Counter Signature

#3865
Posted: 09/26/2007 08:55:09
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

I am developing a system to sign documents (with text extensions like txt or ps2) for a university project. For now I am only implementing signatures for XML documents using XAdES.

As a base I used the samples and, at this moment, I can add multiple signatures to a document.

On the verification side I have some doubts:

<root>
<name>
Eldos
</name>
....
....
....
</root>

1- How should the verification be done? I use validateSignature and validateReferences; is this enough?

2- In the interface I give the user the possibility to validate one signature at a time; using the validations, they only verify the first one in the document. I created a system based on removing n signatures to verify the chosen one. Is there a better method?

3- Where does the validation method take the public key from? KeyInfo, or by interrogating the CA that produced the certificate used?

4- Each time I make a signature on the document and submit it, I want the server to countersign the signature to prove its existence. I see that a countersign() method exists but I can't discover how to use it; can you explain how to do this?

Regards

Nuno Guedes
#3867
Posted: 09/26/2007 14:33:27
by Dmytro Bogatskyy (EldoS Corp.)

Quote
1- How should the verification be done? I use validateSignature and validateReferences; is this enough?

Yes. Also, check the public key if you use it from the KeyInfo element.
Quote
2- In the interface I give the user the possibility to validate one signature at a time; using the validations, they only verify the first one in the document. I created a system based on removing n signatures to verify the chosen one. Is there a better method?

I think it is better to load a signature by index. Why do you need to delete the other signatures?
If you reference the whole XML document, then just use the enveloped signature transform.
Quote
3- Where does the validation method take the public key from? KeyInfo, or by interrogating the CA that produced the certificate used?

If ElXMLVerifier.KeyData is set then it is used to verify the signature; otherwise the verifier tries to load the public key from the KeyInfo element, and if it fails to load it then ElXMLVerifier.KeyDataNeeded will be set to true (on the ValidateSignature call).
Quote
4- Each time I make a signature on the document and submit it, I want the server to countersign the signature to prove its existence. I see that a countersign() method exists but I can't discover how to use it; can you explain how to do this?

Are you talking about the TElMessageSigner.CounterSign method or the SBXMLAdES.TElXMLCounterSignature class?
#3876
Posted: 09/27/2007 08:27:51
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
1- How should the verification be done? I use validateSignature and validateReferences; is this enough?

Yes. Also, check the public key if you use it from the KeyInfo element.


What do you mean? I use the KeyInfo element so that the verifier can find the correct CA to get the public key. Isn't that correct?

I will attach an example with various signatures that I produced and want to verify (the first and last are invalid for test purposes).
#3877
Posted: 09/27/2007 08:42:21
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
2- In the interface I give the user the possibility to validate one signature at a time; using the validations, they only verify the first one in the document. I created a system based on removing n signatures to verify the chosen one. Is there a better method?

I think it is better to load a signature by index. Why do you need to delete the other signatures?
If you reference the whole XML document, then just use the enveloped signature transform.


I attached a preview of the implemented interface. The user should choose the signature that he wants to verify.
I load the XMLDocument.DocumentElement into the verifier; when I invoke the methods to verify the signature and references, they only verify the first signature.
So I remove n signatures to get the wanted signature into the first place.
Is there another way to choose one signature to verify?




#3878
Posted: 09/27/2007 08:48:46
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
3- Where does the validation method take the public key from? KeyInfo, or by interrogating the CA that produced the certificate used?

If ElXMLVerifier.KeyData is set then it is used to verify the signature; otherwise the verifier tries to load the public key from the KeyInfo element, and if it fails to load it then ElXMLVerifier.KeyDataNeeded will be set to true (on the ValidateSignature call).


I don't set KeyData, so the verifier will try to load the public key from the KeyInfo element.

In this case how does it work? The KeyInfo doesn't have the public key, right? The verifier should read the KeyInfo to know the CA that has the public key, right?

"if it fails to load it then ElXMLVerifier.KeyDataNeeded will be set to true (on the ValidateSignature call)" And validation will fail, right?
#3880
Posted: 09/27/2007 08:52:28
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
4- Each time I make a signature on the document and submit it, I want the server to countersign the signature to prove its existence. I see that a countersign() method exists but I can't discover how to use it; can you explain how to do this?

Are you talking about the TElMessageSigner.CounterSign method or the SBXMLAdES.TElXMLCounterSignature class?


I think it is the TElMessageSigner.CounterSign method. I don't know how to create a countersign; I want the receiver, after verifying the signature, to countersign it to prove the existence of the first.
#3884
Posted: 09/27/2007 12:35:27
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I use the KeyInfo element so that the verifier can find the correct CA to get the public key. Isn't that correct?
I don't set KeyData, so the verifier will try to load the public key from the KeyInfo element.
In this case how does it work? The KeyInfo doesn't have the public key, right? The verifier should read the KeyInfo to know the CA that has the public key, right?
"if it fails to load it then ElXMLVerifier.KeyDataNeeded will be set to true (on the ValidateSignature call)" And validation will fail, right?

In that case, the verifier loads a public key from the KeyInfo element (KeyInfo/X509Data/X509Certificate or KeyInfo/KeyValue/RSAKeyValue elements) and checks the signature with it. The verifier doesn't search for a public key in other locations.
You can access KeyInfo items using the Verifier.Signature.KeyInfo.Items/Count properties.
If you don't check the public key and rely on the public key stored in the KeyInfo element, then an attacker can remove your signature, modify the document and re-sign it with their own fake certificate that has the same subject and issuer, but from another CA.
Quote
I attached a preview of the implemented interface. The user should choose the signature that he wants to verify.
I load the XMLDocument.DocumentElement into the verifier; when I invoke the methods to verify the signature and references, they only verify the first signature.
So I remove n signatures to get the wanted signature into the first place.
Is there another way to choose one signature to verify?

Enumerate the child elements of document element and search for Signature elements:
Code
TElXMLDOMNode Node = XMLDocument.DocumentElement.FirstChild;
while (Node != null)
{
  // Match only ds:Signature elements: check local name and the XML-DSig namespace
  if ((Node.NodeType == SBXMLCore.Unit.ntElement) && (Node.LocalName == "Signature") && (Node.NamespaceURI == SBXMLDefs.Unit.xmlSignatureNamespace))
  {
     // Load this particular signature into the verifier; the others stay in the document
     Verifier.Load((TElXMLDOMElement)Node);
     // checks: ValidateSignature / ValidateReferences, plus a check of the KeyInfo certificate
  }
  Node = Node.NextSibling;
}

or use an XPath query:
XMLDocument.DocumentElement.SelectNodes(...)
Quote
I think it is the TElMessageSigner.CounterSign method. I don't know how to create a countersign; I want the receiver, after verifying the signature, to countersign it to prove the existence of the first.

The TElMessageSigner.CounterSign method is not related to the XML classes.
I think you need to create another signature. Possible XML structure:
Code
<root>
<data>
</data>
<ClientSignature1>
  <Info>
  </Info>
  <ds:Signature>
    <!-- references the data and Info elements -->
  </ds:Signature>
</ClientSignature1>
<ServerSignature1>
  <Info>
  </Info>
  <ds:Signature>
    <!-- references the data, Info and ClientSignature1 elements -->
  </ds:Signature>
</ServerSignature1>
  <!-- ... -->
</root>
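Putting the two points from this reply together (select one Signature element by namespace and index instead of deleting the others, and do not trust the certificate in KeyInfo by itself), as an added Python example that is not from the forum or from SecureBlackbox. The XML document, the certificate bytes and the trusted fingerprint set are all constructed.

```python
# Added example, not code from the EldoS forum or the SecureBlackbox library.
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample: three sibling signatures under the document element.
# Certificate bodies are placeholders, not real DER; the third has no KeyInfo.
SAMPLE_XML = f"""<root>
  <name>Eldos</name>
  <Signature xmlns="{DS_NS}"><SignedInfo/><SignatureValue>AA==</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{base64.b64encode(b'cert-one').decode()}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <Signature xmlns="{DS_NS}"><SignedInfo/><SignatureValue>AQ==</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{base64.b64encode(b'cert-two').decode()}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <Signature xmlns="{DS_NS}"><SignedInfo/><SignatureValue>Ag==</SignatureValue></Signature>
</root>"""

# Constructed trust store: only the first certificate is an accepted anchor.
TRUSTED_FINGERPRINTS = {sha256_hex(b"cert-one")}

def find_signatures(root):
    """Direct ds:Signature children of the document element, in document order."""
    return [n for n in root if n.tag == f"{{{DS_NS}}}Signature"]

def count_signatures(xml_text):
    return len(find_signatures(ET.fromstring(xml_text)))

def keyinfo_cert_der(sig):
    """DER bytes from KeyInfo/X509Data/X509Certificate, or None if absent."""
    path = "/".join(f"{{{DS_NS}}}{t}" for t in ("KeyInfo", "X509Data", "X509Certificate"))
    node = sig.find(path)
    if node is None or not node.text:
        return None
    return base64.b64decode("".join(node.text.split()))

def select_and_check(xml_text, index, trusted):
    """Select signature `index` and say whether its KeyInfo certificate is trusted.
    key_needed mirrors a verifier finding no usable key in KeyInfo (the caller must
    supply one); checking SignedInfo/SignatureValue itself is out of scope here."""
    sigs = find_signatures(ET.fromstring(xml_text))
    if not 0 <= index < len(sigs):
        raise IndexError(f"document has {len(sigs)} signatures, asked for #{index}")
    der = keyinfo_cert_der(sigs[index])
    if der is None:
        return {"index": index, "key_needed": True, "trusted": False}
    return {"index": index, "key_needed": False, "trusted": sha256_hex(der) in trusted}
```

A signature whose KeyInfo certificate is merely present but not in the trusted set is reported as untrusted, which is the situation the reply warns about: same subject and issuer names, different CA.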
#14533
Posted: 09/22/2010 06:53:19
by mitja lojk (Basic support level)
Joined: 08/26/2010
Posts: 6

Hi!

How can I get the KeyInfo.X509Data.X509Certificate value from a TElX509Certificate? If I sign an XML document the value is stored in:

Quote

<KeyInfo>
<X509Data>
<X509Certificate>MIIFK....</X509Certificate>
</X509Data>
</KeyInfo>

So, I have a certificate loaded from the Windows storage:
Quote

Cert.Assign(ElWinCertStorage1.Certificates[0]);

I can't find a way to get the <X509Certificate> string from Cert.

Help please!
#14535
Posted: 09/22/2010 07:13:50
by Eugene Mayevski (EldoS Corp.)

Use Cert.SaveToStream or Cert.SaveToBuffer, then SBUtils.Base64Encode the saved buffer.


Sincerely yours
Eugene Mayevski