EldoS | Feel safer!

Reference to a manifest object

#37656
Posted: 09/08/2016 05:59:14
by Olivier Sannier (Basic support level)
Joined: 09/08/2016
Posts: 6

Hello,

I'm currently evaluating XMLBlackBox and the Advanced Signer demo has been of great help in getting to generate the kind of detached signature file that is required by one of my suppliers.
However, I'm stuck at the step where I want to create a reference to a manifest that itself contains a reference to an external file.

Here is the code that I'm using:

Code
// Namespaces assumed from the qualified names used in the snippet (SecureBlackbox .NET)
using System.IO;
using SBX509;
using SBXMLAdES;
using SBXMLCore;
using SBXMLDefs;
using SBXMLSec;

TElXMLSigner Signer = new TElXMLSigner();
// The XAdES signer is set up earlier in the project; that part was omitted from the post
TElXAdESSigner XAdESSigner = null;
FileStream SourceFileStream = new FileStream(SourceFileName, FileMode.Open, FileAccess.Read);
try
{
    // Base options: detached signature, exclusive C14N, RSA-SHA256
    Signer.SignatureType = SBXMLSec.Unit.xstDetached;
    Signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmExclCanon;
    Signer.SignatureMethodType = SBXMLSec.Unit.xmtSig;
    Signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA256;

    // Manifest object (ds:Object that will carry the ds:Manifest)
    TElXMLObject ManifestObject = new TElXMLObject();
    Signer.Signature.Objects.Add(ManifestObject);
    ManifestObject.ID = "manifestObject";

    // create manifest and add it to the object
    TElXMLManifest Manifest = new TElXMLManifest();
    Manifest.ID = "signedManifest";
    ManifestObject.DataList.Add(Manifest);

    // Reference to the source file, inside the manifest (external data, digested from the stream)
    TElXMLReference ManifestRef = new TElXMLReference();
    ManifestRef.DigestMethod = SBXMLSec.Unit.xdmSHA256;
    ManifestRef.TransformChain.AddCanonicalizationTransform(SBXMLDefs.Unit.xcmExclCanon);
    ManifestRef.URI = Path.GetFileName(SourceFileName);
    ManifestRef.ID = ManifestRef.URI + "-Id";
    ManifestRef.URIStream = SourceFileStream;
    ManifestRef.UpdateDigestValue();
    Manifest.Add(ManifestRef);

    // Reference to the manifest inside the signature (internal data; see the exception described below)
    TElXMLReference Ref = new TElXMLReference();
    Ref.DigestMethod = SBXMLSec.Unit.xdmSHA256;
    Ref.TransformChain.AddCanonicalizationTransform(SBXMLDefs.Unit.xcmExclCanon);
    Ref.URI = "#" + Manifest.ID;
    Ref.URINode = Manifest.XMLElement;
    Ref.RefType = SBXMLDefs.Unit.xmlReferenceManifest;
    Ref.UpdateDigestValue();
    Signer.References.Add(Ref);

    // Key (GetSigningCertificate and GetKeyData are helpers from the poster's own project)
    TElX509Certificate SigningCertificate = GetSigningCertificate(Signer, CertificateFileName, CertificatePassword);
    Signer.IncludeKey = true;
    Signer.KeyData = GetKeyData(Signer, SigningCertificate);

    // generate Signature structure
    Signer.GenerateSignature();

    // Save the signature into an empty DOM document and write it out
    TElXMLDOMDocument _XMLDocument = new TElXMLDOMDocument();
    TElXMLDOMNode SignatureNode = _XMLDocument;
    Signer.Save(ref SignatureNode);
    _XMLDocument.SaveToFile(OutputFileName);
}
finally
{
    if (Signer.KeyData != null)
        Signer.KeyData.Dispose();
    Signer.Dispose();
    if (XAdESSigner != null)
        XAdESSigner.Dispose();
    SourceFileStream.Dispose();
}


With the current code, I get an exception on the call to Ref.UpdateDigestValue() because it has no context (this comes from the fact that Manifest.XMLElement is null).

If I don't add Ref into Signer.References, then the signature is generated but my manifest object is nowhere to be seen in the file, the only ds:object element is for the qualifying properties.

I must be missing something obvious, but right now I can't figure out what this is. Any help would be most welcome.
#37660
Posted: 09/08/2016 08:30:36
by Dmytro Bogatskyy (Team)

Thank you for contacting us.

I’ve noticed there is no Support Access Ticket linked to your user account on EldoS site. Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase.

If you are evaluating the product and don't have a license yet, please let us know and then you can have support according to Basic support level. Basic support level includes answering basic technical questions that appear during product evaluation period. We also offer Premium support for a purchase from https://www.eldos.com/support/calc.php . You can use Premium Support to get higher level of assistance during your evaluation of our products.

Quote
With the current code, I get an exception on the call to Ref.UpdateDigestValue() because it has no context (this comes from the fact that Manifest.XMLElement is null).
...

Please refer to the following How-Tos for adding and verifying manifest:
https://www.eldos.com/documentation/sb...ifest.html
and
https://www.eldos.com/documentation/sb...trefs.html
#37662
Posted: 09/08/2016 09:05:53
by Olivier Sannier (Basic support level)
Joined: 09/08/2016
Posts: 6

As I said at the beginning of my post, I'm currently evaluating the product.

I think I found a solution as I now have the expected elements in the file and the signature seems to be valid nonetheless.

Basically, I moved all the code that adds the object and its various references after the call to GenerateSignature.

Initially, I thought that after GenerateSignature is called, nothing should be changed to avoid invalidating the signature itself.

Apparently this is not the case, but I did not find any reference to that.

Can you confirm that any changes I make after a call to GenerateSignature are taken into account and get reflected in the hash for the signature itself?
#37670
Posted: 09/08/2016 17:16:40
by Dmytro Bogatskyy (Team)

Hi,

Quote

Can you confirm that any changes I make after a call to GenerateSignature are taken into account and get reflected in the hash for the signature itself?

Yes. The GenerateSignature() method generates the signature structure, which can be accessed using the TElXMLSigner.Signature property. So, you can freely modify its options.
The signing (SignatureValue calculation) and the reference calculation (for references that point to internal elements) are done in the TElXMLSigner.Save*() methods.
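The sequence Dmytro describes (build the structure first, then compute the digests of internal references and the SignatureValue when the signature is saved) is easier to see in a stripped-down builder. The following is an added example written for this page, not SecureBlackbox or EldoS code. It uses only the Python standard library, so it substitutes C14N 2.0 for the exclusive C14N 1.0 selected in the post and an HMAC-SHA256 over a shared key for RSA-SHA256; the file name "report.pdf", its contents and the key are constructed inputs.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)


def q(tag):
    """Clark-notation name for a tag in the XML-DSig namespace."""
    return "{%s}%s" % (DS, tag)


def c14n(elem):
    # Assumption: the standard library only ships C14N 2.0, used here as a
    # stand-in for exclusive C14N 1.0. The ordering argument is the same.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signature(source_name, source_bytes, key):
    """Detached ds:Signature whose single SignedInfo Reference points at a
    ds:Manifest that in turn references the external file source_name."""
    sig = ET.Element(q("Signature"))
    signed_info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(signed_info, q("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    ET.SubElement(signed_info, q("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    sig_value = ET.SubElement(sig, q("SignatureValue"))
    obj = ET.SubElement(sig, q("Object"), Id="manifestObject")
    manifest = ET.SubElement(obj, q("Manifest"), Id="signedManifest")

    # 1. External reference inside the manifest: the file bytes already exist,
    #    so this digest can be computed immediately (no transform for a file).
    ext_ref = ET.SubElement(manifest, q("Reference"), URI=source_name)
    ET.SubElement(ext_ref, q("DigestMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ext_ref, q("DigestValue")).text = sha256_b64(source_bytes)

    # 2. Reference to the manifest from SignedInfo: only possible now that the
    #    Manifest element, with its DigestValue filled in, exists in the tree.
    man_ref = ET.SubElement(signed_info, q("Reference"),
                            URI="#signedManifest", Type=DS + "Manifest")
    ET.SubElement(man_ref, q("DigestMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(man_ref, q("DigestValue")).text = sha256_b64(c14n(manifest))

    # 3. Sign the canonical SignedInfo last. Assumption: HMAC-SHA256 with a
    #    shared key stands in for RSA-SHA256 (no RSA in the standard library).
    sig_value.text = base64.b64encode(
        hmac.new(key, c14n(signed_info), hashlib.sha256).digest()).decode()
    return sig


def roundtrip(sig):
    """Serialize and re-parse, as a verifier reading the file would see it."""
    return ET.fromstring(ET.tostring(sig, encoding="unicode"))


def find_by_id(root, ref_id):
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    raise KeyError(ref_id)


def verify(sig, files, key):
    """Return (signature_ok, {uri: digest_ok}). Core validation covers the
    SignatureValue and the References in SignedInfo only; XML-DSig leaves the
    References inside a ds:Manifest to the application, so they are checked
    here separately and reported under their own URIs."""
    signed_info = sig.find(q("SignedInfo"))
    expected = base64.b64encode(
        hmac.new(key, c14n(signed_info), hashlib.sha256).digest()).decode()
    sig_ok = hmac.compare_digest(expected, sig.findtext(q("SignatureValue")) or "")
    results = {}
    for ref in signed_info.findall(q("Reference")):
        uri = ref.get("URI")
        if not uri.startswith("#"):
            raise ValueError("only same-document references handled: " + uri)
        target = find_by_id(sig, uri[1:])
        results[uri] = ref.findtext(q("DigestValue")) == sha256_b64(c14n(target))
        if ref.get("Type") == DS + "Manifest":
            for mref in target.findall(q("Reference")):
                muri = mref.get("URI")
                actual = sha256_b64(files[muri]) if muri in files else None
                results[muri] = mref.findtext(q("DigestValue")) == actual
    return sig_ok, results


if __name__ == "__main__":
    KEY = b"demo-shared-key"                      # constructed for the example
    report = b"%PDF-1.4 constructed sample file\n"  # constructed external file
    signed = roundtrip(build_signature("report.pdf", report, KEY))
    print(verify(signed, {"report.pdf": report}, KEY))
    print(verify(signed, {"report.pdf": report + b"x"}, KEY))
```

Step 2 is the call that failed in the original post: the digest of a reference to #signedManifest cannot be computed until the Manifest element is present in the signature tree, which is why the library defers internal reference digests to Save(). The verifier also shows a caveat worth knowing when a supplier asks for this layout: core validation checks the SignatureValue and the References in SignedInfo, not the References inside the ds:Manifest, so the tampered-file case above still reports the signature as valid unless the application checks the manifest entries itself.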
#38859
Posted: 03/16/2017 08:59:16
by Tomaž Tušar (Standard support level)
Joined: 11/11/2015
Posts: 6

Hi,

I have used the knowledge above to create the Manifest node and it works fine,
but the result is not structured the way I need it to be.

My result must look like:
Quote

<ds:Object Id="object">
<xad:QualifyingProperties/>
<ds:Manifest Id="IHEManifest"/>
<ds:SignatureProperties/>
</ds:Object>

And what I get is:
Quote

<ds:Object>
<xad:QualifyingProperties/>
</ds:Object>
<ds:Object Id="object">
<ds:Manifest Id="IHEManifest"/>
<ds:SignatureProperties/>
</ds:Object>

So, my goal is to have only one ds:Object node with the attribute Id="object" and child nodes: xad:QualifyingProperties, ds:Manifest, ds:SignatureProperties.

The problem is that if I add one object, I get two of them as a result.
Quote

Obj := TElXMLObject.Create;
Signer.Signature.Objects.Add(Obj);
Obj.ID := 'object';

Manifest := TElXMLManifest.Create;
Manifest.ID := 'IHEManifest';
Obj.DataList.Add(Manifest);


So I've tried to add the Manifest to an existing Object and therefore I've searched for an existing object in the Signer.Signature.Objects list, but the list is empty...

At this point I'm stuck, so I hope you can help me.

Thank you in advance for your help.

Best regards
#38862
Posted: 03/16/2017 15:48:27
by Dmytro Bogatskyy (Team)

Thank you for contacting us.

Quote
So, my goal is to have only one ds:Object node with the attribute Id="object" and child nodes: xad:QualifyingProperties, ds:Manifest, ds:SignatureProperties.

Why do you need this?
A ds:Object element may contain any data, that's true. However, one ds:Object element usually contains similar data, so it is easier to work with.
I have never seen any standard based on XML-DSig, or any XML signature, in which one ds:Object element contained several elements of different types (such as xades:QualifyingProperties, ds:Manifest, ds:SignatureProperties). Also, the XAdES standard explicitly defines that the signature can contain other ds:Object elements with different contents, but it does not say that other content is allowed under the same ds:Object element.
