EldoS | Feel safer!

Software components for data protection, secure storage and transfer

difference in signatures eldos vs. official tool

Posted: 08/31/2011 04:54:12
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46


I have still a small problem with signatures created with eldos, as compared to those created with "official" tools from the italian government. It happens that a website where these signed documents have to be uploaded, a check is running which tells me the signature is not valid. I know for sure that the signature IS valid, I am sure that they only do check some stupid additional attribute and don't tell me which one it is.

Please have a look at the attached documents, the one marked "OK" is created with an official tool, the one marked "NOT OK" is created with Eldos.

Check also dhe "dok1.pdf" - I have put two screenshots of an online validator comparing both documents. It looks like the "OK" document has an internal timestamp, while the "NOT OK" (eldos) document is not showing such an internal timestamp (even tough I know I have the internal timestamp in there, but maybe it is a format issue?)

I create the signature as such:

aSignature->UsePSS = false;
aSignature->SigningOptions = (TSBCMSSigningOptions)0;

// add some options according to eldos forum, to have cades support
aSignature->SigningOptions <<
csoInsertMessageDigests << csoInsertSigningTime << csoInsertContentType <<
csoUseGeneralizedTimeFormat << csoIncludeCertToMessage << csoIncludeCertToAttributes <<
csoForceSigningCertificateV2Usage ;

// configure and sign signature
aSignature->SigningTime = UTCNow();
aSignature->DigestAlgorithm = mSignatureHashMethod;
aSignature->FingerprintAlgorithm = mSignatureHashMethod;
aSignature->Sign(mCertificate, aMemoryCertStorage.get());

Can you be so kind to see what I am missing? I checked both documents with various tools but cannot see the difference...

Thanks a lot,


[ Download ]
Posted: 08/31/2011 05:09:03
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Hi, I did a

openssl asn1parse -inform DER -i -in sigfile.p7m > sigfile.asn1

to verify the difference between both files, and the only thing I found was:

42365:d=6 hl=2 l= 24 cons: SEQUENCE
42367:d=7 hl=2 l= 9 prim: OBJECT :contentType
42378:d=7 hl=2 l= 11 cons: SET
42380:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
42391:d=6 hl=2 l= 28 cons: SEQUENCE
42393:d=7 hl=2 l= 9 prim: OBJECT :signingTime
42404:d=7 hl=2 l= 15 cons: SET
42406:d=8 hl=2 l= 13 prim: UTCTIME :110819103609Z

82466:d=6 hl=2 l= 24 cons: SEQUENCE
82468:d=7 hl=2 l= 9 prim: OBJECT :contentType
82479:d=7 hl=2 l= 11 cons: SET
82481:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
82492:d=6 hl=2 l= 30 cons: SEQUENCE
82494:d=7 hl=2 l= 9 prim: OBJECT :signingTime
82505:d=7 hl=2 l= 17 cons: SET
82507:d=8 hl=2 l= 15 prim: GENERALIZEDTIME :20110831094239Z

So it looks like in one case they expect a UTCTime, while Eldos is writing a GENERALIZEDTIME.
And "they" put a two-digit year while we use a four-digit year?

I will check what happens if I change my utcstring to a two-digit year.
What is the issue with "UTCTIME" and "GENERALIZEDTIME"? Can/should be intervened there?
Posted: 08/31/2011 05:25:52
by Christoph Moar (Standard support level)
Joined: 08/28/2009
Posts: 46

Ok, ignore that. I removed csoUseGeneralizedTimeFormat and now it must be identical. sorry for the noise.



Topic viewed 775 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!