CAdES/PAdES/XAdES signing the same file with multiple signatures

#37035
Posted: 06/21/2016 03:44:40
by Kadir Akdeniz (Basic support level)
Joined: 06/21/2016
Posts: 9

Hi there,

I have successfully signed files, starting with CAdES-BES up to CAdES-XL, PAdES and PAdES-T (for PDF files), and also XAdES and XAdES-T (for XML files).

What I'm trying to do next is signing the same files with multiple private keys using different pkcs11 tokens.

The signing operation seems quite simple.
1 - Create a message from the file stream.
2 - Add a signature to the message.
3 - Give the signature to the processor/handler.
4 - Sign it with the processor/handler.

Since the procedure involves adding signatures and deals with indexes, I assumed adding another signature would be simply to repeat steps 2-3-4 or even 2-3 and sign them all at once at the end on step 4.

But when I tried to repeat steps 2-3-4 twice (with the same private key by the way), it threw this:
PKCS#11 error CKR_FUNCTION_CANCELED in function C_Sign ---> SBPKCS11Base.EElPKCS11Error: PKCS#11 error CKR_FUNCTION_CANCELED in function C_Sign

When I tried repeating 2-3 and signing them all at once, it didn't throw any error, but it doesn't seem to work properly either, because I cannot see it as signed in another application that I use to cross-check. This 3rd-party application successfully sees the signatures when I single-sign the files.

What am I doing wrong? How can I sign the same file with multiple PKCS#11 tokens at once?

Thanks for your help in advance.
#37038
Posted: 06/21/2016 05:05:46
by Kadir Akdeniz (Basic support level)
Joined: 06/21/2016
Posts: 9

I just noticed that I do not log out or close the session and try to open a session again when I try to get the certificate from the same device on the 2nd try.

Should I handle the sessions, logins and logouts carefully for this type of operation?

PS: I can provide the code snippets of my implementation but I wanted to explain my purpose and what I did briefly first. Just say when you need to.
#37086
Posted: 06/23/2016 05:33:43
by Kadir Akdeniz (Basic support level)
Joined: 06/21/2016
Posts: 9

Copy-pasting the answer from the helpdesk, just in case someone else might need it.

Quote
Hi Kadir,

In general, your understanding is correct. In most cases several parallel signatures can be added to the same document in an iterative way, by adding signatures one after another. However, in certain more complicated scenarios you might need to close and re-open the document between signing operations, as a subsequent signature might need to know the exact binary representation of the document from the previous step (and you can't get that without serializing the document). This particularly concerns some types of PDF and AdES documents.

As for your particular problem, it seems to be specific not to the signing code itself but to some constraints of the hardware device. It might be that the device can't use the same private key within the same session twice and throws an exception on the second signing attempt. We saw similar behavior in the past with some HSMs. The straightforward solution would be to close the storage and open it again for the next signing.

What I suggest you do (it's the most robust way of achieving your goal) is to encapsulate the signing logic in one method that will do the whole job from start to end (schematically):

Code
void AddSignature(document)
{
    // open the PKCS#11 storage (token session) for this one signature only
    OpenPKCS11Storage();
    try
    {
        OpenDocument(document);
        try
        {
            InsertSingleSignature();
        }
        finally
        {
            // always close the document, even if signing failed
            CloseDocument();
        }
    }
    finally
    {
        // always close the storage so the next call starts a fresh session
        ClosePKCS11Storage();
    }
}

If you need to add multiple signatures you will simply call the above AddSignature() method several times, adding one signature on each step.

Ken
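The following is an added illustration of the open-sign-close pattern from the helpdesk answer above and of the failure described in the first post; it is not code from this thread or from SecureBlackbox. The token is a constructed simulation (hypothetical `SimulatedToken`, `Document`, `add_signature` names) of a device that refuses to use the same private key twice within one session, and it uses an HMAC as a stand-in for the token's asymmetric signature so that the example runs offline.

```python
"""Added example: one token session per signature, with nested try/finally.

The token below is a constructed simulation of the behaviour seen in the
thread (second C_Sign in the same session fails); it is not a PKCS#11 driver.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


class SessionError(Exception):
    """Stands in for the PKCS#11 CKR_FUNCTION_CANCELED error raised by C_Sign."""


class SimulatedToken:
    """Hypothetical token: one signing operation per key per session."""

    def __init__(self, label, secret):
        self.label = label
        self._secret = secret        # stands in for the non-exportable private key
        self.session_open = False
        self._key_used = False

    def open_session(self):
        self.session_open = True
        self._key_used = False       # a fresh session resets the device state

    def close_session(self):
        self.session_open = False

    def sign(self, data):
        if not self.session_open:
            raise SessionError("no open session")
        if self._key_used:
            raise SessionError("CKR_FUNCTION_CANCELED in function C_Sign")
        self._key_used = True
        # HMAC-SHA256 as a stand-in for the token's real signature primitive
        return hmac.new(self._secret, data, hashlib.sha256).digest()


@dataclass
class Document:
    content: bytes
    # parallel signatures: each one covers the original content only
    signatures: list = field(default_factory=list)   # (signer label, signature)


def add_signature(doc, token):
    """Mirror of the schematic AddSignature(): open storage, sign once, close."""
    token.open_session()
    try:
        doc.signatures.append((token.label, token.sign(doc.content)))
    finally:
        token.close_session()    # runs even if sign() raised


def sign_with_all(doc, tokens):
    """Add one parallel signature per token by calling add_signature() repeatedly."""
    for token in tokens:
        add_signature(doc, token)
    return doc


def naive_sign_twice(doc, token):
    """The approach from the first post: two signatures inside one session."""
    token.open_session()
    try:
        doc.signatures.append((token.label, token.sign(doc.content)))
        doc.signatures.append((token.label, token.sign(doc.content)))
    finally:
        token.close_session()


def verify_all(doc, tokens):
    """Check every signature against the signer's key (the verifier would use
    the signer's certificate with a real asymmetric token)."""
    by_label = {t.label: t for t in tokens}
    for label, sig in doc.signatures:
        expected = hmac.new(by_label[label]._secret, doc.content, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
    return bool(doc.signatures)


if __name__ == "__main__":
    tokens = [SimulatedToken("token-A", b"secret-A"), SimulatedToken("token-B", b"secret-B")]
    doc = sign_with_all(Document(b"contract.pdf bytes (constructed)"), tokens)
    print(len(doc.signatures), "signatures, valid:", verify_all(doc, tokens))
```

The design point is the nesting: the storage is closed in the outer `finally`, so a failed signing attempt never leaves a session open for the next call, and every call to `add_signature()` starts with a fresh session regardless of which token it uses.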
#37087
Posted: 06/23/2016 05:34:01
by Kadir Akdeniz (Basic support level)
Joined: 06/21/2016
Posts: 9

And my answer was:

Quote
Opening and closing the storage for each signature operation worked perfectly. Thanks :)

I didn't close the file between signatures. After creating the signatures, I just saved the resulting signed file to a stream.

I also tried opening and closing the file for each signature, but that way it signs a "signed document". I do not know if this is the valid case for serial signings, but I'll keep that in mind for PDF and XML signature operations.

Thanks a lot :)
