XML /SOAP Digital Sign
#29209
Posted: 04/10/2014 08:31:04
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Hi,

In the following code I am trying to digitally sign an XML document, but it
gives an access violation error at Signer.GenerateSignature. I have just
downloaded EldoS and am trying to add
</ds:SignedInfo>
<ds:SignatureValue>
<ds:X509Data>
<ds:X509Certificate>
<ds:RSAKeyValue>

in the XML packet for SSL access to a web service. Please help.



Code
procedure TForm3.Button1Click(Sender: TObject);
var
  ref          : TElXMLReference;
  Signer       : TElXMLSigner;
  FXMLDocument : TElXMLDOMDocument;
  SigNode      : TElXMLDOMNode;
  X509KeyData  : TElXMLKeyInfoX509Data;
  Cert         : TElX509Certificate;
  f, xml       : TFileStream;
  RSAKeyData   : TElXMLKeyInfoRSAData;
  k            : integer;
begin
  FXMLDocument := TElXMLDOMDocument.Create;
  xml := TFileStream.Create('z.xml', fmOpenRead);
  FXMLDocument.LoadFromStream(xml);

  Ref := TElXMLReference.Create;
  Ref.DigestMethod := xdmSHA1;
  Ref.URINode := FXMLDocument.DocumentElement.FindNode('<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">', True);
  Ref.URI := '#Body';
  //Memo1.Lines.Add(Ref.URINode.NodeValue);
  //Ref.TransformChain.Add(TElXMLEnvelopedSignatureTransform.Create);
  Refs.Add(Ref);

  Signer := TElXMLSigner.Create(Self);
  try
    Signer.SignatureType := xstEnveloped;
    Signer.CanonicalizationMethod := xcmCanon;
    Signer.SignatureMethodType := xmtSig;
    Signer.SignatureMethod := xsmRSA_SHA1;
    Signer.MACMethod := xmmHMAC_SHA1;
    //Signer.References := Refs;
    Signer.KeyName := 'Key';
    Signer.IncludeKey := True;
    Signer.OnFormatElement := FormatElement;
    Signer.OnFormatText := FormatText;

    k := cert.LoadFromFileAuto('d:\testssl\xyz.crt', '');
    //if Assigned(Cert) and Cert.PrivateKeyExists then begin
    X509KeyData := TElXMLKeyInfoX509Data.Create(False);
    X509KeyData.Certificate := cert;
    Signer.KeyData := X509KeyData;

    //F := TFileStream.Create('d:\testssl\xyz.crt', fmOpenRead);
    // trying to load file as RSA key material
    //RSAKeyData := TElXMLKeyInfoRSAData.Create(true);
    //RSAKeyData.RSAKeyMaterial.Passphrase := '';
    //F.Position := 0;
    //try
    //  RSAKeyData.RSAKeyMaterial.LoadSecret(F);
    //except
    //end;

    Signer.UpdateReferencesDigest;
    Signer.GenerateSignature;
    SigNode := FXMLDocument.DocumentElement;
    try
      Signer.Save(SigNode);
    except
      on E: Exception do
        raise EElXMLError.CreateFmt('Signed data saving failed. (%s)', [E.Message]);
    end;
  finally
  end;
end;
#29212
Posted: 04/10/2014 10:03:15
by Eugene Mayevski (EldoS Corp.)

1) Are you trying to add XMLDSig signature or SOAP? We have separate components for SOAP message signing and signature validation.

2) Did you try our XML samples (those in Samples\Delphi\XMLBlackbox folder)? Did they work for you?


Sincerely yours
Eugene Mayevski
#29213
Posted: 04/10/2014 12:10:39
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
k := cert.LoadFromFileAuto('d:\testssl\xyz.crt','') ;

Did you create TElX509Certificate instance? I don't see this in your code above.
#29214
Posted: 04/11/2014 01:51:02
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Hello

My original message is like the one below:

Quote

<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</soapenv:Body>


which I want to send to the SSL web server in the following format:

Quote

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#Body">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
xxxx...0hjV+
xxxx...HHzg
xxxxxxxxxxxxxxxxxxU=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
xxxx...xQww
xxxx...xx0x
xxxx...xXIx
xxxx...xxtp
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
xxxx...OlEz
xxxx...xAqC/nhwz/j
xxxxxxxxxxxxxxxxxxxxx
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</soapenv:Header>
<soapenv:Body Id="Body">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</soapenv:Body>
</soapenv:Envelope>


The web server people have provided us with a .keystore and a server.crt file.

Please let me know how to go about it. I have gone through the XMLBlackbox sample, but got confused as there are too many options to set. Is any sample code available to achieve this?
#29215
Posted: 04/11/2014 02:10:27
by Eugene Mayevski (EldoS Corp.)

My colleague will answer regarding SOAP signing, meanwhile I'd like to comment about certificates:

The server.crt file is unrelated, as it is used to identify the server during the SSL communication. As for the .keystore file, you need to clarify with the server admin what exactly the file contains and what to do with it. My assumption is that the file is in JKS format (use the TElMemoryCertStorage.LoadFromStreamJKS() method to read it) with one X.509 certificate inside, and you must use this certificate to sign the data.


Sincerely yours
Eugene Mayevski
#29216
Posted: 04/11/2014 04:37:05
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
I have gone through the XMLBlackbox sample, but got confused as there are too many options to set. Is any sample code available to achieve this?

You can use SecureSOAP or AdvancedSigner sample as a reference.
The SecureSOAP sample might be simpler; to create a signature similar to the one above you need to:
1. load the SOAP message
2. click "Add signature"
3. select "XML-DSIG signature handler"
4. select the Envelope\Header element (where to place the signature)
5. click "References", then "Modify", and then add "canonical transform with comments". (The SecureSOAP/AdvancedSigner sample can have a small bug with selecting this particular transform; to fix it, open ReferenceForm in the designer, select the cmbTransform control and modify the Items property: remove the extra space after the name of this transform.)
Also, you can add "Enveloped signature transform" as in your sample, but it is not needed, because the signature is not placed under the Body element (which is referenced) but in a sibling element.
6. select a signing certificate and sign.

Quote
Ref.URINode := FXMLDocument.DocumentElement.FindNode('<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">',True);
...
SigNode := FXMLDocument.DocumentElement;

The FindNode method searches for an element using a node name, not tag content. In your case it will return nil.
Second, you have selected the document element as the place for the signature (SigNode); based on your sample you need to place it under the Header element.
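As an added illustration of the two points above (this is not EldoS/SecureBlackbox code and not part of the thread), the Python below builds an envelope in the shape the poster wants, a ds:Signature inside soapenv:Header with one Reference whose URI is "#Body", and checks that the DigestValue really is SHA-1 over the canonicalised Body after the Reference's transform chain. It shows why the Body must carry Id="Body" for the reference to resolve at all, why the enveloped-signature transform has nothing to do when the signature sits in a sibling element, and how a tampered Body is detected. The element names, the payload and the placeholder SignatureValue are constructed for the example; no RSA key is involved. It needs Python 3.8+ for xml.etree.ElementTree.canonicalize, and it canonicalises the Body subtree with only the namespaces the subtree itself uses, whereas inclusive C14N as a conforming signer applies it also emits namespace declarations inherited from the Envelope (xmlns:xsd and xmlns:xsi in the target message), so a digest from a real signer differs when such declarations exist.

```python
"""Added example (not EldoS code): resolve an XMLDSig Reference URI="#Body"
and check its DigestValue.  Requires Python 3.8+ (ET.canonicalize)."""
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
C14N_WITH_COMMENTS = C14N + "#WithComments"
ENVELOPED = DS + "enveloped-signature"
NS = {"soapenv": SOAPENV, "ds": DS}
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("ds", DS)

# Constructed template mirroring the target message in the thread; the
# SignatureValue is a placeholder because no private key is used here.
ENVELOPE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignedInfo>"
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
    '<ds:Reference URI="#Body"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>'
    "</ds:Transforms>"
    '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
    "<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>"
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature></soapenv:Header>"
    "<soapenv:Body {id_attr}>{body}</soapenv:Body></soapenv:Envelope>"
)


def parse(xml_text):
    # Keep comments so the WithComments transform has something to include.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def find_by_id(root, fragment):
    """Resolve a same-document URI: the element whose Id equals the fragment."""
    for el in root.iter():
        if el.get("Id") == fragment:
            return el
    return None


def canonical_digest(element, transforms):
    """Apply the Reference's transform chain, then base64(SHA-1) like DigestValue."""
    node = copy.deepcopy(element)
    with_comments = False
    for algo in transforms:
        if algo == ENVELOPED:
            # Removes a ds:Signature nested inside the referenced element; with
            # the signature in the Header (a sibling) there is nothing to strip.
            for parent in list(node.iter()):
                for child in list(parent):
                    if child.tag == f"{{{DS}}}Signature":
                        parent.remove(child)
        elif algo in (C14N, C14N_WITH_COMMENTS):
            with_comments = algo == C14N_WITH_COMMENTS
        else:
            raise ValueError(f"unsupported transform {algo}")
    canon = ET.canonicalize(ET.tostring(node, encoding="unicode"), with_comments=with_comments)
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")


def signed_envelope(body_payload, with_id=True):
    """Build the envelope and fill in DigestValue the way a signer would."""
    id_attr = 'Id="Body"' if with_id else ""
    draft = ENVELOPE.format(digest="", id_attr=id_attr, body=body_payload)
    body = parse(draft).find("soapenv:Body", NS)
    digest = canonical_digest(body, [ENVELOPED, C14N_WITH_COMMENTS])
    return ENVELOPE.format(digest=digest, id_attr=id_attr, body=body_payload)


def verify_body_reference(xml_text):
    """True when the Reference resolves and its DigestValue matches the Body."""
    root = parse(xml_text)
    ref = root.find("soapenv:Header/ds:Signature/ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    target = find_by_id(root, uri[1:])
    if target is None:
        # The poster's situation: the Body carries no Id="Body" attribute.
        raise ValueError(f"no element carries Id={uri[1:]!r}")
    transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
    stored = ref.findtext("ds:DigestValue", namespaces=NS).strip()
    return canonical_digest(target, transforms) == stored


if __name__ == "__main__":
    env = signed_envelope("<!-- order 42 --><data>payload</data>")
    print(verify_body_reference(env))                                # True
    print(verify_body_reference(env.replace("payload", "altered")))  # False
```

Calling signed_envelope with with_id=False reproduces the failure mode of the original post: the Reference's "#Body" has no element to resolve to, and verify_body_reference raises instead of computing a digest.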
#29217
Posted: 04/11/2014 06:05:07
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Hi,


I have a .keystore file, so which signature handler option shall I use?
#29218
Posted: 04/11/2014 06:11:22
by Eugene Mayevski (EldoS Corp.)

The keystore file has no relation to signature handler (which should be XMLDSig in your case).

Note that the samples don't load certificates from JKS format. You will need to modify the code in order to load certificates from your keystore file.


Sincerely yours
Eugene Mayevski
#29253
Posted: 04/15/2014 00:20:42
by sudhir kulkarni (Basic support level)
Joined: 04/10/2014
Posts: 7

Hello,

I have got as far as TElMemoryCertStorage.LoadFromStreamJKS() and created the X.509 certificate data; now for the RSA key, the following is the code in the SOAP sample:

F := TFileStream.Create(KeyFile, fmOpenRead or fmShareDenyWrite);
{$else}
F := FileStream.Create(KeyFile, FileMode.Open, FileAccess.Read);
{$endif}

// trying to load file as RSA key material
RSAKeyData := TElXMLKeyInfoRSAData.Create(True);
RSAKeyData.RSAKeyMaterial.Passphrase := Passphrase;
F.Position := 0;

try
  RSAKeyData.RSAKeyMaterial.LoadSecret(F);
except
end;

if RSAKeyData.RSAKeyMaterial.SecretKey then
begin
  FreeAndNil(F);
  Result := RSAKeyData;
  Exit;
end;


As I have the .keystore, what will be my key file in the above file stream? In short,
how can I get RSAKeyData from my keystore?
#29254
Posted: 04/15/2014 01:21:03
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
I have got as far as TElMemoryCertStorage.LoadFromStreamJKS() and created the X.509 certificate data; now for the RSA key, the following is the code in the SOAP sample:

As you have already loaded the certificate and are using TElXMLKeyInfoX509Data for signing, to include the KeyValue element you just need to enable the TElXMLKeyInfoX509Data.IncludeKeyValue property.