EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Sign file with SHA256 as HasAlgorithm

Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.
#28844
Posted: 03/19/2014 09:47:13
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Hi,
I use the following piece of code to sign file with certificates from a token. When I check the signed file with an utility installed with the driver of the token, it states the HashAlgorithm of SHA1 would not be compatibile with Italian law. How can I change the HashAlgorithm? I tried to set the CMSSigner.Signatures[i].SignatureAlgorithm := SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION;
but with this line of code Delphi says that a read-only property cannot be assigned.
best regards
Toni


Code
procedure TfrmProcessor.SignFileStream(InStream: TMemoryStream; Cert : TElX509Certificate);
var
  OutStream  : TFileStream;
  i : integer;
  CMSSigner : TElSignedCMSMessage;

begin
  CMSSigner := TElSignedCMSMessage.Create(nil);

  try
    CMSSigner := TElSignedCMSMessage.Create( nil );
    try
      CMSSigner.CreateNew(InStream, 0, InStream.Size);
      i := CMSSigner.AddSignature;
      CMSSigner.Signatures[i].UsePSS := False;
      //CAdES
      CMSSigner.Signatures[i].SigningOptions := [ csoInsertMessageDigests, csoInsertSigningTime, csoIncludeCertToMessage, csoInsertContentType,
          csoIncludeCertToAttributes, csoForceSigningCertificateV2Usage ];
      CMSSigner.Signatures[i].SigningTime := Now;
      CMSSigner.Signatures[i].FingerprintAlgorithm := SB_ALGORITHM_DGST_SHA256;
      CMSSigner.Signatures[i].DigestAlgorithm := SB_ALGORITHM_DGST_SHA256;
      //compiler says, SignatureAlgorithm is a read-only property
      //CMSSigner.Signatures[i].SignatureAlgorithm := SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION;
      CMSSigner.Signatures[i].ContentType := 'pkcs7-data';
      CMSSigner.Signatures[i].Sign(Cert);

      OutStream := TFileStream.Create(edtOutput.Text, fmCreate or fmShareDenyWrite);
      try
        CMSSigner.Save(OutStream);
      finally
        OutStream.Free;
      end;
      MessageDlg('The file has been succesfully signed', mtInformation, [mbOk], 0);

    finally
      CMSSigner.Free;
    end;
  finally
    CMSSigner.free;
  end;

end;
#28845
Posted: 03/19/2014 09:58:41
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Your code seems to be correct. What SecureBlackbox version is used (11 or 12)? Could you post produced file for investigation via Helpdesk: https://www.eldos.com/helpdesk/index.php
#28846
Posted: 03/19/2014 11:23:19
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Could it be, this behavior depends on the certificate? With same procedure signing with an other token (certificate) from other producer, the file is signed with SHA256. Therefor I think it depends on the certificate. But signing with same certificate from an other tool (FileProtector from Actalis) the files are signed with SHA256.
I'm using SBB 11. I don't see version 12 between my downloads. Should I use that one?
best regards
Toni
#28852
Posted: 03/20/2014 03:19:06
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Could it be, this behavior depends on the certificate?

Its possible, but should be checked. Please send us two sample files: one that is recognized as signed with SHA-1 involved, and one that is recognized as a correct one. Then we'll be able to tell you exactly what is the reason of the problem.
#28853
Posted: 03/20/2014 03:57:38
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Hi Vsevolod,
the problem has been resolved toggling the pcsoOnDemandMode from the PKCS11Options of the used TElPKCS11CertStorage. I copied the component from one of your samples to my project so this option was set. It's not clear to me whats the meaning of this option (your help says "This option switches on-demand token access mode") but since it works now, I can go on developing. Many thanks. Should I still send you the files or is it clear for you having this information?
best regards
Toni
#28855
Posted: 03/20/2014 04:19:01
by Ken Ivanov (EldoS Corp.)

Hello Toni,

The on demand mode should not have any effect on the signing process. Basically, the main idea of on demand mode is avoiding establishing long-term sessions to the token, using instead brand new, very short, sessions for each token-driven operation (a sort of 'session virtualization' in some sense).

Could you please clarify whether the things started working for you when you switched the on demand mode ON or OFF?
#28856
Posted: 03/20/2014 04:50:31
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Hello Ken,
things started working with switching the "on demand mode" to OFF.
best regards
Toni
#28857
Posted: 03/20/2014 05:21:13
by Ken Ivanov (EldoS Corp.)

Thank you for the clarification. We will investigate what might be wrong with the on demand mode.

In the meantime, you can go on with the default mode, which is appropriate in the vast majority of the scenarios.

Ken
#28872
Posted: 03/20/2014 09:18:24
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Hi,
now verifying a file with online tool found here http://portal.andxor.it/vol/ it states that "content-type attribute value does not match eContentType". I found some thread on this forum where you suggest to set the Signer.ContentType := '1' or '1.2.616.1.101.4.1.1' to solve this issue. I tried both values but above tool continue to report the error. Will I've to set some other value or property?
thanks and best regards
Toni
#28873
Posted: 03/20/2014 09:52:35
by Toni Santa (Standard support level)
Joined: 05/27/2013
Posts: 57

Hi,
Always verifying with online-tool of my previous post I found another difference between a file signed with CMSSigner and signed with external tool named dike.exe:
- for dike-signed file the "signing algorithm" is indicated with "SHA256withRSA"
- for CMMSigner it is statet as "RSA"
my code looks like:
Code
CMSSigner.Signatures[i].FingerprintAlgorithm := SB_ALGORITHM_DGST_SHA256;
CMSSigner.Signatures[i].DigestAlgorithm := SB_ALGORITHM_DGST_SHA256;


As just stated Yesterday, the CMSSigner.Signatures[i].SignatureAlgorithm := SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTION cannot be set as it's a read-only prorperty.
How can I generate a "SHA256withRSA"-signed file? Is this possibile?
Please help. Thank you.
best regards
Toni
Also by EldoS: RawDisk
Access locked and protected files in Windows, read and write disks and partitions and more.

Reply

Statistics

Topic viewed 2215 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!