XAdES-BES signature in Office Document

#30415
Posted: 08/19/2014 05:20:06
by David Eršil (Standard support level)
Joined: 01/15/2013
Posts: 34

Hi,

is it possible to create XAdES-BES signature in an Office document (docx)?

Based on your SecureOffice sample I use TElOfficeOpenXMLSignatureHandler for signing, but I am still unable to involve the TElXMLXAdESSigner (from the article https://www.eldos.com/security/articles/7895.php?page=all) into the process.

I am trying something like this, which surely is not correct, because it always results in an XMLDSIG in the end:

Code
TElOfficeDocument _OfficeDocument = new TElOfficeDocument();
_OfficeDocument.Open(pathToDOCX);

TElXAdESSigner XAdESSigner = new TElXAdESSigner();
XAdESSigner.XAdESVersion = 3;       //XAdES 1.3.2
XAdESSigner.XAdESForm = 2;   //XAdES-BES

TElMemoryCertStorage CertStorage = new TElMemoryCertStorage();
CertStorage.Add(selectedCert, false);
XAdESSigner.SigningCertificates = CertStorage;
XAdESSigner.SigningTime = DateTime.UtcNow;

TElOfficeOpenXMLSignatureHandler OpenXMLSigHandler = new TElOfficeOpenXMLSignatureHandler();
OpenXMLSigHandler.XAdESProcessor = XAdESSigner;

_OfficeDocument.AddSignature(OpenXMLSigHandler, true);

OpenXMLSigHandler.AddDocument();

SetSignatureInfo(OpenXMLSigHandler.SignatureInfoV1);

OpenXMLSigHandler.GenerateXAdES(2, selectedCert);
OpenXMLSigHandler.Sign(selectedCert);

_OfficeDocument.Flush();
_OfficeDocument.Close();


I must be missing something important here.
Could you please give me some advice on how to get this working properly (if possible)?
I am using .NET version of SBB 12.0.258.

Thank you very much in advance.
#30418
Posted: 08/19/2014 07:00:37
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

You should either use the code:
Code
TElXAdESSigner XAdESSigner = new TElXAdESSigner();
OpenXMLSigHandler.XAdESProcessor = XAdESSigner;
XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_3_2;
XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_BES;

TElMemoryCertStorage CertStorage = new TElMemoryCertStorage();
CertStorage.Add(selectedCert, false);
XAdESSigner.SigningCertificates = CertStorage;
XAdESSigner.SigningTime = DateTime.UtcNow;

or the code:
Code
OpenXMLSigHandler.GenerateXAdES(SBXMLAdES.Unit.XAdES_BES, selectedCert);

as the GenerateXAdES() method recreates the XAdESSigner object. The two code snippets above are equivalent.

Anyway, I have tested your code (as is), and the correct XAdES signature was created. Could you please post a sample signed document to helpdesk ( http://www.eldos.com/helpdesk/ ) for checking.
#30502
Posted: 08/27/2014 07:37:38
by David Eršil (Standard support level)
Joined: 01/15/2013
Posts: 34

Finally I managed to reach the state I was looking for.

It turned out one of the problems was that (due to many changes in code) I have not been adding the signing certificate to the XAdESSigner.SigningCertificates variable properly and thus it did not get to the SignedProperties node of the signature, resulting in the Web Service stating the signature is just a plain XMLDSIG.

Another issue was that the QualifyingProperties Target attribute was not corresponding with the Signature ID. I solved this by changing it in OpenXMLSigHandler's OnBeforeSign event.

Code
void OpenXMLSigHandler_OnBeforeSign(object Sender, TElXMLSigner Signer)
{
  Signer.Signature.QualifyingProperties.Target = "#" + Signer.Signature.ID;
}
#30513
Posted: 08/27/2014 13:08:46
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for the info.

As for the QualifyingProperties.Target attribute: by default the component generates the Signature.ID attribute and sets the appropriate QualifyingProperties.Target attribute. If you change the Signature.ID property, then you will need to change the QualifyingProperties.Target property too (the values should be synced). It is okay to change this property in the OnBeforeSign event handler.
#31354
Posted: 11/06/2014 03:29:22
by Martin Icha (Premium support level)
Joined: 10/31/2014
Posts: 9

Hello, I am using the C++ version of Secure Blackbox for iOS. I am not able to produce XAdES-BES signature. It produces only the "basic" xmldsig signature.

Code snippet:
Code
try
    {
        Certificate = new SecureBlackbox::TElX509Certificate(NULL);
        int ret = Certificate->LoadFromBufferPFX((void*)[pkcs12 bytes], [pkcs12 length], TEMP_PASSWORD);
        NSLog(@"ret: %d", ret);
        
        if (OfficeDocument->get_OpenXMLDocument() != NULL)
        {
            SecureBlackbox::TElOfficeOpenXMLSignatureHandler *OpenXMLSigHandler = new SecureBlackbox::TElOfficeOpenXMLSignatureHandler(NULL);
            
            SecureBlackbox::TElMemoryCertStorage* certStorage = new SecureBlackbox::TElMemoryCertStorage(nil);
            ret = certStorage->LoadFromBufferPFX((void*)[pkcs12 bytes], [pkcs12 length], TEMP_PASSWORD);
            NSLog(@"ret: %d", ret);
            
            SecureBlackbox::TElXAdESSigner* xadesSigner = new SecureBlackbox::TElXAdESSigner(nil);
            xadesSigner->SetXAdESVersion(SecureBlackbox::XAdES_v1_3_2);
            xadesSigner->SetXAdESForm(SecureBlackbox::XAdES_BES);
            xadesSigner->SetSigningCertificates(certStorage);
            NSDate *date = [NSDate date];
            xadesSigner->set_SigningTime([date timeIntervalSince1970]);
            
            OpenXMLSigHandler->set_XAdESProcessor(xadesSigner);
            OfficeDocument->AddSignature(OpenXMLSigHandler, true);
            OpenXMLSigHandler->AddDocument();
            xadesSigner->Generate(SecureBlackbox::XAdES_BES);
            OpenXMLSigHandler->Sign(Certificate);
        }
        OfficeDocument->Flush();
        OfficeDocument->Close();
    }
    catch(SecureBlackbox::SBException E)
    {
        NSLog(@"Failed to sign: %s", E.what());
        return;
    }

No exception is thrown, int ret is always 0. Would you help me, please? What am I missing in the code?
#31355
Posted: 11/06/2014 03:57:21
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
OfficeDocument->AddSignature(OpenXMLSigHandler, true);

Please add this line as the first line (after initializing the OpenXMLSigHandler variable), as internally it resets the signature handler to the default values. After that, set the XAdESProcessor property.

Quote

Code
            SecureBlackbox::TElXAdESSigner* xadesSigner = new SecureBlackbox::TElXAdESSigner(nil);
            xadesSigner->SetXAdESVersion(SecureBlackbox::XAdES_v1_3_2);
            xadesSigner->SetXAdESForm(SecureBlackbox::XAdES_BES);
            xadesSigner->SetSigningCertificates(certStorage);
            
            OpenXMLSigHandler->set_XAdESProcessor(xadesSigner);
            xadesSigner->Generate(SecureBlackbox::XAdES_BES);


You can replace this code with the OpenXMLSigHandler->GenerateXAdES(XAdES_EPES, certificate) method.

Note: MS Office treats XAdES-BES signatures as XAdES-EPES, and the minimal XAdES form that MS Office could create is XAdES-EPES (if XAdES is enabled). So it is better to create XAdES-EPES signatures by default, as some third-party services may not understand XAdES-BES signatures.
#31356
Posted: 11/06/2014 04:21:55
by Martin Icha (Premium support level)
Joined: 10/31/2014
Posts: 9

Thank you for your fast reply. I am using the OpenXMLSigHandler->GenerateXAdES(XAdES_EPES, certificate) method now. Unfortunately the document is not signed as XAdES-EPES.

Code snippet:
Code
try
{
        Certificate = new SecureBlackbox::TElX509Certificate(NULL);
        int ret = Certificate->LoadFromBufferPFX((void*)[pkcs12 bytes], [pkcs12 length], TEMP_PASSWORD);
        NSLog(@"ret: %d", ret);
        
        if (OfficeDocument->get_OpenXMLDocument() != NULL)
        {
            SecureBlackbox::TElOfficeOpenXMLSignatureHandler *OpenXMLSigHandler = new SecureBlackbox::TElOfficeOpenXMLSignatureHandler(NULL);
            OfficeDocument->AddSignature(OpenXMLSigHandler, true);
            OpenXMLSigHandler->AddDocument();
            OpenXMLSigHandler->GenerateXAdES(SecureBlackbox::XAdES_EPES, Certificate);
            OpenXMLSigHandler->Sign(Certificate);
        }
}

No exception thrown...
#31357
Posted: 11/06/2014 04:30:04
by Dmytro Bogatskyy (EldoS Corp.)

I've moved the question to the helpdesk for investigation ( https://www.eldos.com/helpdesk/ ). You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.
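
For checking a produced signature part against the points raised in this thread (signing certificate present in SignedProperties, QualifyingProperties Target matching the Signature Id, BES versus EPES), the following is an added example, not code from the posters or from EldoS. It is a structural check only and does no cryptographic verification; the element Ids in the sample and the rule of reporting any failed check as plain XMLDSIG are assumptions of this example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XA = "http://uri.etsi.org/01903/v1.3.2#"             # XAdES 1.3.2 namespace
SP_TYPE = "http://uri.etsi.org/01903#SignedProperties"

def classify(xml_text):
    """Return (level, problems); level is 'xmldsig', 'xades-bes' or 'xades-epes'."""
    sig = ET.fromstring(xml_text)                     # root is expected to be ds:Signature
    qp = sig.find(f"{{{DS}}}Object/{{{XA}}}QualifyingProperties")
    if qp is None:
        return "xmldsig", ["no QualifyingProperties element"]
    problems = []
    if qp.get("Target") != "#" + sig.get("Id", ""):
        problems.append("QualifyingProperties Target does not match Signature Id")
    sp = qp.find(f"{{{XA}}}SignedProperties")
    if sp is None:
        return "xmldsig", problems + ["no SignedProperties element"]
    # The signed properties only count if SignedInfo actually references them.
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if not any(r.get("URI") == "#" + sp.get("Id", "") and r.get("Type") == SP_TYPE
               for r in refs):
        problems.append("SignedProperties is not covered by a ds:Reference")
    ssp = f"{{{XA}}}SignedSignatureProperties/"
    if sp.find(ssp + f"{{{XA}}}SigningCertificate/{{{XA}}}Cert/{{{XA}}}CertDigest") is None:
        problems.append("signing certificate missing from SignedProperties")
    if problems:                                      # assumption: be as strict as a picky verifier
        return "xmldsig", problems
    epes = sp.find(ssp + f"{{{XA}}}SignaturePolicyIdentifier") is not None
    return ("xades-epes" if epes else "xades-bes"), []

def sample(target="#idPackageSignature", cert=True, policy=False):
    """Constructed, unsigned skeleton of a signature part (no real digests or keys)."""
    c = "<x:SigningCertificate><x:Cert><x:CertDigest/></x:Cert></x:SigningCertificate>"
    p = "<x:SignaturePolicyIdentifier><x:SignaturePolicyImplied/></x:SignaturePolicyIdentifier>"
    return (f'<Signature xmlns="{DS}" xmlns:x="{XA}" Id="idPackageSignature"><SignedInfo>'
            f'<Reference URI="#idSignedProperties" Type="{SP_TYPE}"/></SignedInfo>'
            f'<Object><x:QualifyingProperties Target="{target}">'
            '<x:SignedProperties Id="idSignedProperties"><x:SignedSignatureProperties>'
            f'{c if cert else ""}{p if policy else ""}'
            '</x:SignedSignatureProperties></x:SignedProperties>'
            '</x:QualifyingProperties></Object></Signature>')

if __name__ == "__main__":
    cases = {"as generated": sample(), "Id changed, Target not synced": sample(target="#other"),
             "certificate not added": sample(cert=False), "with policy": sample(policy=True)}
    for label, xml_text in cases.items():
        print(label, "->", classify(xml_text))
```

To check a real document, pass in the text of the signature part from the package's `_xmlsignatures` folder (a .docx is a ZIP archive).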