EldoS | Feel safer!

Double signature xml

#37285
Posted: 07/21/2016 19:34:48
by Alfonso Madariaga V. (Standard support level)
Joined: 07/28/2015
Posts: 6

Hello, I perform a double signature on an XML file but the receiver rejects it. Let me know if this is done correctly or if I should do it otherwise, since I've checked everything and can find no other reason. I hope you can help me.
Regards.

Code

Memory_Stream.Position := 0;
XML_Doc.LoadFromStream(Memory_Stream, 'ISO-8859-1', true);
WinCertStorage := nil;
F := nil;
try
  XML_Signer1.References := XML_RefLis;
  XML_Signer1.SignatureMethodType := xmtSig;
  XML_Signer1.SignatureType := xstEnveloped;
  XML_Signer1.CanonicalizationMethod := xcmCanon;
  XML_Signer1.SignatureMethod := xsmRSA_SHA1;
  XML_Signer1.IncludeKey := True;
  XML_Signer1.OnFormatElement := FormatElement;
  XML_Signer1.OnFormatText := FormatText;
  // Look up the signing certificate in the Windows "MY" store by serial number
  Cert := nil;
  WinCertStorage := TElWinCertStorage.Create(nil);
  WinCertStorage.SystemStores.Text := 'MY';
  for nI := 0 to WinCertStorage.Count - 1 do
    if BinaryToString(WinCertStorage.Certificates[nI].SerialNumber) = '9AFF1800000003E1DB00' then
    begin
      Cert := WinCertStorage.Certificates[nI];
      break;
    end;
  // Cert stays nil when no serial number matched, so the Assigned check is meaningful
  if Assigned(Cert) and Cert.PrivateKeyExists then
  begin
    X509_KeyData.IncludeKeyValue := True;
    X509_KeyData.IncludeDataParams := [xkidX509Certificate, xkidX509CRL];
    X509_KeyData.Certificate := Cert;
    XML_Signer1.KeyData := X509_KeyData;
  end
  else
  begin
    MessageDlg('! El Certificado digital NO ha sido encontrado ! ', mtInformation, [mbOk], 0);
    Exit;
  end;
  // First signature: reference the DCTO node, save the signature into DTR
  XML_RefDocu.DigestMethod := xdmSHA1;
  XML_RefDocu.URINode := XML_Doc.DocumentElement.FindNode('DCTO', True);
  XML_RefDocu.URI := S_Uri;
  XML_RefDocu.TransformChain.Add(TElXMLC14NTransform.Create);
  XML_RefLis.Add(XML_RefDocu);
  XML_Signer1.UpdateReferencesDigest;  // Update the digest
  XML_Signer1.Sign;
  XML_Signer1.Signature.SignaturePrefix := '#default';
  XML_Nodo := XML_Doc.DocumentElement.FindNode('DTR', True);
  XML_Signer1.Save(XML_Nodo);
  //*************  SECOND SIGN *******************************
  // Second signature: reference the SDTR node, save the signature into the document element
  XML_RefDocu.URINode := nil;
  XML_RefDocu.URINode := XML_Doc.DocumentElement.FindNode('SDTR', True);
  XML_RefDocu.URI := '#STD';
  XML_Signer1.UpdateReferencesDigest;  // Update the digest
  XML_Signer1.Sign;
  XML_Signer1.Signature.SignaturePrefix := '#default';
  XML_Nodo := XML_Doc.DocumentElement;
  XML_Signer1.Save(XML_Nodo);
  // Write the doubly signed document to disk
  Nom_Fac := 'C:\' + S_Path + '.xml';
  F := TFileStream.Create(Nom_Fac, fmCreate or fmOpenWrite);
  XML_Doc.SaveToStream(F, xcmNone, 'ISO-8859-1');
finally
  F.Free;
  WinCertStorage.Free;
end;
#37293
Posted: 07/24/2016 18:20:44
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us,

Quote
Hello, I perform a double signature on an XML file but the receiver rejects it. Let me know if this is done correctly or if I should do it otherwise, since I've checked everything and can find no other reason

At first, did you try to validate your signatures using the XMLBlackbox\AdvancedSigner sample? Are both signatures valid?
Then, what is the structure of your XML document? Maybe you are missing the enveloped signature transform for the references? Or, if the placeholder element for the signatures is independent of the referenced nodes, then you don't need the enveloped signature transform.
Do you have a sample signed XML document that is accepted by this service? Are all signatures in it valid with the AdvancedSigner sample? Are there any differences between those signatures?
#37304
Posted: 07/25/2016 12:32:51
by Alfonso Madariaga V. (Standard support level)
Joined: 07/28/2015
Posts: 6

Hello, thanks for your response. I validated my signatures using the XMLBlackbox\AdvancedSigner sample and this is the result, a problem with the certificate, "Unknown CA":

#37306
Posted: 07/25/2016 13:00:32
by Eugene Mayevski (EldoS Corp.)

The message is quite clear - the CA of one of the certificates in the chain is not known to the validator, and so the chain up to the trusted root cannot be built.

We have several articles related to validation of certificates and to diagnostics of possible problems. The articles are:
1) "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php),
2) "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php),
3) "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php)

You can use these articles for self-help. Your log and the posts on this forum contain enough information for resolving the validation problems.


Sincerely yours
Eugene Mayevski
#37309
Posted: 07/25/2016 17:57:08
by Alfonso Madariaga V. (Standard support level)
Joined: 07/28/2015
Posts: 6

Hello Eugene, thanks for your response, but my post was meant to find out whether the instructions for the double signature were correct or should be changed.

Regards
#37312
Posted: 07/26/2016 18:03:12
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
my post was meant to find out whether the instructions for the double signature were correct or should be changed.

The XML digital signature standard doesn't define any special instructions for adding a secondary (or n-ary) signature. The best approach is to put the signatures in an element that doesn't intersect with the data that you have signed (referenced). In this case, you don't need to do anything special.
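The point made in the replies above, as an added Python example that is not from this thread or from SecureBlackbox: the first signature's reference digest is recomputed after a second signature is stored either in a separate placeholder element or inside the referenced data, with and without the enveloped-signature transform. xml.etree serialization stands in for C14N, the element names DCTO/DTR/SDTR are borrowed from the poster's code, and the document itself is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DSIG_NS}}}Signature"


def digest_of(node, enveloped=False):
    """SHA-1 over the node's serialization (stand-in for C14N + DigestMethod).
    With enveloped=True, ds:Signature descendants are dropped first, which is
    what the enveloped-signature transform does before the digest is taken."""
    copy = ET.fromstring(ET.tostring(node))
    if enveloped:
        parents = [p for p in copy.iter() if any(c.tag == SIG_TAG for c in p)]
        for parent in parents:
            for child in [c for c in parent if c.tag == SIG_TAG]:
                parent.remove(child)
    return hashlib.sha1(ET.tostring(copy)).hexdigest()


def add_signature(placeholder, digest):
    """Append a minimal ds:Signature carrying the reference digest."""
    sig = ET.SubElement(placeholder, SIG_TAG)
    ET.SubElement(sig, f"{{{DSIG_NS}}}DigestValue").text = digest
    return sig


def double_sign(inside_referenced):
    """Sign DCTO, then add a second signature; report whether reference 1
    still verifies with a plain digest and with the enveloped transform."""
    # Constructed document: DCTO is the referenced data, DTR and SDTR are
    # placeholder elements that do not intersect it.
    doc = ET.fromstring("<Root><DCTO>invoice data</DCTO><DTR/><SDTR/></Root>")
    dcto = doc.find("DCTO")
    first_digest = digest_of(dcto)
    add_signature(doc.find("DTR"), first_digest)          # signature 1 over DCTO
    # Signature 2 goes either inside the referenced DCTO or into SDTR.
    target = dcto if inside_referenced else doc.find("SDTR")
    add_signature(target, digest_of(doc.find("SDTR")))
    # A verifier recomputes reference 1 over the now doubly signed document.
    return {
        "plain_ok": digest_of(dcto) == first_digest,
        "enveloped_ok": digest_of(dcto, enveloped=True) == first_digest,
    }
```

With the second signature in a non-intersecting element both checks pass; inside the referenced data only the enveloped transform rescues the first signature.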