Camerfirma certs
#31735
Posted: 12/22/2014 08:05:55
by Javier Puig (Basic support level)
Joined: 12/22/2014
Posts: 4

Hi,

I'm evaluating SecureBlackbox (12.0.263) to sign and verify XML documents with XAdES-XL 1.3.2. Signing certificate is from Camerfirma (http://www.camerfirma.com/en/area-de-usuario/consulta-de-certificados/).

I'm using the provided sample (Advanced XML Signer) and run into the following problems:

1.- Chain validation error (1004) is reported when trying to verify the XmlDsig signature (maybe this is related to point 2).
2.- Signature:KeyInfo:X509Data:X509IssuerSerial:X509SerialNumber has a different value than the one set in cert (a long decimal value instead of an apparently hex value, like 00A3DA427EA4B1AEDA).
3.- For XAdES-C, CompleteCertificateRefs:CertRefs:Cert:CertDigest:DigestValue of signing cert does not match the one in XmlDsig.

Thanks in advance for your support.
JPG
#31739
Posted: 12/22/2014 10:30:04
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
2.- Signature:KeyInfo:X509Data:X509IssuerSerial:X509SerialNumber has a different value than the one set in cert (a long decimal value instead of an apparently hex value, like 00A3DA427EA4B1AEDA).

According to the XML-DSig standard, X509SerialNumber has type integer (decimal value).
But some tools require X509SerialNumber to be in hex form; to do this please set the TElXMLKeyInfoX509Data.HexSerialNumber property to true.
Quote
3.- For XAdES-C, CompleteCertificateRefs:CertRefs:Cert:CertDigest:DigestValue of signing cert does not match the one in XmlDsig.

There is an overloaded method AddCompleteCertificateRefs() that accepts DigestMethod as parameter, see: https://www.eldos.com/documentation/sb...erefs.html
Quote
1.- Chain validation error (1004) is reported when trying to verify XmlDsig signature (may be this is related to point 2).

1004 is SB_VALIDATOR_CRL_ERROR_NO_CRLS_RETRIEVED error code, see: https://www.eldos.com/documentation/sb...error.html
If you are verifying a signature with AdvancedSigner sample then you can get extended validation log by clicking "Show Detailed Log" button.
#31752
Posted: 12/23/2014 04:31:42
by Javier Puig (Basic support level)
Joined: 12/22/2014
Posts: 4

Hi,

thanks for your quick answer.

1.- Please find the attached cert verification log. Signing cert is not self-signed but issued by a CA.

2.- I've managed to find the place in the Advanced XML Signer sample to set the HexSerialNumber property. Now the result is much better but still does not match the value set in the certificate (one octet is missing: instead of 00BBCC5712522A04AF it appears as 0BBCC5712522A04AF). I know the XmlDsig schema requires an integer, but the fact is that many CAs set arbitrary values in this property (I have seen even GUIDs).
For Xades however I was not able to find the proper place in the code to set the HexSerialNumber property, therefore a decimal integer appears in xades:SigningCertificate. Could you please point me where in the code this must be set?

3.- I will investigate further but digest method used is the same for all certs.

Kind Regards,


#31753
Posted: 12/23/2014 07:36:22
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote
2.- I've managed to find the place in Advanced XML Signer sample to set the HexSerialNumber property. Now the result is much better but still does not match the value set in certificate (one octet is missing, instead of 00BBCC5712522A04AF it appears 0BBCC5712522A04AF). I know the XmlDsig schema requires an integer but the fact is that many CAs set arbitrary values in this property (i have seen even guids).
For Xades however I was not able to find the proper place in the code to set the HexSerialNumber property, therefore a decimal integer appears in xades:SigningCertificate. Could you please point me where in the code this must be set?

Good point, I have made a change that is supposed to eliminate the issue with leading zero in hex form. The change will go to the next build.
As for setting HexSerialNumber property for xades:SigningCertificate elements, there is no property for this in TElXAdESSigner/TElXAdESVerifier at the moment.
You can replace the code:
Code
// Original sample code: lets the XAdES signer build the SigningCertificate entry itself
signerXades.SigningCertificates.Add(ACertificate, false);

with:
Code
signerXades.Generate();
...
// Build the xades:SigningCertificate entry manually so that HexSerialNumber can be set
TElXMLCertID CertID = new TElXMLCertID(signerXades.XAdESVersion);
// CertDigest: SHA-1 thumbprint of the signing certificate
CertID.CertDigest.DigestMethod = SBXMLDefs.Unit.xmlDigestMethodSHA1;
CertID.CertDigest.DigestValue = SBUtils.Unit.DigestToBinary160(ACertificate.GetHashSHA1());
// IssuerSerial: serial number taken from the certificate
CertID.IssuerSerial.SerialNumber = ACertificate.SerialNumber;
CertID.IssuerSerial.HexSerialNumber = false; // change to true for the hex form of the serial number
CertID.IssuerSerial.IssuerRDN.Assign(ACertificate.IssuerRDN);
signerXades.QualifyingProperties.SignedProperties.SignedSignatureProperties.SigningCertificate.Add(CertID);

Quote
1.- Please find the attached cert verification log. Signing cert is not self-signed but issued by a CA.

Is this CA certificate trusted? For example, is it installed in the CA/ROOT system storages?
Code
Subject: CN=Chambers of Commerce Root - 2008, O=AC Camerfirma S.A., 2.5.4.5=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU
Serial: 00A3DA427EA4B1AEDA

In the AdvancedSigner sample you can manually trust selected certificates: in the validation options form check "Use Custom Validation Data" and then add this certificate in "Custom Validation Data" form, and then check a checkbox to make the certificate trusted.
Quote
3.- I will investigate further but digest method used is the same for all certs.

Do you need to use different thumbprint digest method for different certificates in CompleteCertificateRefs element?
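The exchange above turns on how one certificate serial number is written in two forms: XML-DSig's ds:X509SerialNumber is an xs:integer (decimal), while the certificate itself carries the serial as DER INTEGER content octets, which is what the "hex form" shows. The octet that went missing (00BBCC5712522A04AF becoming 0BBCC5712522A04AF) is exactly the leading 0x00 that DER adds when the top bit of the first significant byte is set; it changes nothing about the integer value, so a naive integer-to-hex conversion drops it. The following Python example is added here to illustrate that conversion and its pitfalls; it is not SecureBlackbox code and does not use its API. The function names and the sample serials (taken from the values quoted in this thread) are this example's own.

```python
"""Converting an X.509 serial number between the decimal form required by
XML-DSig (ds:X509SerialNumber is an xs:integer) and the hexadecimal octet
form that some verifiers expect, without losing leading 0x00 octets.

Added illustration; not SecureBlackbox code. Helper names are this example's own.
"""


def serial_octets_to_decimal(octets: bytes) -> str:
    """DER INTEGER content octets -> decimal string (ds:X509SerialNumber form).

    RFC 5280 4.1.2.2 requires serial numbers to be positive, so the octets
    are read as an unsigned big-endian integer.
    """
    return str(int.from_bytes(octets, "big"))


def decimal_to_serial_octets(decimal: str) -> bytes:
    """Decimal ds:X509SerialNumber -> minimal DER INTEGER content octets.

    This is where the thread's bug lives: the value alone does not say whether
    a leading 0x00 existed, so it must be re-added whenever the top bit of the
    first significant byte is set (the DER rule for positive integers).
    """
    value = int(decimal, 10)
    if value < 0:
        raise ValueError("serial numbers must be positive")
    length = max(1, (value.bit_length() + 7) // 8)
    octets = value.to_bytes(length, "big")
    if octets[0] & 0x80:
        octets = b"\x00" + octets
    return octets


def serial_octets_to_hex(octets: bytes) -> str:
    """Hex form that reproduces the certificate's octets exactly (even length)."""
    return octets.hex().upper()


def hex_to_serial_octets(hexstr: str) -> bytes:
    """Parse a hex serial; an odd-length string (one dropped leading nibble,
    as in 0BBCC5712522A04AF) is repaired by left-padding a single '0'."""
    cleaned = hexstr.strip().replace(" ", "").replace(":", "")
    if len(cleaned) % 2:
        cleaned = "0" + cleaned
    return bytes.fromhex(cleaned)


def serials_match(xml_value: str, hex_form: bool, cert_octets: bytes) -> bool:
    """Verifier-side check: does the serial written in the XML (in either form)
    identify the same certificate? Compared as integer values, so a 0x00 octet
    present in one form and absent in the other does not cause a mismatch."""
    xml_octets = hex_to_serial_octets(xml_value) if hex_form else decimal_to_serial_octets(xml_value)
    return int.from_bytes(xml_octets, "big") == int.from_bytes(cert_octets, "big")


if __name__ == "__main__":
    # Serial quoted in the thread (constructed from that string, not from a live certificate)
    cert_serial = bytes.fromhex("00BBCC5712522A04AF")
    dec = serial_octets_to_decimal(cert_serial)
    print("decimal form :", dec)
    print("hex form     :", serial_octets_to_hex(cert_serial))
    print("round trip ok:", decimal_to_serial_octets(dec) == cert_serial)
    # The truncated value seen in the signed document still identifies the certificate
    print("truncated hex still matches:", serials_match("0BBCC5712522A04AF", True, cert_serial))
```

The decimal form is lossless as a value, so a verifier that compares serials as integers (as serials_match does) is robust to either form; the hex form only reproduces the certificate's octets if the producer pads to an even number of hex digits and re-adds the DER leading zero, which is the fix the next build is described as making.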
#31754
Posted: 12/23/2014 10:20:21
by Javier Puig (Basic support level)
Joined: 12/22/2014
Posts: 4

Hi,

1.- Yes, CA cert is installed as root in system storage. Intermediate cert also does exist in Intermediate system storage. I've tried also setting manually these certs as trusted but without success.

2.- Thanks! Could you please give me a similar advice for setting hex serial number for xades:CompleteCertificateRefs?

Quote
Do you need to use different thumbprint digest method for different certificates in CompleteCertificateRefs element?

No, I don't.

Do you have an estimated time for next build?

Regards,
#31755
Posted: 12/23/2014 14:12:15
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
1.- Yes, CA cert is installed as root in system storage. Intermediate cert also does exist in Intermediate system storage. I've tried also setting manually these certs as trusted but without success.

Could you please attach the signed XML file so that we could use it to reproduce the issue locally? Please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
Quote
2.- Thanks! Could you please give me a similar advice for setting hex serial number for xades:CompleteCertificateRefs?

Setting the HexSerialNumber property for this element is more complicated than the code for xades:SigningCertificate elements. So, we have added an additional xoUseHexSerialNumber option to the TElXAdESSigner/Verifier.XAdESOptions property that will control generation of the SerialNumber element for the xades:SigningCertificate, xades:CompleteCertificateRefs and xades:AttributeCertificateRefs elements.
This change will also go to the next build.
Quote
Do you have an estimated time for next build?

Usually the new build is released within a month from the last build.
Notifications about new builds are posted to the news feed on https://www.eldos.com/news/ (RSS is available too) and on our Google+, Facebook and Twitter pages.
#31759
Posted: 12/24/2014 04:55:39
by Javier Puig (Basic support level)
Joined: 12/22/2014
Posts: 4

Hi,

I have attached sample signed xml file in ticket 26731.

Regards,
#31760
Posted: 12/24/2014 06:10:18
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I have attached sample signed xml file in ticket 26731.

Thank you. I have answered in HelpDesk.