EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Invalid XADES-BES signature

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#23965
Posted: 03/06/2013 11:08:25
by Ernesto Alconada (Basic support level)
Joined: 11/01/2012
Posts: 25

Hello,
we're having problems validating a signature.
The code we use to generate the signature is:
Code
....
  Refs := TElXMLReferenceList.Create;
  try
    Signer:=TElXMLSigner.Create(Self);
    XPathTransform:=TElXMLXPathTransform.Create;    
    m:=TElXMLC14NTransform.Create;
    m2:=TElXMLC14NTransform.Create;
    CertStorage := TElMemoryCertStorage.Create(nil);
    try
      Signer.References := Refs;
      Signer.SignatureMethod := xsmRSA_SHA1;
      Signer.SignatureType := xstEnveloped;
      Signer.CanonicalizationMethod := xcmExclCanon;
      Signer.SignatureMethodType := xmtSig;
      Signer.IncludeKey:=True;
      Signer.OnFormatElement := FormatElement;
      Signer.OnFormatText := FormatText;
     
      Cert := frmSelWinCert.Certificate;
     
      if Assigned(Cert) and Cert.PrivateKeyExists then
      begin
        X509KeyData := TElXMLKeyInfoX509Data.Create(False);
        X509KeyData.Certificate := Cert;
        X509KeyData.IncludeKeyValue:=False;
        X509KeyData.IncludeDataParams := [xkidX509SubjectName,xkidX509Certificate];
        Signer.KeyData := X509KeyData;
      end;

      XAdESSigner := TElXAdESSigner.Create(nil);
      Signer.XAdESProcessor := XAdESSigner;
      XAdESSigner.XAdESVersion := XAdES_v1_3_2;
      XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier := xqtNone;
      CertStorage.Add(Cert);

      XAdESSigner.SigningCertificates:=CertStorage;
      XAdESSigner.SetXAdESForm(XAdES_BES);
      XAdESSigner.Generate;
     
      Signer.UpdateReferencesDigest;
     
      XAdESSigner.QualifyingProperties.XAdESPrefix := 'etsi';
      XAdESSigner.QualifyingProperties.SignedProperties.SignedSignatureProperties.SignedTime :=    SBXMLUtils.DateTimeToXMLString(Now,xdfDateTimeWithSeconds, 120);
      XAdESSigner.QualifyingProperties.SignedProperties.SignedSignatureProperties.SignaturePolicyIdentifier.SignaturePolicyImplied:=False;
      XAdESSigner.QualifyingProperties.Target:='#SignatureUsuario';
      XAdESSigner.PolicyId.SigPolicyId.Identifier := 'XADES';
     
      XML_RefDocu:=TElXMLReference.Create;
      XML_RefDocu.DigestMethod := xdmSHA1;
      XML_RefDocu.URINode:=TElXMLDOMDocument(tvXML.Selected.Data).DocumentElement;
      XML_RefDocu.URI := '';     
      XPathTransform.XPath := 'not(ancestor-or-self::ds:Signature)';
      XML_RefDocu.TransformChain.Add(XPathTransform);

      Refs.Add(XML_RefDocu);     
      Signer.UpdateReferencesDigest;

      RefkEY := TElXMLReference.Create;
      RefkEY.URI := '#KeyInfo';
      RefkEY.DigestMethod := xdmSHA1;
      m.CanonicalizationMethod:=xcmExclCanon;
      RefkEY.TransformChain.Add(m);
      Refs.Add(RefkEY);
     
      Signer.Sign;

      Signer.Signature.KeyInfo.ID := 'KeyInfo';
      Signer.Signature.SignedInfo.SigPropRef.RefType := 'http://uri.etsi.org/01903/v1.2.2#SignedProperties';
      Signer.References[1].ID:='SignatureUsuario-KeyInfo-Ref';
      Signer.Signature.SignatureValue.ID:='SignatureValue';
      Signer.Signature.ID:='SignatureUsuario';
      XAdESSigner.QualifyingProperties.SignedProperties.ID:='XADES-Properties';
      Signer.Signature.SignedInfo.SigPropRef.DigestMethod := xdmSHA1;
      Signer.Signature.SignedInfo.SigPropRef.ID := 'SignatureUsuario-XADES-Properties-Ref';
      Signer.Signature.SignedInfo.SigPropRef.URI := '#XADES-Properties';
      m2.CanonicalizationMethod:=xcmExclCanon;
      Signer.Signature.SignedInfo.SigPropRef.TransformChain.Add(m2);

      Signer.Save(SigNode);
    finally
      FreeAndNil(Signer);
      FreeAndNil(XAdESSigner);
      FreeAndNil(TSPClient);
      FreeAndNil(HTTPClient);
      FreeAndNil(HMACKeyData);
      FreeAndNil(RSAKeyData);
      FreeAndNil(X509KeyData);
      FreeAndNil(PGPKeyData);
      FreeAndNil(CertStorage);
    end;
  finally
    FreeAndNil(Refs);
  end;
  
  ......
  
procedure TfrmXades.FormatElement(Sender: {$ifndef DELPHI_NET}TObject{$else}System.Object{$endif};
  Element: TElXMLDOMElement; Level: Integer; const Path: XMLString;
  var StartTagWhitespace, EndTagWhitespace: XMLString);
begin
  if LowerCase(Element.NodeName) = 'object' then
    Element.SetAttribute('Id', 'XADES');
   .....


