
Distributed XAdES with timestamp

#25275
Posted: 06/13/2013 08:50:38
by Kees de Wit (Standard support level)
Joined: 06/13/2013
Posts: 17

I moved all XAdES logic from the AdvancedSigner example project to the ASPNet_Distributed project to create Hash signed XAdES signatures with the java applet. Everything works as expected except for the timestamp. I just can't get the timestamp in place like it does in the AdvancedSigner project. Are there things I have to do other than what is done in the AdvancedSigner project?

This is what I currently have: (I know it looks like crap, but it's just a test)

Code
    public class PreSigner : System.Web.UI.Page
    {
        protected MemoryStream output;

        private string toBeSigned;

        protected virtual void Page_Load(object sender, EventArgs e)
        {
            SBUtils.Unit.SetLicenseKey("AF47...A57A");

            SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
            SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();
            SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();

            SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();

            string signedFile = Server.MapPath("~/Data/" + Session.SessionID + ".tmp");

            Cache[Session.SessionID] = signedFile;

            TElDCAsyncState state = null;
            try
            {
                toBeSigned = Server.MapPath("~/Data/sample.xml");

                TElXMLDOMDocument Doc = new TElXMLDOMDocument();
                using (FileStream f = new FileStream(Server.MapPath("~/Data/sample.xml"), FileMode.Open, FileAccess.Read))
                    Doc.LoadFromStream(f);

                TElXMLSigner Signer = new TElXMLSigner();
                TElXAdESSigner XAdESSigner = null;
                try
                {
                    Signer.MACMethod = SBXMLSec.Unit.xmmHMAC_SHA256;
                    Signer.SignatureType = SBXMLSec.Unit.xstEnveloped;
                    Signer.SignatureMethodType = SBXMLSec.Unit.xmtSig;
                    Signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
                    Signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA256;
                    Signer.IncludeKey = false;

                    // sign a document element
                    TElXMLReference Ref = new TElXMLReference();
                    Ref.DigestMethod = SBXMLSec.Unit.xdmSHA256;
                    Ref.URINode = Doc.DocumentElement;
                    Ref.URI = "";
                    Ref.TransformChain.Add(new SBXMLTransform.TElXMLEnvelopedSignatureTransform());
                    Signer.References.Add(Ref);

                    XAdESSigner = new TElXAdESSigner();
                    Signer.XAdESProcessor = XAdESSigner;

                    XAdESSigner.OnBeforeCertificateValidate += HandleBeforeCertificateValidate;
                    XAdESSigner.OnStoreCertificate += new TSBXAdESStoreCertificateEvent(XAdESSigner_OnStoreCertificate);
                    XAdESSigner.OnStoreCRL += new TSBXAdESStoreCRLEvent(XAdESSigner_OnStoreCRL);
                    XAdESSigner.OnStoreOCSPResponse += new TSBXAdESStoreOCSPResponseEvent(XAdESSigner_OnStoreOCSPResponse);

                    ApplyOptions(XAdESSigner);

                    Signer.OnFormatElement += FormatElement;
                    Signer.OnFormatText += FormatText;

                    Signer.UpdateReferencesDigest();
                    Signer.GenerateSignatureAsync();

                    TElXMLDOMNode sigNode = Doc.DocumentElement;
                    state = Signer.InitiateAsyncSign(ref sigNode);
                    using (FileStream f = new FileStream(signedFile, FileMode.Create, FileAccess.Write))
                        Doc.SaveToStream(f, SBXMLDefs.Unit.xcmCanon, "");
                }
                finally
                {
                    Signer.Dispose();
                }

                output = new MemoryStream();
                state.SaveToStream(output, SBDCXMLEnc.__Global.DCXMLEncoding());
            }
            finally
            {
                if (state != null)
                    state.Dispose();
            }
        }

        void HandleBeforeCertificateValidate(object Sender, TElX509Certificate Cert, TElX509CertificateValidator CertValidator)
        {
            CertValidator.IgnoreSystemTrust = false;
            //CertificateValidatorLogForm.Instance.SetupCertificateValidatorLogging(CertValidator);
        }

        private void FormatElement(object Sender, TElXMLDOMElement Element, int Level, string Path, ref string StartTagWhitespace, ref string EndTagWhitespace)
        {
            StartTagWhitespace = "\n";
            string s = new string('\t', Level - 1);

            StartTagWhitespace = StartTagWhitespace + s;
            if (Element.FirstChild != null)
            {
                bool HasElements = false;
                TElXMLDOMNode Node = Element.FirstChild;
                while (Node != null)
                {
                    if (Node.NodeType == SBXMLCore.Unit.ntElement)
                    {
                        HasElements = true;
                        break;
                    }

                    Node = Node.NextSibling;
                }

                if (HasElements)
                    EndTagWhitespace = "\n" + s;
            }
        }

        private void FormatText(object Sender, ref string Text, short TextType, int Level, string Path)
        {
            if ((TextType == SBXMLDefs.Unit.ttBase64) && (Text.Length > 64))
            {
                string s = "\n";
                while (Text.Length > 0)
                {
                    if (Text.Length > 64)
                    {
                        s = s + Text.Substring(0, 64) + "\n";
                        Text = Text.Remove(0, 64);
                    }
                    else
                    {
                        s = s + Text + "\n";
                        Text = "";
                    }
                }

                Text = s + new string('\t', Level - 2);
            }
        }

        void XAdESSigner_OnStoreCertificate(object Sender, TElX509Certificate Cert, ref string URI)
        {
            byte[] buf;
            Cert.SaveToBuffer(out buf);
            URI = string.Format("cert-{0}.cer", SBRandom.Unit.SBRndGenerate(0));
            File.WriteAllBytes(Path.GetDirectoryName(toBeSigned) + Path.DirectorySeparatorChar + URI, buf);
        }

        void XAdESSigner_OnStoreCRL(object Sender, TElCertificateRevocationList CRL, ref string URI)
        {
            byte[] buf;
            CRL.SaveToBuffer(out buf);
            URI = string.Format("crl-{0}.crl", SBRandom.Unit.SBRndGenerate(0));
            File.WriteAllBytes(Path.GetDirectoryName(toBeSigned) + Path.DirectorySeparatorChar + URI, buf);
        }

        void XAdESSigner_OnStoreOCSPResponse(object Sender, TElOCSPResponse OCSPResponse, ref string URI)
        {
            byte[] buf = null;
            int Size = 0;
            OCSPResponse.Save(ref buf, 0, ref Size);
            buf = new byte[Size];
            OCSPResponse.Save(ref buf, 0, ref Size);
            URI = string.Format("ocsp-{0}.ocsp", SBRandom.Unit.SBRndGenerate(0));
            File.WriteAllBytes(Path.GetDirectoryName(toBeSigned) + Path.DirectorySeparatorChar + URI, buf);
        }

        public void ApplyOptions(TElXAdESSigner XAdESSigner)
        {
            XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_3_2;


            //if (cbProductionPlace.Checked)
            //{
            XAdESSigner.Included = SBXMLAdESIntf.Unit.xipProductionPlace;
            XAdESSigner.ProductionPlace.City = "Zaandam";
            XAdESSigner.ProductionPlace.StateOrProvince = "Noord-Holland";
            XAdESSigner.ProductionPlace.PostalCode = "1505HE";
            XAdESSigner.ProductionPlace.CountryName = "The Netherlands";
            //}

            // ClaimedRoles
            //if (!string.IsNullOrEmpty(tbClaimedRoles.Text))
            //{
            //    XAdESSigner.Included |= SBXMLAdESIntf.Unit.xipSignerRole;
            //    for (int i = 0; i < tbClaimedRoles.Lines.Length; i++)
            //        XAdESSigner.SignerRole.ClaimedRoles.AddText(XAdESSigner.XAdESVersion, XMLDocument, tbClaimedRoles.Lines[i]);
            //}

            // SignaturePolicyIdentifier
            //XAdESSigner.PolicyId.SigPolicyId.Description = edDescription.Text;
            //if (edDocumentationReference.Text != "")
            //    XAdESSigner.PolicyId.SigPolicyId.DocumentationReferences.Add(edDocumentationReference.Text);

            //string s = edIdentifier.Text;
            //XAdESSigner.PolicyId.SigPolicyId.Identifier = s;
            //if (!string.IsNullOrEmpty(s))
            //{
            //    if (s.Substring(0, 4).ToLower() == "urn:")
            //        XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtOIDAsURN;
            //    else
            //        XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtOIDAsURI;
            //}
            //else
            //    XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtNone;

            //byte[] buf = null;
            //if (!string.IsNullOrEmpty(tbPolicyPath.Text))
            //    buf = File.ReadAllBytes(tbPolicyPath.Text);
            //else
            //{
            //    if (!string.IsNullOrEmpty(s))
            //        buf = SignerUtils.DownloadData(s);
            //}

            //if (buf != null)
            //{
            //    XAdESSigner.PolicyId.SigPolicyHash.DigestMethod = SBXMLSec.Unit.DigestMethodToURI(SBXMLSec.Unit.xdmSHA1);
            //    XAdESSigner.PolicyId.SigPolicyHash.DigestValue = SBXMLSec.Unit.CalculateDigest(buf, SBXMLSec.Unit.xdmSHA1);
            //}

            // Timestamp
            //if (cbTimestamp.Checked)
            //{
            SBHTTPTSPClient.TElHTTPTSPClient TSPClient = new SBHTTPTSPClient.TElHTTPTSPClient();

            TSPClient.HTTPClient = HTTPClient;
            TSPClient.URL = "http://timestamp.digicert.com";
            TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;

            XAdESSigner.TSPClient = TSPClient;
            XAdESSigner.IgnoreTimestampFailure = false;
            //}

            // SigningCertificates
            //if (cbIncludeSigningCertifcate.Checked)
            //{
            //CertStorage.Add(SigningCertificate, false);
            //}

            SBCustomCertStorage.TElMemoryCertStorage CertStorage = new SBCustomCertStorage.TElMemoryCertStorage();
            XAdESSigner.SigningCertificates = CertStorage;
            XAdESSigner.SigningTime = DateTime.UtcNow;

            // create XAdESSigner.QualifyingProperties
            XAdESSigner.Generate(SBXMLAdES.Unit.XAdES_A);

            // Finally we can modify QualifyingProperties if needed
            // For example set xades prefix:
            XAdESSigner.QualifyingProperties.XAdESPrefix = "xades";
        }

        private SBHTTPSClient.TElHTTPSClient HTTPClient
        {
            get
            {
                SBHTTPSClient.TElHTTPSClient client = new SBHTTPSClient.TElHTTPSClient();
                //client.CertStorage = null;
                //client.ClientCertStorage = null;
                //client.CookieManager = null;
                SBSocket.TElDNSSettings tElDNSSettings1 = new SBSocket.TElDNSSettings();
                SBHTTPSClient.TElHTTPRequestParams tElHTTPRequestParams1 = new SBHTTPSClient.TElHTTPRequestParams();

                tElDNSSettings1.AllowStatuses = ((byte)(11));
                tElDNSSettings1.Port = ((ushort)(53));
                tElDNSSettings1.QueryTimeout = ((ushort)(3000));
                tElDNSSettings1.TotalTimeout = ((ushort)(15000));
                client.DNS = tElDNSSettings1;
                client.ForceKeepAliveIfConnectionHeaderIsAbsent = false;
                client.ForceNTLMAuth = false;
                client.HTTPProxyAuthentication = 0;
                client.HTTPProxyHost = "";
                client.HTTPProxyPassword = "";
                client.HTTPProxyPort = 3128;
                client.HTTPProxyUsername = "";
                client.HTTPVersion = SBHTTPSConstants.TSBHTTPVersion.hvHTTP10;
                client.IncomingSpeedLimit = 0;
                //client.LocalAddress = null;
                client.LocalPort = 0;
                client.MaxRedirections = 10;
                client.OutgoingSpeedLimit = 0;
                //client.OutputStream = null;
                client.PreferKeepAlive = false;
                client.RenegotiationAttackPreventionMode = SBSSLCommon.TSBRenegotiationAttackPreventionMode.rapmCompatible;
                tElHTTPRequestParams1.Accept = "";
                tElHTTPRequestParams1.AcceptCharset = "";
                tElHTTPRequestParams1.AcceptLanguage = "";
                tElHTTPRequestParams1.Authorization = "";
                tElHTTPRequestParams1.Connection = "";
                tElHTTPRequestParams1.ContentLength = ((long)(-1));
                tElHTTPRequestParams1.ContentRangeEnd = ((long)(-1));
                tElHTTPRequestParams1.ContentRangeFullSize = ((long)(-1));
                tElHTTPRequestParams1.ContentRangeStart = ((long)(-1));
                tElHTTPRequestParams1.ContentType = "";
                tElHTTPRequestParams1.Date = new System.DateTime(((long)(0)));
                tElHTTPRequestParams1.From = "";
                tElHTTPRequestParams1.Host = "";
                tElHTTPRequestParams1.IfModifiedSince = new System.DateTime(((long)(0)));
                tElHTTPRequestParams1.IfUnmodifiedSince = new System.DateTime(((long)(0)));
                tElHTTPRequestParams1.Password = "";
                tElHTTPRequestParams1.Referer = "";
                tElHTTPRequestParams1.UserAgent = "SecureBlackbox";
                tElHTTPRequestParams1.Username = "";
                client.RequestParameters = tElHTTPRequestParams1;
                client.SendBufferSize = 1024576;
                //tElClientSocketBinding1.LocalIntfAddress = null;
                SBSocket.TElClientSocketBinding tElClientSocketBinding1 = new SBSocket.TElClientSocketBinding();
                tElClientSocketBinding1.Port = 0;
                tElClientSocketBinding1.PortRangeFrom = 0;
                tElClientSocketBinding1.PortRangeTo = 0;
                client.SocketBinding = tElClientSocketBinding1;
                client.SocketTimeout = 60000;
                client.SocksAuthentication = 0;
                client.SocksPassword = "";
                client.SocksPort = 1080;
                client.SocksResolveAddress = false;
                //client.SocksServer = null;
                client.SocksUseIPv6 = false;
                client.SocksUserCode = "";
                client.SocksVersion = 1;
                client.SRPPassword = "";
                client.SRPUserName = "";
                client.SSLEnabled = false;
                client.SuppressRedirectionContent = true;
                //client.Tag = null;
                client.Use100Continue = false;
                client.UseCompression = true;
                client.UseDigestAuth = false;
                client.UseHTTPProxy = false;
                client.UseIPv6 = false;
                client.UseNTLMAuth = false;
                client.UseSocks = false;
                client.UseSSLSessionResumption = false;
                client.UseWebTunneling = false;
                client.Versions = ((short)(7));
                //client.WebTunnelAddress = null;
                client.WebTunnelAuthentication = 0;
                //client.WebTunnelPassword = null;
                client.WebTunnelPort = 3128;
                //client.WebTunnelUserId = null;
                return client;
            }
        }
    }


That gives me this XML

Code
<?xml version="1.0" encoding="utf-8"?>
<root>
   <data>
      This is a sample xml document used to show how to sign documents remotely using SecureBlackbox
   </data><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-1337176110">
   <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
         <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
         <ds:DigestValue>gX65lFkYbXZ8bMFqq6xIFe1JS9+0Qz+UczCtvPIDZ1U=</ds:DigestValue>
      </ds:Reference>
      <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-1279575941">
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>owVh9AOu8N63swlIHQ1jZUJtzsk=</ds:DigestValue>
      </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue Id="SignatureValue-398119136">AA+J9Hlz3TwLABAsQE6LnudklEf+duwFZXCx7Sv+Jt05sW+hz53O8Pdd3VPOkYkdVrAqr/8UAMCRez+q1FJPY9I4jJDruXzYaAWdCGS0jOlM/+2hv5...V1T5+L+unAaNzKnTm/NfPr...nXdF+qTdYSDLvAIIEab6EEEGMaBUE+iGHDhD7hZja5/0xxSt7JZ0R9zBs5ofPGZjN+/RjwM394t8U2PrwZcSon7xwH0oh7EYjWCi8jRn+f1ay...WlNP+c56B...Mlp3/dZXs...IcwA+Am4GOTLxlFYS999+k/5KQtWROIOE2drjMo6s1tZDIy2An6KVF9TZ8YEDlvOo7i+0M2yb2GDAKFUv+Tre+TO+Mbf5...ifWl+bQWNjTcMtfEIv6vYwZDiJbzI7Ag1im+wDnOjgn00HIOdwJzKzPnuLGqtBXIRDp4SA4DBpghGRK6sO4FcC+4SrtV2MmwC8pOgBDNwK3oJmO6wDQ89/kgmcVkvs9UU+P9PaHgcjAZdcU/zzm8fLxjwjsmdOehqB5SkukdMRcjXCx/noAm5WO9lrsw/r6m8PTp+qJrCQPGX2kRyq0TKMFCj0Zi46WGP/IvEZN8gi14TpF/pxnjMj8mR2QPKK+Ngb8mHfbskkdg==</ds:SignatureValue>
   <ds:Object>
      <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature-1337176110">
         <xades:SignedProperties Id="SignedProperties-1279575941">
            <xades:SignedSignatureProperties>
               <xades:SigningTime>2013-06-13T13:39:18.826Z</xades:SigningTime>
               <xades:SignatureProductionPlace>
                  <xades:City>Zaandam</xades:City>
                  <xades:StateOrProvince>Noord-Holland</xades:StateOrProvince>
                  <xades:PostalCode>1505HE</xades:PostalCode>
                  <xades:CountryName>The Netherlands</xades:CountryName>
               </xades:SignatureProductionPlace>
            </xades:SignedSignatureProperties>
         </xades:SignedProperties>
      </xades:QualifyingProperties>
   </ds:Object>
</ds:Signature>
</root>


As you can see I'm missing the xades:UnsignedProperties which for example contains xades:SignatureTimeStamp.
#25283
Posted: 06/13/2013 10:00:09
by Dmytro Bogatskyy (EldoS Corp.)

All UnsignedProperties elements are added after completing the signing. The component ignores everything higher than the XAdES-EPES form, as for the CompleteAsyncSign method a new instance of TElXMLSigner is created. XAdES options are not included in DCAsyncState, and I don't think we should add them there, as after completing async signing it is always possible to extend XAdES info using TElXMLVerifier and TElXAdESVerifier.

Please check implementation of btnUpgradeSignature_Click method in AdvancedSigner sample.
For example, after calling TElXMLSigner.CompleteAsyncSign method you can add:
Code
            TElXMLVerifier Verifier = new TElXMLVerifier();
            TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
            try
            {
                Verifier.XAdESProcessor = XAdESVerifier;
                Verifier.Load(Element); // Element = Signer.Signature.XMLElement

                // adding signature timestamp
                XAdESVerifier.AddSignatureTimestamp(TSPClient);
            }
            finally
            {
                Verifier.Dispose();
                XAdESVerifier.Dispose();
            }
#25326
Posted: 06/17/2013 18:48:28
by Mario Calderón (Basic support level)
Joined: 04/25/2013
Posts: 16

Hello, I have done the same thing; however, the resulting xml does not have the ds:KeyInfo tag at all, so when upgrading to XAdES-C it fails: "Signing certificate not found".

Can that one also be added after completing async signing?

Thanks,
#25328
Posted: 06/18/2013 02:15:55
by Kees de Wit (Standard support level)
Joined: 06/13/2013
Posts: 17

Hello, in the presigner you can include the key by setting the IncludeKey property of the TElXMLSigner object.

Code
TElXMLSigner Signer = new TElXMLSigner();
Signer.IncludeKey = true;


I've got XAdES working via hash signing (java applet); maybe EldoS is interested in my test project so that they can add it as part of their examples.
#25331
Posted: 06/18/2013 03:37:05
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Hello, In the presigner you can include the key by setting the IncludeKey property of the TElXMLSigner object.

The IncludeKey option doesn't have any effect without specifying the KeyData property.
You can set a user public key prior to signing or after signing. After signing you can extract it from the async state object. From the distributed sample:
Code
                TElXMLSigner Signer = new TElXMLSigner();
                TElXMLKeyInfoX509Data X509Data = new TElXMLKeyInfoX509Data(true);
                try
                {
                    TElDCBaseMessage Msg = state.FindMessageByType(TElDCOperationResponseMessage.MetaClass.Instance);
                    if (Msg != null)
                    {
                        byte[] buf = ((TElDCOperationResponseMessage)Msg).KeysRDN.GetFirstValueByOID(SBDCPKIConstants.Unit.SB_OID_DC_SIGNING_CERTIFICATE);
                        // load certificate from a buffer
                        TElX509Certificate Cert = new TElX509Certificate();
                        if (Cert.LoadFromBufferAuto(buf, 0, buf.Length, "") == 0)
                        {
                            // include a KeyInfo element
                            X509Data.Certificate = Cert;
                            Signer.KeyData = X509Data;
                            Signer.IncludeKey = true;
                        }
                    }

                    Signer.CompleteAsyncSign(Doc, state);
                }
                finally
                {
                    X509Data.Dispose();
                    Signer.Dispose();
                }
#25345
Posted: 06/18/2013 18:13:19
by Mario Calderón (Basic support level)
Joined: 04/25/2013
Posts: 16

Hello, Thanks both of you.

I am trying to implement a XAdES-XL signature with DC. I believe that it is almost done, except that I am now missing these tags in the resulting xml:

Object.QualifyingProperties.SignedProperties.SigningCertificate
Object.QualifyingProperties.UnsignedProperties.CertificateValues
Object.QualifyingProperties.UnsignedProperties.RevocationValues

I have based this on the AdvancedSigner logic implemented in btnUpgradeSignature_Click. Any ideas how to add them?

Thank you very much!
#25351
Posted: 06/19/2013 02:43:28
by Kees de Wit (Standard support level)
Joined: 06/13/2013
Posts: 17

For Object.QualifyingProperties.UnsignedProperties.CertificateValues and Object.QualifyingProperties.UnsignedProperties.RevocationValues I did something like this:

Code
...SNIP
            Signer.CompleteAsyncSign(document, state);

            TElXMLVerifier Verifier = new TElXMLVerifier();
            TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
            //try
            //{
            Verifier.XAdESProcessor = XAdESVerifier;
            Verifier.Load(Signer.Signature.XMLElement); // Element = Signer.Signature.XMLElement

            SBHTTPTSPClient.TElHTTPTSPClient TSPClient = new SBHTTPTSPClient.TElHTTPTSPClient();
            //SBTSPClient.TElCustomTSPClient TSPClient = new SBTSPClient.TElCustomTSPClient();
            TSPClient.HTTPClient = HTTPClient;
            TSPClient.URL = "http://timestamp.digicert.com";
            TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;

            XAdESVerifier.AddSignatureTimestamp(TSPClient);

            XAdESVerifier.OnStoreCertificate += new TSBXAdESStoreCertificateEvent(XAdESSigner_OnStoreCertificate);
            XAdESVerifier.OnStoreCRL += new TSBXAdESStoreCRLEvent(XAdESSigner_OnStoreCRL);
            XAdESVerifier.OnStoreOCSPResponse += new TSBXAdESStoreOCSPResponseEvent(XAdESSigner_OnStoreOCSPResponse);

            XAdESVerifier.AddCompleteCertificateRefs(X509Data.CertStorage);


Please correct me if I did this wrong.
#25355
Posted: 06/19/2013 04:26:03
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I am trying to implement a XAdES-XL signature with DC. I believe that it is almost done, except because I am now missing in the resulting xml these tags:

Object.QualifyingProperties.SignedProperties.SigningCertificate

To add a signing certificate with DC you should have, or send, a public certificate (or its CertID) from a user to the server before signing. You can't add it after signing, because the SigningCertificate element should be signed together with the other elements in the SignedProperties element.
For example, if you have a public signing certificate you can add it using the following code:
Code
// see XAdESOptionsForm.ApplyOptions method
CertStorage.Add(SigningCertificate, false);
XAdESSigner.SigningCertificates = CertStorage;

Quote
Object.QualifyingProperties.UnsignedProperties.CertificateValues
Object.QualifyingProperties.UnsignedProperties.RevocationValues
I have based on the AdvancedSigner logic implemented in btnUpgradeSignature_Click. Any ideas how to add them?

Please see the code after the line:
Code
if (CurXAdESForm == SBXMLAdES.Unit.XAdES_X)

If you want the component to auto-collect validation data, then you need to call the AddValidationDataValues method. You may need to explicitly specify the signing certificate as the first parameter of this method if you don't have a SigningCertificate element.
Or you can add certificate values, CRLs and OCSP responses directly using the AddCertificateValues and AddRevocationValues methods.

Quote

For Object.QualifyingProperties.UnsignedProperties.CertificateValues and Object.QualifyingProperties.UnsignedProperties.RevocationValues I did something like this:
...
XAdESVerifier.AddCompleteCertificateRefs(X509Data.CertStorage);

In your code you are adding references to certificates and revocation values (XAdES-C form), not the certificate and revocation values themselves (XAdES-X-L form).
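The thread turns on two structural questions that are easy to answer by inspecting the signed XML itself: which XAdES form a signature has reached (the first post's output stops at the signed properties, and the reply above distinguishes XAdES-C references from XAdES-X-L values), and whether the signing certificate is actually covered by the signature (SigningCertificate inside the referenced SignedProperties, or a ds:KeyInfo that SignedInfo references). The following inspector is an added example written for this thread; it is not EldoS or SecureBlackbox code and not code from either poster. It uses only the Python standard library, follows the XAdES v1.3.2 element names used in the thread, and builds its own constructed, non-valid sample signatures (placeholder digests and values) for demonstration.

```python
"""Structural XAdES inspector (added example; not EldoS/SecureBlackbox code)."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
NS = {"ds": DS, "xades": XADES}

# Unsigned signature properties that characterise each form, in the order the
# forms build on each other: a level only counts if the previous one is present.
FORM_LADDER = [
    ("T", {"SignatureTimeStamp"}),
    ("C", {"CompleteCertificateRefs", "CompleteRevocationRefs"}),
    ("X", {"SigAndRefsTimeStamp", "RefsOnlyTimeStamp"}),   # either element suffices
    ("X-L", {"CertificateValues", "RevocationValues"}),
    ("A", {"ArchiveTimeStamp"}),                              # xades namespace in v1.3.2
]
ANY_OF = {"X"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def xades_form(unsigned, has_policy):
    """Derive the XAdES form name from the set of unsigned property local names."""
    form = "EPES" if has_policy else "BES"
    for level, needed in FORM_LADDER:
        ok = bool(needed & unsigned) if level in ANY_OF else needed <= unsigned
        if not ok:
            break
        form = level
    return form


def inspect(xml_text):
    """Report form, unsigned properties and signing-certificate coverage of a ds:Signature."""
    root = ET.fromstring(xml_text)
    sig = root if _local(root.tag) == "Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature element found")

    ref_uris = {r.get("URI", "") for r in sig.findall("./ds:SignedInfo/ds:Reference", NS)}

    signed_props = sig.find(".//xades:SignedProperties", NS)
    sp_id = signed_props.get("Id") if signed_props is not None else None
    sp_referenced = sp_id is not None and ("#" + sp_id) in ref_uris

    ssp = ".//xades:SignedSignatureProperties/xades:"
    has_signing_cert = sig.find(ssp + "SigningCertificate", NS) is not None
    has_policy = sig.find(ssp + "SignaturePolicyIdentifier", NS) is not None

    key_info = sig.find("./ds:KeyInfo", NS)
    ki_id = key_info.get("Id") if key_info is not None else None
    key_info_referenced = ki_id is not None and ("#" + ki_id) in ref_uris

    unsigned = {_local(el.tag) for el in sig.findall(".//xades:UnsignedSignatureProperties/*", NS)}

    # Coverage rule from the thread: SigningCertificate must live in the signed
    # properties (which SignedInfo references), otherwise ds:KeyInfo must carry
    # the certificate and itself be referenced from SignedInfo.
    return {
        "form": xades_form(unsigned, has_policy),
        "unsigned_properties": sorted(unsigned),
        "has_key_info": key_info is not None,
        "has_signing_certificate": has_signing_cert,
        "signed_properties_referenced": sp_referenced,
        "signing_certificate_covered": (has_signing_cert and sp_referenced) or key_info_referenced,
    }


# Constructed template: same shape as the first post's output, with placeholder
# digests/values. It is not a cryptographically valid signature.
_TEMPLATE = (
    '<root><data>sample</data>'
    '<ds:Signature xmlns:ds="%s" xmlns:xades="%s" Id="Signature-1">'
    '<ds:SignedInfo>'
    '<ds:Reference URI=""><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
    '<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-1">'
    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>%s'
    '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>%s'
    '<ds:Object><xades:QualifyingProperties Target="#Signature-1">'
    '<xades:SignedProperties Id="SignedProperties-1"><xades:SignedSignatureProperties>'
    '<xades:SigningTime>2013-06-13T13:39:18Z</xades:SigningTime>%s'
    '</xades:SignedSignatureProperties></xades:SignedProperties>%s'
    '</xades:QualifyingProperties></ds:Object></ds:Signature></root>'
)


def build_sample(signing_certificate=False, key_info=False, unsigned=()):
    """Construct a placeholder signature with the requested XAdES elements."""
    sc = "<xades:SigningCertificate><xades:Cert/></xades:SigningCertificate>" if signing_certificate else ""
    ki = '<ds:KeyInfo Id="KeyInfo-1"><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>' if key_info else ""
    ki_ref = '<ds:Reference URI="#KeyInfo-1"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>' if key_info else ""
    up = ""
    if unsigned:
        up = ("<xades:UnsignedProperties><xades:UnsignedSignatureProperties>%s"
              "</xades:UnsignedSignatureProperties></xades:UnsignedProperties>"
              % "".join("<xades:%s/>" % n for n in unsigned))
    return _TEMPLATE % (DS, XADES, ki_ref, ki, sc, up)


if __name__ == "__main__":
    print(inspect(build_sample()))
    print(inspect(build_sample(True, True, ("SignatureTimeStamp", "CompleteCertificateRefs",
                                            "CompleteRevocationRefs", "SigAndRefsTimeStamp",
                                            "CertificateValues", "RevocationValues"))))
```

Run against the pre-sign output from the first post, the inspector reports form BES with no unsigned properties and `signing_certificate_covered` false, which is exactly the "Signing certificate not found" situation described later in the thread; a signature that only carries CompleteCertificateRefs and CompleteRevocationRefs stops at C, while one that adds the values reaches X-L only if the refs timestamp is also present. Feed it your own `Signer.Signature.XMLElement` output as a string to check what the upgrade step actually produced.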
#25360
Posted: 06/19/2013 11:38:38
by Mario Calderón (Basic support level)
Joined: 04/25/2013
Posts: 16

Thanks both,

Dmytro, what do you mean by
Quote
To add a signing certificate with DC you should have or send a public certificate (or it CertID) from a user to the server before signing

?

Does it mean that the server should have somewhere in it, stored the public certificate of everybody who wishes to perform XAdES-XL signature?

Like, if I want to sign, prior to doing it, I have to send my public certificate to the server somehow? Like by email? Or how? And when?


I don't quite understand that...

Thanks for your time and effort.
#25362
Posted: 06/19/2013 13:29:12
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Does it mean that the server should have somewhere in it, stored the public certificate of everybody who wishes to perform XAdES-XL signature?

No and yes: the SigningCertificate element is not required by the standard, it is recommended. However, if the SigningCertificate element is not present in the signature, the ds:KeyInfo should contain the signing certificate, and the SignedInfo element should contain a reference that signs at least the signing certificate. Also, an implicit way is possible, when user data is signed and it contains some identifier that corresponds to the user certificate.
So, in general, in the pre-sign step (with an xml file to sign) you should send a public certificate or CertID (it consists of the certificate Issuer RDN, Serial number and certificate digest value; this information is included in the SigningCertificate element, not the raw public certificate data). Of course, for each user you can store this data on the server.