Upgrade from XAdES-T to XAdES-A

#35360
Posted: 01/04/2016 07:54:52
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi!

We have purchased HttpClient and XML packages from SecureBlackBox, and I'm trying to sign with XAdES-A level.

At the moment I can sign at the XAdES-T level without any problem following the "Implementing XAdES signing of data using SecureBlackbox" tutorial, but when I try to sign at the next level (XAdES-C), I include the line: TSBXAdESValidity Validity = XAdESSigner.AddValidationDataRefs();

When this line is executed, I receive this message: "QualifyingProperties object not found (or signature is not calculated)"

This is my code:
Code
Dim Ref As New TElXMLReference
Ref.TransformChain.Add(New TElXMLEnvelopedSignatureTransform)
Ref.URI = ""
Ref.URINode = SigNode
Signer.References.Add(Ref)

' Setup Signer options.
' For example, using default ones: enveloped signature, RSA-SHA1 signature method and etc.

' Setup signer key data
Signer.KeyData = keyInfo


' calculate digest value for references
Signer.UpdateReferencesDigest()

' Filling XAdES info
' Setting XAdES version
XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_4_1

'XAdESSigner.AddCounterSignature(Signer)

XAdESSigner.PolicyId.SigPolicyHash.DigestMethod = SBXMLSec.Unit.DigestMethodToURI(SBXMLSec.Unit.xdmSHA1)
XAdESSigner.PolicyId.SigPolicyHash.DigestValue = SBXMLSec.Unit.CalculateDigest(crtIns.CertificateBinary, SBXMLSec.Unit.xdmSHA1)

' Place a code to setup Signed properties and Timestamp client
' [XAdES PLACE #1]
' setting up production place
XAdESSigner.Included = SBXMLAdESIntf.Unit.xipProductionPlace
XAdESSigner.ProductionPlace.City = "EL ESPINAR"
XAdESSigner.ProductionPlace.StateOrProvince = "SEGOVIA"
XAdESSigner.ProductionPlace.PostalCode = "40100"
XAdESSigner.ProductionPlace.CountryName = "SPAIN"

' adding claimed roles as text
XAdESSigner.Included = XAdESSigner.Included Or SBXMLAdESIntf.Unit.xipSignerRole
XAdESSigner.SignerRole.ClaimedRoles.AddText(XAdESSigner.XAdESVersion, doc, "Programmers")


'Set signing certificate
Dim signingCertList As New TElXMLCertIDList

signingCertList.AddCertificate(crtIns, SBXMLAdES.Unit.XAdES_C)

Dim signedSigProp As New TElXMLSignedSignatureProperties(SBXMLAdES.Unit.XAdES_C)

signedSigProp.SigningCertificate.Add(signingCertList.CertIDs(0))

Dim signedProp As New TElXMLSignedProperties(SBXMLAdES.Unit.XAdES_C)

signedProp.SignedSignatureProperties = signedSigProp

Dim qualProp As New TElXMLQualifyingProperties(SBXMLAdES.Unit.XAdES_C)

qualProp.SignedProperties = signedProp

XAdESSigner.QualifyingProperties = qualProp
' set signing time
XAdESSigner.SigningTime = DateTime.UtcNow


' Generating XAdES structure, specify desired XAdES form as parameter
XAdESSigner.Generate(SBXMLAdES.Unit.XAdES_C)

' Generating signature structure
Signer.GenerateSignature()
XAdESSigner.QualifyingProperties.SignedProperties.ID = "SignedPropertiesID"
' Creating timestamping components.

Try
    tspClient.HTTPClient = httpClient
    tspClient.URL = "http://tss.accv.es:8318/tsa"
    httpClient.SocketTimeout = 20000 '20 seconds

    ' Adding signature time-stamp
    k = XAdESSigner.AddSignatureTimestamp(tspClient)
    If k <> 0 Then
        ' use & for string concatenation; "+" with an Integer raises a cast error
        Throw New Exception("Failed to time-stamp: " & k.ToString())
    End If
Catch ex As Exception
    ' the exception is swallowed here, so a failed time-stamp is not reported
End Try
' Signing and saving signature

' Place a code to extend XAdES form immediately after signing.
' Used, for example, if you want to specify own revocation info not auto collected one.
' [XAdES PLACE #2]

Dim attCertRefs As New TElXMLCompleteCertificateRefs(SBXMLAdES.Unit.XAdES_C)

XAdESSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.AttributeCertificateRefs = attCertRefs
XAdESSigner.AddValidationDataRefs()

Signer.Save(SigNode)


If I comment this new line and change XAdES-C to XAdES-T, the file is signed without errors.

So, where is my error? Should I set more properties before?

Regards!
#35361
Posted: 01/04/2016 08:22:40
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

First of all the following code:
Code
Dim signingCertList As New TElXMLCertIDList

signingCertList.AddCertificate(crtIns, SBXMLAdES.Unit.XAdES_C)

Dim signedSigProp As New TElXMLSignedSignatureProperties(SBXMLAdES.Unit.XAdES_C)

signedSigProp.SigningCertificate.Add(signingCertList.CertIDs(0))

Dim signedProp As New TElXMLSignedProperties(SBXMLAdES.Unit.XAdES_C)

signedProp.SignedSignatureProperties = signedSigProp

Dim qualProp As New TElXMLQualifyingProperties(SBXMLAdES.Unit.XAdES_C)

qualProp.SignedProperties = signedProp

XAdESSigner.QualifyingProperties = qualProp

will not work, as it is added before the XAdESSigner.Generate(..) method, which clears the QualifyingProperties data and regenerates it based on the TElXAdESSigner properties that you have set.
To add a signing certificate, use the following code:
Code
XAdESSigner.SigningCertificates = New TElMemoryCertStorage()
XAdESSigner.OwnSigningCertificates = True
XAdESSigner.SigningCertificatesDigestMethod = SBXMLSec.Unit.xdmSHA256
XAdESSigner.SigningCertificates.Add(SigningCertificate)


Second, the code:
Code
Dim attCertRefs As New TElXMLCompleteCertificateRefs(SBXMLAdES.Unit.XAdES_C)

XAdESSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.AttributeCertificateRefs = attCertRefs
XAdESSigner.AddValidationDataRefs()

It is not needed, as you have specified the XAdES_C form to generate. In this case the component will automatically call the AddValidationDataRefs() method. If you ever need to control how the XAdES-C form is generated, then you need first to create the signature with a lower XAdES form (e.g. XAdES-T) and then call the appropriate AddValidationDataRefs/AddCompleteCertificateRefs/AddCompleteRevocationRefs/... methods.
#35362
Posted: 01/04/2016 10:24:21
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Thanks for the answer, it works but:

The TElMemoryCertStorage class is included in PKI Package which we haven't bought. Is there any problem with that?

If the answer is yes, how can I solve it with the packages we have?

Anyway, as the code you suggested works, I've upgraded to XAdES-XL, but when I include XAdESSigner.AddArchiveTimestamp(tspClient) to reach the XAdES-A level I get an error: Add ArchiveTimestamp not supported after signing completion. Use TElXAdESVerifier.AddArchiveTimestamp() method.

Why should I use the method on TElXAdESVerifier if I haven't any instance of it in my sign function? How can I solve it? I have also included the XAdESSigner.IgnoreTimestampFailure = True line, precisely, to avoid these types of errors.

Thanks a lot.

Regards!
#35368
Posted: 01/04/2016 12:20:20
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
The TElMemoryCertStorage class is included in PKI Package which we haven't bought. Is there any problem with that?

No. The TElMemoryCertStorage class is included in the Base package, which is included in all other packages.
Quote

Anyway, as the code you suggested works, I've upgraded to XAdES-XL, but when I include XAdESSigner.AddArchiveTimestamp(tspClient) to reach the XAdES-A level I get an error: Add ArchiveTimestamp not supported after signing completion. Use TElXAdESVerifier.AddArchiveTimestamp() method.

Why should I use the method on TElXAdESVerifier if I haven't any instance of it in my sign function? How can I solve it? I have also included the XAdESSigner.IgnoreTimestampFailure = True line, precisely, to avoid these types of errors.

An archive timestamp is usually added after some period of time, not immediately. So, please try to load the signature using the TElXMLVerifier/TElXAdESVerifier classes and then add the archive timestamp (prior to adding the timestamp, you would need to set the TElXMLVerifier.References[index].URIData/URINode/URIStream properties, as the archive timestamp requires them). For details, please refer to the C#\XMLBlackbox\Desktop\AdvancedSigner sample (upgrade XAdES functionality).
#35375
Posted: 01/05/2016 04:39:19
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

Thanks for the answer.

Quote

So, please try to load the signature using the TElXMLVerifier/TElXAdESVerifier classes and then add the archive timestamp (prior to adding the timestamp, you would need to set the TElXMLVerifier.References[index].URIData/URINode/URIStream properties, as the archive timestamp requires them). For details, please refer to the C#\XMLBlackbox\Desktop\AdvancedSigner sample (upgrade XAdES functionality).


I loaded the signature using TElXAdESVerifier, and I added XAdESVerifier.AddArchiveTimestampV141(tspClient), getting a "Reference requires a context" error. Then I took a long look at the AdvancedSigner sample, but I can't understand what is done with the references, if I haven't any references at this moment... sorry, but what exactly do I need to set to let me add the archive timestamp? What are URIData/URINode/URIStream if I have already set a tspClient?

Regards
#35378
Posted: 01/05/2016 05:39:45
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
I loaded the signature using TElXAdESVerifier, and I added XAdESVerifier.AddArchiveTimestampV141(tspClient), getting a "Reference requires a context" error. Then I took a long look at the AdvancedSigner sample, but I can't understand what is done with the references, if I haven't any references at this moment... sorry, but what exactly do I need to set to let me add the archive timestamp? What are URIData/URINode/URIStream if I have already set a tspClient?

As mentioned above, an archive timestamp requires that all references in the signature have a context (the data that they are referencing). So, after loading the signature into the TElXMLVerifier class you need to traverse all references and set the TElXMLReference.URIData/URINode/URIStream properties based on their URI property. The AdvancedSigner sample implements a special class (ReferenceHelper) that helps to resolve a reference based on its URI.
Here is the simple code:
Code
for (int i = 0; i < Verifier.References.Count; i++)
{
  TElXMLReference Ref = Verifier.References[i];
  if (!Ref.IsURIResolved())
  {
    if (Ref.URI == "")
      Ref.URINode = FXMLDocument.DocumentElement;
    else
    {
      string s = "";
      if (SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI, out s) && !string.IsNullOrEmpty(s))
      {
        Ref.URINode = SBXMLUtils.Unit.FindElementById(FXMLDocument.DocumentElement, s);
      }
      // else // set URIData/URIStream property if URI points to file/web resource
    }
  }
}
#35389
Posted: 01/05/2016 09:07:13
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

Sorry about my insistence.

That's my code:

Code
For i As Integer = 0 To Verifier.References.Count - 1
    Dim Ref As TElXMLReference = Verifier.References(i)
    If Not Ref.IsURIResolved() Then
        If Ref.URI = "" Then
            Ref.URINode = doc.DocumentElement
        Else
            Dim s As String = ""
            If SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI, s) AndAlso Not String.IsNullOrEmpty(s) Then
                Ref.URINode = SBXMLUtils.Unit.FindElementById(doc.DocumentElement, s)
            End If
            ' Else: set URIData/URIStream property if URI points to file/web resource
        End If
    End If
Next
XAdESVerifier.AddArchiveTimestampV141(tspClient)


And I get the same error again. Using the AdvancedSigner sample, I get no problems.

Quote
an archive timestamp requires that all references in the signature have a context (the data that they are referencing)


What is a reference? How could a reference be without context? I cannot understand it.

Regards!
#35391
Posted: 01/05/2016 09:39:42
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
What is a reference? How could a reference be without context? I cannot understand it.

Here is a sample XML of the Reference element:
Code
<Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
</Reference>

The Reference element includes the digest method and the resulting digest value calculated over the identified data object. The URI attribute of the Reference identifies the data object to be signed.
The component can resolve the URI in some cases. But in most cases you should do it yourself, as the URI could have an application-specific format.
Quote

And I get the same error again. Using the AdvancedSigner sample, I get no problems.

It is difficult to say anything without a sample signature. Please use the Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
Please check that you have set the URIData/URINode/URIStream properties for all references.
#35392
Posted: 01/05/2016 10:03:58
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi!

Let's see...

These are my references in file:
Code
<ds:Reference URI="">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>ZN6QfdaKCxq0tOsBVwxMvlFPXkM=</ds:DigestValue>
         </ds:Reference>
         <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-1841429929">
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>seurBUncOkeSX2L/aocFK/2cdp0=</ds:DigestValue>
         </ds:Reference>


The code is failing with the second one, because SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI, s) returns the value "Unable to evaluate expression" for s, so the next instruction gives me an empty URINode.

Anyway, which node is the URINode in each case?

Thanks.

Regards!
#35394
Posted: 01/05/2016 10:24:00
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
The code is failing with the second one, because SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI, s) returns the value "Unable to evaluate expression" for s, so the next instruction gives me an empty URINode.

It's strange. So, the code below fails for you?
Code
Dim t As String = ""
SBXMLUtils.Unit.ExtractIdFromLocalURI("#SignedProperties-1841429929", t)

What SecureBlackbox version are you using?
Quote

Anyway, which node is the URINode in each case?

For the first reference it is the document element; for the second reference it is the element with the Id attribute "SignedProperties-1841429929".
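The reference-resolution step that the replies above describe (#35378 and #35394), as an added Python example that is neither SecureBlackbox code nor the AdvancedSigner sample: it walks a constructed signature containing the same two reference shapes as the thread, maps an empty URI to the document element, a same-document "#id" URI to the element carrying that Id (the role ExtractIdFromLocalURI/FindElementById play in the library), and flags external URIs as ones the caller must supply data for. The sample XML, its digest values and the external URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample shaped like the thread's signature: an empty-URI (enveloped) reference,
# a "#id" reference to SignedProperties, plus an external reference. Digests are placeholders.
SAMPLE_XML = """<Invoice xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
  <ds:Signature Id="Signature-1"><ds:SignedInfo>
    <ds:Reference URI=""><ds:DigestValue>ZN6Q...</ds:DigestValue></ds:Reference>
    <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties"
      URI="#SignedProperties-1841429929"><ds:DigestValue>seur...</ds:DigestValue></ds:Reference>
    <ds:Reference URI="http://example.invalid/policy.pdf"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:Object><xades:QualifyingProperties Target="#Signature-1">
    <xades:SignedProperties Id="SignedProperties-1841429929"/>
  </xades:QualifyingProperties></ds:Object></ds:Signature>
</Invoice>"""

def extract_id_from_local_uri(uri):
    """Same-document fragment ('#foo' or "#xpointer(id('foo'))") -> 'foo'; None otherwise."""
    if not uri.startswith("#"):
        return None
    m = re.fullmatch(r"xpointer\(id\(['\"]([^'\"]+)['\"]\)\)", uri[1:])
    return m.group(1) if m else (uri[1:] or None)

def find_element_by_id(root, ident):
    """First element whose Id/id/ID attribute equals ident (the thread's references use Id)."""
    for el in root.iter():
        if any(k.split("}")[-1].lower() == "id" and v == ident for k, v in el.attrib.items()):
            return el
    return None

def resolve_references(root):
    """For each ds:Reference: (URI, context element or None, how it was resolved)."""
    out = []
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri == "":                   # enveloped signature: the whole document is the context
            out.append((uri, root, "document element"))
        elif (ident := extract_id_from_local_uri(uri)) is not None:
            el = find_element_by_id(root, ident)
            out.append((uri, el, "Id=" + ident if el is not None else "no element with Id " + ident))
        else:                           # external resource: caller must supply URIData/URIStream
            out.append((uri, None, "external, needs URIData/URIStream"))
    return out

def resolve_sample():
    return [(u, None if el is None else el.tag.split("}")[-1], how)
            for u, el, how in resolve_references(ET.fromstring(SAMPLE_XML))]
```

Calling resolve_sample() yields the document element for the empty URI, the SignedProperties element for the "#SignedProperties-1841429929" URI, and None for the external URI, which is exactly the case the "Reference requires a context" error points at.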