The correct format of the signature is:
Code
<ape:Certificacion>
...
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SignatureUsuario">
   <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
               <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
            </ds:Transform>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
         <ds:DigestValue>MYTWNv715dHh9B25ybm1aclGLTo=</ds:DigestValue>
      </ds:Reference>
     <ds:Reference Id="SignatureUsuario-XADES-Properties-Ref" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
        <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>RkQ8X/k1EAfkIoxPlwQ4Jn36kCQ=</ds:DigestValue>
     </ds:Reference>
     <ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
        <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>oRMY/RmmI9w0GCYVwnbiYKI2ZQA=</ds:DigestValue>
     </ds:Reference>
   </ds:SignedInfo>  
   <ds:SignatureValue Id="SignatureValue">T23uRMF/....cz7qU=</ds:SignatureValue>    
   <ds:KeyInfo Id="KeyInfo">
      <ds:X509Data>
         <ds:X509SubjectName>CERTIFICADO DE PRUEBAS</ds:X509SubjectName>
         <ds:X509Certificate>MIIITTCC....fIsIZeZOeQ=</ds:X509Certificate>
      </ds:X509Data>
   </ds:KeyInfo>
   <ds:Object Id="XADES">
      <etsi:QualifyingProperties xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#"  Target="#SignatureUsuario">
         <etsi:SignedProperties Id="XADES-Properties">
            <etsi:SignedSignatureProperties>
               <etsi:SigningTime>2010-08-06T13:28:04+02:00</etsi:SigningTime>
               <etsi:SigningCertificate>
                  <etsi:Cert>
                     <etsi:CertDigest>
                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                         <ds:DigestValue>aAUXodVJA4VHAk/zTf9Tq5nxIgE=</ds:DigestValue>
                     </etsi:CertDigest>
                     <etsi:IssuerSerial>
                        <ds:X509IssuerName>CN=....C=ES</ds:X509IssuerName>
                        <ds:X509SerialNumber>6108</ds:X509SerialNumber>
                     </etsi:IssuerSerial>
                  </etsi:Cert>
               </etsi:SigningCertificate>
            </etsi:SignedSignatureProperties>
         </etsi:SignedProperties>
      </etsi:QualifyingProperties>
   </ds:Object>
</ds:Signature>
</ape:Certificacion>


