EldoS | Feel safer!

How to create XAdES from XML-DSig

#17334
Posted: 08/19/2011 03:17:05
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Hello,
I have an XML document with an XML-DSig signature and I need to archive this document. My partner sends me a signed XML document without a XAdES profile and I need to create a XAdES profile for their signature, add a time stamp, add CA certificates, CRLs, etc. Is this possible? And if so, how?
#17335
Posted: 08/19/2011 05:56:27
by Dmytro Bogatskyy (EldoS Corp.)

After a document is signed, you can use ElXMLVerifier together with ElXAdESVerifier to extend an existing XAdES signature.
For example:
Code
  TElXMLVerifier Verifier = new TElXMLVerifier();
  TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
  try
  {
    // attach the XAdES processor so the verifier exposes the XAdES properties
    Verifier.XAdESProcessor = XAdESVerifier;
    Verifier.Load(SignatureElement);

    // before extending a signature we should validate it
    if (!Verifier.ValidateSignature())
      throw new Exception("Signature validation failed");
    if (!Verifier.ValidateReferences())
      throw new Exception("Reference validation failed");

    // extend a signature using one of the XAdESVerifier.Add* methods,
    // for example:
    XAdESVerifier.AddValidationDataRefs();
    XAdESVerifier.AddSigAndRefsTimestamp(TSPClient);
    // ...
  }
  finally
  {
    XAdESVerifier.Dispose();
    Verifier.Dispose();
  }


However, it would not work for a signed XML document without XAdES info. I will check for a possibility to overcome this.
At the moment you can add empty XAdES info manually. To do this, you need to add the following element under the Signature element (Target and Namespace could be different):
Code
<ds:Object><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature-2140360592"></xades:QualifyingProperties></ds:Object>
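The manual preparation step from the post above, as an added example that is not EldoS or SecureBlackbox code: it locates the ds:Signature in a signed document, refuses to proceed when the signature has no Id (the Target attribute must reference that Id), splices in an empty xades:QualifyingProperties container without re-serializing the rest of the document, and then runs the pre-flight check a verifier would make. The sample document, its signature values and the helper names are constructed for illustration; the XAdES namespace URI is the one shown in the post.

```python
import re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# Constructed sample (not a real signature): an enveloped XML-DSig signature
# with no XAdES data, as the original poster describes receiving.
SAMPLE_XML = """<invoice>
  <amount>100</amount>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</invoice>
"""

# Start/end tags of the Signature element; the prefix may differ per document.
_SIG_OPEN = re.compile(r"<(?:([\w.-]+):)?Signature\b")
_SIG_CLOSE = re.compile(r"</(?:[\w.-]+:)?Signature\s*>")


def signature_state(xml_text):
    """Read-only inspection: (signature Id, Target of an existing QualifyingProperties or None)."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{{{DS}}}Signature")
    if sig is None:
        raise ValueError("no ds:Signature element found")
    qp = sig.find(f"{{{DS}}}Object/{{{XADES}}}QualifyingProperties")
    return sig.get("Id"), (qp.get("Target") if qp is not None else None)


def add_empty_qualifying_properties(xml_text):
    """Splice an empty QualifyingProperties into the signature as text.

    The document is never re-serialized, so every byte outside the inserted
    fragment (including the signed content) stays exactly as received.
    """
    sig_id, target = signature_state(xml_text)
    if target is not None:
        return xml_text  # container already present; nothing to do
    if not sig_id:
        # Target must reference the signature by Id; refuse rather than guess one.
        raise ValueError("ds:Signature has no Id attribute for Target to reference")
    prefix = _SIG_OPEN.search(xml_text).group(1)
    p = f"{prefix}:" if prefix else ""
    # Same shape as the fragment in the post; the xades namespace is declared
    # locally so no other element's start tag changes.
    fragment = (f'<{p}Object><xades:QualifyingProperties xmlns:xades="{XADES}" '
                f'Target="#{sig_id}"></xades:QualifyingProperties></{p}Object>')
    closes = list(_SIG_CLOSE.finditer(xml_text))
    if not closes:
        raise ValueError("closing Signature tag not found")
    pos = closes[-1].start()
    return xml_text[:pos] + fragment + xml_text[pos:]


def qualifying_properties_ok(xml_text):
    """Pre-flight check: container present and its Target points at the signature Id."""
    sig_id, target = signature_state(xml_text)
    return bool(sig_id) and target == f"#{sig_id}"


if __name__ == "__main__":
    prepared = add_empty_qualifying_properties(SAMPLE_XML)
    print(qualifying_properties_ok(prepared))
```

The splice goes inside ds:Signature but outside ds:SignedInfo, so the existing references (here an enveloped-signature reference over the document) do not cover it and the received signature still validates afterwards. That is also why this trick only works for unsigned properties: signed properties such as SigningCertificate must be covered by a ds:Reference, which means they have to be present when the signature is created, as a later post in this thread notes.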
#17538
Posted: 09/19/2011 05:02:30
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Thank you for your reply.
Which XAdES profile may I create from an XMLDSig document? BES, EPES or T? If I correctly understand the XAdES standard, a XAdES-T document should be extended to XAdES-C during its validation, because a valid, current CRL is available.
#17549
Posted: 09/19/2011 07:32:39
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9

Hello,
thank you for the good example.
I have a similar case: I have a d-sig signed XML document and I want to apply XAdES timestamping.
Currently, in the XML document there is a <xades:QualifyingProperties> element, as you have mentioned above. The timestamping is applied correctly.

However, I'd also like to add a <xades:SigningCertificate> element in the <xades:QualifyingProperties> one, which is actually referencing the certificate of the time-stamping authority.

I cannot set the signing certificate, because the SigningCertificates property of the TElXAdESVerifier instance is read-only. How can I achieve this?

Can you please help me finish my process?

Thanks in advance,
Velin
#17551
Posted: 09/19/2011 07:44:24
by Velin Achev (Standard support level)
Joined: 09/19/2011
Posts: 9

Hello again,

Please ignore my previous question about the <xades:SigningCertificate>, as I realized that this should be done at a previous stage of the signing process.

Thanks again for the help.

Happy coding
#17562
Posted: 09/19/2011 09:56:10
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Which XAdES profile may I create from an XMLDSig document? BES, EPES or T?

Either one.
Also, you can create the XAdES-C, XAdES-X and XAdES-X-L forms with a signer.
Please see (for the XAdES-C form):
Quote

NOTE 3: The signer or the TSP MAY provide the XAdES-C to minimize this risk and when the signer does not provide the XAdES-C, the verifier SHOULD create the XAdES-C when the required components of revocation and validation data become available. This MAY require a grace period.

From 4.4.3.2 page 20:
http://www.etsi.org/deliver/etsi_ts/1...10402p.pdf

For example:
Code
ElXAdESSigner.XAdESForm = XAdES_C;
ElXAdESSigner.GracePeriod = 10; // in seconds
// ...


It doesn't make much sense to create the XAdES-A form instantly (but it is possible with ElXAdESSigner); for example, it should be created after a few days.

Quote
If I correctly understand the XAdES standard, a XAdES-T document should be extended to XAdES-C during its validation, because a valid, current CRL is available.

Not necessarily. That depends on the requirements.
#17567
Posted: 09/19/2011 14:44:11
by Karel Benák (Standard support level)
Joined: 03/16/2011
Posts: 12

Thank you for your reply.
In my opinion, XAdES-BES or XAdES-EPES could be a good choice. Does an example in your distribution package extend a XAdES-BES document to a XAdES-T or XAdES-C document? Could you please attach examples and demonstrations of various signed documents and of the various options? For example, a document signed by two persons, intended for long-term archiving. With PDF this is clear due to the principle of revisions, but for XML I can't find appropriate examples.
#17573
Posted: 09/20/2011 08:05:29
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Does an example in your distribution package extend a XAdES-BES document to a XAdES-T or XAdES-C document?

At the moment, there is no such sample that shows how to extend the XAdES form of an existing signature. It will be included with the next build.
Quote
Could you please attach examples and demonstrations of various signed documents and of the various options?

I have attached an archive with several XML documents with signatures in different XAdES forms.


[ Download ]
#21191
Posted: 08/27/2012 01:21:53
by janjoris van der Lei (Priority Standard support level)
Joined: 08/16/2012
Posts: 14

Quote
Dmytro Bogatskyy wrote:
After a document is signed, you can use ElXMLVerifier together with ElXAdESVerifier to extend an existing XAdES signature.
For example:
Code
  TElXMLVerifier Verifier = new TElXMLVerifier();
  TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
  try
  {
    // attach the XAdES processor so the verifier exposes the XAdES properties
    Verifier.XAdESProcessor = XAdESVerifier;
    Verifier.Load(SignatureElement);

    // before extending a signature we should validate it
    if (!Verifier.ValidateSignature())
      throw new Exception("Signature validation failed");
    if (!Verifier.ValidateReferences())
      throw new Exception("Reference validation failed");

    // extend a signature using one of the XAdESVerifier.Add* methods,
    // for example:
    XAdESVerifier.AddValidationDataRefs();
    XAdESVerifier.AddSigAndRefsTimestamp(TSPClient);
    // ...
  }
  finally
  {
    XAdESVerifier.Dispose();
    Verifier.Dispose();
  }


However, it would not work for a signed XML document without XAdES info. I will check for a possibility to overcome this.
At the moment you can add empty XAdES info manually. To do this, you need to add the following element under the Signature element (Target and Namespace could be different):
Code
<ds:Object><xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature-2140360592"></xades:QualifyingProperties></ds:Object>



I tried this but I keep getting: "QualifyingProperties object not found (or signature is not calculated)." When I save the XML that I have, I can see the signature and the <ds:Object><xades:QualifyingProperties> tags. Any ideas on what I'm doing wrong?
#21198
Posted: 08/27/2012 06:37:16
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Any ideas on what I'm doing wrong?

This question was answered here: https://www.eldos.com/forum/read.php?FID=7&TID=3673