      <sex>F</sex>
      <dg>
        <dgz typ_dg="P" ind_oprav_sd="N">
          <diag poradi="1">I259</diag>
        </dgz>
      </dg>
      <v test_f="0" test_n="0" dat_vb="2011-05-25T13:16:20">
        <vr typ_cispol="N" klic_nclp="03086" typpol_fh="4" stav_vys="A" urg_info="N" urg_zprac="R" typ_sdel_vys="N" ind_oprav_sd="N">
          <dat_du format="DTS" typ="I">2011-05-25T09:51:00</dat_du>
          <nazev_lclp>S-Calcium</nazev_lclp>
          <vrn priznak_kvant="R">
            <prepocet hodnota_lok="3,00" jednotka_lclp="mmol/l" prepfak="1" typpol_fh_lclp="0" />
            <hodnota>3,00</hodnota>
            <jednotka>mmol/l              </jednotka>
            <skala typ="L">
              <s1>1,10</s1>
              <s2>1,20</s2>
              <s3>1,30</s3>
              <s4>2,10</s4>
              <s5>2,42</s5>
              <s6>2,90</s6>
              <s7>3,10</s7>
              <s8>4,00</s8>
            </skala>
          </vrn>
        </vr>
        <vr typ_cispol="N" klic_nclp="03078" typpol_fh="4" stav_vys="A" urg_info="N" urg_zprac="R" typ_sdel_vys="N" ind_oprav_sd="N">
          <dat_du format="DTS" typ="I">2011-05-25T09:51:00</dat_du>
          <nazev_lclp>S-Calcium</nazev_lclp>
          <vrn priznak_kvant="R">
            <prepocet hodnota_lok="3,00" jednotka_lclp="mmol/l" prepfak="1" typpol_fh_lclp="0" />
            <hodnota>3,00</hodnota>
            <jednotka>mmol/l              </jednotka>
            <skala typ="L">
              <s1>1,10</s1>
              <s2>1,20</s2>
              <s3>1,30</s3>
              <s4>2,10</s4>
              <s5>2,42</s5>
              <s6>2,90</s6>
              <s7>3,10</s7>
              <s8>4,00</s8>
            </skala>
          </vrn>
        </vr>
        <vr typ_cispol="N" klic_nclp="01154" typpol_fh="4" stav_vys="A" urg_info="N" urg_zprac="R" typ_sdel_vys="N" ind_oprav_sd="N">
          <dat_du format="DTS" typ="I">2011-05-25T09:51:00</dat_du>
          <nazev_lclp>S-Calcium</nazev_lclp>
          <vrn priznak_kvant="R">
            <prepocet hodnota_lok="3,00" jednotka_lclp="mmol/l" prepfak="1" typpol_fh_lclp="0" />
            <hodnota>3,00</hodnota>
            <jednotka>mmol/l              </jednotka>
            <skala typ="L">
              <s1>1,10</s1>
              <s2>1,20</s2>
              <s3>1,30</s3>
              <s4>2,10</s4>
              <s5>2,42</s5>
              <s6>2,90</s6>
              <s7>3,10</s7>
              <s8>4,00</s8>
            </skala>
          </vrn>
        </vr>
      </v>
    </ip>
  </is>
</dasta>
#17228
Posted: 08/08/2011 12:59:46
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Ok, but how can I make external references?

You can create external references in the same way as internal references. What you sign is controlled by the ElXMLReference.URI* properties:
1. The URINode property is used to specify a node in a document (it can be in a different document, not the one where the signature is placed)
2. The URIData property is used to specify binary data
3. The URIStream, URIStreamOffset and URIStreamCount properties are used to specify a stream (if URIStreamCount is 0 then Stream.Size is used)
4. The URINodes property is used to specify a set of nodes (for example the result of the ElXMLDOMNode.SelectNodes method)
Quote
For example, I have an XML document stored in a database and I need to create a detached signature of it, which I put into the database. For validation I find these two documents and save them into a stream; how do I validate? Can I create a reference like "input.xml#id-123456"? And to validate, do I save them to disk, for example as input.xml and sign.xml, load sign.xml using a FileStream and then validate?

You don't need to save them to disk; everything can be done in memory. You would need two instances of ElXMLDOMDocument into which you load those XML documents. For example:
Code
// Both documents stay in memory; nothing has to be written to disk
TElXMLDOMDocument InputDoc, SignatureDoc;
// ... load the signed data into InputDoc and the detached signature into SignatureDoc ...
TElXMLVerifier Verifier = new TElXMLVerifier();
Verifier.Load(SignatureDoc.DocumentElement);
for (int i = 0; i < Verifier.References.Count; i++)
{
    TElXMLReference Ref = Verifier.References.get_Reference(i);
    if (Ref.URI == "input.xml#id-123456") // or parse an application-specific URI
    {
        // point the external reference at the node it covers in the data document
        string s = "id-123456";
        Ref.URINode = SBXMLUtils.Unit.FindElementById(InputDoc.DocumentElement, s);
    }
}

// Then call ValidateSignature, ValidateReferences and validate the signer certificate

Quote
And how do I create a signature with separate references when I need to sign only specific parts of the document, while the original document must be preserved so that it can be validated? In the attached XML document I need to create a detached signature of the parts of the document that satisfy the following XPath expressions:
Code
/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=03086]
/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=01154]

The klic_nclp attribute is not unique across the entire document, only within the part of the document at XPath /dasta/is/ip[@id_pac='8408130000']/v

Should the signature contain two separate references or one (combined result)? In the first case you can use the SelectNodes method to select the nodes, for example:
Code
// InputDocument is the TElXMLDOMDocument being signed; Signer is the TElXMLSigner that produces the detached signature
TElXMLReference Ref = new TElXMLReference();
Ref.URI = "/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=03086]";
Ref.URINodes = InputDocument.SelectNodes(Ref.URI); // node set covered by this reference
Signer.References.Add(Ref);

Ref = new TElXMLReference();
Ref.URI = "/dasta/is/ip[@id_pac='8408130000']/v/vr[@klic_nclp=01154]";
Ref.URINodes = InputDocument.SelectNodes(Ref.URI);
Signer.References.Add(Ref);


Quote
Is there an example available on how to sign using the detached signature and validate for example JPG image?

Not at the moment. You need to set the ElXMLReference.URIData or URIStream properties to reference an image.
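As an added example (not SecureBlackbox code and not from this thread), this Python 3.8+ script models the flow described in the answer above: the signer resolves each reference URI to a node set and records its digest, and the verifier re-resolves the same URIs against the in-memory data document and checks every digest, failing closed on any unresolved or mismatching reference. The names select_nodes, build_references and validate_references and the small DASTA-like document are constructed for the example; it uses ElementTree's limited XPath, so the attribute predicates are quoted rather than numeric as in the thread.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-in for the data document held in the database (not the thread's file).
INPUT_XML = (b'<dasta><is><ip id_pac="8408130000" id="id-123456"><v>'
             b'<vr klic_nclp="03086"><hodnota>3,00</hodnota></vr>'
             b'<vr klic_nclp="01154"><hodnota>1,20</hodnota></vr></v></ip></is></dasta>')

def select_nodes(root, uri):
    """'doc.xml#id' -> the element with that id (URINode case); an absolute path under
    the root element -> ElementTree XPath, possibly several nodes (URINodes case)."""
    if "#" in uri:
        frag = uri.split("#", 1)[1]
        return [el for el in root.iter() if el.get("id") == frag]
    if uri.startswith("/" + root.tag + "/"):
        return root.findall("./" + uri[len(root.tag) + 2:])
    raise ValueError(f"unsupported reference URI: {uri!r}")

def digest_nodes(nodes):
    """Base64 SHA-256 over the C14N serialisation of the selected node set."""
    canon = "".join(ET.canonicalize(ET.tostring(n, encoding="unicode")) for n in nodes)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def build_references(document_xml, uris):
    """Signer side: one ds:Reference per URI carrying the digest of the resolved nodes."""
    root, info = ET.fromstring(document_xml), ET.Element(DS + "SignedInfo")
    for uri in uris:
        ref = ET.SubElement(info, DS + "Reference", URI=uri)
        ET.SubElement(ref, DS + "DigestValue").text = digest_nodes(select_nodes(root, uri))
    return ET.tostring(info)

def validate_references(signed_info_xml, document_xml):
    """Verifier side: every reference must resolve and its digest must match (fail closed)."""
    root = ET.fromstring(document_xml)
    refs = ET.fromstring(signed_info_xml).findall(DS + "Reference")
    if not refs:
        return False
    for ref in refs:
        try:
            nodes = select_nodes(root, ref.get("URI", ""))
        except ValueError:
            return False
        if not nodes or digest_nodes(nodes) != ref.findtext(DS + "DigestValue"):
            return False
    return True
```

The SignedInfo produced here still has to be signed and the signer certificate validated separately, which is the ValidateSignature step the thread mentions; this block covers only the reference-resolution and digest check.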
#17255
Posted: 08/10/2011 13:45:51
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Is it possible to create detached signatures from two different signers in a single XML file?
#17256
Posted: 08/10/2011 13:53:53
by Dmytro Bogatskyy (EldoS Corp.)

A detached XML signature usually means an XML document with the Signature element as the document (root) element.
The XML format doesn't allow two root elements in a document.
But you are free to create a document like:
Code
<Signatures xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature>..</ds:Signature>
  <ds:Signature>..</ds:Signature>
  ...
</Signatures>