EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Verifying and upgrading Cades-BES signature

#26639
Posted: 09/27/2013 00:20:17
by Huseyin Yagli (Basic support level)
Joined: 09/10/2013
Posts: 2

Hi,

I'm trying to use your product to verify and upgrade a Cades-BES signature generated by an applet on the server side (asp.net).

What I'm trying to do first is to verify the signature:
Code
  // byte[] signatureData: Contains the Cades-BES signature generated by applet
  // byte[] outData
  // int outSize
  TElMessageVerifier emv = new TElMessageVerifier();

  int result = emv.Verify(signatureData, ref outData, ref outSize);


My first question is whether it is enough to check the signature like this?

After this I'm trying to upgrade this signature to CAdES-X Long.

Code
  TElSignedCMSMessage signedCmsMessage = new TElSignedCMSMessage();
  MemoryStream ms = new MemoryStream(signatureData);
  signedCmsMessage.Open(ms, null, 0, 0);

  TElCAdESSignatureProcessor csp = new TElCAdESSignatureProcessor();
  csp.Signature = signedCmsMessage.get_Signatures(0);

  TElHTTPSClient httpClient = new TElHTTPSClient();
  TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
  tspClient.HTTPClient = httpClient;
  tspClient.URL = "https://clepsydre.edelweb.fr/dvcs/service-tsp";
  httpClient.SocketTimeout = 20000;

  csp.UpgradeToXL(tspClient);

  byte[] upgradedSignature = new byte[17000000];
  ms = new MemoryStream(upgradedSignature, true);
  signedCmsMessage.Save(ms);

  Array.Resize(ref upgradedSignature, Convert.ToInt32(ms.Length));


While trying this signature upgrade CAdES-XL I get the error "CAdES-C signature MUST contain a signature timestamp attribute"

How do I upgrade the signature to CAdES-XL, and are there any other steps in which I am making mistakes?

Also, what package/packages do we need to buy to complete these operations using your software. (We will also use Archive timestamps later)
#26642
Posted: 09/27/2013 02:24:23
by Ken Ivanov (EldoS Corp.)

Hello Huseyin,

Quote
My first question is whether it is enough to check the signature like this?

It depends on exactly what aspects of the signature you wish to check. TElMessageVerifier.Verify() only checks the integrity of the signature (i.e. that it is signed with the claimed certificate and not altered); it does not, though, validate the signing certificate chain. The latter can be checked in addition to the above code with the use of the TElX509CertificateValidator class.

Quote
While trying this signature upgrade CAdES-XL I get the error "CAdES-C signature MUST contain a signature timestamp attribute"

There are two overloads of the UpgradeToXL() method available. The one you are trying to use expects CAdES-C signature on input. To upgrade a CAdES-BES signature, please use the other overload which accepts two TSP client objects. You can pass the same TSP client instance twice, to both parameters.

Your code is generally correct and is likely to work. There is some dependency on local environment though - the CAdES component needs to have access to all certificates that constitute the signing certificate chain and dependent revocation services chains, so they should be either available in local Windows certificate stores or provided to the components explicitly.

You will probably need to register revocation information retrievers prior to upgrading signatures as well:
Code
SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();


Quote
Also, what package/packages do we need to buy to complete these operations using your software. (We will also use Archive timestamps later)

You will need PKIBlackbox for CAdES functionality itself, and HTTPBlackbox for timestamping and revocation information retrieving purposes. In specific cases (where revocation information is provided via an LDAP service) LDAPBlackbox might also be needed.
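The steps from the reply above, assembled into one routine as an added example (not code from the original posts or from EldoS). It uses only the calls that appear in this thread; the class and method names, the `tsaUrl` parameter, the `using` namespace names and the output-buffer sizing are assumptions.

```csharp
using System;
using System.IO;
// Namespace names are assumed from SecureBlackbox unit naming; the thread
// itself only shows SBHTTPCRL, SBHTTPOCSPClient and SBHTTPCertRetriever.
using SBMessages;
using SBCMS;
using SBCAdES;
using SBHTTPSClient;
using SBHTTPTSPClient;

public static class CadesUpgradeExample // hypothetical helper class
{
    public static byte[] VerifyAndUpgradeBesToXL(byte[] signatureData, string tsaUrl)
    {
        // Register the revocation/certificate retrievers named in the reply.
        SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
        SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
        SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();

        // Integrity check only. The signing certificate chain is NOT validated
        // here; per the reply that needs TElX509CertificateValidator as well.
        byte[] outData = new byte[signatureData.Length]; // assumed large enough
        int outSize = outData.Length;
        TElMessageVerifier emv = new TElMessageVerifier();
        int result = emv.Verify(signatureData, ref outData, ref outSize);
        if (result != 0) // 0 means success
            throw new InvalidOperationException("Verify failed, code " + result);

        TElSignedCMSMessage cms = new TElSignedCMSMessage();
        cms.Open(new MemoryStream(signatureData), null, 0, 0);
        TElCAdESSignatureProcessor csp = new TElCAdESSignatureProcessor();
        csp.Signature = cms.get_Signatures(0);

        TElHTTPSClient httpClient = new TElHTTPSClient();
        httpClient.SocketTimeout = 20000;
        TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
        tspClient.HTTPClient = httpClient;
        tspClient.URL = tsaUrl;

        // Two-client overload: accepts CAdES-BES input. The single-client
        // overload expects CAdES-C and raises the error quoted above.
        csp.UpgradeToXL(tspClient, tspClient);

        using (MemoryStream output = new MemoryStream()) // growable buffer
        {
            cms.Save(output);
            return output.ToArray();
        }
    }
}
```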
#26645
Posted: 09/29/2013 16:40:35
by Huseyin Yagli (Basic support level)
Joined: 09/10/2013
Posts: 2

Thank you for your answer.

I learned that my time stamping authority requires that we use its library.
Now, I have a function that takes a byte array and gets a timestamp for this data.

My question is, how do I use this function together with TElCAdESSignatureProcessor and upgrade my CAdES-BES to CAdES-XL?

Code
  byte[] data; // Data to be timestamped
  byte[] digest = DigestUtil.digest(DigestAlg.SHA256, data);
  // If TElCAdESSignatureProcessor gives me the hash of the data, I can skip the lines above (the hash must not be SHA-1, it has to be SHA256)
  TSClient tsClient = new TSClient();
  TSSettings settings = new TSSettings("http://tzd.kamusm.gov.tr", 1111, "12345678",  DigestAlg.SHA256);
  ETimeStampResponse response = tsClient.timestamp(digest, settings);
  byte[] timestampBytes = response.getContentInfo().getEncoded();
  // in timestampBytes we have our beloved timestamp


I couldn't use TElFileTSPClient.OnTimestampNeeded since it expects me to send just its TSP data to the server and give it back the server response.
#26646
Posted: 09/30/2013 00:44:01
by Eugene Mayevski (EldoS Corp.)

There exist several options in your case:

1) find out how to calculate the needed custom header, then insert it to the request sent by TElHTTPTSPClient component (this is possible).

2) Create a custom descendant of TElCustomTSPClient class that will do everything. In this case you need to (a) purchase a license and use the source code of TElFileTSPClient as a sample, and (b) ensure that the server returns proper TSP response and not something custom. I am sure it does, but it's good to check anyway.


Sincerely yours
Eugene Mayevski
#26652
Posted: 09/30/2013 10:27:27
by Eugene Mayevski (EldoS Corp.)

FYI: I've added a property (HashOnlyNeeded) to TElFileTSPClient that will tell the component to pass the hash and not the pre-created request to the OnTimestampNeeded event. The property will be available in release and it should solve your problem, with option 2.


Sincerely yours
Eugene Mayevski
#35996
Posted: 02/24/2016 08:55:53
by Eugene Mayevski (EldoS Corp.)

For all those users who need to use Kamusm TSA -- we have a solution, which involves their library, TElCustomTSPClient and some custom written code to convert the data. This combination is not suitable for a how-to or a sample, but if you have a need to use that TSA, please contact us via the HelpDesk and we'll help you.


Sincerely yours
Eugene Mayevski