EldoS | Feel safer!


Problem with SigningCertificate/.../X509IssuerName format

#36286
Posted: 03/23/2016 15:24:42
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Hello,

I have a problem trying to verify an XML XAdES signature (generated with the EldoS C++ library) with a third-party validator. When I generate the signature I get this node in the XML:

...
<ds:X509IssuerName>CN=AC Camerfirma Certificados Camerales, O=AC Camerfirma SA, 2.5.4.5=A82743287, L=Madrid (see current address at www.camerfirma.com/address), E=ac_camerfirma_cc@camerfirma.com, C=ES</ds:X509IssuerName>
...

But when I generate the signature with a third-party platform I get this one:

...
<ds:X509IssuerName>CN=AC Camerfirma Certificados Camerales,O=AC Camerfirma SA,2.5.4.5=\#1309413832373433323837,L=Madrid (see current address at www.camerfirma.com/address),1.2.840.113549.1.9.1=\#161f...6f6d,C=ES</ds:X509IssuerName>
...

I am pretty sure that the problem is in this node because if I use another certificate without OIDs, I can successfully verify the signature.

Can I change the X509IssuerName element to a custom generation format for these OIDs?

Thanks in advance.
#36287
Posted: 03/23/2016 15:40:15
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us,

Quote
I am pretty sure that the problem is in this node because if I use another certificate without OIDs, I can successfully verify the signature.

If you need to unmap some specific OID descriptor from its string representation, then you would need to use the global instance RDNDescriptorMap from the SBXMLSec unit, which controls generation of the RDN string, for example:
Code
RDNDescriptorMap.ClearOID(SB_CERT_OID_EMAIL);

Place this code before loading a document, or in the initialization section.
#36289
Posted: 03/23/2016 15:51:31
by Eugene Mayevski (EldoS Corp.)

Also I’ve noticed there is no Support Access Ticket linked to your user account on EldoS site. Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase.

If you are evaluating the product and don't have a license yet, please let us know and then you can have support according to the Basic support level. The Basic support level includes answering basic technical questions that appear during the product evaluation period. We also offer Premium support for purchase from https://www.eldos.com/support/calc.php . You can use Premium Support to get a higher level of assistance during your evaluation of our products.


Sincerely yours
Eugene Mayevski
#36290
Posted: 03/23/2016 15:57:09
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Thank you very much. Yes, I am evaluating the C++ library.

I could not find a C++ example for RDNDescriptorMap in the samples directory. Could you show me how I can access this method in C++?

Best regards
Luis
#36291
Posted: 03/23/2016 16:02:38
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Maybe this way??

TElXMLDescriptorMap DescriptorMap(RDNDescriptorMap(), false);
#36292
Posted: 03/23/2016 16:05:31
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
I could not find a C++ example for RDNDescriptorMap in the samples directory. Could you show me how I can access this method in C++?

In C++ this is not a variable but a function that returns a handle to the class instance; sample code:
Code
TElXMLDescriptorMap Map (RDNDescriptorMap(), false);
Map.ClearOID(..);

Also, please see this article:
https://www.eldos.com/documentation/sb...l_cpp.html
#36295
Posted: 03/23/2016 16:33:18
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

I think that this is not what I need. I have initialized it clearing all OIDs and I got this:

<ds:X509IssuerName>2.5.4.3=AC Camerfirma Certificados Camerales, 2.5.4.10=AC Camerfirma SA, 2.5.4.5=A82743287, 2.5.4.7=Madrid (see current address at www.camerfirma.com/address), 1.2.840.113549.1.9.1=ac_camerfirma_cc@camerfirma.com, 2.5.4.6=ES</ds:X509IssuerName>

So this feature changes the left side of each RDN pair, but I need to change the right side, i.e. change this:

2.5.4.5=A82743287

for this one:

2.5.4.5=\#1309413832373433323837

I need to format the right side as the hexadecimal string of the ASN.1 representation of "A82743287". I can check a couple of third-party DN generators and they generate DNs this way. Can I change this behavior in EldoS C++?
#36296
Posted: 03/23/2016 17:16:49
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
So this feature changes the left side of each RDN pair, but I need to change the right side, i.e. change this:

2.5.4.5=A82743287

for this one:

2.5.4.5=\#1309413832373433323837

It seems that the hexadecimal value is converted to a big integer value here. It is not standard behaviour for formatting an RDN string. The only possible solution is to implement a TElXMLSigner.OnFormatText event handler to replace the text for this particular element. Please see the ConsoleSigner sample for its implementation; there you would need to filter and replace the Text based on the Path parameter.
#36297
Posted: 03/23/2016 17:27:08
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Ok, thanks. I will try to implement it and send you some feedback. I will find info about this RDN format, because if you are right, other third party generators are doing something wrong.

Best Regards
#36299
Posted: 03/23/2016 17:39:06
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I will find info about this RDN format, because if you are right, other third party generators are doing something wrong.

It would be great. I think this is a service-specific feature.
From XML-DSig standard:
Quote
The X509IssuerSerial element, which contains an X.509 issuer distinguished name/serial number pair. The distinguished name SHOULD be represented as a string that complies with section 3 of RFC4514 [LDAP-DN], to be generated according to the Distinguished Name Encoding Rules section below,
...
To encode a distinguished name (X509IssuerSerial,X509SubjectName, and KeyName if appropriate), the encoding rules in section 2 of RFC 4514 [LDAP-DN] SHOULD be applied, except that the character escaping rules in section 2.4 of RFC 4514 [LDAP-DN] MAY be augmented as follows:

Escape all occurrences of ASCII control characters (Unicode range \x00 - \x1f) by replacing them with "\" followed by a two digit hex number showing its Unicode number.
Escape any trailing space characters (Unicode \x20) by replacing them with "\20", instead of using the escape sequence "\ ".
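The `#` form in the thread is the RFC 4514 section 2.4 hexstring encoding of the attribute value: `#1309413832373433323837` is `#` followed by the hex of the DER PrintableString (tag 0x13, length 9) holding "A82743287", and `#161f...` is an IA5String (tag 0x16) of 31 bytes holding the e-mail address. The following added example (not code from the thread or from the EldoS library) encodes a value into that form, decodes it back, and compares two RDN values by what they denote rather than by their text, which is the check a validator needs when one side emits plain strings and the other emits hex.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Universal ASN.1 string tags commonly seen in RDN attribute values.
enum : uint8_t { TAG_UTF8_STRING = 0x0c, TAG_PRINTABLE_STRING = 0x13, TAG_IA5_STRING = 0x16 };

// RFC 4514 section 2.4 "#hexstring" form: '#' followed by the hex of the BER
// encoding (tag, length, content). Short-form length only, so values <= 127 bytes.
std::string rdnHexValue(uint8_t tag, const std::string& value) {
    if (value.size() > 127) throw std::invalid_argument("long-form length not supported");
    std::vector<uint8_t> der{tag, static_cast<uint8_t>(value.size())};
    der.insert(der.end(), value.begin(), value.end());
    std::string out = "#";
    char buf[3];
    for (uint8_t b : der) { std::snprintf(buf, sizeof buf, "%02x", b); out += buf; }
    return out;
}

// Inverse: accept "#hex" or the "\#hex" spelling shown in the thread, return the
// content bytes and report the tag. Throws on malformed input.
std::string rdnHexDecode(const std::string& hexForm, uint8_t& tag) {
    size_t pos = hexForm.rfind("\\#", 0) == 0 ? 2 : (hexForm.rfind("#", 0) == 0 ? 1 : 0);
    if (pos == 0) throw std::invalid_argument("not a #hexstring value");
    const std::string hex = hexForm.substr(pos);
    if (hex.size() < 4 || hex.size() % 2 != 0) throw std::invalid_argument("bad hex length");
    std::vector<uint8_t> der;
    for (size_t i = 0; i < hex.size(); i += 2) {
        if (!std::isxdigit(static_cast<unsigned char>(hex[i])) ||
            !std::isxdigit(static_cast<unsigned char>(hex[i + 1]))) throw std::invalid_argument("bad hex digit");
        der.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    }
    tag = der[0];
    if ((der[1] & 0x80) || der[1] != der.size() - 2) throw std::invalid_argument("length mismatch");
    return std::string(der.begin() + 2, der.end());
}

// Compare two RDN attribute values as the value they denote, not as text: decode
// any hex form first. Malformed input compares unequal instead of throwing.
bool rdnValuesEqual(const std::string& a, const std::string& b) {
    auto plain = [](const std::string& v) {
        uint8_t tag;
        return (v.rfind("#", 0) == 0 || v.rfind("\\#", 0) == 0) ? rdnHexDecode(v, tag) : v;
    };
    try { return plain(a) == plain(b); } catch (const std::exception&) { return false; }
}
```

The tag is not recoverable from the plain-string side, so the comparison only confirms the content bytes match; a validator that must match the issuer exactly should compare the DER-encoded issuer names from the certificates instead.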
