EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Signing binary files using TElMessageSigner

#18016
Posted: 10/28/2011 05:33:30
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello
I have a few questions regarding signing binary files with TElMessageSigner:

1) Is it possible to sign a document keeping the signature in one file, but later, if needed, to extract that signature? I can see that I can extract which certificate was used to sign a file, but I would need the signature itself (the file that I get when I sign a file detached) as well.

2) When I sign a document multiple times from different users (signing an already signed document), then I need to verify it twice before I can extract the content. Could it be done with just one verification? I need to see who signed the document, for example three persons with three different certificates, at once.

3) When a document is signed three times (the first user signs the document, the second signs the document already signed by the first user, and the third signs the document that is already signed by the first two users) and I want to remove one signature, will that document still be valid when I want to verify it? I see that it is possible in, for example, Word. I can sign an already signed Word document, and if I remove one signature from it, it does not invalidate the other signatures.

4) Can I sign with CAdES using TElMessageSigner? I saw in the forum that you were explaining to one user before how to sign with CAdES, but I don't see TSBCMSSigningOptions in the library any more. Has it changed meanwhile?

Thanks in advance.
#18017
Posted: 10/28/2011 07:12:57
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

First of all, it's better to use TElSignedCMSMessage for your task. See the
\EldoS\SecureBlackbox.NET\Samples\C#\PKIBlackbox\CMS sample for details.

Quote
1) Is it possible to sign a document keeping the signature in one file, but later, if needed, to extract that signature? I can see that I can extract which certificate was used to sign a file, but I would need the signature itself (the file that I get when I sign a file detached) as well.


Yes, you can do this by setting TElSignedCMSMessage.Detached to 'true' before saving the loaded CMS.

Quote
2) When I sign a document multiple times from different users (signing an already signed document), then I need to verify it twice before I can extract the content. Could it be done with just one verification? I need to see who signed the document, for example three persons with three different certificates, at once.


If you use TElSignedCMSMessage then you should call the Validate method for each signature from the TElSignedCMSMessage.Signatures list. But it will be a simple cycle, so it's nearly 'at once'.

Quote
3) When a document is signed three times (the first user signs the document, the second signs the document already signed by the first user, and the third signs the document that is already signed by the first two users) and I want to remove one signature, will that document still be valid when I want to verify it? I see that it is possible in, for example, Word. I can sign an already signed Word document, and if I remove one signature from it, it does not invalidate the other signatures.


It depends on what result you want to achieve involving three signatures. If these signatures are independent, then if you remove one signature the other signatures remain valid.

If you want to certify an existing document signature with two other signatures (this operation is done using the TElCMSSignature.AddCountersignature method), then you will be able to delete only these two countersignatures, but not the first one. If you delete the first one, the remaining two countersignatures will also be removed.

Quote
4) Can I sign with CAdES using TElMessageSigner? I saw in the forum that you were explaining to one user before how to sign with CAdES, but I don't see TSBCMSSigningOptions in the library any more. Has it changed meanwhile?


Yes, you can. TSBCMSSigningOptions is located in the SBCMS unit, which is a part of the PKIBlackbox package. In the 9th version of SecureBlackbox we've added the TElCAdESSignatureProcessor class for easier creation and validation of CAdES signatures.
#18061
Posted: 11/03/2011 06:47:22
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Thank you for the answer. Still, I'm not sure how to extract the signature itself. You said that if I set the Detached property to true, when I call the Save method of TElSignedCMSMessage, I'll get the signature. That's all OK when I have just one signature in my TElSignedCMSMessage. But what if I have more than one signature inside?
#18062
Posted: 11/03/2011 06:56:29
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
But what if I have more than one signature inside?

Then the output of the Save method will contain all these signatures. If you need only one of them, try to create a temporary copy of the TElSignedCMSMessage and remove those signatures you don't want to save using the RemoveSignature method.
#18063
Posted: 11/03/2011 07:10:20
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

OK. Would I be making a mistake if I do something like this:
Code
File.WriteAllBytes(fileName, signature.Content);


where signature is an instance of the TElCMSSignature class?
#18064
Posted: 11/03/2011 07:15:58
by Vsevolod Ievgiienko (EldoS Corp.)

This code will save signed data, but not the signature itself.
#18065
Posted: 11/03/2011 08:24:07
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

OK. What I also need is the certificate which was used to create the signature. I need to read the certificate's SubjectName and to save the certificate to a file in order to show it to the client. I saw that there is a Certificates (list of TElX509Certificate) property, but I don't see how they are related to the TElCMSSignature which I can get with the cmsMessage.get_Signatures(index) method. I know that there is a SigningCertificate property in TElCMSSignature, but this is not a TElX509Certificate...
#18066
Posted: 11/03/2011 08:42:12
by Vsevolod Ievgiienko (EldoS Corp.)

You can use the ElCMSSignature.CertificateValues property. It contains a list of signing certificates.
#18067
Posted: 11/03/2011 09:09:18
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

In my case ElCMSSignature.CertificateValues does not contain any certificate (the Count property is 0), although the CMS message is valid (I can validate it OK).
#18068
Posted: 11/03/2011 09:11:55
by Ken Ivanov (EldoS Corp.)

According to the PKCS#7 specification, all the certificates involved in signature creation and/or validation are placed not in this particular signature, but in the global CMS-wide certificate container (the same applies to CRLs). There are many reasons for this, but the main reason is that such an architecture allows extending the certificate collection after the signature has been created, e.g. with the missing certificates of the chain.

There is actually no guarantee that CertificateValues will contain the needed certificates, as its use is only involved in certain CAdES levels.
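The structural facts behind the answers in this thread (a detached output carries no content, one SignerInfo per signature, a countersignature nested inside the SignerInfo it certifies so that it disappears with it, and certificates kept in the CMS-wide container rather than per signature) can be checked against the RFC 5652 encoding. The following Python is an added example written for this page, not SecureBlackbox or EldoS code. It uses a minimal hand-rolled DER encoder and decoder, constructed placeholder certificate and signature bytes, and simplified SignerInfo fields (empty issuer Name, no signed attributes), so it models the container layout only and performs no cryptography.

```python
# Minimal DER encoder/decoder for the CMS SignedData layout (RFC 5652); certs and signatures are placeholders.
SEQ, SET, INT, OID_T, OCT, NULL, CTX0, CTX1 = 0x30, 0x31, 0x02, 0x06, 0x04, 0x05, 0xA0, 0xA1
ID_SIGNED_DATA, ID_DATA = "1.2.840.113549.1.7.2", "1.2.840.113549.1.7.1"
ID_COUNTERSIG = "1.2.840.113549.1.9.6"  # id-countersignature (an unsigned attribute)
SHA256, RSA_SHA256 = "2.16.840.1.101.3.4.2.1", "1.2.840.113549.1.1.11"

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n):
    return tlv(INT, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(OID_T, bytes(out))

def parse(buf, pos=0):  # -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = parse(body, pos)
        out.append((tag, inner))
    return out

def encode_signer_info(si):
    sid = tlv(SEQ, tlv(SEQ, b"") + der_int(si["serial"]))  # IssuerAndSerialNumber, issuer Name left empty
    body = (der_int(1) + sid + tlv(SEQ, der_oid(SHA256) + tlv(NULL, b""))
            + tlv(SEQ, der_oid(RSA_SHA256) + tlv(NULL, b"")) + tlv(OCT, si["signature"]))
    if si["countersignatures"]:  # a countersignature is a SignerInfo nested in this signer's unsignedAttrs
        attr = tlv(SEQ, der_oid(ID_COUNTERSIG) + tlv(SET, b"".join(
            encode_signer_info(c) for c in si["countersignatures"])))
        body += tlv(CTX1, attr)
    return tlv(SEQ, body)

def decode_signer_info(body):
    f = children(body)  # version, sid, digestAlg, sigAlg, signature, [unsignedAttrs]
    si = {"serial": int.from_bytes(children(f[1][1])[1][1], "big"), "signature": f[4][1], "countersignatures": []}
    for tag, attrs in f[5:]:
        for _, attr in (children(attrs) if tag == CTX1 else []):
            a = children(attr)
            if tlv(OID_T, a[0][1]) == der_oid(ID_COUNTERSIG):
                si["countersignatures"] = [decode_signer_info(b) for _, b in children(a[1][1])]
    return si

def encode_signed_data(msg):
    eci = der_oid(ID_DATA)
    if not msg["detached"]:
        eci += tlv(CTX0, tlv(OCT, msg["content"]))  # eContent is present only in the attached form
    body = der_int(1) + tlv(SET, tlv(SEQ, der_oid(SHA256) + tlv(NULL, b""))) + tlv(SEQ, eci)
    if msg["certificates"]:
        body += tlv(CTX0, b"".join(msg["certificates"]))  # the CMS-wide CertificateSet
    body += tlv(SET, b"".join(encode_signer_info(s) for s in msg["signers"]))
    return tlv(SEQ, der_oid(ID_SIGNED_DATA) + tlv(CTX0, tlv(SEQ, body)))

def decode_signed_data(der):
    ci = children(parse(der)[1])  # ContentInfo: contentType, [0] EXPLICIT SignedData
    assert tlv(OID_T, ci[0][1]) == der_oid(ID_SIGNED_DATA)
    sd = children(children(ci[1][1])[0][1])  # version, digestAlgs, encapContentInfo, [certs], signerInfos
    msg = {"content": None, "detached": True, "certificates": [], "signers": []}
    if len(eci := children(sd[2][1])) > 1:
        msg["detached"], msg["content"] = False, children(eci[1][1])[0][1]
    for tag, body in sd[3:]:
        if tag == CTX0:  # certificates sit beside the signatures, not inside any of them
            msg["certificates"] = [tlv(t, b) for t, b in children(body)]
        elif tag == SET:
            msg["signers"] = [decode_signer_info(b) for _, b in children(body)]
    return msg

def signer_serials(msg):  # top-level signers and their countersigners, in order
    return [n for s in msg["signers"] for n in [s["serial"]] + [c["serial"] for c in s["countersignatures"]]]

def demo():
    # Constructed sample: 1 signs the content, 2 countersigns 1's signature, 3 signs independently.
    msg = {"content": b"contract bytes", "detached": False,
           "certificates": [tlv(SEQ, b"placeholder-cert-%d" % n) for n in (1, 2, 3)],
           "signers": [{"serial": 1, "signature": b"sig1", "countersignatures":
                        [{"serial": 2, "signature": b"sig2-over-sig1", "countersignatures": []}]},
                       {"serial": 3, "signature": b"sig3", "countersignatures": []}]}
    back = decode_signed_data(encode_signed_data(msg))
    detached = decode_signed_data(encode_signed_data({**back, "detached": True}))
    # Removing signer 1's SignerInfo takes countersignature 2 with it; signer 3 is untouched.
    after = decode_signed_data(encode_signed_data({**back, "signers": [s for s in back["signers"] if s["serial"] != 1]}))
    return {"roundtrip_ok": back == msg, "cert_count": len(back["certificates"]),
            "detached_content": detached["content"], "serials": signer_serials(back),
            "serials_after_removing_1": signer_serials(after)}
```

Running `demo()` shows the three answers in one place: the detached re-encoding has no content, all three certificates are found in the [0] container at SignedData level while each decoded SignerInfo carries only its serial and signature, and dropping signer 1 removes countersigner 2 as well while leaving the independent signer 3 intact. A verifier that wants the signing certificate therefore looks it up in that container by the SignerInfo's issuer and serial, which is why a per-signature CertificateValues list may legitimately be empty.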