EldoS | Feel safer!


Distributed Signing Word 2013 document

#25690
Posted: 07/16/2013 01:06:36
by Dmytro Bogatskyy (EldoS Corp.)

I have created a helpdesk ticket with updated assemblies.
#25754
Posted: 07/22/2013 06:36:01
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Thanks Dmytro, we received the dlls. Our team has moved ahead and successfully signed MSWord doc. Now we are working on achieving XAdES-X-L signature. So far, we have embedded timestamping info. However, while adding Revocation info we are facing some issues.

From the XMLBlackBox>AdvancedSigner sample we used this code to add revocation information in signature:

Code
// retrieve pki data for XAdES-C form
XAdESVerifier.OnRetrieveCertificate += new TSBXAdESRetrieveCertificateEvent(XAdESVerifier_OnRetrieveCertificate);
XAdESVerifier.OnRetrieveCRL += new TSBXAdESRetrieveCRLEvent(XAdESVerifier_OnRetrieveCRL);
XAdESVerifier.OnRetrieveOCSPResponse += new TSBXAdESRetrieveOCSPResponseEvent(XAdESVerifier_OnRetrieveOCSPResponse);
...
void XAdESSigner_OnStoreCRL(object Sender, TElCertificateRevocationList CRL, ref string URI)
{
   byte[] buf;
   CRL.SaveToBuffer(out buf);
   URI = string.Format("crl-{0}.crl", SBRandom.Unit.SBRndGenerate(0));
   File.WriteAllBytes(Path.GetDirectoryName(edXMLFile.Text) + Path.DirectorySeparatorChar + URI, buf);
}
...


Is the above the right way to add revocation info in signature?
From the above implementation of _OnStoreCRL(), we see that a CRL is provided to the callback. Where does this CRL come from? We didn't provide any.

We are attaching our current version sample with timestamp added. It would be great help if you could modify this sample to create XAdES-X-L signature. This would be time saving and we could then be able to finish our assessment of ELDOS. thanks


[ Download ]
#25758
Posted: 07/22/2013 07:36:19
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

On FinishSigning stage you need to set XAdESForm property:
Code
XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_X_L;

This will set the target XAdES form and force the component to auto-collect revocation info.
Also, you may need to adjust properties of the TElX509CertificateValidator instance that is used to auto-collect revocation info.
For example:
Code
void HandleBeforeCertificateValidate(object Sender, TElX509Certificate Cert, TElX509CertificateValidator CertValidator)
{
   // treat trusted Windows Certificate Stores as trusted
   CertValidator.IgnoreSystemTrust = false;
}

XAdESSigner.OnBeforeCertificateValidate += HandleBeforeCertificateValidate;

Then you may need to add SigAndRefsTimestamp or RefsOnlyTimestamp. Office requires them for XAdES-X form or higher. To add SigAndRefsTimestamp or RefsOnlyTimestamp elements, you would need to call appropriate method AddRefsOnlyTimestamp or AddSigAndRefsTimestamp (in the same way as AddSignatureTimestamp method).

P.S. If you are creating XAdES-X-L form immediately after XAdES-C form, then you don't need to store revocation info in separate files as revocation and certificate values will be included in the signature.
#25767
Posted: 07/23/2013 01:48:34
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Quote
On FinishSigning stage you need to set XAdESForm property


Will this trigger a form/dialog to show? If yes, can we bypass showing the dialog and only have our settings applied in hidden mode?

Quote
Also, you may need to adjust properties of TElX509CertificateValidator instance, that is used to auto collect revocation info.
For example:


Auto collection means it will get the CRLs and OCSP responses automatically without involving us, right? Is it possible to achieve this manually, where we can provide the CRLs and OCSP responses?

Thanks
#25770
Posted: 07/23/2013 06:50:22
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

in FinishSigning() we set

Code
// Adding this line causes the "Signer Certificate not found" error.
XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_X_L;       // instructed by Dmytro


which caused an exception "Signer Certificate no found", at this line:

Code
doc.CompleteAsyncSign(handler, state);


We then added the signer certificate in XAdESSigner object like so:

Code
// add signer cert
TElCustomCertStorage certStore = new SBCustomCertStorage.TElMemoryCertStorage();
certStore.Add(_Certificate, true);

X509Chain chain = new X509Chain();
chain.Build(_Certificate2);
foreach (X509ChainElement e in chain.ChainElements)
{
   TElX509Certificate c = new TElX509Certificate();
   int ret = c.LoadFromBufferAuto(e.Certificate.RawData, 0, e.Certificate.RawData.Length, "");
   if (ret == 0)
      certStore.Add(c);
}

XAdESSigner.SigningCertificates = certStore;


After doing this we started getting a new exception:
"EEIXMLAdESError was unhandled
Collected validation information is not complete"

at line:
Code
doc.CompleteAsyncSign(handler, state);


Here is complete code for FinishSigning() method:
Code
protected void FinishSigning(ref String fileName, MemoryStream signatureStream)
{
   TElDCAsyncState state = new TElDCAsyncState();
   //MemoryStream signatureStream = new MemoryStream(signature);
   state.LoadFromStream(signatureStream, SBDCXMLEnc.__Global.DCXMLEncoding());

   string SignType = "XAdES";
   bool CreateXAdES = SignType.ToLower().CompareTo("xades") == 0;

   // NEED TO ADD TIMESTAMP
   string TimestampServer = "http://"; //WebConfigurationManager.AppSettings.Get("TimestampServer");
   TElHTTPTSPClient TSPClient = null;
   TElHTTPSClient HTTPClient = null;
   if (!string.IsNullOrEmpty(TimestampServer))
   {
      TSPClient = new TElHTTPTSPClient();
      HTTPClient = new TElHTTPSClient();
      TSPClient.HTTPClient = HTTPClient;
      TSPClient.URL = TimestampServer;
      TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
   }

   using (TElOfficeDocument doc = new TElOfficeDocument())
   {
      doc.Open(fileName);
      TElOfficeCustomSignatureHandler handler = doc.get_SignatureHandlers(doc.SignatureHandlerCount - 1);

      if (CreateXAdES)
      {
         TElXAdESSigner XAdESSigner = new TElXAdESSigner();

         // Adding this line causes the "Signer Certificate not found" error.
         XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_X_L;       // instructed by Dmytro

         // add signer cert
         TElCustomCertStorage certStore = new SBCustomCertStorage.TElMemoryCertStorage();
         certStore.Add(_Certificate, true);

         X509Chain chain = new X509Chain();
         chain.Build(_Certificate2);
         foreach (X509ChainElement e in chain.ChainElements)
         {
            TElX509Certificate c = new TElX509Certificate();
            int ret = c.LoadFromBufferAuto(e.Certificate.RawData, 0, e.Certificate.RawData.Length, "");
            if (ret == 0)
               certStore.Add(c);
         }

         XAdESSigner.SigningCertificates = certStore;
         
         if (handler is TElOfficeOpenXMLBaseSignatureHandler)
         {
            ((TElOfficeOpenXMLBaseSignatureHandler)handler).XAdESProcessor = XAdESSigner;
            ((TElOfficeOpenXMLBaseSignatureHandler)handler).OwnXAdESProcessor = true;

         }
         else if (handler is TElOfficeBinaryXMLSignatureHandler)
         {
            ((TElOfficeBinaryXMLSignatureHandler)handler).XAdESProcessor = XAdESSigner;
            ((TElOfficeBinaryXMLSignatureHandler)handler).OwnXAdESProcessor = true;
         }
         else if (handler is TElOpenOfficeSignatureHandler)
         {
            ((TElOpenOfficeSignatureHandler)handler).XAdESProcessor = XAdESSigner;
            ((TElOpenOfficeSignatureHandler)handler).OwnXAdESProcessor = true;
         }

         // validate signing certificate and automatically collect all pki data
         XAdESSigner.OnBeforeCertificateValidate += HandleBeforeCertificateValidate;

         // store pki data for XAdES-C form
         XAdESSigner.OnStoreCertificate += new TSBXAdESStoreCertificateEvent(XAdESSigner_OnStoreCertificate);
         XAdESSigner.OnStoreCRL += new TSBXAdESStoreCRLEvent(XAdESSigner_OnStoreCRL);
         XAdESSigner.OnStoreOCSPResponse += new TSBXAdESStoreOCSPResponseEvent(XAdESSigner_OnStoreOCSPResponse);
         
         if (TSPClient != null)
         {
            // Add signature timestamp - XAdES-T
            XAdESSigner.AddSignatureTimestamp(TSPClient);

            // Add XAdES-X - timestamp
            XAdESSigner.AddSigAndRefsTimestamp(TSPClient);
         }                        
      }

      doc.CompleteAsyncSign(handler, state);
   }

   if (TSPClient != null)
   {
      TSPClient.Dispose();
      HTTPClient.Dispose();
   }

   File.Move(fileName, Path.ChangeExtension(fileName, ""));
   fileName = Path.ChangeExtension(fileName, "");
}


Kindly, assist us in solving this issue, also, if you see any other issue in provided code, please identify it as well. thanks.
#25773
Posted: 07/23/2013 07:49:31
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Will this trigger a form/dialog to show? if yes then can we bypass the dialog showing and only have our settings done in hidden mode?

No, it shouldn't show any form/dialog.
Quote
which caused an exception "Signer Certificate no found", at this line:

Yes, a signer certificate should be added to XAdES at the presign stage (as far as I know Office requires it), or you can add a signer certificate to XAdESSigner.SigningCertificates in the FinishSigning() method (in this case the signing certificate would be used only for auto-collecting revocation info).
Quote
After doing this we started getting a new exception:
"EEIXMLAdESError was unhandled
Collected validation information is not complete"

Most likely you need to add the CA certificate into TrustedCertificates; your CA certificate may not be installed in the Windows Certificate Stores. To do this you can use the XMLAdESSigner.TrustedCertificates property, or the CertValidator.AddTrustedCertificates method.
Also, you may disable this check by enabling XMLAdESSigner.IgnoreChainValidationErrors property.
You may try to sign any xml document with XMLBlackBox\AdvancedSigner sample with the same certificate and check if the same error occurs.
Quote
Auto collection means it will get the CRLs and OCSP responses automatically without involving us, right?

Yes, that's right. You can provide certificate and CRLs, OCSP responses into CertificateValidator component to help to locate them.
Quote
Is it possible to achieve this manually? where we can provide the CRL's and OCSP responses?

The general XAdES components (TElXAdESSigner, TElXAdESVerifier) do support adding custom revocation information. In the next version we will add a handler.UpdateSignature method that will allow extending the XAdES form later (automatically or in a custom way).
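The two replies above list the moving parts separately: set XAdESForm, tune the TElX509CertificateValidator from OnBeforeCertificateValidate (trust anchor, IgnoreSystemTrust), feed it CRLs/OCSP responses you already hold, and add the SigAndRefs timestamp. The helper below, an added example that is neither EldoS's code nor the poster's sample, collects those steps in one place so the auto-collection step that raises "Collected validation information is not complete" has a full chain to work with. Calls and properties that appear in the thread are used as-is; the namespaces SBCertValidator, SBCRL, SBCRLStorage and SBTSPClient, the validator members AddKnownCRLs, CheckCRL and CheckOCSP, and the TElCertificateRevocationList.LoadFromBuffer signature are assumptions marked ASSUMED in the code and should be checked against the SecureBlackbox reference for the version in use.

```csharp
// Added example, not EldoS's code: one helper that wires up the pieces this
// thread mentions for an XAdES-X-L signature built in FinishSigning().
using System;
using System.IO;
using SBCustomCertStorage;   // TElMemoryCertStorage (on the page)
using SBX509;                // TElX509Certificate
using SBXMLAdES;             // TElXAdESSigner, XAdES_X_L
using SBCertValidator;       // ASSUMED unit for TElX509CertificateValidator
using SBCRL;                 // ASSUMED unit for TElCertificateRevocationList
using SBCRLStorage;          // ASSUMED unit for TElMemoryCRLStorage
using SBTSPClient;           // ASSUMED unit for TElHTTPTSPClient

static class XadesXLSetup
{
    // Run once per process, before any signing. Without these factories the
    // validator has no way to follow CDP (CRL) or AIA (OCSP, issuer cert) URLs,
    // so "auto collection" silently ends up incomplete.
    public static void RegisterRetrievers()
    {
        SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
        SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();
        SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();   // keep enabled for AIA OCSP
        SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();
    }

    // Load every certificate file matching `pattern` (DER or PEM) into a memory
    // store. LoadFromBufferAuto returns 0 on success, as in the thread's code.
    public static TElMemoryCertStorage LoadCerts(string dir, string pattern)
    {
        var store = new TElMemoryCertStorage();
        foreach (string path in Directory.GetFiles(dir, pattern))
        {
            byte[] raw = File.ReadAllBytes(path);
            var cert = new TElX509Certificate();
            if (cert.LoadFromBufferAuto(raw, 0, raw.Length, "") == 0)
                store.Add(cert, true);
        }
        return store;
    }

    // Optional "manual" revocation material: CRLs fetched out of band (for
    // example on a host without outbound HTTP). OCSP responses would go into a
    // TElOCSPResponseStorage handed to AddKnownOCSPResponses the same way.
    public static TElMemoryCRLStorage LoadCrls(string dir)
    {
        var crls = new TElMemoryCRLStorage();
        foreach (string path in Directory.GetFiles(dir, "*.crl"))
        {
            byte[] raw = File.ReadAllBytes(path);
            var crl = new TElCertificateRevocationList();
            if (crl.LoadFromBuffer(raw, 0, raw.Length) == 0)   // ASSUMED signature
                crls.Add(crl);
        }
        return crls;
    }

    // Wire everything into the signer. Call from FinishSigning() after the
    // signer certificate is in SigningCertificates (the thread says Office
    // needs it at presign; SigningCertificates is the fallback for collection).
    public static void Configure(TElXAdESSigner signer,
                                 TElCustomCertStorage trustedCAs,
                                 TElMemoryCRLStorage knownCrls,
                                 TElHTTPTSPClient tsp)
    {
        signer.XAdESForm = SBXMLAdES.Unit.XAdES_X_L;
        // Keep the chain check on: disabling it yields a signature that
        // carries incomplete validation data, not a long-term-valid one.
        signer.IgnoreChainValidationErrors = false;

        // Fired per certificate; the validator instance is what auto-collects.
        signer.OnBeforeCertificateValidate +=
            (object sender, TElX509Certificate cert, TElX509CertificateValidator v) =>
            {
                v.IgnoreSystemTrust = false;          // Windows stores still count as trusted
                v.AddTrustedCertificates(trustedCAs); // explicit anchor for CAs not in Windows
                v.AddKnownCRLs(knownCrls);            // ASSUMED: pre-fetched CRLs
                v.CheckCRL = true;                    // ASSUMED property names
                v.CheckOCSP = true;
            };

        if (tsp != null)
        {
            signer.AddSignatureTimestamp(tsp);     // XAdES-T
            signer.AddSigAndRefsTimestamp(tsp);    // XAdES-X; Office requires it for X / X-L
        }
    }
}
```

Usage, with placeholder paths: call XadesXLSetup.RegisterRetrievers() once at application start, then inside FinishSigning(), after XAdESSigner.SigningCertificates is set and before doc.CompleteAsyncSign(), call XadesXLSetup.Configure(XAdESSigner, XadesXLSetup.LoadCerts(@"C:\path\to\ca", "*.cer"), XadesXLSetup.LoadCrls(@"C:\path\to\crl"), TSPClient). If the collection error persists with the trust anchor and retrievers in place, the next thing to check is whether the CA's CRL/OCSP endpoints are reachable from the signing host, since that is what the validator depends on.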
#25805
Posted: 07/25/2013 01:37:19
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Hi Dmytro,

As you suggested we added the chain certificates to the XAdESSigner.TrustedCertificates store. The CA certificate is already present in the windows certificate store.
We added the trusted certificates like so:
Code
// Adding this line causes the "Signer Certificate not found" error.
XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_X_L;       // instructed by Dmytro

// add signer cert
TElCustomCertStorage certStore = new SBCustomCertStorage.TElMemoryCertStorage();
certStore.Add(_Certificate, true);

// instead of adding chain here, add chain to trusted authority list.
X509Chain chain = new X509Chain();
chain.Build(_Certificate2);
TElCustomCertStorage trustedStore = new SBCustomCertStorage.TElMemoryCertStorage();
foreach (X509ChainElement e in chain.ChainElements)
{
   TElX509Certificate c = new TElX509Certificate();
   int ret = c.LoadFromBufferAuto(e.Certificate.RawData, 0, e.Certificate.RawData.Length, "");
   if (ret == 0)
      trustedStore.Add( c );
}

XAdESSigner.TrustedCertificates = trustedStore;
XAdESSigner.SigningCertificates = certStore;


Still the same error is occurring, "Collected validation information is not complete", at the same line.

Quote
Also, you may disable this check by enabling XMLAdESSigner.IgnoreChainValidationErrors property.

Also, we cannot use the IgnoreChainValidationErrors, because we want a valid long term signature.

Please note that we are not providing Crls or OCSP response manually, because you mentioned that the SDK will do it automatically.

Does the sdk use AIA for OCSP responses and CDP for CRLs?

Lastly, we really need a working sample in one or two days, and the current process is taking too long. Is it possible for you to provide us the working sample based on the sample we sent you earlier?

thanks
#25806
Posted: 07/25/2013 01:50:34
by Eugene Mayevski (EldoS Corp.)

Quote
Jahangir Shah wrote:
Please note that we are not providing Crls or OCSP response manually, because you mentioned that the SDK will do it automatically.


You must reference and initialize the corresponding collectors though, as shown in the sample. Search for "retrieverFactory" in the AdvancedSigner sample and ensure that your code has similar lines.

Quote
Jahangir Shah wrote:
Does the sdk use AIA for OCSP responses and CDP for CRLs?


Using TLAs is not a good idea if you want to get a meaningful answer.
Anyway, yes it does.

Quote
Jahangir Shah wrote:
Lastly, we really need a working sample in one or two days, and the current process is taking too long. Is it possible for you to provide us the working sample based on the sample we sent you earlier?


Evaluating users have Basic support level which does not include analysis of custom samples at all. Basic support level includes only answering basic how-do-I questions after requests from licensed customers are handled.

You are welcome to purchase a license.


Sincerely yours
Eugene Mayevski
#25861
Posted: 07/29/2013 01:32:31
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Quote
You must reference and initialize corresponding collectors though, as shown in the sample. Search for "retrieverFactory" in AdvancedSigner sample and ensure that your code has the similar lines.


This did not work. We did add the following lines in our code. With or without the commented line the output does not change. The same exception still occurs.

Code
// The following lines are required for HTTP retrieval of CRLs and OCSP in TElX509CertificateValidator to work
SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();
//SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();


Kindly, let us know what else should we try to make it work.

Quote
Using TLAs is not a good idea if you want to get a meaningful answer.

We'll be careful next time. Thanks for ignoring :)

Quote
Evaluating users have Basic support level which does not include analysis of custom samples at all. Basic support level includes only answering basic how-do-I questions after requests from licensed customers are handled.


There were times when the issues we were facing were found to be caused by a bug or missing feature in the ELDOS SDK. Considering these events, we don't know whether the issue we are having is because of our limited understanding of the SDK or because of an issue in the SDK.

Purchasing a license without knowing if the sdk can achieve what we are looking for, would not be appropriate. That is why, we want to finish the reviewing as soon as possible. Also, please note that we really are on a deadline, and would welcome any support that can help us achieve it.

Thanks
#25865
Posted: 07/29/2013 04:26:24
by Eugene Mayevski (EldoS Corp.)

I am sorry but I don't think that we can spend our resources on your issue within Basic support level.


Sincerely yours
Eugene Mayevski