EldoS | Feel safer!

Signing XML - x509Data value

#35449
Posted: 01/08/2016 04:11:50
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Morning!

I'm still working on signing xml with TElXMLSigner.
All is going fine for the moment, but I have a question about TElXMLKeyInfoX509Data.

This code :

Code
Dim X509KeyData As TElXMLKeyInfoX509Data = Nothing
X509KeyData = New TElXMLKeyInfoX509Data(True)
X509KeyData.Certificate = sicurezza.certificatoFirma_SB
Signer.KeyData = X509KeyData

generates this XML (I will replace all the values of the certificate with "---")

Code
<KeyInfo>
  <KeyValue>
    <RSAKeyValue>
      <Modulus>---</Modulus>
      <Exponent>---</Exponent>
    </RSAKeyValue>
  </KeyValue>
  <X509Data>
    <X509IssuerSerial>
      <X509IssuerName>---</X509IssuerName>
      <X509SerialNumber>---</X509SerialNumber>
    </X509IssuerSerial>
    <X509SubjectName>---</X509SubjectName>
    <X509Certificate>---</X509Certificate>
  </X509Data>
</KeyInfo>


The question is: is there an option on your object to write only the value of

<X509Certificate>---</X509Certificate>

and not the other XML tags? For example, to get this result:

Code
<KeyInfo Id="idKeyInfo">
  <X509Data>
    <X509Certificate>---</X509Certificate>
  </X509Data>
</KeyInfo>


Best regards.
Paolo
#35450
Posted: 01/08/2016 04:29:13
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
The question is: is there an option on your object to write only the value of

<X509Certificate>---</X509Certificate>
and not the other XML tags?

Yes, you need to modify TElXMLKeyInfoX509Data.IncludeDataParams and IncludeKeyValue properties to match your requirements, please see: https://www.eldos.com/documentation/sb...arams.html and https://www.eldos.com/documentation/sb...value.html
For example:
Code
X509KeyInfoData.IncludeDataParams = SBXMLSec.Unit.xkidX509Certificate
X509KeyInfoData.IncludeKeyValue = false
#35542
Posted: 01/14/2016 04:50:08
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi, thanks Dmytro, your solution is perfect.

I have another question, again on the XML signer.

I need to sign a specific xmlDomNode, which already has 3 child nodes. I have to insert the signer after the second child and before the third.

Is there an option on the signer to do this? I see that .Save inserts the signature after the third child.

Thanks for the help.

Sincerely
Paolo
#35543
Posted: 01/14/2016 04:54:39
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
I need to sign a specific xmlDomNode, which already has 3 child nodes. I have to insert the signer after the second child and before the third.

The enveloped signature is always saved as the last node of the parent node, but you can freely "move" the signature under the same parent.
Sample code:
Code
...
xmlSigner.Save(...);

TElXMLDOMElement SignatureElement = xmlSigner.Signature.XMLElement;
TElXMLDOMElement NewSignatureElement =  SignatureElement.CloneNode(true);
SignatureElement.ParentNode.InsertBefore(NewSignatureElement, Element2);
SignatureElement.ParentNode.RemoveChild(SignatureElement);
#35552
Posted: 01/14/2016 10:23:54
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi, your solution suits perfectly!

I have another question, regarding the signatureVerify.

I have also added a verifier for the signature and one for the references.

The signature's verify is ok, returning true.

The references' verify is ok for 2 of 3 references.

This is the portion of the XML where the references are:

Code
<Reference Id="rootReference" URI="#xpointer(/)">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <DigestValue>qno173+HRCkeiarw371RdlUJTvMiIg9xvtnVZbD3cso=</DigestValue>
</Reference>
<Reference Id="idSignedPropertiesReference" URI="#idSignedProperties">
  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <DigestValue>tsSnMwLyaGPp7RjnZpZ6SYGSs8uIi0l7QCoekUqyYPU=</DigestValue>
</Reference>
<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#idSignedProperties">
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>djIw22ol5o3xegDXWKVyZDn626E=</DigestValue>
</Reference>


The validation returns false on the first one:
Code
<Reference Id="rootReference" URI="#xpointer(/)">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <DigestValue>qno173+HRCkeiarw371RdlUJTvMiIg9xvtnVZbD3cso=</DigestValue>
</Reference>


Do you have any suggestion? Or do you need to know something more?

Sincerely
#35560
Posted: 01/14/2016 12:50:08
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote

<Reference Id="rootReference" URI="#xpointer(/)">
The validation returns false on the first one

The TElXMLVerifier component and the sample could not resolve this URI automatically. So, after loading the signature into TElXMLVerifier class you need to traverse all references and set TElXMLReference.URIData/URINode/URIStream properties based on their URI property. For the sample code please see this message https://www.eldos.com/forum/read.php?F...ssage35378
Quote
<Reference Id="idSignedPropertiesReference" URI="#idSignedProperties">
<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#idSignedProperties">

Why do you need two references that point to the same data?
If you need to change the digest method for auto generated reference, then please see this message: https://www.eldos.com/forum/read.php?F...ssage20570
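A verifier-side illustration of the two points above (moving the enveloped signature under the same parent, and resolving Reference URIs the library cannot dereference on its own), as an added example that is not EldoS/SecureBlackbox code: it maps the URIs seen in this thread ("#xpointer(/)" with the enveloped-signature transform, and "#id") to the node they cover, the way TElXMLReference.URINode must be set by hand here, and recomputes each DigestValue with the standard library's C14N. The function names, the toy signer and the sample document are my own assumptions, constructed so the check runs offline.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

def dereference(root, uri):
    """Empty URI and "#xpointer(/)" select the whole document; "#id" the element with that Id."""
    if uri in ("", "#xpointer(/)"):
        return root
    if uri.startswith("#"):
        for el in root.iter():
            if el.get("Id") == uri[1:]:
                return el
    raise ValueError("unresolvable Reference URI: %r" % uri)

def digest_value(node, transforms=()):
    """Enveloped-signature transform (if listed), inclusive C14N, SHA-256, base64."""
    node = ET.fromstring(ET.tostring(node))  # work on a copy, never mutate the document
    if ENVELOPED in transforms:
        for parent in list(node.iter()):
            for sig in parent.findall(DS + "Signature"):
                parent.remove(sig)
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def check_references(root):
    """Return {URI: digest matches} for every ds:Reference found in the document."""
    result = {}
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        transforms = [t.get("Algorithm") for t in ref.iter(DS + "Transform")]
        expected = (ref.findtext(DS + "DigestValue") or "").strip()
        result[uri] = digest_value(dereference(root, uri), transforms) == expected
    return result

def sign_document(root, refs):
    """Toy signer (constructed): append a ds:Signature whose DigestValues follow the
    rules above; no SignatureValue, the Reference handling is the point."""
    sig = ET.SubElement(root, DS + "Signature")
    info = ET.SubElement(sig, DS + "SignedInfo")
    for uri, transforms in refs:
        ref = ET.SubElement(info, DS + "Reference", URI=uri)
        if transforms:
            ts = ET.SubElement(ref, DS + "Transforms")
            for alg in transforms:
                ET.SubElement(ts, DS + "Transform", Algorithm=alg)
        ET.SubElement(ref, DS + "DigestValue").text = digest_value(dereference(root, uri), transforms)
    return sig
```

Sign a constructed document, then run check_references before and after moving the ds:Signature among its siblings: the "#xpointer(/)" digest stays valid because the enveloped-signature transform drops the Signature element before hashing, while editing any other node breaks it.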
#35561
Posted: 01/14/2016 13:02:24
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Related to the problem above, I have to insert "xmldsig-" inside the Id of every reference, like this:

Code
<Reference Id="xmldsig-96e21a1f-8bfe-4019-9a91-703353f6f680" URI="#idKeyInfo">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>ZhSpFkc=…</DigestValue>
</Reference>


Is there an automatic function to do this?
#35562
Posted: 01/14/2016 13:27:39
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
Related to the problem above, I have to insert "xmldsig-" inside the Id of every reference, like this:

Please refer to this article http://www.eldos.com/security/articles/6094.php

Or, use the following code:
Code
Signer.UpdateReferencesDigest();
...
// add the reference after the UpdateReferencesDigest call, otherwise an exception will be thrown
TElXMLReference Ref2 = new TElXMLReference();
Ref2.URI = "#KeyInfo1";
// Ref2.URINode = // leave this unset: the node will be located in the Save method after it has been generated and added to the XML document. This is done automatically for all elements under the Signature element.
Signer.References.Add(Ref2);
...
Signer.GenerateSignature(); // this method generates the Signature structure, which can be modified via the Signer.Signature property
...
Signer.Signature.KeyInfo.ID = "KeyInfo1"; // set an Id for the KeyInfo element
#35579
Posted: 01/15/2016 11:04:31
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi Dmytro, I still have a problem with signing References.

I'm following your guide above, but still can't insert the digest inside the ID.

I have, as you see in the XML sample, 3 references to add.

I have added them one by one to the signer's object with

Code
Signer.References.Add(ref3)


but when I try to sign with

Code
Signer.GenerateSignature()


I catch this exception:

"Reference requires a context"

What am I still missing?

Thanks
Sincerely
#35585
Posted: 01/15/2016 12:40:25
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote

I'm following your guide above, but still can't insert the digest inside the ID.

Did you use exactly the same code as above?
Quote
Signer.GenerateSignature()
I catch this exception:

"Reference requires a context"

Are you sure that this method throws this exception?
Because this exception could be thrown by either the Signer.UpdateReferencesDigest() or the Signer.Save*() method.