EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problem verifying a xades bes document

#32943
Posted: 04/04/2015 02:10:01
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I'm trying to verify the attached document, but it fails.

My code is as simple as

Code
public static MemoryStream ReadXADESSignedBuffer(MemoryStream fsIn) {
    fsIn.Seek(0, System.IO.SeekOrigin.Begin);
    TElXMLDOMDocument doc = new TElXMLDOMDocument();
    // third parameter: normalize newline characters on load (disabled here)
    doc.LoadFromStream(fsIn, "UTF-8", false);
    TElXAdESVerifier txad = new TElXAdESVerifier();
    TElXMLVerifier emv = new TElXMLVerifier();
    emv.XAdESProcessor = txad;
    MemoryStream fsOut = new MemoryStream();
    try {
        // load the ds:Signature found under the document element
        emv.Load(doc.DocumentElement);
    }
    catch (Exception) {
        return null;
    }
    bool result = emv.ValidateSignature();  // this fails
    if (!result) {
        return null;  // it exits here
    }
  ....

I've verified the document with some third party tools and it is valid:
https://www.firma.infocert.it/utenti/verifica.php

Is it a bug of the library?
Thanks in advance

Gaetano Lazzo


#32944
Posted: 04/04/2015 02:21:52
by Eugene Mayevski (EldoS Corp.)

Thank you for the report.

We have a sample in <SecureBlackbox>\Samples\C#\XMLBlackbox\Desktop\AdvancedSigner directory. This sample lets you validate the signatures. It would help a lot if you could test the signature with the sample and see if the sample works for your signature.


Sincerely yours
Eugene Mayevski
#32945
Posted: 04/04/2015 03:01:45
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I tried it and it states the Signature validation is ok.
It only says that signing certificate is invalid and that some references failed to validate.


Quote

Starting certificate validation
Certificate:
Subject: 2.5.4.46=1083-1168869294942, CN=NAME NAME SURNAME, 2.5.4.5=IT:XXXXXXXF205X, 2.5.4.42=SURNAME NAME, 2.5.4.4=SURNAME, O=FABER SYSTEM/07155170157, C=IT
Issuer: CN=Actalis Qualified Certificates CA G1, OU=Qualified Certification Service Provider, O=Actalis S.p.A./xxxxxxxxxx, C=IT
Serial: 2F5B8B4887D8EB8C
Certificate validation completed
Certificate:
Subject: 2.5.4.46=1083-1168869294942, CN=NAME NAME SURNAME, 2.5.4.5=IT:XXXXXXXXXXXXXXXX, 2.5.4.42=NAME NAME, 2.5.4.4=SURNAME, O=FABER SYSTEM/07155170157, C=IT
Issuer: CN=Actalis Qualified Certificates CA G1, OU=Qualified Certification Service Provider, O=Actalis S.p.A./03358520967, C=IT
Serial: 2F5B8B4887D8EB8C
CA Certificate:
No Certificate
Validity: Invalid
Reason: Unknown CA
#32946
Posted: 04/04/2015 03:16:23
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I've noticed that if I uncheck "normalize newline certificates characters on load", the sample fails to check the signature too.
Now, I wonder what I'm supposed to do.... I'm verifying a document for use under the standard ETSI TS 101 903 version 1.4.1.
#32947
Posted: 04/04/2015 03:21:18
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Possibly your document has CR characters.
Different implementations canonicalize the CR character in three different ways:
1. ignore it (usually web applications; in fact it is okay if an application expects canonicalized input),
2. canonicalize it as an entity (the correct way as defined by the specification; SecureBlackbox also does this if a document is loaded with the normalization option disabled),
3. canonicalize it as is (some buggy applications).
In each case you will get a different digest value.

To solve this issue we recommend normalizing newline characters before loading and signing a document (it is the third parameter of the TElXMLDOMDocument.LoadFromStream method).
See: http://www.eldos.com/documentation/sb...tream.html
If you set it to true, CRLF and CR characters will be replaced by an LF character on loading. So, if you sign a document with normalized newlines, all implementations should be able to verify it.
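A byte-level model of the three CR treatments described above, added here as an illustration rather than code from the thread or from SecureBlackbox (the sample XML, function names and the identify_treatment helper are constructed): it shows that the three treatments give three different digests for a document containing CR, that normalizing CRLF/CR to LF before signing makes all three agree, and how to tell which treatment a given DigestValue came from.

```python
import base64
import hashlib
from typing import Callable, Dict, Optional

# Constructed sample standing in for the signed document: it contains a CRLF
# and a lone CR, the characters whose handling differs between implementations.
SAMPLE = (b'<p:Doc xmlns:p="urn:example">\r\n'
          b'  <Line>one</Line>\r'
          b'  <Line>two</Line>\r\n'
          b'</p:Doc>')

def canon_ignore_cr(data: bytes) -> bytes:
    """Treatment 1: CR is simply dropped."""
    return data.replace(b"\r", b"")

def canon_cr_as_entity(data: bytes) -> bytes:
    """Treatment 2: CR that survives loading is escaped as &#xD; (what C14N specifies)."""
    return data.replace(b"\r", b"&#xD;")

def canon_cr_as_is(data: bytes) -> bytes:
    """Treatment 3: CR is copied through unchanged."""
    return data

TREATMENTS: Dict[str, Callable[[bytes], bytes]] = {
    "ignore": canon_ignore_cr,
    "entity": canon_cr_as_entity,
    "as-is": canon_cr_as_is,
}

def normalize_newlines(data: bytes) -> bytes:
    """Model of LoadFromStream(..., true): CRLF and CR become LF before signing."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def sha256_b64(data: bytes) -> str:
    """SHA-256 digest in the base64 form a ds:DigestValue carries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def digests_by_treatment(data: bytes) -> Dict[str, str]:
    """Digest the same bytes under each CR treatment."""
    return {name: sha256_b64(fn(data)) for name, fn in TREATMENTS.items()}

def identify_treatment(data: bytes, digest_value: str) -> Optional[str]:
    """Given the DigestValue a signer produced, report which CR treatment reproduces it."""
    for name, d in digests_by_treatment(data).items():
        if d == digest_value:
            return name
    return None
```

After normalize_newlines() no CR remains, so every treatment hashes identical bytes; that is why signing a normalized document verifies everywhere.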
#32948
Posted: 04/04/2015 04:17:06
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

Ok, using true as the third parameter for LoadFromStream, the TElXMLVerifier.ValidateSignature method returns true.
A problem still remains with the first reference: it fails to validate, also in the sample application.
The reference is like this:
Quote

<?xml version="1.0" encoding="UTF-16" standalone="no"?><?xml-stylesheet type="text/xsl" href="fatturapa_v1.1.xsl"?>
<p:FatturaElettronica xmlns:p="http://www.fatturapa.gov.it/sdi/fatturapa/v1.1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" versione="1.1">
....

</FatturaElettronicaBody>
<ds:Signature Id="S-5ac25b7b-e70d-4f16-b0ab-d75f35743553">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="R-60014112-651d-43f7-be55-5d585c476761" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>T6dtP5FYSiW2oNcFe7g0Kb5cwIXSQu1/eY/X0ciRqr4=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SP-528a7188-9160-4f52-bd66-f572684646fe">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>mewNR/69IatCAJT/IAsMKpLZvLOElqswRODT3quy+xU=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#KI-0918cf3d-9c24-4a66-bcbe-b799892db3fd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>j0ZUH8TYFT4SHtnmH63Y7tuGIX7u16CHn5+khznXs04=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
oAEL7SohOLBFdyy6mHmNi91dh8VG9Lyw3LPyT+mhLskVH0lcgidmHq/F/aF/k7A6t76G9bja0ONE
5m7VjyIctvj5wTHW72x2jlQrk/vdW0HNFDVJXkX3rO/v8LO5brAu8fXmpMQhVDdnZKIZ+htwvPQ6
av2nnSrRKSSpB2uft/I=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-0918cf3d-9c24-4a66-bcbe-b799892db3fd">
<ds:X509Data> <ds:X509Certificate>..</ds:X509Certificate> </ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#S-5ac25b7b-e70d-4f16-b0ab-d75f35743553">
<xades:SignedProperties Id="SP-528a7188-9160-4f52-bd66-f572684646fe">
<xades:SignedSignatureProperties>
<xades:SigningTime>2015-04-02T16:16:12Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>MfQn+9lyiZZnFtY/9+pT4WvHfGqWd4VuIkQBqKZaasM=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=Actalis Qualified Certificates CA G1,OU=Qualified Certification Service Provider,O=Actalis S.p.A./03358520967,C=IT</ds:X509IssuerName>
<ds:X509SerialNumber>3412474286296329100</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#R-60014112-651d-43f7-be55-5d585c476761">
<xades:MimeType>application/xml</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature></p:FatturaElettronica>



At the moment I'm using this code to update and validate references:

Code
for (int i = 0; i < emv.References.Count; i++) {
    TElXMLReference Ref = emv.References.get_Reference(i);
    if (Ref.URINode == null) {
        if (Ref.URI == "") {
            // URI="" refers to the whole document; the XPath Filter 2.0 "subtract"
            // transform is emulated by removing the ds:Signature element first
            Ref.URINode = removeSign(doc).DocumentElement;
        }
        else {
            // same-document reference (#id): resolve the element by its Id
            try {
                string s = SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI);
                if (s != "")
                    Ref.URINode = SBXMLUtils.Unit.FindElementById(doc.DocumentElement, s);
            }
            catch { }
        }
    }
}

for (int i = 0; i < emv.References.Count; i++) {
    TElXMLReference rr = emv.References.get_Reference(i);
    // recompute the digest over the resolved node and compare it with DigestValue
    if (!emv.ValidateReference(rr)) {
        return null;
    }
}



where removeSign is a helper function:
Code
public static TElXMLDOMDocument removeSign(TElXMLDOMDocument x) {
    // work on a copy so the original document is left intact
    TElXMLDOMDocument xx = new TElXMLDOMDocument();
    xx.AppendChild(xx.ImportNode(x.DocumentElement, true));
    TElXMLNamespaceMap ns = new TElXMLNamespaceMap();
    ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
    TElXMLNodeSet signList = xx.SelectNodes("//ds:Signature", ns);
    if (signList.Count == 0)
        return xx;
    // drop the first ds:Signature element, as the "subtract" XPath filter does
    TElXMLDOMNode sign = signList.get_Node(0);
    sign.ParentNode.RemoveChild(sign);
    return xx;
}


This function is necessary to handle the filter in the reference:
Quote

<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>



Note that the same code is working well for many other documents that have the same syntactical structure.
It is only failing for the first reference.
#32949
Posted: 04/04/2015 06:50:36
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
xx.AppendChild(xx.ImportNode(x.DocumentElement,true));

This line copies only the document element, but for URI="" you need to copy the xml-stylesheet node too.
You can do this in the following way:
Code
// copy every top-level node of the source document (processing
// instructions included), not only the document element
TElXMLDOMNode node = x.FirstChild;
while (node != null)
{
  xx.AppendChild(xx.ImportNode(node, true));
  node = node.NextSibling;
}


By the way, the latest SecureBlackbox versions should support the "subtract" filter for the XPath Filter 2.0 transform, so the removeSign() method is not needed.
#32950
Posted: 04/04/2015 07:14:47
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

Many thanks, it is perfectly OK now.
I don't know enough English words to thank you.

Gaetano Lazzo