EldoS | Feel safer!

XML Signature

#185
Posted: 05/12/2006 07:15:54
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Hi

I'm trying to sign an XML document with the trial XMLBlackbox VCL package and I have some questions.

1. If the certificate is in the MS Crypto Store, signing is OK, but if I want to sign the document with a certificate stored on an ActiveCard (through the MS Crypto Store), an error message is thrown: "Signing failed, Error code: 0x58FF".
2. I'm having trouble verifying the signed XML document because, for example, the canonicalization algorithm is not valid. It is specified like <CanonicalizationMethod Algorithm="http://www.w3.org/TR/xml-c14n"/> but it should be specified something like this: <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
3. Is it possible to sign an XML document template?
4. Is it possible to choose which conditional tags from the XMLDsig specification are inserted into the signed document?

Ok. That will be all for now. Thanks for the answers.

Regards Haris
#191
Posted: 05/12/2006 10:34:55
by Eugene Mayevski (EldoS Corp.)

Quote
Haris Zujo wrote:
If the certificate is in the MS Crypto Store, signing is OK, but if I want to sign the document with a certificate stored on an ActiveCard (through the MS Crypto Store), an error message is thrown: "Signing failed, Error code: 0x58FF".


Does the first certificate (in the CryptoAPI store) have an exportable private key? Can you please check this?

We will check the issue on our side in order to provide more meaningful error codes (58FF is "unknown error", very informative :().

Quote
Haris Zujo wrote:
2. I'm having trouble verifying the signed XML document because, for example, the canonicalization algorithm is not valid. It is specified like <CanonicalizationMethod Algorithm="http://www.w3.org/TR/xml-c14n"/> but it should be specified something like this: <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>


Thank you for pointing at this. It will be fixed in the next update.

The developer will answer the other questions.


Sincerely yours
Eugene Mayevski
#192
Posted: 05/12/2006 11:19:31
by Dmytro Bogatskyy (EldoS Corp.)

Quote
1. If the certificate is in the MS Crypto Store, signing is OK, but if I want to sign the document with a certificate stored on an ActiveCard (through the MS Crypto Store), an error message is thrown: "Signing failed, Error code: 0x58FF".

Did you use the same certificate in both tests?

Quote
2. I'm having trouble verifying the signed XML document because, for example, the canonicalization algorithm is not valid. It is specified like <CanonicalizationMethod Algorithm="http://www.w3.org/TR/xml-c14n"/> but it should be specified something like this: <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>

"http://www.w3.org/TR/xml-c14n" - this is the "latest version" URI for the canonicalization algorithm identifier.
Unfortunately, you cannot change the (TElXMLSigner).Signature.SignedInfo.CanonicalizationMethod property, because the SignatureValue would have to be recalculated. Will fix.

Quote
3. Is it possible to sign an XML document template?

You can create a detached signature with a Reference which identifies your XML document template. Use the (TElXMLReference).URI and URIData properties.

Quote
4. Is it possible to choose which conditional tags from the XMLDsig specification are inserted into the signed document?

Yes, use the "Signature" property of TElXMLSigner.
#195
Posted: 05/12/2006 15:20:24
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Quote
Does the first certificate (in the CryptoAPI store) have an exportable private key? Can you please check this?

If the certificate is in the MS Crypto Store, then it is not important whether the private key is exportable or not. The signature works OK. The problem is with the certificates on the cards. They are only visible through the MS Crypto Store (usually they are moved there with some kind of certificate mover), but the private key never leaves the card and usually you need to enter a PIN to access them. The system automatically displays a dialog to enter a PIN every time you access the private key.

Quote
Did you use the same certificate in both tests?

No.

The certificates on cards are very important when signing documents. A lot of people use them for safety reasons.

Quote
Unfortunately, you cannot change the (TElXMLSigner).Signature.SignedInfo.CanonicalizationMethod property, because the SignatureValue would have to be recalculated. Will fix.

Yes, I know. But the fix will be nice. Especially if we can choose from multiple versions of canonicalization.
#196
Posted: 05/12/2006 15:41:52
by Eugene Mayevski (EldoS Corp.)

Quote
Haris Zujo wrote:
If the certificate is in the MS Crypto Store, then it is not important whether the private key is exportable or not.


It IS important - if the key is not exportable, then SecureBlackbox must call CryptoAPI functions to perform the signing (otherwise SecureBlackbox signs the data itself). At the moment the XML signer doesn't call CryptoAPI in the case of non-exportable certificates. We will add this for the release.

As for crypto devices -- we've been working with them for a long time, and a good crypto hardware driver makes the work via CryptoAPI transparent, i.e. it doesn't (in theory) matter whether the certificate is in the Windows Certificate Storage or in external storage. It is possible, of course, that some homemade CSP for the hardware will not behave correctly and will cause problems.


Sincerely yours
Eugene Mayevski
#197
Posted: 05/12/2006 16:47:02
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Ok. Then I think that when you add support for calling CryptoAPI, my problem with crypto devices will be solved.
#198
Posted: 05/12/2006 16:50:35
by Eugene Mayevski (EldoS Corp.)

Yes, we will test the implementation with the USB crypto tokens that we have (Rainbow, eToken, Eutron).


Sincerely yours
Eugene Mayevski
#211
Posted: 05/15/2006 06:57:34
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Quote
We will add this for release


When do you expect the final release to be available?
#212
Posted: 05/15/2006 10:23:27
by Eugene Mayevski (EldoS Corp.)

A new build will be available in 2 days. I can't say whether it will be the release or a release candidate, because we are busy with a mysterious SSH transfer slowdown on some systems. As soon as we solve this, the release will be available.


Sincerely yours
Eugene Mayevski
#268
Posted: 05/17/2006 16:21:31
by Haris Zujo (Standard support level)
Joined: 05/12/2006
Posts: 33

Hi again!

First of all, thanks for your fast answers and fixes.
The thing with 'CanonicalizationMethod' is now OK, but I think that I (and everybody else who will use and buy this component) need more fixes to make things work OK, because the signature still can't be verified. I don't know how to explain all that, but I'll send you an attachment with a signed XML document which is OK and one which is not OK. Unfortunately, the one which is not OK is signed with XMLBlackBox. I'm sending you my test certificate too. You can check whether the XML signature is valid at: XML Digital Signature Validation (http://www.aleksey.com/xmlsec/xmldsig-verifier.html)


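The two verification problems discussed in this thread (the un-versioned CanonicalizationMethod identifier from #185/#192, and the detached Reference over a document template from #192, which is what an external validator like the one linked above checks before it ever touches the RSA signature) can be reproduced with a small policy checker. The following is an added example, not code from EldoS, SecureBlackbox or the xmlsec validator: it parses a ds:Signature with the standard library, rejects any CanonicalizationMethod Algorithm that is not one of the exact registered C14N identifiers, and recomputes the DigestValue of each detached Reference (no Transforms) over the referenced octets. The template bytes, the `resolver` dictionary that stands in for URI dereferencing, and the placeholder SignatureValue are all constructed for the example; checking the SignatureValue itself would need the signer's public key and a canonicalizer and is deliberately out of scope.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG_NS}

# Exact, versioned identifiers from the C14N / Exclusive C14N recommendations.
# "http://www.w3.org/TR/xml-c14n" is the "latest version" location of the spec,
# not an algorithm identifier, so interoperable verifiers reject it.
ALLOWED_C14N = {
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}

# DigestMethod identifiers this checker accepts, mapped to hashlib constructors.
DIGEST_ALGS = {
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmlenc#sha512": hashlib.sha512,
}


def check_signature(sig_xml, resolver):
    """Return a list of problems; an empty list means every check passed.

    sig_xml  - text of a ds:Signature element (or a document containing one)
    resolver - dict mapping a Reference URI to the octets of the detached
               resource it identifies (stands in for a real URI dereferencer)
    Only the pre-cryptographic steps are covered: algorithm identifier policy
    and DigestValue recomputation for references without Transforms.
    """
    root = ET.fromstring(sig_xml)
    sig = root if root.tag == f"{{{DSIG_NS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature element found"]
    signed_info = sig.find("ds:SignedInfo", NS)
    if signed_info is None:
        return ["no ds:SignedInfo element found"]

    problems = []
    c14n = signed_info.find("ds:CanonicalizationMethod", NS)
    alg = c14n.get("Algorithm") if c14n is not None else None
    if alg not in ALLOWED_C14N:
        problems.append(f"CanonicalizationMethod {alg!r} is not a registered algorithm identifier")

    refs = signed_info.findall("ds:Reference", NS)
    if not refs:
        problems.append("SignedInfo contains no Reference")
    for ref in refs:
        uri = ref.get("URI")
        dm = ref.find("ds:DigestMethod", NS)
        dalg = dm.get("Algorithm") if dm is not None else None
        hasher = DIGEST_ALGS.get(dalg)
        if hasher is None:
            problems.append(f"Reference {uri!r}: digest algorithm {dalg!r} is not allowed")
            continue
        if ref.find("ds:Transforms", NS) is not None:
            # Enveloped-signature or c14n transforms need a real canonicalizer,
            # which this example does not implement.
            problems.append(f"Reference {uri!r}: Transforms present, not checked here")
            continue
        data = resolver.get(uri)
        if data is None:
            problems.append(f"Reference {uri!r}: cannot be resolved")
            continue
        claimed = base64.b64decode(ref.findtext("ds:DigestValue", default="", namespaces=NS).strip())
        actual = hasher(data).digest()
        if not hmac.compare_digest(claimed, actual):
            problems.append(f"Reference {uri!r}: DigestValue mismatch")
    return problems


# Constructed sample "template" document that the detached signature covers.
TEMPLATE = b"<invoice><amount>100</amount></invoice>"


def build_detached_signature(uri, data, c14n_alg):
    """Build a detached ds:Signature whose single Reference covers `data`.

    The SignatureValue is a constructed placeholder (this example does not
    sign); the point is the SignedInfo content a verifier inspects first.
    """
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    return (
        f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
        f'<CanonicalizationMethod Algorithm="{c14n_alg}"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<Reference URI="{uri}">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<DigestValue>{digest}</DigestValue></Reference></SignedInfo>"
        "<SignatureValue>UExBQ0VIT0xERVI=</SignatureValue></Signature>"
    )


if __name__ == "__main__":
    c14n_ok = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
    c14n_bad = "http://www.w3.org/TR/xml-c14n"  # the identifier from the thread
    resolver = {"template.xml": TEMPLATE}
    print(check_signature(build_detached_signature("template.xml", TEMPLATE, c14n_ok), resolver))
    print(check_signature(build_detached_signature("template.xml", TEMPLATE, c14n_bad), resolver))
```

Run as a script, the first call prints an empty list and the second reports the rejected CanonicalizationMethod. A Reference with Transforms (the usual enveloped-signature case) is reported rather than silently accepted, because a checker that skips a step it cannot perform must fail closed; likewise the digest comparison uses a constant-time compare so the check cannot be used as a timing oracle on the expected digest.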