EBICS Signature Not Valid

#29772
Posted: 06/12/2014 19:13:10
by Fran Thomas (Standard support level)
Joined: 05/22/2014
Posts: 13

Me again, sorry. I can't seem to reliably generate a signature to sign an EBICS request.

I've been comparing my results against a known working Java client and it looks like the serialization/de-serialization of my document via TElXMLDomDocument results in altered whitespace of the signed element, which surely is going to cause an error?

My current (not working) process is:
Code
private void signXmlDoc3(String pSource, String pDest) {

    var xmlDoc = new TElXMLDOMDocument();
    using (var fileReader = new FileStream(pSource, FileMode.Open))
        xmlDoc.LoadFromStream(fileReader, "utf-8", true);

    // hack around to tidy up to match sample
    xmlDoc.DocumentElement.SetAttributeNS("", "xmlns:ds", "http://www.w3.org/2000/09/xmldsig#");
    xmlDoc.DocumentElement.RemoveAttribute("xmlns:xsi");
    xmlDoc.DocumentElement.RemoveAttribute("xmlns:xsd");
    var x = xmlDoc.FindNode("OrderDetails", true);
    x.Attributes.Destroy();

    var nodeSet = new TElXMLNodeSet(true);
    var headerNode = xmlDoc.DocumentElement.FindNode("header");
    nodeSet.Add(headerNode);

    // build references
    // @todo: fix xpath to sign multiple nodes, something like
    //var lNodeSet = lDocument.SelectNodes("//*[@authenticate='true']");
    var xmlRef = new TElXMLReference() {
        URINodes = nodeSet,
        URI = "#xpointer(//*[@authenticate='true'])",
        DigestMethod = SBXMLSec.Unit.xdmSHA256
    };
    var c14NTransform = new TElXMLC14NTransform() {
        CanonicalizationMethod = SBXMLDefs.Unit.xcmCanon
    };
    xmlRef.TransformChain.Add(c14NTransform);
    var xmlRefList = new TElXMLReferenceList();
    xmlRefList.Add(xmlRef);

    // get certificate
    var keyInfo = new TElXMLKeyInfoX509Data(true) {
        // this is just my cert. abstraction to simplify key management/generation;
        // the actual key in use works fine if used with the Java client so I'm pretty sure this bit is OK
        Certificate = SigningCert.AsUnderlyingCertificate()
    };
    keyInfo.Update();

    // build the TElXMLSigner
    var xmlSigner = new TElXMLSigner() {
        SignatureType = SBXMLSec.Unit.xstEnveloped,
        CanonicalizationMethod = SBXMLDefs.Unit.xcmCanon,
        SignatureMethodType = SBXMLSec.Unit.xmtSig,
        SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA256,
        References = xmlRefList,
        IncludeKey = false,
        KeyData = keyInfo,
        SignatureCompliance = SBXMLSec.Unit.xscEBICS
    };

    xmlSigner.UpdateReferencesDigest();
    xmlSigner.GenerateSignature();

    // save the Signature; move <body /> after <AuthSignature />
    var oldBodyNode = xmlDoc.LastChild.FindNode("body");
    var newBodyNode = oldBodyNode.CloneNode(true);
    xmlDoc.LastChild.RemoveChild(oldBodyNode);
    var signatureNode = xmlDoc.LastChild;
    xmlSigner.Save(ref signatureNode);
    xmlDoc.LastChild.AppendChild(newBodyNode);

    // output to a file
    using (var outStream = new FileStream(pDest, FileMode.Create))
        xmlDoc.SaveToStream(outStream, 0, "");

    // tidy up
    xmlSigner.Dispose();
    if (keyInfo != null)
        keyInfo.Dispose();
}

I was wondering (as it comes after GenerateSignature) whether the SignaturePrefix property alters anything?
I know a few other people are using your libraries for this purpose so any pointers greatly appreciated!
#29777
Posted: 06/13/2014 07:30:24
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote

I was wondering (as it comes after GenerateSignature) whether the SignaturePrefix property alters anything?

No. The GenerateSignature() method generates the signature structure, which can be accessed via the TElXMLSigner.Signature property; it doesn't save the signature into the XML at this moment, and the signature value is not calculated yet. Then you can modify signature properties that are not widely used (like Id attributes). After that, Save() saves the signature into the XML, then all internal references are calculated (if needed), and only after that is the signature value calculated and inserted into the XML.
Quote

// save the Signature move <body /> after <AuthSignature />
var oldBodyNode = xmlDoc.LastChild.FindNode("body");
var newBodyNode = oldBodyNode.CloneNode(true);
xmlDoc.LastChild.RemoveChild(oldBodyNode);
var signatureNode = xmlDoc.LastChild;
xmlSigner.Save(ref signatureNode);
xmlDoc.LastChild.AppendChild(newBodyNode);

It is better to swap the nodes after signing. But as you are referencing only the header element, it shouldn't be important.
It is better to use the xmlDoc.DocumentElement property rather than xmlDoc.LastChild.
Quote
I've been comparing my results against a known working Java client and it looks like the serialization/de-serialization of my document via TElXMLDomDocument results in altered whitespace of the signed element, which surely is going to cause an error?

Could you please attach here or to the helpdesk ( https://www.eldos.com/helpdesk/ ) the signed XML documents.
#29786
Posted: 06/13/2014 08:39:48
by Fran Thomas (Standard support level)
Joined: 05/22/2014
Posts: 13

The following three files:

  • HPBRequest is an unsigned file loaded by the above code.
  • HPBRequest_signed.xml is a signed file using the above code.
  • HPBRequest_signed-example.xml is a file signed by a working Java client using the same certificate.

Note the removal of whitespace behind the mutable tag.

(The file is actually a zip containing the three XML files, as the file type wasn't supported; no point copy/pasting as they'll change...)
#29790
Posted: 06/13/2014 13:29:58
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for the xml document samples.

As I understand it, you want to format the signature/AuthSignature element to match the signature generated by the Java client. In this case you need to use the OnFormatElement/OnFormatText event handlers; please see the XMLBlackbox\Signer or AdvancedSigner samples.
#29794
Posted: 06/13/2014 19:20:17
by Fran Thomas (Standard support level)
Joined: 05/22/2014
Posts: 13

No, I'm just trying to work out why the XMLSigner in SBX won't generate/verify a signature for me no matter what I do (I've tried every variation available of the examples provided on this support site, v11 and v12, and I get an invalid signature from the server AND it won't pass the verifier locally).

The issue points to a problem with generation vs. verification, as it fails verification at both sides. Is there anything you can see in the code above which could cause a problem?
#29795
Posted: 06/14/2014 12:12:03
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
No, I'm just trying to work out why the XMLSigner in SBX won't generate/verify a signature for me no matter what I do (I've tried every variation available of the examples provided on this support site, v11 and v12, and I get an invalid signature from the server AND it won't pass the verifier locally).

The references for both signatures in those XML documents are valid (the digest values and the referenced data matched). I can't say anything about the signatures themselves, as a signature doesn't contain a public key.
Does "HPBRequest_signed-example.xml" pass validation on the server? Did you sign "HPBRequest_signed.xml" with the same certificate?
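The reference check described in this reply (recompute the digest of the referenced node-set and compare it with the stored DigestValue) is the first thing a verifier does, and it is exactly what the whitespace change reported earlier in the thread breaks. The following is an added example, written for this page in Python's standard library; it is not the poster's code and does not use SecureBlackbox. It builds a constructed, EBICS-shaped request (not a real message), selects the node-set the poster's XPointer `//*[@authenticate='true']` selects, places the reference in an `AuthSignature` element (the EBICS name for `ds:Signature`, as a later reply in this thread explains), and then shows that re-serialising with extra whitespace inside the signed subtree changes the digest while reordering attributes does not. Two simplifications, both assumptions of this example: the standard library implements C14N 2.0 rather than the C14N 1.0 algorithm EBICS uses (the whitespace, empty-element and attribute-sorting behaviour relied on here is the same in both), and `SignatureValue` is a placeholder because the RSA step is not what the thread is about.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)  # keep the ds: prefix on output, as EBICS documents do

C14N_ALG = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA256_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample request (not a real EBICS message). Only <header> carries
# authenticate="true", so only that subtree is covered by the reference digest.
REQUEST = (
    '<ebicsRequest Version="H004" Revision="1">'
    '<header authenticate="true">'
    '<static><HostID>EBIXHOST</HostID><Product Language="de" InstituteID="BANK"/></static>'
    '<mutable><TransactionPhase>Initialisation</TransactionPhase></mutable>'
    '</header>'
    '<body/>'
    '</ebicsRequest>'
)


def authenticated_nodes(root):
    """The node-set the XPointer //*[@authenticate='true'] selects, in document order."""
    return [el for el in root.iter() if el.get("authenticate") == "true"]


def canonical_bytes(element):
    """Canonical form of one element subtree (C14N 2.0 from the standard library;
    assumption: its whitespace/empty-element/attribute-order rules match C14N 1.0 here)."""
    el = copy.deepcopy(element)
    el.tail = None  # tail text belongs to the parent, not to this subtree
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode("utf-8")


def node_set_digest(nodes):
    """Base64 DigestValue for a node-set: SHA-256 over the canonical subtrees,
    concatenated in document order (how C14N serialises disjoint element subtrees)."""
    data = b"".join(canonical_bytes(n) for n in nodes)
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def sign_request(request_xml):
    """Insert an <AuthSignature> (EBICS name for ds:Signature) holding one ds:Reference
    over the authenticated node-set. SignatureValue is a placeholder: only the
    reference digest, which a verifier checks first, is computed here."""
    root = ET.fromstring(request_xml)
    digest = node_set_digest(authenticated_nodes(root))
    sig = ET.fromstring(
        f'<AuthSignature xmlns:ds="{DS_NS}"><ds:SignedInfo>'
        f'<ds:CanonicalizationMethod Algorithm="{C14N_ALG}"/>'
        f'<ds:SignatureMethod Algorithm="{RSA_SHA256_ALG}"/>'
        '<ds:Reference URI="#xpointer(//*[@authenticate=\'true\'])">'
        f'<ds:Transforms><ds:Transform Algorithm="{C14N_ALG}"/></ds:Transforms>'
        f'<ds:DigestMethod Algorithm="{SHA256_ALG}"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></AuthSignature>'
    )
    # EBICS element order is header, AuthSignature, body: re-append body after the signature
    body = root.find("body")
    root.remove(body)
    root.append(sig)
    root.append(body)
    return ET.tostring(root, encoding="unicode")


def verify_references(signed_xml):
    """Recompute the digest of the authenticated node-set and compare it with the
    stored DigestValue. Reference check only; the RSA signature check is separate."""
    root = ET.fromstring(signed_xml)
    stored = root.find("AuthSignature/ds:SignedInfo/ds:Reference/ds:DigestValue", {"ds": DS_NS})
    return stored is not None and stored.text == node_set_digest(authenticated_nodes(root))


def reserialize_with_whitespace(signed_xml):
    """Simulate a serialiser that re-indents the signed element after signing: the new
    text nodes inside <mutable> are part of the canonical form, so the digest changes."""
    root = ET.fromstring(signed_xml)
    mutable = root.find("header/mutable")
    mutable.text = "\n    "
    mutable[-1].tail = "\n  "
    return ET.tostring(root, encoding="unicode")


def swap_attribute_order(signed_xml):
    """Simulate a serialiser that reorders attributes: C14N sorts them, so the digest
    is unchanged and the reference still verifies."""
    return signed_xml.replace('Language="de" InstituteID="BANK"', 'InstituteID="BANK" Language="de"')


if __name__ == "__main__":
    signed = sign_request(REQUEST)
    print(signed)
    print("as signed:           ", verify_references(signed))
    print("attributes reordered:", verify_references(swap_attribute_order(signed)))
    print("whitespace added:    ", verify_references(reserialize_with_whitespace(signed)))
```

The practical consequence for the thread: whether the signature is produced by the library or by the Java client, the bytes that matter are the canonical form of the referenced subtree at the moment the digest is computed. Any step that rewrites that subtree afterwards (re-indenting on save, a DOM round-trip that drops or adds whitespace text nodes) invalidates the reference, while changes that canonicalisation absorbs (attribute order, `<x/>` versus `<x></x>`) do not. Comparing the canonical bytes of the header in the working and non-working files is therefore a quicker diagnostic than comparing the signature values.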
#31431
Posted: 11/19/2014 01:28:17
by Roland Kossow (Standard support level)
Joined: 05/16/2013
Posts: 29

@Fran Thomas ... Did you solve the EBICS client problem? I would be very interested to know if it is possible to develop an EBICS client with SB and, if so, what components you have been using.

@Eldos: A component or tutorial for using EBICS is high on my SB wishlist. Any plans for that?
#31436
Posted: 11/19/2014 04:13:03
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.
Quote
@Eldos: A component or tutorial to use EBICS is high on my SB wishlist. Any plans on that?

At the moment, there are no plans for an EBICS component.
The main difference between XML-DSig and EBICS signatures is that the signature is placed in an "AuthSignature" element, whereas in XML-DSig it is a "ds:Signature" element (this is controlled by the TElXMLSigner.SignatureCompliance property); all other signature customizations are the same as for XML-DSig.
If you have a problem implementing an EBICS signature, please create a ticket in the helpdesk ( https://www.eldos.com/helpdesk/ ) with a sample of the signature that you need to create.
#31440
Posted: 11/19/2014 06:07:58
by Roland Kossow (Standard support level)
Joined: 05/16/2013
Posts: 29

Ok.
Thanks a lot for your response.
If I understood it right, it should be possible to use SB for EBICS with a little bit of customization.

Best regards

Roland
#31442
Posted: 11/19/2014 06:52:13
by marco hagen (Standard support level)
Joined: 11/09/2013
Posts: 33

Just to let you know, we have created an EBICS client with SBB in VB.NET.

SBB helped us to easily overcome .NET difficulties like SHA-256 and signature prefixes. So I can confirm it's very well possible.

Cheers,
Marco