Signing XML - x509Data value

#35619
Posted: 01/20/2016 03:57:39
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Quote
Dmytro Bogatskyy wrote:
Hi,

Quote

I'm following your guide above, but still cant insert the digest inside the ID.

Did you use exactly the same code as above?
Quote
Signer.GenerateSignature()
I catch this exception :

"Reference requires a context"

Are you sure that this method throws this exception?
Because, this exception could be thrown by either Signer.UpdateReferencesDigest() or Signer.Save*() method.


Hi,

You are correct! The exception is thrown by the Signer.Save method.

Sorry for that.

Any suggestion?
#35625
Posted: 01/20/2016 05:28:59
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
You are correct! The exception is thrown by the Signer.Save method.

Did you change the new reference URI or the Id attribute of the KeyInfo element in the sample above? If so, then you need to keep them synced (URI = '#' + KeyInfo.Id).
#35695
Posted: 01/26/2016 12:34:31
by Paolo  (Standard support level)
Joined: 12/15/2015
Posts: 30

Hi Dmytro,

I'm going forward on this solution, but still blocked on 2 steps:

Both problems are on references; I've tried some solutions but I'm not so well prepared on either signing or your objects.

Here is a list, with the snippet of my code, the XML output and what I expected from the output.

Snippet :
Code
Try
    ' Load the document to be signed into the SecureBlackbox DOM (FXMLDocument)
    Dim doc_daFirmare As New XmlDocument
    Dim objReader As StreamReader
    objReader = New StreamReader(pathDocumentoDaFirmare)
    Dim strContent As String = objReader.ReadToEnd()
    Dim memoryBuffer As MemoryStream = New MemoryStream()
    doc_daFirmare.LoadXml(strContent)
    doc_daFirmare.PreserveWhitespace = True
    doc_daFirmare.Save(memoryBuffer)
    memoryBuffer.Position = 0
    FXMLDocument.LoadFromStream(memoryBuffer, "utf-8", True)
    memoryBuffer.Dispose()

    cNod = "legalAuthenticator"

    Signer = New TElXMLSigner
    xadesSigner = New TElXAdESSigner

    Signer.XAdESProcessor = xadesSigner

    ' Enveloped reference covering the whole document
    Dim ref1 As TElXMLReference = New TElXMLReference
    ref1.TransformChain.Add(New TElXMLEnvelopedSignatureTransform)
    ref1.URI = "#xpointer(/)"
    ref1.ID = "rootReference"
    ref1.URINode = FXMLDocument.DocumentElement.FindNode(cNod)
    ref1.DigestMethod = SBXMLSec.Unit.xsmRSA_SHA256
    Signer.References.Add(ref1)

    ' KeyInfo with the signing certificate (X509Data/X509Certificate only)
    If sicurezza.certificatoFirma_SB.PrivateKeyExists Then
        X509KeyData = New TElXMLKeyInfoX509Data(True)
        X509KeyData.Certificate = sicurezza.certificatoFirma_SB
        X509KeyData.IncludeDataParams = SBXMLSec.Unit.xkidX509Certificate
        X509KeyData.IncludeKeyValue = False
        Signer.Signature.KeyInfo.ID = "#idKeyInfo"
        Signer.KeyData = X509KeyData
    End If

    Signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmCanonComment_v1_1
    Signer.SignatureMethodType = SBXMLSec.Unit.xmtSig
    Signer.SignatureType = SBXMLSec.Unit.xstEnveloped
    Signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA256

    Signer.IncludeKey = True

    Signer.UpdateReferencesDigest()

    ' XAdES-BES qualifying properties
    xadesSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_3_2
    xadesSigner.SigningTime = DateTime.UtcNow
    xadesSigner.SigningCertificatesDigestMethod = SBXMLSec.Unit.xdmSHA256

    '2 = XADES_BES
    xadesSigner.Generate(SBXMLAdES.Unit.XAdES_v1_3_2)

    Signer.XAdESProcessor = xadesSigner

    Signer.GenerateSignature()

    Signer.Signature.SignaturePrefix = "#default"

    legalAuthenticator = FXMLDocument.DocumentElement.FindNode(cNod)

    assignedEntityXML = FXMLDocument.DocumentElement.FindNode("assignedEntity", True)

    Signer.Save(legalAuthenticator)

    ' Move the Signature element so that it precedes assignedEntity
    Dim signatureElement As TElXMLDOMElement = Signer.Signature.XMLElement

    Dim newSignatureElement As TElXMLDOMElement = signatureElement.CloneNode(True)

    signatureElement.ParentNode.InsertBefore(newSignatureElement, assignedEntityXML)

    signatureElement.ParentNode.RemoveChild(signatureElement)

    FXMLDocument.SaveToFile(pathDocumentoFirmato)

    ' Verify the signature just produced
    Dim xmlVerifier As TElXMLVerifier = New TElXMLVerifier

    xmlVerifier.Load(newSignatureElement)

    Dim resultSignature As Boolean

    resultSignature = xmlVerifier.ValidateSignature()

    Debug.Print(IIf(resultSignature, "Signature OK", "Signature KO"))

    xmlVerifier.KeyData = X509KeyData

    resultSignature = xmlVerifier.ValidateSignature()

    Debug.Print(IIf(resultSignature, "Signature OK with X509KeyData", "Signature KO with X509KeyData"))

    ' Validate each reference separately
    Dim xmlReferences As TElXMLReferenceList
    Dim singleReference As TElXMLReference
    Dim resultVerifyRefs As Boolean

    xmlReferences = xmlVerifier.References

    For x = 0 To xmlReferences.Count - 1
        singleReference = xmlReferences.Reference(x)
        If Not singleReference Is Nothing Then
            resultVerifyRefs = xmlVerifier.ValidateReference(singleReference)
            Debug.Print(IIf(resultVerifyRefs, "Signature Reference OK " & singleReference.URI, "Signature Reference KO " & singleReference.URI))
        End If
    Next

Catch ex As Exception
    If Not ex Is Nothing Then
        log.Error("Si è verificato un errore in FirmaDocumento_SB: " & ex.Message)
        errors.SetErrors("Si è verificato un errore in FirmaDocumento_SB: " & ex.Message)
        Debug.Print("Si è verificato un errore in FirmaDocumento_SB: " & ex.Message)
    End If
Finally
    FXMLDocument = Nothing
    Signer = Nothing
    xadesSigner = Nothing
    X509KeyData = Nothing
End Try


Here is what the code above outputs:
Code
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2129254997">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <Reference ID="rootReference" URI="#xpointer(/)">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>C1E2v7TPcP//5ntBYpj4me1iW4dPpxD5sFg3oI2vaek=</DigestValue>
    </Reference>
    <Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties-326013566">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>nMgOrzLoKtlI2Sto5GCZlmfVpbU=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MrR8..</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>MIIE5TCC...</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object>
    <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature-2129254997">
      <SignedProperties Id="SignedProperties-326013566">
        <SignedSignatureProperties>
          <SigningTime>2016-01-26T17:06:29.361Z</SigningTime>
          <SignaturePolicyIdentifier>
            <SignaturePolicyImplied/>
          </SignaturePolicyIdentifier>
        </SignedSignatureProperties>
      </SignedProperties>
    </QualifyingProperties>
  </Object>
</Signature>


On the #SignedProperties Reference, set by xadesSigner, I have to set the sha256 digestMethod instead of sha1, but it seems that the code above can't do it (I'm pretty sure I wrote the correct code, following some other forum posts and the FAQ).

After that, the #xpointer(/) Reference isn't validated with the Reference validator.

Finally, this is my goal:

Code
<Signature Id="xmldsig-fcea150a-756a-4c6c-8d84-7b4dba0edd33" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <Reference Id="xmldsig-0f2d8b6e-dfd9-4337-93b5-1e9d962d1516" URI="#xpointer(/)">
      <Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
    <Reference Id="xmldsig-96e21a1f-8bfe-4019-9a91-703353f6f680" URI="#idKeyInfo">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>ZhSpFkc=…</DigestValue>
    </Reference>
    <Reference Id="xmldsig-32d7165f-dc21-4a0f-9e3e-57f69785e873" URI="#idSignedProperties" Type="http://uri.etsi.org/01903#SignedProperties">
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <DigestValue>TKsaJT5p=…</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo Id="#idKeyInfo">
    <X509Data>
      <X509Certificate>MIICXTCCA..</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object Id="idObject">
    <QualifyingProperties Target="#xmldsig-fcea150a-756a-4c6c-8d84-7b4dba0edd33" xmlns="http://uri.etsi.org/01903/v1.3.2#">
      <SignedProperties Id="idSignedProperties" xmlns:voc="urn:hl7-org:v3/voc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <SignedSignatureProperties>
          <SigningTime>2008-07-08T17:20:30Z</SigningTime>
        </SignedSignatureProperties>
      </SignedProperties>
    </QualifyingProperties>
  </Object>
</Signature>


Hope you have some tips or something, because I've been stuck on it for too long now.

Thanks for the help.

Sincerely
Paolo
#35697
Posted: 01/26/2016 13:08:20
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote

Here is a list, with the snippet of my code, the XML output and what I expected from the output.

As per the Support Policy this service (analysis and fixing of your code) requires Premium support level. Premium support is included with the purchased license (for 3 or 12 months, as purchased). Also we offer short-term (3 months) Premium support available for purchase separately from product licenses. Within Premium support we offer extended support services that cover diagnostics of errors that happen with third-party software and diagnostics of errors in your code. Premium support package can be ordered on https://www.eldos.com/support/calc.php
Quote
On the #SignedProperties Reference, set by xadesSigner, I have to set the sha256 digestMethod instead of sha1, but it seems that the code above can't do it (I'm pretty sure I wrote the correct code, following some other forum posts and the FAQ).

If you need to change digest method for the reference pointing to SignedProperties element then please refer to this message: https://www.eldos.com/forum/read.php?F...ssage20570
Quote

After that, the #xpointer(/) Reference isn't validated with the Reference validator.

This kind of reference URI is not resolved automatically by the TElXMLVerifier class or the sample application. So, after loading the signature into the TElXMLVerifier class you'll need to traverse all references and set the corresponding TElXMLReference.URIData/URINode/URIStream properties based on their URI property to resolve it.
For the sample code please check the XMLBlackbox\Signer or AdvancedSigner samples, or check this message https://www.eldos.com/forum/read.php?F...ssage35378
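Both of Dmytro's answers in this thread (keep the Reference URI equal to '#' plus the KeyInfo Id, and give each Reference a context node before validating it) come down to one mechanism: the verifier maps every Reference URI to a node, applies the transforms, re-computes the digest named by DigestMethod and compares it with DigestValue. The Python below is an added example written for this thread, not SecureBlackbox or EldoS code, and models that loop with the standard library only. Assumptions: HMAC-SHA256 with a constructed key stands in for the certificate-based rsa-sha256, Python's C14N 2.0 canonicalize() stands in for the C14N 1.1 used in the thread, the sample document, element Ids and signing time are constructed, and '#xpointer(/)' is treated as the root element with comments ignored.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # stand-in for the thread's rsa-sha256
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"       # DigestMethod on the thread's first SignedProperties reference
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"    # DigestMethod the thread's goal output uses everywhere
DIGEST_ALGORITHMS = {SHA1_URI: hashlib.sha1, SHA256_URI: hashlib.sha256}

# Constructed sample document and key (element names borrowed from the thread's HL7 document)
SAMPLE_XML = """<ClinicalDocument>
  <legalAuthenticator>
    <assignedEntity><id extension="42"/></assignedEntity>
  </legalAuthenticator>
</ClinicalDocument>"""
SAMPLE_KEY = b"constructed-demo-hmac-key"

class ReferenceContextError(Exception):
    """URI maps to no node, so there is nothing to digest: 'reference requires a context'."""

def _q(name):
    return f"{{{DSIG_NS}}}{name}"

def c14n(node):
    # Python ships C14N 2.0 (the thread uses C14N 1.1); signer and verifier share this routine.
    node = copy.deepcopy(node)
    node.tail = None  # drop tail text so a subtree serialises as a standalone document
    return ET.canonicalize(ET.tostring(node, encoding="unicode"))

def strip_signatures(node):
    """Enveloped-signature transform: remove every ds:Signature subtree from a copy."""
    node = copy.deepcopy(node)
    doomed = [(p, c) for p in node.iter() for c in p if c.tag == _q("Signature")]
    for parent, child in doomed:
        parent.remove(child)
    return node

def resolve_reference(root, uri):
    """URI -> context node (what assigning URINode does): whole document or element with Id."""
    if uri in ("", "#xpointer(/)"):
        return root
    if uri.startswith("#"):
        for node in root.iter():
            if node.get("Id") == uri[1:]:
                return node
    raise ReferenceContextError(f"no node for URI {uri!r}: reference requires a context")

def reference_digest(root, uri, digest_uri, enveloped):
    node = resolve_reference(root, uri)
    if enveloped:
        node = strip_signatures(node)
    hasher = DIGEST_ALGORITHMS[digest_uri]  # KeyError means an unsupported DigestMethod
    return base64.b64encode(hasher(c14n(node).encode()).digest()).decode()

def sign_document(root, container, references, key, key_info_id="idKeyInfo"):
    """references: [(uri, digest_uri, enveloped)]. The Signature is inserted before digesting."""
    sig = ET.Element(_q("Signature"), Id="Signature-1")
    signed_info = ET.SubElement(sig, _q("SignedInfo"))
    ET.SubElement(signed_info, _q("CanonicalizationMethod"), Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(signed_info, _q("SignatureMethod"), Algorithm=HMAC_SHA256)
    sig_value = ET.SubElement(sig, _q("SignatureValue"))
    ET.SubElement(sig, _q("KeyInfo"), Id=key_info_id)  # the thread's rule: URI must equal '#' + this Id
    props = ET.SubElement(ET.SubElement(sig, _q("Object")), "SignedProperties", Id="idSignedProperties")
    ET.SubElement(props, "SigningTime").text = "2016-01-26T17:06:29Z"  # constructed
    container.insert(0, sig)  # enveloped: the Signature lives inside the document it covers
    for uri, digest_uri, enveloped in references:
        ref = ET.SubElement(signed_info, _q("Reference"), URI=uri)
        if enveloped:
            ET.SubElement(ET.SubElement(ref, _q("Transforms")), _q("Transform"), Algorithm=ENVELOPED)
        ET.SubElement(ref, _q("DigestMethod"), Algorithm=digest_uri)
        ET.SubElement(ref, _q("DigestValue")).text = reference_digest(root, uri, digest_uri, enveloped)
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    sig_value.text = base64.b64encode(mac).decode()
    return sig

def verify_document(root, key):
    """The thread's loop: resolve and check each Reference, then check SignatureValue."""
    sig = root.find(f".//{_q('Signature')}")
    signed_info = sig.find(_q("SignedInfo"))
    results = {}
    for ref in signed_info.findall(_q("Reference")):
        uri = ref.get("URI", "")
        digest_uri = ref.find(_q("DigestMethod")).get("Algorithm")
        enveloped = any(t.get("Algorithm") == ENVELOPED for t in ref.iter(_q("Transform")))
        try:
            results[uri] = reference_digest(root, uri, digest_uri, enveloped) == ref.find(_q("DigestValue")).text
        except ReferenceContextError:
            results[uri] = False  # unresolved reference: the verifier has nothing to digest
    mac = hmac.new(key, c14n(signed_info).encode(), hashlib.sha256).digest()
    signature_ok = hmac.compare_digest(base64.b64encode(mac).decode(), sig.find(_q("SignatureValue")).text)
    return results, signature_ok

def demo(key_info_id="idKeyInfo", digest_uri=SHA256_URI, tamper=False):
    """Sign the sample, round-trip it through text (as if saved and reloaded), then verify."""
    root = ET.fromstring(SAMPLE_XML)
    refs = [("#xpointer(/)", digest_uri, True), ("#idKeyInfo", digest_uri, False), ("#idSignedProperties", digest_uri, False)]
    sign_document(root, root.find("legalAuthenticator"), refs, SAMPLE_KEY, key_info_id)
    root = ET.fromstring(ET.tostring(root))
    if tamper:
        root.find(".//assignedEntity/id").set("extension", "43")
    return verify_document(root, SAMPLE_KEY)
```

demo() returns every reference as valid together with a valid signature, and the same holds with digest_uri=SHA1_URI, because the DigestMethod URI only selects the hash function. demo(tamper=True) fails only the enveloped '#xpointer(/)' reference while the signature over SignedInfo still checks out, which is why references must be validated one by one as in Paolo's loop. demo(key_info_id="#idKeyInfo") reproduces the mismatch in the posted code (KeyInfo.ID set to "#idKeyInfo" while the URI is also "#idKeyInfo"): the '#idKeyInfo' reference cannot be resolved, and signing stops with ReferenceContextError at the same point the thread's Signer.Save reports "Reference requires a context".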
