EldoS | Feel safer!


How to emulate this OpenSSL code:

#34142
Posted: 07/29/2015 09:12:01
by Daniel Schaer (Standard support level)
Joined: 02/16/2012
Posts: 40

Hello;

I have to move to SBB another piece of code built with OpenSSL that does this:

Code
var
  p7: pPKCS7;
  msgin, msgout: pBIO;
  buff: PAnsiChar;
  buffsize, res: integer;
  FPos: Integer;
begin
  // Load private key if filename is defined
  ....

  // Load signer certificate
  ...

  // Wrap the message in a read-only memory BIO (-1 = use the string length)
  msgin := BIO_new_mem_buf(PAnsiChar(fMessage), -1);
  msgout := BIO_new(BIO_s_mem);

  // Build the PKCS#7 signedData structure; PKCS7_BINARY skips MIME canonicalisation
  p7 := PKCS7_sign(fCertificate, fKey, fOtherCertificates, msgin, PKCS7_BINARY);
  if p7 = nil then
    raise EOpenSSL.Create('PKCS7_sign failed. ' + GetErrorMessage);

  // Serialise it as an S/MIME message: MIME headers plus a base64 body
  BIO_reset(msgin);
  res := SMIME_write_PKCS7(msgout, p7, msgin, PKCS7_TEXT);
  if res=0 then
    raise EOpenSSL.Create('No se creo el mensaje MIME. ' + GetErrorMessage);

  // Copy the pending output into a buffer; BIO_read does not NUL-terminate,
  // so terminate it ourselves before StrPas reads it as a C string
  buffsize := BIO_pending(msgout);
  GetMem(buff, buffsize+1);
  BIO_read(msgout, buff, buffsize);
  buff[buffsize] := #0;
  fSignedMessage := StrPas(buff);

  // Cut the text after the second occurrence of finmsg
  FPos := Pos( finmsg, fSignedMessage );
  FPos := Pos( finmsg, fSignedMessage, FPos+2 );
  if FPos > 0 then
    fSignedMessage := Copy(fSignedMessage, 1, FPos-1 );

  FreeMem(buff);
  PKCS7_free(p7);
  BIO_free(msgin);
  BIO_free(msgout);
end;


The result (contained in fSignedMessage) is this:

Quote

MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

My question is, what components do I have to use for doing this, for getting exactly the same result?

Thank you very much!

Dany
#34144
Posted: 07/29/2015 09:54:11
by Eugene Mayevski (EldoS Corp.)

What we have here is PKCS#7-signed data, which is encoded with base64 and then concatenated with the standard header.

All those operations are trivial.
1) Use the TElMessageSigner component to sign the data. There's a sample for this in the Samples\Delphi\PKIBlackbox\PKCS7 folder.
2) Call the SBEncoding.Base64EncodeArray function to base64-encode the data.
3) Concatenate the header and the result.

On a side note, it would help a lot if you used the CODE and QUOTE buttons located above the text entry box (alternatively you can write [ CODE ] and [ /CODE ] tags by hand) to mark the beginning and the end of the code blocks or quotes in your messages. This would enable syntax highlighting and line numbering on the code and make it easier for analysis.

I have marked the data in your message by hand.


Sincerely yours
Eugene Mayevski
#34146
Posted: 07/29/2015 10:02:09
by Daniel Schaer (Standard support level)
Joined: 02/16/2012
Posts: 40

Oh!!! I see Eugene, I didn't know about those forum features and it is very nice to see my post fixed!!! Thank you for the tips!

And also thank you a lot for the tips for doing my code, I will work with steps 1 and 2; I don't need step 3 as in my case I don't need this header :)

Thank you very much!

Dany
#34150
Posted: 07/29/2015 11:35:14
by Daniel Schaer (Standard support level)
Joined: 02/16/2012
Posts: 40

Hi Eugene;

I am testing with your example project. It gives me options for signing. One is SHA1. But the specification I have to use says "SHA1+RSA". Is that combination available in SBB?

Best regards,

Dany
#34151
Posted: 07/29/2015 12:09:09
by Eugene Mayevski (EldoS Corp.)

SHA is a hash algorithm. RSA is a signing algorithm. You can't sign the document without using a signing algorithm.

The signing algorithm in your case is determined by the key contained in your certificate. In most cases nowadays it's RSA (though ECDSA certificates gain popularity in some cases).


Sincerely yours
Eugene Mayevski
#34153
Posted: 07/29/2015 13:55:27
by Daniel Schaer (Standard support level)
Joined: 02/16/2012
Posts: 40

Thank you Eugene. I am using the same certificate & key that I used in the OpenSSL approach, but the result is different, and the WebService that has to read it says it is an invalid format. The test I am doing is:

STEP 1: I digitally sign the same source file with your TElMessageSigner.

STEP 2:
Code
sSignedString := FRead(appdir + 'signedfile.txt');
iLen := Length(sSignedString);
SetLength(bb, iLen);
for i := 1 to iLen do bb[i-1] := Ord(sSignedString[i]);
sBase64 := SBEncoding.Base64EncodeArray(bb);


After those 2 steps, the result I get is:
Quote

The webservice that processes it says it is not a valid CMS format.

Do you see an error in my test?

Best regards,

Dany
#34155
Posted: 07/29/2015 14:25:11
by Eugene Mayevski (EldoS Corp.)

Quote
Daniel Schaer wrote:
I am using the same certificate & key that I used in the OpenSSL approach, but the result is different


How different is different? You won't get the identical sequence of bytes, that's for sure. The signature itself is always different (there's random padding added to it), and there can be minor differences in the ASN.1 sequence that makes up the PKCS#7 packet.

Quote
Daniel Schaer wrote:
the WebService that has to read it says it is an invalid format.


First of all, the code snippet you've shown doesn't seem to do what we need. Please discard it completely.

TElMessageSigner writes the data to the stream in binary format. It doesn't matter if you signed a string or binary - the result is always binary.

What you need to do is:
1) Use TMemoryStream and let TElMessageSigner put all data into the instance of TMemoryStream.
2) Read all data back from the stream into a byte array.
3) Call Base64EncodeArray on this single byte array.

After step 3 you have a properly encoded data block.


Sincerely yours
Eugene Mayevski
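The three shapes this thread deals with are: the S/MIME message OpenSSL's SMIME_write_PKCS7 produced in the first post (MIME headers, blank line, base64 body), the bare base64 of the binary CMS/PKCS#7 block that TElMessageSigner plus Base64EncodeArray yields, and a corrupted blob that a receiver rejects as "not a valid CMS format". The Python below is an added example, not code from the thread, SecureBlackbox or OpenSSL. It strips the S/MIME headers if present, base64-decodes the body and parses just enough DER to confirm that the bytes are a ContentInfo whose contentType is signedData, reporting the digest algorithm from the SignedData header (the "SHA1" of the SHA1+RSA question; the RSA part is fixed by the key, as Eugene says). The header strings are the ones quoted in the first post; the fixture it builds is a constructed, structurally valid SignedData with an empty signerInfos set, not a real signature; `inspect_cms`, `demo` and the other names are my own.

```python
import base64
import binascii
import re

# OIDs from RFC 5652 (CMS) plus the digest AlgorithmIdentifiers the checker recognises
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_DATA = "1.2.840.113549.1.7.1"
DIGEST_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
# The S/MIME header block exactly as quoted from SMIME_write_PKCS7's output in the thread
SMIME_HEADERS = ("MIME-Version: 1.0\r\n"
                 'Content-Disposition: attachment; filename="smime.p7m"\r\n'
                 'Content-Type: application/x-pkcs7-mime; smime-type=signed-data; name="smime.p7m"\r\n'
                 "Content-Transfer-Encoding: base64\r\n\r\n")

def strip_smime_headers(text: str) -> str:
    """Return the base64 body of an S/MIME message; bare base64 comes back unchanged."""
    parts = re.split(r"\r?\n\r?\n", text, maxsplit=1)
    if len(parts) == 2 and re.match(r"^[A-Za-z-]+:", parts[0].lstrip()):
        return parts[1]
    return text

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def inspect_cms(blob: str) -> dict:
    """Classify a signing result: base64 of a DER ContentInfo carrying signedData, or not."""
    try:
        der = base64.b64decode("".join(strip_smime_headers(blob).split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"not base64: {exc}"}
    try:
        tag, info, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return {"ok": False, "reason": "not a single DER SEQUENCE (ContentInfo)"}
        tag, oid, pos = _read_tlv(info, 0)
        if tag != 0x06 or _decode_oid(oid) != OID_SIGNED_DATA:
            return {"ok": False, "reason": "contentType is not signedData"}
        tag, explicit, _ = _read_tlv(info, pos)        # [0] EXPLICIT content
        tag2, signed_data, _ = _read_tlv(explicit, 0)  # SignedData SEQUENCE
        if tag != 0xA0 or tag2 != 0x30:
            return {"ok": False, "reason": "signedData is not wrapped as [0] EXPLICIT SEQUENCE"}
        _, version, pos = _read_tlv(signed_data, 0)    # CMSVersion INTEGER
        _, algs, _ = _read_tlv(signed_data, pos)       # digestAlgorithms SET OF AlgorithmIdentifier
        digests, p = [], 0
        while p < len(algs):
            _, alg, p = _read_tlv(algs, p)
            alg_oid = _decode_oid(_read_tlv(alg, 0)[1])
            digests.append(DIGEST_NAMES.get(alg_oid, alg_oid))
    except (ValueError, IndexError) as exc:
        return {"ok": False, "reason": f"malformed DER: {exc}"}
    # The signature algorithm (RSA, ECDSA, ...) sits in each SignerInfo and follows the key type.
    return {"ok": True, "reason": "CMS signedData", "version": int.from_bytes(version, "big"), "digests": digests}

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder, enough for the constructed fixture (well under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_skeleton_signed_data(digest_oid: str) -> bytes:
    """Constructed fixture: structurally valid ContentInfo/SignedData, empty signerInfos, no real signature."""
    alg = _tlv(0x30, _oid(digest_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    signed_data = (_tlv(0x02, b"\x01")                # version 1
                   + _tlv(0x31, alg)                  # digestAlgorithms
                   + _tlv(0x30, _oid(OID_DATA))       # encapContentInfo (detached, no eContent)
                   + _tlv(0x31, b""))                 # signerInfos (empty in this fixture)
    return _tlv(0x30, _oid(OID_SIGNED_DATA) + _tlv(0xA0, _tlv(0x30, signed_data)))

def demo(digest_oid: str = "1.3.14.3.2.26") -> dict:
    """Run the checker over the three shapes the thread deals with."""
    der = build_skeleton_signed_data(digest_oid)
    bare = base64.b64encode(der).decode()  # TElMessageSigner output, then Base64EncodeArray
    smime = SMIME_HEADERS + bare + "\r\n"  # what SMIME_write_PKCS7 wrote in the first post
    # Constructed failure: DER pushed through a NUL-terminated string path stops at the first 0x00
    mangled = base64.b64encode(der.split(b"\x00")[0]).decode()
    return {"bare": inspect_cms(bare), "smime": inspect_cms(smime), "mangled": inspect_cms(mangled)}
```

Calling `demo()` returns `ok` for both the bare and the S/MIME-wrapped forms (the web service in this thread wants the bare one) and a `malformed DER` result for the mangled blob, which is the kind of damage that reading the binary output through a text or C-string path causes and the likely source of a "not a valid CMS format" reply. Running the same check on a real TElMessageSigner output before sending it is a cheap way to tell "wrong bytes" from "wrong wrapper".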
#34156
Posted: 07/29/2015 17:00:26
by Daniel Schaer (Standard support level)
Joined: 02/16/2012
Posts: 40

Hi Eugene;

I modified your example project in this way:

Code
   STEP_PROCESS :
    begin
      // Read the whole input file into InBuf as raw bytes
      AssignFile(F, edtInputFile.Text);
      Reset(F, 1);
      SetLength(InBuf, FileSize(F));
      BlockRead(F, InBuf[0], Length(InBuf));
      System.CloseFile(F);
      Sz := 0;
      btnBack.Enabled := false;
      btnNext.Enabled := false;
      btnCancel.Caption := 'Finish';
      btnCancel.Default := true;
      // First call with a nil output buffer only asks for the required size in Sz
      ElMessageSigner1.Sign(@InBuf[0], Length(InBuf), nil, Sz);
      SetLength(OutBuf, Sz);
      Cursor := crHourGlass;
      // Second call writes the binary PKCS#7/CMS signedData into OutBuf; 0 means success
      I := ElMessageSigner1.Sign(@InBuf[0], Length(InBuf), @OutBuf[0], Sz);
      if I = 0 then
      begin
        SetLength(OutBuf, Sz);
        // Keep the raw binary output on disk, as the sample does
        AssignFile(F, edtOutputFile.Text);
        Rewrite(F, 1);
        BlockWrite(F, OutBuf[0], Sz);
        System.CloseFile(F);

        // Base64-encode the single byte array; this text is what the web service accepts
        with TStringStream.Create(SBEncoding.Base64EncodeArray(ByteArray(OutBuf))) do
        begin
          SaveToFile('c:\B\final.txt');
          Free;
        end;

        lblOperationResult.Caption := 'The operation was completed successfully';
      end
      else
        lblOperationResult.Caption := 'Signing failed, error code ' + IntToStr(I);
    end;


And when I sign my source file, I get in final.txt exactly what I need, it works perfectly!

Thank you for your help!

Dany
#34157
Posted: 07/29/2015 17:02:31
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for the code snippet.

It may be useful for other users.