EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Creating a signed xml

Posted: 10/17/2012 09:23:21
by Chris Sennrich (Standard support level)
Joined: 10/17/2012
Posts: 12

We downloaded SecureBlackBox (.NET) and are trying to create a signed XML document.
As we have to replace an existing application the resulting xml has to look the same as before.

At the moment (the old way) we are creating an empty SignedXml (System.Security.Cryptography.XML..) and adding the signature, references and objects (such as the original XML content) ourselves.

I've managed to create a new TElXMLDOMDocument, adding some TElXMLReferences and TElXMLObjects (which can be XML, a Base64-Encoded PDF or similar).

Now I have some problems:
1. The TElXMLDOMDocument can't be empty (an error is thrown when calling Signer.Save())
2. The added TElXMLObjects are not present in the signed xml
3. There is no DigestValue in the references

I'm sure I'm doing something wrong so maybe you can provide a short how-to?

Thanks for your help!
Posted: 10/17/2012 09:25:51
by Eugene Mayevski (Team)

You seem to be trying to mimic the old application (manual addition of elements) with SecureBlackbox, which is not the way SecureBlackbox was designed to be used.

The how-to is simple: load the document and sign it with help of SecureBlackbox. After signing you can alter the resulting XML DOM as you need. The detailed how-to is present in the help file that you have on your computer and in sample projects which you also have on your computer.

Sincerely yours
Eugene Mayevski
Posted: 10/18/2012 00:21:25
by Vsevolod Ievgiienko (Team)

What does the signed xml mean and how to use it?

Thank you for contacting us.

Please refer to this page and its references: http://eldos.com/sbb/desc-xml.php
Posted: 10/22/2012 07:31:04
by Chris Sennrich (Standard support level)
Joined: 10/17/2012
Posts: 12

Thanks for the reply.

We now managed to create a signed xml document which looks almost the same as the existing one. The error we made first was using xstEnveloped instead of xstEnveloping as the SignatureType.

The next problem we have is with multithreading. Because we have to sign thousands of documents in a very short time, we need to start multiple threads which are signing the xmls.

We simply tried to create several threads in our code, but when we try to open the TElPKCS11CertStorage (HSM) a second time our program crashes immediately with no error message.
We then tried to open the TElPKCS11CertStorage and read the certificate only once and reuse the same one in every thread. But this way we get the following error when calling Signer.Save(ref SigNode):

SBPKCS11Base.EElPKCS11Error: PKCS#11 error #-2147482750 in function C_SignInit

Do you have any examples which show how to use XMLBlackbox with multiple threads? Especially, we would be interested in which objects we should create per thread and which objects we should create only once and then reuse.
Posted: 10/22/2012 08:09:10
by Ken Ivanov (Team)

The problem of accessing hardware security modules from multiple threads is fairly common. While it can be solved in some way with some particular token types, the others simply do not support parallel access from different threads and thus cannot be used in such environments.

First, please try to create an individual TElPKCS11CertStorage instance per thread, yet assign every instance with a separate TElPKCS11CryptoProvider object before opening it:

// One storage per thread, each with its own PKCS#11 crypto provider,
// assigned before the storage is opened
storage = new TElPKCS11CertStorage();
storage.CryptoProvider = new TElPKCS11CryptoProvider();
storage.DLLName = ...;   // path to the vendor's PKCS#11 library

Remember to dispose of the cryptoprovider object explicitly when disposing of the storage.

If this doesn't help, please additionally set the ThreadSafe option for the PKCS#11 cryptoprovider objects being created:

((TElPKCS11CryptoProviderOptions)(((TElPKCS11CryptoProvider)storage.CryptoProvider).Options)).ThreadSafe = true;
Posted: 10/22/2012 08:39:13
by Chris Sennrich (Standard support level)
Joined: 10/17/2012
Posts: 12

I'm a step further now as opening the storage works! But I get an "index was outside the bounds of the array" exception now when I try to open the session.

*Edit*: It only worked two or three times. Now the program crashes again...

Here's our code:

// Per-thread storage with its own crypto provider; ThreadSafe is set
// before DLLName loads the PKCS#11 library
sbbStorage = new TElPKCS11CertStorage();
sbbStorage.CryptoProvider = new TElPKCS11CryptoProvider();
((TElPKCS11CryptoProviderOptions)(((TElPKCS11CryptoProvider)sbbStorage.CryptoProvider).Options)).ThreadSafe = true;
sbbStorage.DLLName = "XXX.dll";

// Open a read-only session on slot 3 and log in as the token user
TElPKCS11SessionInfo session = sbbStorage.OpenSession(3, true);
session.Login((int)SBPKCS11Base.Unit.utUser, "XXXX");

// then getting the certificate

We close the storage (and now dispose of the crypto provider) once all documents are signed.
Posted: 10/22/2012 10:57:02
by Ken Ivanov (Team)

Thank you for checking. There is another option we can try. Please revert back to the second approach you used (sharing the session and the certificate object among all signer threads), but please set the main cryptoprovider's ThreadSafe property to true before creating a storage object:

((TElPKCS11CryptoProviderOptions)(SBCryptoProvPKCS11.Unit.PKCS11CryptoProvider().Options)).ThreadSafe = true;
Posted: 10/23/2012 01:50:11
by Chris Sennrich (Standard support level)
Joined: 10/17/2012
Posts: 12

Ok, I think I found a way that works. I'm using a static class which is shared by all threads now, and with the ThreadSafe option (but only on the crypto provider) I'm able to start several threads.

Here's the code:

sbbStorage = new TElPKCS11CertStorage();
sbbStorage.CryptoProvider = new TElPKCS11CryptoProvider();
((TElPKCS11CryptoProviderOptions)(((TElPKCS11CryptoProvider)sbbStorage.CryptoProvider).Options)).ThreadSafe = true;
sbbStorage.DLLName = "XXX.dll";

The only error I get now (but only sometimes) is a "System.ArgumentOutOfRangeException" when loading the document:

MemoryStream docdocStream = new MemoryStream(Encoding.UTF8.GetBytes(xmldoc.OuterXml));
sbbDoc.LoadFromStream(docdocStream, "UTF-8", true);

Our Sign method is static and shared as well at the moment, but I will do some tests to see whether it's better to use a separate object for each thread.
Posted: 10/23/2012 04:26:20
by Ken Ivanov (Team)

Normally there is no requirement to move all the signing code to a static Sign() method. The cryptoprovider will rule out threading issues by itself, provided that its ThreadSafe option is set.

The only error I get now (but only sometimes) is a "System.ArgumentOutOfRangeException" when loading the document:

Could you share a call stack with us please?
Posted: 11/12/2012 02:44:13
by Chris Sennrich (Standard support level)
Joined: 10/17/2012
Posts: 12

Sorry, it took a bit of time...

We are still trying to implement the XML signing in multiple threads.
The error only occurs the first time we start the signing threads.
When we start it again, everything works fine.

This is the exception we get:

System.ArgumentException: Source array was not long enough. Check srcIndex and length, and the array's lower bounds.
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Collections.ArrayList.Insert(Int32 index, Object value)
at SBStringList.TElStringList.AddObject(String Value, Object obj)
at SBChSConv.__Global.RegisterCharsetLibraryProc(String Category, String Description, String Aliases, MetaClass Handle, TCharsetCreateProc CreateProc)
at SBChSConvBase.__Global.RegisterCharsetLibrary(TCharsetLibraryRegProc RegistrationProc)
at SBChSConv.__Global.InitCharsets()
at SBChSConv.__Global.CreateCharset(String Name)
at SBXMLCharsets.TElXMLCodec.SetCharsetName(String Value)
at SBXMLCharsets.TElXMLUTF8Codec..ctor(Stream aStream)
at SBXMLCharsets.TElXMLUTF8Codec..ctor()
at SBXMLCore.TElXMLDOMDocument.LoadFromStream(Stream aStream, String DefaultEncoding, Boolean NormalizeNEL)

We try to load the document:
MemoryStream docdocStream = new MemoryStream(Encoding.UTF8.GetBytes(xmldoc.OuterXml));

Do you have any idea what's wrong?
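The following is an added example and not code from the thread or from EldoS. It puts together the arrangement that worked for the poster (one static TElPKCS11CertStorage, its own TElPKCS11CryptoProvider with ThreadSafe set before DLLName loads the library, xstEnveloping, Signer.Save(ref SigNode)) with two additions a practitioner would want: a single warm-up LoadFromStream on the main thread before any worker starts, because the last stack trace fails inside SBChSConv.InitCharsets only on the first concurrent load, which looks like a one-time registration racing between threads (an assumption, not a diagnosis given in the thread); and an optional gate that serializes the HSM calls for tokens that still reject concurrent C_SignInit. Members not shown in the thread (Count, get_Certificates, Close, Dispose, the TElXMLSigner properties, UpdateReferencesDigest, GenerateSignature, the namespace names) follow the SecureBlackbox sample pattern and are assumptions to be checked against the installed help file; the DLL name, slot number and PIN are the placeholders from the thread.

```csharp
// Added example, not from the thread or from EldoS. Shared storage + ThreadSafe provider,
// warm-up before workers start, optional serialization of HSM calls.
using System;
using System.IO;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using SBPKCS11Base;          // namespaces assumed from the class names in the thread
using SBPKCS11CertStorage;
using SBCryptoProvPKCS11;
using SBX509;
using SBXMLCore;
using SBXMLSec;

static class HsmXmlSigning
{
    const string Pkcs11Dll = "XXX.dll";  // vendor PKCS#11 library, placeholder as in the thread
    const int Slot = 3;                  // slot index used in the thread
    const string UserPin = "XXXX";       // placeholder: load from a secret store, never a literal

    // Shared by every worker: one storage, one provider, one logged-in session, one cert.
    static TElPKCS11CertStorage storage;
    static TElX509Certificate signingCert;

    // Fallback for tokens that cannot run two C_SignInit in parallel on one session:
    // set to true and every Sign() holds this gate while it talks to the HSM.
    static bool serializeHsmCalls = false;
    static readonly SemaphoreSlim hsmGate = new SemaphoreSlim(1, 1);

    public static void Init()
    {
        storage = new TElPKCS11CertStorage();
        storage.CryptoProvider = new TElPKCS11CryptoProvider();
        // ThreadSafe must be set before DLLName loads the library (order from the thread).
        ((TElPKCS11CryptoProviderOptions)((TElPKCS11CryptoProvider)storage.CryptoProvider).Options).ThreadSafe = true;
        storage.DLLName = Pkcs11Dll;

        TElPKCS11SessionInfo session = storage.OpenSession(Slot, true);   // read-only suffices to sign
        session.Login((int)SBPKCS11Base.Unit.utUser, UserPin);
        if (storage.Count == 0)                       // Count / get_Certificates: assumed accessors
            throw new InvalidOperationException("no certificate in slot " + Slot);
        signingCert = storage.get_Certificates(0);    // select by thumbprint in production

        // Warm-up: run the first LoadFromStream (and the charset registration it triggers)
        // once, single-threaded, before any worker exists. Assumed mitigation for the
        // first-start-only ArgumentException in SBChSConv.InitCharsets.
        LoadXml("<warmup/>");
    }

    // Same loading path as the thread: UTF-8 bytes, explicit "UTF-8", NormalizeNEL on.
    static TElXMLDOMDocument LoadXml(string xml)
    {
        var doc = new TElXMLDOMDocument();
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
            doc.LoadFromStream(ms, "UTF-8", true);
        return doc;
    }

    // Signs one document. Signer and DOM are per call; only storage and cert are shared.
    public static TElXMLDOMDocument Sign(string xml)
    {
        TElXMLDOMDocument doc = LoadXml(xml);
        var signer = new TElXMLSigner(null);
        signer.SignatureType = SBXMLSec.Unit.xstEnveloping;   // not xstEnveloped (the poster's fix)
        var keyData = new TElXMLKeyInfoX509Data(false);
        keyData.Certificate = signingCert;
        signer.KeyData = keyData;
        // Add the TElXMLReference / TElXMLObject entries from the single-threaded code here;
        // they belong to this signer instance and need no locking.

        // Node that receives <Signature>; Save hands the signature element back via the ref (assumed).
        TElXMLElement sigNode = doc.DocumentElement;
        if (serializeHsmCalls) hsmGate.Wait();
        try
        {
            signer.UpdateReferencesDigest();   // fills DigestValue in every reference
            signer.GenerateSignature();
            signer.Save(ref sigNode);          // the call that hit C_SignInit in the thread
        }
        finally
        {
            if (serializeHsmCalls) hsmGate.Release();
        }
        return doc;
    }

    // Bounded parallelism: start with a small worker count and measure; more workers than
    // the token can serve only queue inside the driver.
    public static TElXMLDOMDocument[] SignAll(string[] docs, int workers)
    {
        var result = new TElXMLDOMDocument[docs.Length];
        Parallel.For(0, docs.Length, new ParallelOptions { MaxDegreeOfParallelism = workers },
            i => result[i] = Sign(docs[i]));
        return result;
    }

    public static void Shutdown()
    {
        var provider = storage.CryptoProvider;
        storage.Close();
        storage.Dispose();
        provider.Dispose();   // dispose the crypto provider explicitly along with the storage
    }
}
```

Call Init() once from the main thread, then SignAll() from wherever the batch is driven, and Shutdown() when the batch is done; if a vendor error in C_SignInit still appears under load, flip serializeHsmCalls to true and compare throughput before adding a second session.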
