Problem with SigningCertificate/.../X509IssuerName format

#36300
Posted: 03/23/2016 18:03:41
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

I have found this in xmldsig:

Quote
4.4.4.1 Distinguished Name Encoding Rules
To encode a distinguished name (X509IssuerSerial,X509SubjectName, and KeyName if appropriate), the encoding rules in section 2 of RFC 4514 [LDAP-DN] SHOULD be applied, except that the character escaping rules in section 2.4 of RFC 4514 [LDAP-DN] MAY be augmented as follows:


And in RFC4514:

Quote
2.4. Converting an AttributeValue from ASN.1 to a String

If the AttributeType is of the dotted-decimal form, the
AttributeValue is represented by an number sign ('#' U+0023)
character followed by the hexadecimal encoding of each of the octets
of the BER encoding of the X.500 AttributeValue.


So 2.5.4.5=\#1309413832373433323837 could be the correct form, because 1309413832373433323837 is the hex BER encoding of PrintableString(A82743287).

Quote
The only possible solution is to implement TElXMLSigner.OnFormatText event


About this solution, I would need the ASN.1 value of the Issuer certificate, so I can get the #1309413832373433323837 value, but TElX509Certificate doesn't have a method to access this info, does it?

BR
#36301
Posted: 03/23/2016 18:12:21
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Quote
About this solution, I would need the ASN.1 value of the Issuer certificate, so I can get the #1309413832373433323837 value, but TElX509Certificate doesn't have a method to access this info, does it?


Sorry, I think TElRelativeDistinguishedName could do the job!
#36302
Posted: 03/23/2016 18:37:57
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

Quote
The only possible solution is to implement TElXMLSigner.OnFormatText event


This event is fired when the Save method is executed, but I have to change the IssuerSerial value before the signature is generated, don't I?
#36308
Posted: 03/24/2016 05:50:15
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
And in RFC4514:
2.4. ...

Thank you for pointing this out. We will recheck this.
Quote

This event is fired when the Save method is executed, but I have to change the IssuerSerial value before the signature is generated, don't I?

The Save() method saves the signature into the XML document and fires the OnFormatElement and OnFormatText event handlers, and only after that does it sign (calculate SignatureValue).
#36309
Posted: 03/24/2016 06:49:18
by Luis Pardo (Basic support level)
Joined: 03/23/2016
Posts: 17

OK, Thanks again.

Yesterday I tried another way using TElRelativeDistinguishedName:

Code
// Take the first CertID under SigningCertificate and rebuild its IssuerRDN from a DN string
TElXMLCertIDList* certIdList = XAdESSigner.get_QualifyingProperties()->get_SignedProperties()->get_SignedSignatureProperties()->get_SigningCertificate();
if (certIdList->get_Count() > 0) {
    TElXMLCertID* certId = certIdList->get_CertIDs(0);
    TElRelativeDistinguishedName* dn = certId->get_IssuerSerial()->get_IssuerRDN();
    dn->Clear();
    // "\\#" keeps a literal backslash before '#' (a bare "\#" is not a valid C++ escape sequence)
    std::string s("CN=AC Camerfirma Certificados Camerales/O=AC Camerfirma SA/2.5.4.5=\\#1309413832373433323837/L=Madrid (see current address at www.camerfirma.com/address),1.2.840.113549.1.9.1=\\#161f...6f6d/C=ES");
    dn->LoadFromDNString(s, true);
}


It doesn't work because I have a "/" char in the DN, but if I set every DN element with its value I think that it would be possible.

BS
Luis
#36310
Posted: 03/24/2016 07:37:47
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
I try another way using TElRelativeDistinguishedName:
dn->Clear();

You can try not to clear the RDN value, but simply traverse it using the Count and OIDs properties, and then replace the value for the desired OID using the Values property (see: https://www.eldos.com/documentation/sb...dname.html ; you may also need the OIDToStr() and StrToOID() functions for this).
#37744
Posted: 09/19/2016 07:41:14
by Carlos Mora (Basic support level)
Joined: 09/19/2016
Posts: 1
Hi,

The software that we use to sign an XML with XAdES-EPES, SecureBlackBox, has a known issue, already reported in this thread, in the X509IssuerName format: it doesn't convert the string representation to the hex BER encoding.

Quote
So 2.5.4.5=\#1309413832373433323837 could be the correct form, because 1309413832373433323837 is the hex BER encoding of PrintableString(A82743287)

Have you fixed this issue?

Thanks,
Carlos
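Added example (not from the thread and not SecureBlackbox code) showing the RFC 4514 section 2.4 rule discussed in post #36300 and restated above: an attribute whose type is written as a dotted-decimal OID is represented as '#' followed by the hex of the BER-encoded X.500 value, so serialNumber A82743287 becomes 2.5.4.5=#1309413832373433323837. It also implements the traverse-and-replace-by-OID approach suggested in post #36310 on a plain Python list instead of TElRelativeDistinguishedName. The sample issuer name, the e-mail address and all function names are constructed for this example.

```python
# Added example: RFC 4514 string form of a name with dotted-decimal attribute types.
# Not part of the forum thread or of SecureBlackbox; names and sample data are constructed.

# ASN.1 universal tags for the string types that occur in X.500 names
TAG_PRINTABLESTRING = 0x13
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16

# Character set of ASN.1 PrintableString (X.680)
PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# Attribute types with a short name in the RFC 4514 section 3 table
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}

# Attribute types whose ASN.1 syntax is fixed to a tag other than the default
ASN1_TAG = {"1.2.840.113549.1.9.1": TAG_IA5STRING}  # PKCS#9 emailAddress is IA5String


def ber_length(n):
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_string(value, tag=None):
    """BER TLV of a string value; PrintableString when every char allows it, else UTF8String."""
    if tag is None:
        tag = TAG_PRINTABLESTRING if set(value) <= PRINTABLE_CHARS else TAG_UTF8STRING
    content = value.encode("utf-8" if tag == TAG_UTF8STRING else "ascii")
    return bytes([tag]) + ber_length(len(content)) + content


def hex_value(value, tag=None):
    """RFC 4514 section 2.4 form for dotted-decimal types: '#' + hex of the BER TLV."""
    return "#" + ber_string(value, tag).hex()


def decode_hex_value(text):
    """Parse a '#hex' value back into (tag, string); rejects truncated encodings."""
    if not text.startswith("#"):
        raise ValueError("not a hex-encoded attribute value")
    raw = bytes.fromhex(text[1:])
    tag, first = raw[0], raw[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(raw[2:2 + nbytes], "big")
        offset = 2 + nbytes
    content = raw[offset:offset + length]
    if len(content) != length or offset + length != len(raw):
        raise ValueError("truncated or trailing BER data")
    return tag, content.decode("utf-8" if tag == TAG_UTF8STRING else "ascii")


def escape_value(value):
    """String form of a value per RFC 4514 section 2.4 (escaping only; no hex)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def to_rfc4514(name):
    """Serialize an RDNSequence given as [(oid, value), ...] in ASN.1 order (root first).
    Section 2.3: RDNs are emitted last-to-first. Types in the short-name table use the
    escaped string form; all other types use the dotted-decimal OID and '#hex' form."""
    parts = []
    for oid, value in reversed(name):
        if oid in SHORT_NAMES:
            parts.append("%s=%s" % (SHORT_NAMES[oid], escape_value(value)))
        else:
            parts.append("%s=%s" % (oid, hex_value(value, ASN1_TAG.get(oid))))
    return ",".join(parts)


def replace_value(name, oid, new_value):
    """Walk the name and swap the value for one OID, leaving every other RDN intact
    (the alternative to clearing the whole RDN suggested in the thread)."""
    return [(o, new_value if o == oid else v) for o, v in name]


# Constructed sample issuer, loosely modelled on the one in the thread (ASN.1 order, root first).
# The e-mail address is a placeholder, not the real certificate's value.
SAMPLE_ISSUER = [
    ("2.5.4.6", "ES"),
    ("1.2.840.113549.1.9.1", "ca@example.com"),
    ("2.5.4.7", "Madrid (see current address at www.camerfirma.com/address)"),
    ("2.5.4.5", "A82743287"),
    ("2.5.4.10", "AC Camerfirma SA"),
    ("2.5.4.3", "AC Camerfirma Certificados Camerales"),
]

if __name__ == "__main__":
    print(hex_value("A82743287"))      # #1309413832373433323837
    print(to_rfc4514(SAMPLE_ISSUER))
    print(to_rfc4514(replace_value(SAMPLE_ISSUER, "2.5.4.5", "B12345678")))
```

Two points worth noting when comparing with the thread's DN string: RFC 4514 separates RDNs with "," and does not treat "/" specially, so the "/" inside the L value is only a problem for an OpenSSL-style "/"-separated parser; and serialNumber (2.5.4.5) and emailAddress are not in the section 3 short-name table, which is exactly why those two attributes have to take the dotted-decimal "#hex" form.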
#37745
Posted: 09/19/2016 10:01:45
by Eugene Mayevski (EldoS Corp.)

This is not exactly an issue, but something that the developer needs to do himself, as described above. In any case, right now this is not done. You might need to contact the vendor of the software with this question -- we don't provide direct support to end users, nor would we be able to change the third-party software for you.


Sincerely yours
Eugene Mayevski