EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Timestamping with proprietary library

#29332
Posted: 04/27/2014 11:59:57
by José Bonilla (Standard support level)
Joined: 04/27/2014
Posts: 2

Hello, I am interested in buying a license, but found a problem I can't solve yet.

I need to use a client's library that implements a proprietary protocol for timestamping. That library creates and transports the Request (it always hashes the input data), and I cannot change it. This means the input of this library is the data without being hashed.
At this time, I've tried using "TElFileTSPClient" setting "HashOnlyNeeded" to true:

https://www.eldos.com/documentation/sbb/documentation/ref_cl_filetspclient_prp_hashonlyneeded.html

This already calculates the hash of the data, but my client's library expects the data without hashing in order to calculate it internally.
Maybe if there were a "HashAlgorithm" that returns the same input as output, but I cannot see that "pseudo-algorithm" in your list:

https://www.eldos.com/documentation/sbb/documentation/ref_cl_customtspclient_prp_hashalgorithm.html

Another solution would be to extract the "SignerInfo" bytes from the "TElXMLSigner" and use "OnTimestampNeeded" while ignoring the "RequestStream", but I couldn't figure out how to do that with your library.

Thanks for your help in advance.
#29333
Posted: 04/27/2014 12:15:50
by Eugene Mayevski (EldoS Corp.)

Unfortunately it's not possible to do what you want with SecureBlackbox and here's why: the signature is made over the hash of the data, and this signature is then timestamped. You don't timestamp the original data but a hash. Things become more complicated when the data whose hash is calculated is not a linear data block (e.g. in PDF the signature is calculated over several blocks).

I suggest that you contact support of your custom library and check with them whether the library always calculates the hash itself or whether it can process just the hash somehow. The reason is that, as said, it's the hash that is timestamped anyway (according to TSP, RFC 3161 specification).


It can be that you need not a timestamp based on RFC 3161, but some other timestamp, possibly included as a custom attribute or XML node. This is something you need to check as well.


Sincerely yours
Eugene Mayevski
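
Added example, not part of the original thread and not code from SecureBlackbox or the client's library: a minimal RFC 3161 TimeStampReq encoder in Python showing that the request carries only a MessageImprint (hash algorithm plus digest), and that a library which always hashes its input produces a mismatching imprint when it is handed an already computed hash. `hashing_library_request` is a hypothetical stand-in for the closed-source library, and the sample bytes are constructed.

```python
import hashlib

SHA1_OID = bytes.fromhex("06052b0e03021a")  # DER OID 1.3.14.3.2.26 (SHA-1)

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def timestamp_request(digest: bytes) -> bytes:
    """RFC 3161 TimeStampReq: version 1 + SHA-1 MessageImprint, no optional fields."""
    alg = der(0x30, SHA1_OID + der(0x05, b""))      # AlgorithmIdentifier, NULL params
    imprint = der(0x30, alg + der(0x04, digest))    # MessageImprint
    return der(0x30, der(0x02, b"\x01") + imprint)  # TimeStampReq

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def imprint_digest(request: bytes) -> bytes:
    """Extract hashedMessage from a TimeStampReq built as above."""
    _, body, _ = read_tlv(request, 0)      # TimeStampReq SEQUENCE
    _, _, pos = read_tlv(body, 0)          # skip version
    _, imprint, _ = read_tlv(body, pos)    # MessageImprint SEQUENCE
    _, _, pos = read_tlv(imprint, 0)       # skip AlgorithmIdentifier
    _, digest, _ = read_tlv(imprint, pos)  # hashedMessage OCTET STRING
    return digest

def hashing_library_request(data: bytes) -> bytes:
    """Hypothetical stand-in for a library that always hashes whatever it is given."""
    return timestamp_request(hashlib.sha1(data).digest())

def imprint_matches(request: bytes, timestamped_bytes: bytes) -> bool:
    """Verifier-side check: imprint must equal SHA-1 of the bytes being timestamped."""
    return imprint_digest(request) == hashlib.sha1(timestamped_bytes).digest()

# Constructed sample input standing in for the canonicalized signature bytes.
SAMPLE = b"constructed sample: canonicalized signature bytes"
RAW_INPUT_OK = imprint_matches(hashing_library_request(SAMPLE), SAMPLE)
PREHASHED_OK = imprint_matches(hashing_library_request(hashlib.sha1(SAMPLE).digest()), SAMPLE)
```

Feeding the library the raw bytes gives a matching imprint; feeding it a precomputed hash gives SHA-1 of a SHA-1, which a verifier recomputing the imprint from the signature will reject.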
#29334
Posted: 04/27/2014 15:33:04
by José Bonilla (Standard support level)
Joined: 04/27/2014
Posts: 2

Thanks for your answer, I understand what you said, but I think it could be done considering I am timestamping after the XAdES XML signature is calculated (extending XAdES-BES to XAdES-T would be the complete idea). It means the SignedInfo element is already calculated and present in the XML.

The next step would be to canonicalize the SignedInfo element (get the bytes), and use OnTimestampNeeded event ignoring the RequestStream. This pseudo-code explains the idea:

Code
byte[] canonicalizedInfo; // global variable

TElXAdESSigner XAdESSigner; //...
// Process XAdES signature.
TElXMLSignedInfo sInfo = Signer.Signature.SignedInfo;

canonicalizedInfo = TransformToBytes(sInfo);

TElFileTSPClient tspClient = new TElFileTSPClient();
tspClient.HashOnlyNeeded = true;
tspClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;

try
{
    tspClient.OnTimestampNeeded += tspClient_OnTimestampNeeded;

    // Adding signature time-stamp
    int k = XAdESSigner.AddSignatureTimestamp(tspClient);
    if (k != 0)
        throw new Exception("Failed to time-stamp: " + k.ToString());
}
finally
{
    // dispose components
    tspClient.Dispose();
}

private static void tspClient_OnTimestampNeeded(object Sender, Stream RequestStream, Stream ReplyStream, ref bool Succeeded)
{
    // Ignore RequestStream
    byte[] tsResponse = GetTSAResponse(canonicalizedInfo, "SHA-1"); // It should calculate the same SHA-1

    SBStreams.Unit.StreamWrite(ReplyStream, tsResponse, 0, tsResponse.Length);
}


Unfortunately, my client's library is closed source and somehow uses a hardware crypto module to calculate hashes, so it is not possible to change it at this time.

Please, let me know if it is possible to do what I want.

Thanks.

P.S. It would be much easier if you implemented a DoNothingDigest in your library, one that returns the same input as output, in a future version.
#29337
Posted: 04/28/2014 00:22:33
by Eugene Mayevski (EldoS Corp.)

The digest type is defined in the specifications, you can't define your own.

I suggest that you do contact your library's support for assistance.


Sincerely yours
Eugene Mayevski

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.