EldoS | Feel safer!

Software components for data protection, secure storage and transfer

XML /SOAP Digital Sign

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
Posted: 04/10/2014 08:31:04
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7


In Following code, I am trying to digital sign a XML, but it is giving error
of access violation Signer.GenerateSignature. I have just downloaded eldos
and trying to add

in the xml packet for ssl accessing of a WEB Service. Please help.

procedure TForm3.Button1Click(Sender: TObject);
  ref  :    TElXMLReference;
  Signer : TElXMLSigner;
  FXMLDocument  : TElXMLDOMDocument;
  SigNode        : TElXMLDOMNode;
  X509KeyData :  TElXMLKeyInfoX509Data;
  Cert :TElX509Certificate;
  f,xml : TFilestream;
  RSAKeyData :  TElXMLKeyInfoRSAData;

  FXMLDocument :=   TElXMLDOMDocument.Create;


  Ref := TElXMLReference.Create;

  Ref.DigestMethod := xdmSHA1;
  Ref.URINode := FXMLDocument.DocumentElement.FindNode('<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">',True);
  Ref.URI := '#Body';
// Ref.TransformChain.Add(TElXMLEnvelopedSignatureTransform.Create);
  Signer := TElXMLSigner.Create(Self);

    Signer.SignatureType := xstEnveloped;
    Signer.CanonicalizationMethod := xcmCanon;
    Signer.SignatureMethodType := xmtSig;
    Signer.SignatureMethod := xsmRSA_SHA1;
    Signer.MACMethod := xmmHMAC_SHA1;
  //  Signer.References := Refs;
    Signer.KeyName := 'Key';
    Signer.IncludeKey := True;
    Signer.OnFormatElement := FormatElement;
    Signer.OnFormatText := FormatText;
    k := cert.LoadFromFileAuto('d:\testssl\xyz.crt','')  ;
    //if Assigned(Cert) and Cert.PrivateKeyExists then begin
    X509KeyData := TElXMLKeyInfoX509Data.Create(False);
    Signer.KeyData := X509KeyData;

    //F := TFileStream.Create('d:\testssl\xyz.crt',fmOpenRead);
    // trying to load file as RSA key material
    //RSAKeyData := TElXMLKeyInfoRSAData.Create(true);
    //RSAKeyData.RSAKeyMaterial.Passphrase := ''  ;
    //F.Position := 0;

    //  RSAKeyData.RSAKeyMaterial.LoadSecret(F);

    SigNode := FXMLDocument.DocumentElement;
      Signer.Save(SigNode );
      on E: Exception do
        raise EElXMLError.CreateFmt('Signed data saving failed. (%s)', [E.Message]);

Posted: 04/10/2014 10:03:15
by Eugene Mayevski (Team)

1) Are you trying to add XMLDSig signature or SOAP? We have separate components for SOAP message signing and signature validation.

2) Did you try our XML samples (those in Samples\Delphi\XMLBlackbox folder)? Did they work for you?

Sincerely yours
Eugene Mayevski
Posted: 04/10/2014 12:10:39
by Dmytro Bogatskyy (Team)


k := cert.LoadFromFileAuto('d:\testssl\xyz.crt','') ;

Did you create TElX509Certificate instance? I don't see this in your code above.
Posted: 04/11/2014 01:51:02
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7


My Orignal message is like below


[soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"][xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

which I want to send to the SSL Webserver in the following format.


[?xml version="1.0" encoding="UTF-8"?][soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"][soapenv:Header][ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
[ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/]
[ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/]
[ds:Reference URI="#Body"]
[ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/]
[ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/]
[ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/]
[/ds:Signature][/soapenv:Header][soapenv:Body Id="Body"]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[/soapenv:Envelope]

Web Server people has provide us with .keystore and server.crt file.

Please let me know how to go about it. I have gone through XMLBlackbox sample, but got confuse as too many options are there to set. Any sample code available to achive this.
Posted: 04/11/2014 02:10:27
by Eugene Mayevski (Team)

My colleague will answer regarding SOAP signing, meanwhile I'd like to comment about certificates:

server.crt file is unrelated as it is used to identify the server during the SSL communication. As for .keystore file, you need to clarify with the server admin, what exactly the file contains and what to do with it. My assumption is that the file is in JKS Format (use TElMemoryCertStorage.LoadFromStreamJKS() method to read it) with one X.509 certificate inside, and you must use this certificate to sign the data.

Sincerely yours
Eugene Mayevski
Posted: 04/11/2014 04:37:05
by Dmytro Bogatskyy (Team)


I have gone through XMLBlackbox sample, but got confuse as too many options are there to set. Any sample code available to achive this.

You can use SecureSOAP or AdvancedSigner sample as a reference.
SecureSOAP sample might be simpler, to create a similar signature as above you need:
1. load SOAP message
2. click "Add signature"
3. Select "XML-DSIG signature handler"
4. Select Envelope\Header element (where to place a signature)
5. click "References", then "Modify" and then add "canonical transform with comments". (the SecureSOAP/AdvancedSigner sample can have a small bug with selecting this particular transform, to fix it please open ReferenceForm in designer select cmbTransform control and modify Items property: after the name of this transform remove an extra space).
Also, you can add "Enveloped signature transform" as in your sample, but it is not needed, because signature is placed not under Body element (that is referenced, but in sibling element).
6. select a signing certificate and sign.

Ref.URINode := FXMLDocument.DocumentElement.FindNode('<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">',True);
SigNode := FXMLDocument.DocumentElement;

FindNode method search for element using a node name, not a tag content. In your case it will return nil.
Second, you have select (SigNode) a document element as a place for a signature, based on your sample you need to place it under a Header element.
Posted: 04/11/2014 06:05:07
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7


I have a .keystore file, so which signature handler option I shall use?
Posted: 04/11/2014 06:11:22
by Eugene Mayevski (Team)

The keystore file has no relation to signature handler (which should be XMLDSig in your case).

Note that the samples don't load certificates from JKS format . You will need to modify the code in order to load certificates from your keystore file.

Sincerely yours
Eugene Mayevski
Posted: 04/15/2014 00:20:42
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7


I have done till TElMemoryCertStorage.LoadFromStreamJKS() and create x509 certificate data, now for RSAKEy following is the code in SOAP sample

F := TFileStream.Create(KeyFile, fmOpenRead or fmShareDenyWrite);
F := FileStream.Create(KeyFile, FileMode.Open, FileAccess.Read);

// trying to load file as RSA key material
RSAKeyData := TElXMLKeyInfoRSAData.Create(True);
RSAKeyData.RSAKeyMaterial.Passphrase := Passphrase;
F.Position := 0;


if RSAKeyData.RSAKeyMaterial.SecretKey then
Result := RSAKeyData;

As I have the .KEystore , what will be my keyfile in above filestream, In short
how can i get RSAKeydata from my keystore.
Posted: 04/15/2014 01:21:03
by Dmytro Bogatskyy (Team)


I have done till TElMemoryCertStorage.LoadFromStreamJKS() and create x509 certificate data, now for RSAKEy following is the code in SOAP sample

As you already have loaded certificate and using TElXMLKeyInfoX509Data for signing, to include KeyValue element you just need to enable TElXMLKeyInfoX509Data.IncludeKeyValue property.
Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.



Topic viewed 4761 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!