EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How can I sign a XML file with RSA-SHA1

#26083
Posted: 08/12/2013 06:21:37
by Jacob jvandiermen (Standard support level)
Joined: 08/09/2013
Posts: 55

Hello eldos,

Currently I'm evaluating your VLC component for a Delphi project.
In this project we want to sign an XML file with the following schema: http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd#rsa-sha1
For the signing we take the value of an XML element of the XML file, in this case the Signed Info element with tag <SignedInfo>. This value is the input of an RSA-SHA1 function. The Signed Info element consists of siblings that have a text value or SHA1 digest value. The output of the RSA-SHA1 function will be the value of an XML element Signature Value in the file with tag <SignatureValue>.
So basically: calculate the digest of the <SignedInfo> element, sign that digest and put the signature value in a <SignatureValue> element.
For the signing I got a pfx file. This pfx file is issued by http://www.digi-sign.com/
I can load the pfx file in a TElX509Certificate object with the password I got from http://www.digi-sign.com/. With this password it is possible to export the certificates from the pfx file including the private key. After loading the pfx file I can assign the TElX509Certificate to a TElRSAKeyMaterial object. The property PrivateKeyExists of this TElRSAKeyMaterial object indicates that there is a private key. Now I want to sign the XML file by encrypting the value of the <SignedInfo> element. I tried to use the Sign method of a TElRSAPublicKeyCrypto object. But I get a public key crypto error with message "Only detached signatures are supported". My question now is which SecureBlackBox object do I have to use to sign my XML file, and how and/or in what way must I use this object.

Regards,

Jacob
#26085
Posted: 08/12/2013 06:50:03
by Eugene Mayevski (EldoS Corp.)

You seem to be going the wrong route. You don't need to binary-sign anything. For XMLDSig signing (which you need to use according to the schema URL) you must use TElXMLSigner class. We have samples for it in Samples\Delphi\XMLBlackbox folder. Please check that sample and also review the how-to's in the help file.


Sincerely yours
Eugene Mayevski
#26087
Posted: 08/12/2013 09:27:57
by Jacob jvandiermen (Standard support level)
Joined: 08/09/2013
Posts: 55

Hello Eugene,

Thank you for your reply.
I tried the SimpleSignature project but couldn't sign the XML file.
This is what I did.
First, with OpenSSL I extracted the certificate including the private key from the pfx file using the password that www.digi-sign.com sent to me. I included the PEM file but changed the extension to txt because otherwise I can't send you the file as an attachment.
I loaded the XML file with SimpleSigner. The checkbox "Normalize newline characters on load" is selected. For Charset I used utf-8. I selected the SignalInfo node. In the box below I can see all the siblings of the SignalInfo node. By clicking on the Sign button I get the Signature Options window. In this window I choose for signature type Enveloping. Canonicalization method is set to Canonical. Signature method type is set to Signature Method. Signature Method is set to RSA SHA1. The checkbox for Include Key (public part) is selected. For Key Name I use the name Stewart Muir. For Key file I select the PEM file. For Win Cert I selected the Stewart Muir certificate that is installed by Windows Certificate Manager from the pfx file. For Password Phrase I used the password that I got from www.digi-sign.com. When I click on the OK button to sign the file I get a lot of errors in Delphi debug mode. For EEIASN1ReadError I get "Invalid size", "Invalid stream data". For EEICryptoKeyError I get "Invalid secret key". For EEICertificateError I get "Invalid certificate data". For EEIXMLSecurityError I get "RSA Key data expected".
I think the PEM file isn't valid.
How can I use the pfx file from www.digi-sign.com to sign the XML file?

Regards,

Jacob


#26088
Posted: 08/12/2013 10:02:52
by Eugene Mayevski (EldoS Corp.)

If the exceptions happen only in Debug mode, then they can be ignored in the IDE -- those exceptions are handled internally. They are the way to control execution flow inside of SecureBlackbox. EElASN1Error is one of them. The strange thing is that the installer of the components should have added them to the IDE's Exceptions To Ignore list, so normally you should not see them. Please tell me what version of Delphi you are using - we will check the installer regarding those exceptions.

