EldoS | Feel safer!

xades enveloping manifest

#29906
Posted: 06/24/2014 10:03:58
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

Hello,

We have a regulator's requirement to apply a XAdES-BES signature to some XML files.
They let us choose between two ways:

XAdES-BES 1.3.2 "enveloped" or
XAdES-BES 1.3.2 "enveloping of a manifest"


We have done the first one.

They say that the second one is designed to optimize the signature process, and that the signature will be over the manifest of the XML file, as described in http://www.w3.org/TR/xmldsig-core/#sec-o-Manifest and http://www.w3.org/TR/xmldsig-core/#def-SignatureEnveloping.

They expect us to finish the signature process with two files: one for the source XML file and the second for the signature of the manifest.

The manifest references the source XML by the URI in <Reference> and contains the SHA-256 hash of the source file.

Do you think that we can do this with the components?
We don't know if we have to create the manifest file (and how), or if the signer process will create it for us.
#29913
Posted: 06/24/2014 10:32:09
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Yes, it is possible. There are TElXMLManifest and TElXMLObject classes that you can use. For example:
Code
Signer.UpdateReferencesDigest();
...
// reference from SignedInfo to the Manifest that will be placed in a ds:Object
Ref = new TElXMLReference();
Ref.DigestMethod = SBXMLSec.Unit.xdmSHA1;
Ref.URI = "#ManifestId";
Signer.References.Add(Ref);
...
Signer.GenerateSignature();
...
// the Manifest travels inside a ds:Object of the signature
Obj = new TElXMLObject();
Signer.Signature.Objects.Add(Obj);
Manifest = new TElXMLManifest();
Manifest.ID = "ManifestId";
Obj.DataList.Add(Manifest);
// add references to the data covered by the manifest
Ref = new TElXMLReference();
Ref.URI = "ObjId1";
Ref.URINode = ObjNode;
Ref.UpdateDigestValue(); // calculate digest value based on URINode/URIData/URIStream property, or set DigestValue directly
Manifest.Add(Ref);
#30565
Posted: 09/01/2014 09:18:02
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

Thank you for your reply.

Do you think that this method is faster or more optimized than enveloped?
#30567
Posted: 09/01/2014 11:09:27
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
Do you think that this method is faster or more optimized than enveloped?

The speed is almost the same.
Please refer to the clause (2.3) below for possible usage scenarios:
http://www.w3.org/TR/xmldsig-core/#sec-o-Manifest
#30568
Posted: 09/01/2014 11:54:11
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

Hello,

I think there is something that I don't understand.
I sign the manifest of an XML file and store it in an attached file (SignatureType is 4, Detached), then I verify the signature with your AdvancedSigner example, and the signature is always valid, and so are the references.

If I do the same signing process but with the source XML file instead of the manifest, the validation of the reference fails until I modify the reference data to point to the main file; then the validation is OK. If I change some bytes in the main file, the validation fails.

But how can I check if the original XML file is modified, when I sign with a manifest?

Sorry for my English.


SignatureType is 4 (Detached)

Code
// origenName, URI and SignFileDestName are set elsewhere in the caller
TElXMLReference tref = new TElXMLReference();
TElXMLDOMDocument xmlDocument = new TElXMLDOMDocument();

xmlDocument.LoadFromFile(origenName, "utf-16", true);

// calculate the digest which will be signed
signer.UpdateReferencesDigest();
tref.DigestMethod = SBXMLSec.Unit.xdmSHA256;
tref.URI = "#ManifestId";
signer.References.Add(tref);
signer.GenerateSignature();

// the manifest is placed inside a ds:Object of the signature
var obj = new SBXMLSig.TElXMLObject();
signer.Signature.Objects.Add(obj);
var manifest = new SBXMLSig.TElXMLManifest();
manifest.ID = "ManifestId";
obj.DataList.Add(manifest);

// manifest reference to the source document
tref = new TElXMLReference();
tref.URI = URI;
tref.URINode = xmlDocument.DocumentElement;
tref.UpdateDigestValue();

manifest.Add(tref);

// write the detached signature into a new, empty document
xmlDocument.Dispose();
xmlDocument = new TElXMLDOMDocument();
TElXMLDOMNode node = xmlDocument; // passed by ref to Save, so declared as the node type Save expects

signer.Save(ref node);
using (FileStream F = new FileStream(SignFileDestName, FileMode.Create, FileAccess.ReadWrite))
{
    xmlDocument.SaveToStream(F, SBXMLDefs.Unit.xcmNone, "utf-16");
}
#30569
Posted: 09/01/2014 13:15:08
by Dmytro Bogatskyy (EldoS Corp.)

Quote

But how can I check if the original XML file is modified, when I sign with a manifest?

The AdvancedSigner sample doesn't check the manifest references, as those references are usually application dependent. You should check them by yourself.
For example:
Code
for (int i = 0; i < XMLVerifier.Signature.Objects.Count; i++)
// check the object by Id or process all objects
{
  TElXMLObject Obj = XMLVerifier.Signature.get_Objects(i);
  for (int j = 0; j < Obj.DataList.Count; j++)
    if (Obj.DataList[j] is TElXMLManifest)
    {
      TElXMLManifest manifest = (TElXMLManifest)Obj.DataList[j];
      for (int k = 0; k < manifest.Count; k++)
      {
        TElXMLReference Ref = manifest.get_Reference(k);
        // based on Ref.URI value validate reference
        // for example compare DigestValue with a pre-calculated digest value of the file/object
        // or set appropriate Ref.URIData/URINode/URIStream property and recalculate the digest value, for example:
        byte[] RefDigest = Ref.DigestValue;
        bool ValidationResult;
        try
        {
          Ref.UpdateDigestValue();
          ValidationResult = SBUtils.Unit.CompareMem(RefDigest, Ref.DigestValue);
        }
        finally
        {
          // restore the stored digest so the parsed signature is left unchanged
          Ref.DigestValue = RefDigest;
        }
      }
    }
}
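The manifest-reference check described in the reply above, written as an added stand-alone Python example (not part of the thread and not SecureBlackbox code): it builds the ds:Manifest the first post asks about (one Reference per file carrying the SHA-256 of the file's octets, wrapped in a constructed ds:Signature/ds:Object skeleton) and then recomputes every digest against the current file, so a modified source file is detected. It assumes each Reference URI names a whole file with no Transforms; the signature over the Manifest itself (the #ManifestId reference in SignedInfo) is still the signer library's job.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
# DigestMethod Algorithm URIs from XML-DSig; anything else is rejected (fail closed)
DIGEST_ALGS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1, SHA256_URI: hashlib.sha256}


def ds(tag):
    return f"{{{DSIG_NS}}}{tag}"


def build_manifest_signature(manifest_id, files, alg=SHA256_URI):
    """Constructed ds:Signature skeleton holding a ds:Manifest in its ds:Object.
    files maps each Reference URI to the raw bytes of that file; the digest covers
    those octets directly (no Transforms). SignedInfo/SignatureValue are left out:
    the signer library produces and verifies them.
    """
    ET.register_namespace("ds", DSIG_NS)
    manifest = ET.Element(ds("Manifest"), {"Id": manifest_id})
    for uri, data in files.items():
        ref = ET.SubElement(manifest, ds("Reference"), {"URI": uri})
        ET.SubElement(ref, ds("DigestMethod"), {"Algorithm": alg})
        digest = DIGEST_ALGS[alg](data).digest()
        ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()
    return (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:Object>'
            + ET.tostring(manifest, encoding="unicode") + "</ds:Object></ds:Signature>")


def check_manifest_references(signature_xml, resolve):
    """Recompute each manifest Reference digest and compare it with DigestValue.
    resolve(uri) returns the current bytes of the referenced file, or None if it is
    missing.  Returns {uri: bool}; unknown algorithms and missing files give False.
    """
    results = {}
    for manifest in ET.fromstring(signature_xml).iter(ds("Manifest")):
        for ref in manifest.findall(ds("Reference")):
            uri = ref.get("URI")
            method, value = ref.find(ds("DigestMethod")), ref.find(ds("DigestValue"))
            hasher = DIGEST_ALGS.get(method.get("Algorithm")) if method is not None else None
            data = resolve(uri)
            if hasher is None or data is None or value is None or not value.text:
                results[uri] = False
                continue
            # constant-time comparison of the stored digest with the recomputed one
            expected = base64.b64decode(value.text.strip())
            results[uri] = hmac.compare_digest(expected, hasher(data).digest())
    return results
```

A Reference resolved to a DOM node (as with URINode = DocumentElement in the code above) is canonicalized before hashing per XMLDSig, so its DigestValue is not the hash of the raw file and must be recomputed through the same node-based path.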
#30578
Posted: 09/02/2014 03:40:47
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

One more question:

the XAdES validation in the AdvancedSigner always says:
Failed to validate Xades Info
Reason: No signing Certificate

But the signing certificate is present (I think).

Please see the image attached.

My code to attach the XAdES signature:
Code
TElMemoryCertStorage certStorage = new TElMemoryCertStorage();
_xadesSigner = new TElXAdESSigner();

_xadesSigner.Included = SBXMLAdESIntf.Unit.xipProductionPlace;
_xadesSigner.ProductionPlace.City = Properties.Settings.Default.XadesSignerProductionPlaceCity;
_xadesSigner.ProductionPlace.StateOrProvince = Properties.Settings.Default.XadesSignerProductionPlaceStateOrProvince;
_xadesSigner.ProductionPlace.CountryName = Properties.Settings.Default.XadesSignerProductionPlaceCountryName;
certStorage.Add(_certificadoX509, true);
_xadesSigner.SigningCertificates = certStorage;
_xadesSigner.XAdESVersion = 3; // XAdES_v1_3_2 = 3
_xadesSigner.XAdESForm = 2;    // XAdES_EPES = 3, XAdES_BES = 2
_xadesSigner.SigningTime = DateTime.UtcNow;
_xadesSigner.Generate(2);      // XAdES_BES = 2

...

if (_xadesSigner != null)
{
    Signer.XAdESProcessor = _xadesSigner;
}

Thank you.
#30579
Posted: 09/02/2014 03:41:37
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

Sorry, please see the screenshot attached:


#30580
Posted: 09/02/2014 03:54:59
by Fernando Del Canio (Standard support level)
Joined: 06/24/2014
Posts: 14

I think I have found the reasons:

first, the public key is not included, and second, the certificate is expired.

Sorry!

Starting certificate validation
Certificate:
Issuer: CN=KirolSoftCA, DC=ca, DC=kiroljokoa
Subject: CN=sign.kirolsoft.com
Serial: 24503BFF000000000335
Certificate validation completed
Certificate:
Issuer: CN=KirolSoftCA, DC=ca, DC=kiroljokoa
Subject: CN=sign.kirolsoft.com
Serial: 24503BFF000000000335
CA Certificate:
Issuer: CN=KirolSoftCA, DC=ca, DC=kiroljokoa
Subject: CN=KirolSoftCA, DC=ca, DC=kiroljokoa
Serial: 16352072FDC43A9A4DF8BA727DDA3EE5
Validity: Invalid
Reason: Expired
#30581
Posted: 09/02/2014 04:11:16
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote
Reason: No signing Certificate
certStorage.Add(_certificadoX509, true);

Did you include this certificate in the KeyInfo element?
See TElXMLSigner.IncludeKey property.