And the signature we generated with Vcl SecureBlackBox is:
Code
<ape:Certificacion>
...
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SignatureUsuario">
   <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
               <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
            </ds:Transform>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>DYL89iI3t0tvNxebodgbkQyj3EQ=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference Id="SignatureUsuario-KeyInfo-Ref" URI="#KeyInfo">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>vzRRwZdKajDxhbsi0iHxFdqkUEs=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference Id="SignatureUsuario-XADES-Properties-Ref" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#XADES-Properties">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>MYxuiFS4rjJnE36BHTOCPh+OCTE=</ds:DigestValue>
      </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue Id="SignatureValue">
hSTdd/UA87KSJqt/ix6gofYU8Ihsm7QoUzYVn+XLVR5tA3KCI45y4p2qEbskOXQW
vfeGvO12dQFukIJAyGRFJdam/ogVLGQPz5xMqQBp6LDIPBa6d/q0ouxFT9qukQ/2
/1TMJNjaHFc3/X+SVhlAD9+CIgF7FMF4/6lcYSDSzII=
   </ds:SignatureValue>
   <ds:KeyInfo Id="KeyInfo">
      <ds:X509Data>
         <ds:X509SubjectName>CN=ENTIDAD CAI SISTEMAS INFORMATICOS SL - CIF B36228989 - NOMBRE MARTINEZ ALVAREZ MANUEL - NIF 36030942Q, OU=703014724, OU=FNMT Clase 2 CA, O=FNMT, C=ES</ds:X509SubjectName>
         <ds:X509Certificate>
MIIEdjCCA9+gAwIBAgIEPNFBLDANBgkqhkiG9w0BAQUFADA2MQswCQYDVQQGEwJF
UzENMAsGA1UEChMERk5NVDEYMBYGA1UECxMPRk5NVCBDbGFzZSAyIENBMB4XDTEx
MDYzMDA3NDkxM1oXDTEzMDYzMDA3NDkxM1owgboxCzAJBgNVBAYTAkVTMQ0wCwYD
VQQKEwRGTk1UMRgwFgYDVQQLEw9GTk1UIENsYXNlIDIgQ0ExEjAQBgNVBAsTCTcw
MzAxNDcyNDFuMGwGA1UEAxNlRU5USURBRCBDQUkgU0lTVEVNQVMgSU5GT1JNQVRJ
Q09TIFNMIC0gQ0lGIEIzNjIyODk4OSAtIE5PTUJSRSBNQVJUSU5FWiBBTFZBUkVa
IE1BTlVFTCAtIE5JRiAzNjAzMDk0MlEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBANTCiRj3yKuEl1726O5Iljo3/SDUvJAVIGj1H3X5ZWw2OzQ0FdkLOqDBu+1X
fxHSiGlZMCHv73MR3HtjU8E+pJt0+5DDRGydMl+WZZT6DtntwIJEW8g0LIhzoRbh
Ss2JAq4FK8wYbCa5yFLPBaNJzZqA2pw9vaWLawzaUqjR6rGLAgMBAAGjggIKMIIC
BjCBzgYDVR0RBIHGMIHDgRJNTUFAQ0FJU0lTVEVNQVMuRVOkgawwgakxGDAWBgkr
BgEEAaxmAQcTCUIzNjIyODk4OTErMCkGCSsGAQQBrGYBBhMcQ0FJIFNJU1RFTUFT
IElORk9STUFUSUNPUyBTTDEYMBYGCSsGAQQBrGYBBBMJMzYwMzA5NDJRMRYwFAYJ
KwYBBAGsZgEDEwdBTFZBUkVaMRcwFQYJKwYBBAGsZgECEwhNQVJUSU5FWjEVMBMG
CSsGAQQBrGYBARMGTUFOVUVMMAkGA1UdEwQCMAAwKwYDVR0QBCQwIoAPMjAxMTA2
MzAwNzQ5MTNagQ8yMDEzMDYzMDA3NDkxM1owCwYDVR0PBAQDAgWgMBEGCWCGSAGG
+EIBAQQEAwIFoDAdBgNVHQ4EFgQU06BHCFASeLgzPmnWFi33hrDu5YswHwYDVR0j
BBgwFoAUQJp2RJd0B8SsFMsejU86RXww12EwPgYJKwYBBAGsZgEhBDEWL0NFUlRJ
RklDQURPIEVYQ0xVU0lWTyBQQVJBIEVMIEFNQklUTyBUUklCVVRBUklPMFsGA1Ud
HwRUMFIwUKBOoEykSjBIMQswCQYDVQQGEwJFUzENMAsGA1UEChMERk5NVDEYMBYG
A1UECxMPRk5NVCBDbGFzZSAyIENBMRAwDgYDVQQDEwdDUkw4OTA0MA0GCSqGSIb3
DQEBBQUAA4GBAEy1FHLWo+C22R+7uO4NfSe6v/dTLTJJVSdrFBGGlwnkDdhePuFI
aKp2ssLtfqc6jg0b0tMAaYvFLou2NQJtUYpDI0RXDiC1F1V/y1+dFezZOUs/j8TC
aYmcZuh3XNV1mfbLlR8JKBhXCEu4ZQdQwVqa/frJ1K/ghus7Y5aZfaFM
         </ds:X509Certificate>
      </ds:X509Data>
   </ds:KeyInfo>
   <ds:Object Id="XADES">
      <etsi:QualifyingProperties xmlns:etsi="http://uri.etsi.org/01903/v1.3.2#" Target="#SignatureUsuario">
         <etsi:SignedProperties Id="XADES-Properties">
            <etsi:SignedSignatureProperties>
               <etsi:SigningTime>2013-03-06T17:43:47+02:00</etsi:SigningTime>
               <etsi:SigningCertificate>
                  <etsi:Cert>
                     <etsi:CertDigest>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>cuzf0MqNy0DsulFGQ+GdytG3ehc=</ds:DigestValue>
                     </etsi:CertDigest>
                     <etsi:IssuerSerial>
                        <ds:X509IssuerName>OU=FNMT Clase 2 CA, O=FNMT, C=ES</ds:X509IssuerName>
                        <ds:X509SerialNumber>1020346668</ds:X509SerialNumber>
                     </etsi:IssuerSerial>
                  </etsi:Cert>
               </etsi:SigningCertificate>
            </etsi:SignedSignatureProperties>
         </etsi:SignedProperties>
      </etsi:QualifyingProperties>
   </ds:Object>
</ds:Signature>
</ape:Certificacion>


Anybody knows why SecureBlackBox generated signature is invalid?
#23966
Posted: 03/06/2013 11:14:46
by Eugene Mayevski (EldoS Corp.)

According to support policy Basic support level, available to unregistered customers, does not include analysis of code excerpts from user projects. You are welcome to purchase a license.

If you have a license, please link the license ticket to your user account before we continue. The ticket itself and the procedure of its use are specified in the registration e-mail that was sent to you upon license purchase. If you don't have the license ticket, please contact the person from which you have obtained the license key (the one in your source code) for a license ticket.

NOTE: please don't post license keys and license tickets to the forum. If you need to clarify something about your license, please use HelpDesk ( http://www.eldos.com/helpdesk/ ).


Sincerely yours
Eugene Mayevski

Reply

Statistics

Topic viewed 1736 times

Number of guests: 2, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!