EldoS | Feel safer!


Problem verifying a xades bes document

#32943
Posted: 04/04/2015 02:10:01
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I'm trying to verify the attached document, but it fails.

My code is as simple as

Code
public static MemoryStream ReadXADESSignedBuffer(MemoryStream fsIn) {
    fsIn.Seek(0, System.IO.SeekOrigin.Begin);
    TElXMLDOMDocument doc = new TElXMLDOMDocument();
    doc.LoadFromStream(fsIn, "UTF-8", false);
    TElXAdESVerifier txad = new TElXAdESVerifier();
    TElXMLVerifier emv = new TElXMLVerifier();
    emv.XAdESProcessor = txad;
    MemoryStream fsOut = new MemoryStream();
    try {
        emv.Load(doc.DocumentElement);
    }
    catch (Exception e) {
        return null;
    }
    bool result = emv.ValidateSignature();  // this fails
    if (!result) {
        return null;  // it exits here
    }
    ....

I've verified the document with some third-party tools and it is valid:
https://www.firma.infocert.it/utenti/verifica.php

Is it a bug in the library?
Thanks in advance

Gaetano Lazzo

#32944
Posted: 04/04/2015 02:21:52
by Eugene Mayevski (EldoS Corp.)

Thank you for the report.

We have a sample in <SecureBlackbox>\Samples\C#\XMLBlackbox\Desktop\AdvancedSigner directory. This sample lets you validate the signatures. It would help a lot if you could test the signature with the sample and see if the sample works for your signature.


Sincerely yours
Eugene Mayevski
#32945
Posted: 04/04/2015 03:01:45
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I tried it and it states that the signature validation is OK.
It only says that the signing certificate is invalid and that some references failed to validate.


Quote

Starting certificate validation
Certificate:
Subject: 2.5.4.46=1083-1168869294942, CN=NAME NAME SURNAME, 2.5.4.5=IT:XXXXXXXF205X, 2.5.4.42=SURNAME NAME, 2.5.4.4=SURNAME, O=FABER SYSTEM/07155170157, C=IT
Issuer: CN=Actalis Qualified Certificates CA G1, OU=Qualified Certification Service Provider, O=Actalis S.p.A./xxxxxxxxxx, C=IT
Serial: 2F5B8B4887D8EB8C
Certificate validation completed
Certificate:
Subject: 2.5.4.46=1083-1168869294942, CN=NAME NAME SURNAME, 2.5.4.5=IT:XXXXXXXXXXXXXXXX, 2.5.4.42=NAME NAME, 2.5.4.4=SURNAME, O=FABER SYSTEM/07155170157, C=IT
Issuer: CN=Actalis Qualified Certificates CA G1, OU=Qualified Certification Service Provider, O=Actalis S.p.A./03358520967, C=IT
Serial: 2F5B8B4887D8EB8C
CA Certificate:
No Certificate
Validity: Invalid
Reason: Unknown CA
#32946
Posted: 04/04/2015 03:16:23
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

I've noticed that if I uncheck "normalize newline characters on load", the sample fails to check the signature too.
Now I wonder what I'm supposed to do... I'm verifying a document for use under the standard ETSI TS 101 903 v1.4.1.
#32947
Posted: 04/04/2015 03:21:18
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Possibly your document has CR characters.
Different implementations canonicalize the CR character in three different ways:
1. ignore it (usually web applications; in fact it is okay if an application expects canonicalized input),
2. canonicalize it as an entity (the correct way as defined by the specification; SecureBlackbox also does this if a document is loaded with the normalization option disabled),
3. canonicalize it as is (some buggy applications).
In each case you will get a different digest value.

To solve this issue we recommend normalizing newline characters before loading and signing a document (it is the third parameter of the TElXMLDOMDocument.LoadFromStream method).
See: http://www.eldos.com/documentation/sb...tream.html
If you set it to true, CRLF and CR characters will be replaced by LF characters on loading. So, if you sign a document with normalized newlines, all implementations should be able to verify it.
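To make the three behaviours above concrete, here is an added Python example (not code from the thread or from SecureBlackbox) that models each CR handling as a byte transform and hashes the result; the three transforms are a simplified stand-in for a real canonicalizer, and the sample XML with CRLF line endings is constructed.

```python
import base64
import hashlib

# Constructed sample: a small XML body saved with Windows CRLF line endings.
SAMPLE_CRLF = b"<Doc>\r\n  <Line>Amount 100</Line>\r\n</Doc>"


def sha256_b64(data: bytes) -> str:
    """Base64 SHA-256, the form a ds:DigestValue carries."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def normalize_newlines(data: bytes) -> bytes:
    """Models LoadFromStream with the third parameter true: CRLF and CR become LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def c14n_ignore_cr(data: bytes) -> bytes:
    """Behaviour 1: the implementation assumes normalized input and drops the CR."""
    return normalize_newlines(data)


def c14n_cr_as_entity(data: bytes) -> bytes:
    """Behaviour 2 (Canonical XML): a literal CR is written as the reference &#xD;."""
    return data.replace(b"\r", b"&#xD;")


def c14n_cr_as_is(data: bytes) -> bytes:
    """Behaviour 3: the raw CR byte is left in the canonical form."""
    return data


def reference_digests(data: bytes) -> dict:
    """DigestValue each of the three implementations computes for the same bytes."""
    return {
        "ignore": sha256_b64(c14n_ignore_cr(data)),
        "entity": sha256_b64(c14n_cr_as_entity(data)),
        "as_is": sha256_b64(c14n_cr_as_is(data)),
    }


def implementations_agree(data: bytes) -> bool:
    """True only when every implementation would verify a signature over these bytes."""
    return len(set(reference_digests(data).values())) == 1


if __name__ == "__main__":
    for name, digest in reference_digests(SAMPLE_CRLF).items():
        print(f"raw CRLF  {name:7s} {digest}")
    print("agree after normalization:", implementations_agree(normalize_newlines(SAMPLE_CRLF)))
```

With the raw CRLF input the three digests differ, so only the implementation that matches the signer would verify; once the newlines are normalized before signing, no CR is left to disagree about.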
#32948
Posted: 04/04/2015 04:17:06
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

OK, using true as the third parameter for LoadFromStream, the method TElXMLVerifier.ValidateSignature returns true.
There is still a problem with the first reference: it fails to validate, also in the sample application.
The reference is like this:
Quote

<?xml version="1.0" encoding="UTF-16" standalone="no"?><?xml-stylesheet type="text/xsl" href="fatturapa_v1.1.xsl"?>
<p:FatturaElettronica xmlns:p="http://www.fatturapa.gov.it/sdi/fatturapa/v1.1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" versione="1.1">
....

</FatturaElettronicaBody>
<ds:Signature Id="S-5ac25b7b-e70d-4f16-b0ab-d75f35743553">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference Id="R-60014112-651d-43f7-be55-5d585c476761" URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>
</ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>T6dtP5FYSiW2oNcFe7g0Kb5cwIXSQu1/eY/X0ciRqr4=</ds:DigestValue>
</ds:Reference>
<ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SP-528a7188-9160-4f52-bd66-f572684646fe">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>mewNR/69IatCAJT/IAsMKpLZvLOElqswRODT3quy+xU=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#KI-0918cf3d-9c24-4a66-bcbe-b799892db3fd">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>j0ZUH8TYFT4SHtnmH63Y7tuGIX7u16CHn5+khznXs04=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
oAEL7SohOLBFdyy6mHmNi91dh8VG9Lyw3LPyT+mhLskVH0lcgidmHq/F/aF/k7A6t76G9bja0ONE
5m7VjyIctvj5wTHW72x2jlQrk/vdW0HNFDVJXkX3rO/v8LO5brAu8fXmpMQhVDdnZKIZ+htwvPQ6
av2nnSrRKSSpB2uft/I=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-0918cf3d-9c24-4a66-bcbe-b799892db3fd">
<ds:X509Data> <ds:X509Certificate>..</ds:X509Certificate> </ds:X509Data>
</ds:KeyInfo>
<ds:Object>
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#S-5ac25b7b-e70d-4f16-b0ab-d75f35743553">
<xades:SignedProperties Id="SP-528a7188-9160-4f52-bd66-f572684646fe">
<xades:SignedSignatureProperties>
<xades:SigningTime>2015-04-02T16:16:12Z</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>MfQn+9lyiZZnFtY/9+pT4WvHfGqWd4VuIkQBqKZaasM=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>CN=Actalis Qualified Certificates CA G1,OU=Qualified Certification Service Provider,O=Actalis S.p.A./03358520967,C=IT</ds:X509IssuerName>
<ds:X509SerialNumber>3412474286296329100</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#R-60014112-651d-43f7-be55-5d585c476761">
<xades:MimeType>application/xml</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature></p:FatturaElettronica>



At the moment I'm using this code to update and validate references:

Code
for (int i = 0; i < emv.References.Count; i++) {
    TElXMLReference Ref = emv.References.get_Reference(i);
    if (Ref.URINode == null) {
        if (Ref.URI == "")
            Ref.URINode = removeSign(doc).DocumentElement;
        else {
            try {
                string s = SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI);
                if (s != "")
                    Ref.URINode = SBXMLUtils.Unit.FindElementById(doc.DocumentElement, s);
            }
            catch { }
        }
    }
}

for (int i = 0; i < emv.References.Count; i++) {
    TElXMLReference rr = emv.References.get_Reference(i);
    if (!emv.ValidateReference(rr)) {
        return null;
    }
}



where removeSign is a helper function:
Code
public static TElXMLDOMDocument removeSign(TElXMLDOMDocument x) {
    TElXMLDOMDocument xx = new TElXMLDOMDocument();
    xx.AppendChild(xx.ImportNode(x.DocumentElement, true));
    TElXMLNamespaceMap ns = new TElXMLNamespaceMap();
    ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
    TElXMLNodeSet signList = xx.SelectNodes("//ds:Signature", ns);
    if (signList.Count == 0)
        return xx;
    TElXMLDOMNode sign = signList.get_Node(0);
    sign.ParentNode.RemoveChild(sign);
    return xx;
}


This function is necessary to handle the filter in the reference:
Quote

<dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>



Note that the same code is working well for many other documents that have the same syntactical structure.
It is only failing for the first reference.
#32949
Posted: 04/04/2015 06:50:36
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
xx.AppendChild(xx.ImportNode(x.DocumentElement,true));

This line copies only the document element, but for URI="" you need to copy the xml-stylesheet node too.
You can do this in the following way:
Code
TElXMLDOMNode node = x.FirstChild;
while (node != null)
{
  xx.AppendChild(xx.ImportNode(node,true));
  node = node.NextSibling;
}


By the way, the latest SecureBlackbox versions should support "subtract" filter for XPath Filter 2.0 transform, so removeSign() method is not needed.
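The two copy strategies side by side, as an added Python example rather than code from the thread or from SecureBlackbox: the standard library's minidom stands in for TElXMLDOMDocument, the serialization is a simplification of C14N 1.1 (no newline after the processing instruction, no attribute reordering) that is enough to show the digest input for the URI="" reference changes when the xml-stylesheet node is dropped, and the invoice is a constructed stand-in.

```python
import hashlib
from xml.dom import minidom

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the invoice: a stylesheet PI before the root and an enveloped signature.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b'<?xml-stylesheet type="text/xsl" href="fatturapa_v1.1.xsl"?>'
    b'<p:FatturaElettronica xmlns:p="http://www.fatturapa.gov.it/sdi/fatturapa/v1.1"'
    b' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" versione="1.1">'
    b'<FatturaElettronicaBody><Importo>100</Importo></FatturaElettronicaBody>'
    b'<ds:Signature Id="S-1"><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
    b'</p:FatturaElettronica>'
)


def copy_document_element_only(src: minidom.Document) -> minidom.Document:
    """The thread's original removeSign(): imports just the document element, so the PI is lost."""
    dst = minidom.Document()
    dst.appendChild(dst.importNode(src.documentElement, True))
    return dst


def copy_all_top_level_nodes(src: minidom.Document) -> minidom.Document:
    """The suggested fix: walk FirstChild/NextSibling so the xml-stylesheet PI is copied too."""
    dst = minidom.Document()
    node = src.firstChild
    while node is not None:
        dst.appendChild(dst.importNode(node, True))
        node = node.nextSibling
    return dst


def subtract_signature(doc: minidom.Document) -> None:
    """Equivalent of the Filter="subtract" /descendant::ds:Signature transform."""
    for sig in doc.getElementsByTagNameNS(DS_NS, "Signature"):
        sig.parentNode.removeChild(sig)


def reference_input(xml: bytes, copy_all: bool) -> bytes:
    """Bytes the URI="" reference digest is computed over: top-level nodes, no XML declaration."""
    copy_fn = copy_all_top_level_nodes if copy_all else copy_document_element_only
    copy = copy_fn(minidom.parseString(xml))
    subtract_signature(copy)
    return "".join(node.toxml() for node in copy.childNodes).encode("utf-8")


def reference_digest(xml: bytes, copy_all: bool) -> str:
    """Hex SHA-256 of the reference input, to compare the two strategies."""
    return hashlib.sha256(reference_input(xml, copy_all)).hexdigest()
```

Whichever strategy the verifier uses, the Signature element itself is removed; only the copy that keeps the processing instruction reproduces the bytes the signer hashed.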
#32950
Posted: 04/04/2015 07:14:47
by Gaetano Lazzo (Basic support level)
Joined: 12/02/2014
Posts: 14

Many thanks, it is perfectly ok now.
I don't know enough English words to thank you.

Gaetano Lazzo