It's hard to say anything regarding EElXMLSecurityError cause this one seems to be the consequence of previous errors and/or incorrect use of the sample.

I am leaving the main part of your question for the developer to answer: I see that there's some confusion regarding different files and keys, but I have difficulties understanding how to use the sample right in your particular case. So let the developer check it.


Sincerely yours
Eugene Mayevski
#26093
Posted: 08/12/2013 11:42:38
by Dmytro Bogatskyy (EldoS Corp.)

Quote
For EEIXMLSecurityError I get RSA Key data expected.

This exception could occur if the selected certificate doesn't have a private key, or if you have selected the RSA-SHA1 signature method but are using, for example, a DSA certificate.
Please try to sign with a test certificate (SecureBlackbox\Extra\Certificates).
#26094
Posted: 08/12/2013 12:01:40
by Dmytro Bogatskyy (EldoS Corp.)

Quote
For Key file I select the PEM File. For Win Cert I selected the Stewart Muir certificate that is installed by Windows Certificate Manager from the pfx file. For Password Phrase I used the password that I got from www.digi-sign.com.

In your case a windows certificate is used for signing.
You should either set a windows certificate or a key file (certificate in your case) with a password (if required). I will update the sample to make it clear.
#26101
Posted: 08/13/2013 04:09:25
by Jacob jvandiermen (Standard support level)
Joined: 08/09/2013
Posts: 55

Hello Dmytro,

Where can I download the update?

Regards,

Jacob
#26103
Posted: 08/13/2013 06:33:58
by Eugene Mayevski (EldoS Corp.)

The updated sample will make it clearer, what fields to choose, but these updates are hardly related to your particular problem.

As Dmytro said, you need to use *either* the key file (PFX would work, no need to convert it) OR choose the certificate from Windows Certificate Store. You tried both and involved format conversion, and this of course caused unnecessary complications. So please try to do what I described - specify just a PFX file and skip the exceptions as I mentioned in my previous message (which you probably missed as you didn't answer my question there).


Sincerely yours
Eugene Mayevski
#26104
Posted: 08/13/2013 08:57:34
by Jacob jvandiermen (Standard support level)
Joined: 08/09/2013
Posts: 55

Hello Eugene,

Where can I download the updated version of the SimpleSigner example?

I tested the SimpleSigner with the certificates that are included in SecureBlackbox\Extra\Certificates.
I have a plain and simple XML file that I used. The XML file is included in this mail.
I tried numerous settings in the SimpleSigner but was unable to sign the XML file with your cert.pfx file.
Evidently I must be doing something wrong.
How must I use the SimpleSigner application to sign the XML file?
Loading the XML file and selecting the node (in my case the dsig:SignatureInfo) in the TTreeView object is easy. I can see the content of the selected node (in my case the dsig:SignatureInfo) in the TMemo object.
Now I want to sign the selected node (in my case the dsig:SignatureInfo) using your cert.pfx file. I want the output (RSA SHA1 value) of the signing to be the value of the node dsig:SignatureValue.
Now I'm confused. For the signing you either use a pfx file or the Windows Certificate. I want to use a pfx file.
When I use the cert.pfx file and I sign the XML file, how can I assign the output value to the value of the node dsig:SignatureValue?
Furthermore I think that I have to use the XAdES button. What do I have to fill in the Policy Id TGroupBox?
And if I use the XAdES option, do I still have to select the cert.pfx?
Because in the XAdES option form you must select a signing certificate with PEM extension.

Regards,

Jacob
#26105
Posted: 08/13/2013 09:02:38
by Jacob jvandiermen (Standard support level)
Joined: 08/09/2013
Posts: 55

Sorry, I forgot to include the XML file! Change the extension from xml to txt, otherwise the mailing system will reject the file.

