EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Timestamps with PKCS1

#1886
Posted: 12/15/2006 14:15:10
by Sebastian Jaeschke (Priority Standard support level)
Joined: 12/15/2006
Posts: 11

Hello,

I wonder if it is possible (and how) to use the timestamping functionality (TSPClient/HTTPClient) with SignHashPKCS1 in SBPDFSecurity. I can only find it within SignHashPKCS7. Am I missing anything? Am I right that this is not implemented?

How can I make a timestamp within a PDF signed with a pstX509RSASHA1 signature?

Any help is welcome!

Many thanks in advance
Sebastian
#1887
Posted: 12/15/2006 14:34:40
by Eugene Mayevski (EldoS Corp.)

PKCS1 doesn't support timestamping. TSP is applicable only to PKCS7 packets.


Sincerely yours
Eugene Mayevski
#1888
Posted: 12/15/2006 14:49:06
by Sebastian Jaeschke (Priority Standard support level)
Joined: 12/15/2006
Posts: 11

[QUOTE]TSP is applicable only to PKCS7 packets[/QUOTE]

Hmm, so this means it is not possible to use timestamping with a SHA-1 RSA certificate?

Best Regards,
Sebastian
#1889
Posted: 12/15/2006 14:56:36
by Eugene Mayevski (EldoS Corp.)

PKCS#1 means signing with a plain RSA key. There are no certificates involved in the *signing* process (although one can use the keys associated *with* a certificate to perform signing). So there's no room for TSP there.


Sincerely yours
Eugene Mayevski
#1890
Posted: 12/16/2006 10:17:28
by Sebastian Jaeschke (Priority Standard support level)
Joined: 12/15/2006
Posts: 11

yep, ok.
My lack of knowledge is the obvious reason why I bought your wonderful software ;)

I will try to show what I do and what I want to do. Maybe this clears my intention why I ask.

Atm I rewrote your SBPDFSecurity within SignHashPKCS1 so that instead of using the SBRSA.Sign function here, I call my own implementation of signing the hash within a USB Token over my own CTAPI unit. Like SBRSA.Sign it takes the hash after the ASN.1 PKCS1Prefix.
Doing this I used pstX509RSASHA1 which produced an adbe.x509.rsa_sha1 object at the end in my PDF. Everything perfect so far.

So, but as I began in my thread, in the meantime I come up to the timestamping, which would be great for several reasons in my application.

As far as I get your answer and a short look into the RFCs, PKCS#7 is a completely different set of ASN.1 syntax, giving the ability to store more information than just the pure hash signing of PKCS#1 - right? (Don't hit me, I'm still learning...)

I tracked down the SBPDFSecurity to the SignHashPKCS7 function where the 'signing' seems to start. I'm lost while tracking TElMessageSigner.Sign in SBMessages and things like CalculateEstimatedSize. I fed my certificate chain into the FCertStorage and faked the first cert to have PrivateKeyExists true, as I did in SignHashPKCS1. But at least at the point where FillSigner(SgnData.Signers[.... is called I'm completely lost in understanding the code.

So, is there a way to do a PKCS#7 into a PDF the way I do it with PKCS#1? I mean, where could be the point where I can use the token signing functionality instead of signing it with the private key of a PKCS11 or Windows Certificate as it seems to be intended in TElMessageSigner.Sign? Is it possible to do all other things like CalculateEstimatedSize etc. without the private key (because one can't get it out of the keycard)?

I would be really pleased if you could point me to some lines of your code that must be altered to achieve this, if possible at all with PKCS#7 and a token. Doing this with PKCS#1 was much easier.

Ok, long post, no knowledge ;)
Many thanks in advance for your support!

Sebastian
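
The PKCS#1 signing step discussed in this thread (ASN.1 prefix plus SHA-1 hash, handed to an external signer), as an added example that is not part of any post and is not SecureBlackbox code. `token_sign` is a hypothetical stand-in for the card callback and the key is a constructed, insecure demo key; `timestamp_imprint` shows what an RFC 3161 signature timestamp hashes, which only a PKCS#7 SignerInfo has a place to store.

```python
import hashlib

# DER header of a SHA-1 DigestInfo (RFC 8017, section 9.2): the "PKCS1 prefix".
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed demo key built from two Mersenne primes. NOT secure; it only
# stands in for the private key that never leaves the card.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes

def digest_info(data: bytes) -> bytes:
    """Prefix + SHA-1 hash: the 35 bytes handed to the signer."""
    return SHA1_PREFIX + hashlib.sha1(data).digest()

def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EM = 00 01 FF..FF 00 || DigestInfo, exactly k bytes long."""
    if k < len(t) + 11:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def token_sign(t: bytes) -> bytes:
    """Hypothetical card callback (assumption: the card pads and signs)."""
    em = int.from_bytes(emsa_pkcs1_v15(t, K), "big")
    return pow(em, D, N).to_bytes(K, "big")

def sign_pkcs1(data: bytes, signer=token_sign) -> bytes:
    """The whole PKCS#1 signature is the signer's output: no attributes."""
    return signer(digest_info(data))

def verify_pkcs1(data: bytes, sig: bytes) -> bool:
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    # Compare against a freshly encoded block instead of parsing the padding.
    return em == emsa_pkcs1_v15(digest_info(data), K)

def timestamp_imprint(sig: bytes) -> bytes:
    """Hash of the signature value, which an RFC 3161 signature timestamp
    covers; the returned token is stored as an unsigned attribute of a
    CMS/PKCS#7 SignerInfo, a structure the bare RSA block does not have."""
    return hashlib.sha1(sig).digest()

if __name__ == "__main__":
    sig = sign_pkcs1(b"constructed sample document bytes")
    print(len(sig), verify_pkcs1(b"constructed sample document bytes", sig))
```
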
#1891
Posted: 12/17/2006 08:47:55
by Sebastian Jaeschke (Priority Standard support level)
Joined: 12/15/2006
Posts: 11

Ok then,

I found out what was needed. I added some overload functions to SBMessages (EncryptRSA, FillSigner, etc.) and changed TElMessageSigner.Sign accordingly and now I manage to include PKCS#7 Signature into the PDFs, signed with the USB token.

Thanks again for your support!
Best Regards,
Sebastian
#1892
Posted: 12/17/2006 10:17:32
by Eugene Mayevski (EldoS Corp.)

Why would you need to do this? PKCS#7 signatures work perfectly with USB tokens and cryptocards since SecureBlackbox 4.3 if memory serves.


Sincerely yours
Eugene Mayevski
#1893
Posted: 12/17/2006 13:41:38
by Sebastian Jaeschke (Priority Standard support level)
Joined: 12/15/2006
Posts: 11

Hmm, long time that I checked your PKI/PKCS11 samples, but as far as I remember, one needs a pkcs11 API dll for using your codes.
Our application is intended for DIN V 66291-1 which is the base for signing according to the German (and European) law. All based on ISO/IEC 7816. None of the card application vendors that are accepted here for such provides PKCS#11 APIs. The easiest solution was taking this DIN and ISO norm to write our own wrapper. Doing this, we can support the different card vendors in Europe. Each of them has a different card OS and the resulting paths etc. on the card are at least slightly different. So, having the ability to modify APDUs etc. was mandatory for us (e.g. supporting secure messaging).

Let me know if I missed something regarding this and SecureBlackbox. Maybe I could have saved a lot of work here if I had RTFM ;)

Best Regards,
Sebastian
#1894
Posted: 12/17/2006 13:51:24
by Eugene Mayevski (EldoS Corp.)

You can use the smart card either by using the PKCS#11 interface or via CryptoAPI. Don't those vendors provide CryptoAPI CSPs? If they do, then you don't need to do anything at all.
But if you do ...

One way for you would be to create your own PKCS#11 layer.

With SecureBlackbox 5 and its cryptoproviders it will be possible to introduce your own cryptoproviders, thus avoiding the need to write a full-featured PKCS#11 provider. As of the 5.0 release you can only create a cryptoprovider, but there's no interface to tell the components to use the specific provider. We will add such an interface to SBB 5.1.


Sincerely yours
Eugene Mayevski
#1895
Posted: 12/17/2006 14:07:45
by Eugene Mayevski (EldoS Corp.)

And still, I don't understand what the difference between PKCS#1 and PKCS#7 is in your case. Is it only the number of changes to make to the source code?


Sincerely yours
Eugene Mayevski