EldoS | Feel safer!

Signature Certificates

#4756
Posted: 01/21/2008 06:20:24
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

I can't understand the signing and verifying process relative to the certificates used.

1 - If I add the signing certificate to Certificate and to CertStorage, and some more to CertStorage, I will be in the 3rd case, but in the verifying process Certificate is null. So the 3rd case never occurs. Signing by the 3rd case will result in 2nd case verifying.

Quote
// if CertStorage is nil, Certificate points to the certificate to be used for signing.
// if CertStorage is not nil and Certificate is nil, the certificate to be used for signing is searched using the signature algorithm
// if CertStorage is not nil and Certificate is set to one of CertStorage certificates, the chain is built starting from Certificate


2 - Verifying a signature that has 5 certificates in CertStorage but Certificate is null, how do I find the signing one? I know that it's by signature algorithm, but how do I code that?

Thanks in advance.
#4758
Posted: 01/21/2008 17:02:37
by Dmytro Bogatskyy (EldoS Corp.)

Quote
So the 3rd case never occurs. Signing by the 3rd case will result in 2nd case verifying.

If you set the ElXMLVerifier.KeyData property to an ElXMLKeyInfoX509Data object, then all rules can be applied; rule 3 will also be possible, like in the signing process.
If ElXMLVerifier searches for the certificate in the KeyInfo element, then rule 3 isn't possible: X509Data from the KeyInfo element can have either the Certificate or the CertStorage property set.
Quote
Verifying a signature that has 5 certificates in CertStorage but Certificate is null, how do I find the signing one?

Please use the following code to obtain the certificate:
Code
// index of the first certificate of chain 0 (negative when there is none)
k := X509Data.CertStorage.Chains[0];
if k >= 0 then
  Cert := X509Data.CertStorage.Certificates[k];
#4769
Posted: 01/22/2008 08:28:24
by Nuno Guedes (Basic support level)

hi,

I didn't understand your answer.
In the signer I add the signing certificate (cert1) to KeyInfo Certificate, and the same one together with others to CertStorage:

Signer.KeyData.Certificate = cert1
Signer.KeyData.CertStorage = cert1, cert2, cert3

On the verifier side I access
((SBXMLSec.TElXMLKeyInfoX509Data)(((SBXMLSig.TElXMLSigProcessor)(Verifier)).Signature.KeyInfo[3]))
and Certificate is null while CertStorage has 3 certificates.

So, you are saying that I should do the instruction below:
Verifier.KeyData = ((SBXMLSec.TElXMLKeyInfoX509Data)(((SBXMLSig.TElXMLSigProcessor)(Verifier)).Signature.KeyInfo[3]))
right?


Quote
Bogatskyy wrote:
Please use the following code to obtain the certificate:
k := X509Data.CertStorage.Chains[0];
if k >= 0 then
  Cert := X509Data.CertStorage.Certificates[k];


I can't call the .Chains[0] property. It doesn't appear, only ChainCount.


One more question: if I add 5 certificates to KeyInfo, which certificate is used to sign?

Thanks in advance.

#4770
Posted: 01/22/2008 09:08:03
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Signer.KeyData.Certificate = cert1
Signer.KeyData.CertStorage = cert1, cert2, cert3

The XML structure of the KeyInfo element will be the following:
Code
<ds:KeyInfo>
  <ds:X509Data>
    <ds:X509Certificate> Cert 1 data </ds:X509Certificate>
    <ds:X509Certificate> Cert 2 data </ds:X509Certificate>
    <ds:X509Certificate> Cert 3 data </ds:X509Certificate>
  </ds:X509Data>
</ds:KeyInfo>

The Certificate property (cert1) won't be saved a second time.
So the verifier can load those certificates into the CertStorage class, but it can't detect the correct certificate from the XML structure, and Certificate will be null (when you call the Verifier.Load method).
Then, when you call the Verifier.ValidateSignature method and KeyData is null, it searches for a certificate in X509Data using rule 2.

Quote
So, you are saying that i should do the below instruction:
Verifier.KeyData = (SBXMLSec.TElXMLKeyInfoX509Data)(Verifier.Signature.KeyInfo[3])
right?

If you want to verify using a specific X509Data.
Does it have a third index?
And are the elements before it of TElXMLKeyInfoRSAData/TElXMLKeyInfoDSAData type?
Then it could be a problem when verifying with Verifier.KeyData null, because Verifier also searches for TElXMLKeyInfoRSAData/TElXMLKeyInfoDSAData/TElXMLKeyInfoX509Data/TElXMLKeyInfoPGPData elements in KeyInfo and verifies only with the first match.
I will make TElXMLKeyInfoX509Data/TElXMLKeyInfoPGPData have higher priority than TElXMLKeyInfoRSAData/TElXMLKeyInfoDSAData elements.

Quote
I can't call the .Chains[0] property. It doesn't appear, only ChainCount.

Use get_Chains(index) and get_Certificates(index) in C#.

Quote
One more question: if I add 5 certificates to KeyInfo, which certificate is used to sign?

With the first certificate in the first chain if it contains a private key; if not, CertStorage is searched for the first certificate with a private key.
#4771
Posted: 01/22/2008 09:49:50
by Nuno Guedes (Basic support level)

Quote
Bogatskyy wrote:
The Certificate property (cert1) won't be saved a second time. So the verifier can load those certificates into the CertStorage class, but it can't detect the correct certificate from the XML structure, and Certificate will be null (when you call the Verifier.Load method). Then, when you call the Verifier.ValidateSignature method and KeyData is null, it searches for a certificate in X509Data using rule 2.


Thanks, now I understand.

Quote

If you want to verify using a specific X509Data.
Does it have a third index?
And are the elements before it of TElXMLKeyInfoRSAData/TElXMLKeyInfoDSAData type?


Yes, it has indexes up to 4.
[0] - '\n\t\t'
[1] - TElXMLKeyInfoRSAData
[2] - '\n\t\t'
[3] - TElXMLKeyInfoX509Data
[4] - '\n\t'


Where does Verifier.ValidateSignature() get the public key?
I changed KeyInfoRSAData Modulus -> Verifier.ValidateSignature() = true
I changed KeyInfoX509Data SigningCertificate KeyMaterial Modulus -> Verifier.ValidateSignature() = true
I tried KeyInfoRSAData RSAKeyMaterial Modulus -> Verifier.ValidateSignature() = false

So I suppose that ValidateSignature uses only KeyInfoRSAData RSAKeyMaterial.

Thanks.
#4772
Posted: 01/22/2008 11:19:10
by Dmytro Bogatskyy (EldoS Corp.)

Quote
So i supose that ValidateSignature use only KeyInfoRSAData RSAKeyMaterial.

Yes, KeyInfoRSAData.Modulus and KeyInfoRSAData.RSAKeyMaterial.Modulus are the same when the XML document is parsed.
#4773
Posted: 01/22/2008 11:30:11
by Nuno Guedes (Basic support level)

Quote
Bogatskyy wrote:
Quote
So I suppose that ValidateSignature uses only KeyInfoRSAData RSAKeyMaterial.

Yes, KeyInfoRSAData.Modulus and KeyInfoRSAData.RSAKeyMaterial.Modulus are the same when the XML document is parsed.


OK, but it is KeyInfoRSAData.RSAKeyMaterial.Modulus that is used by ValidateSignature.

What is the ValidateSignature running path?
If it exists, validate with KeyInfoRSAData.RSAKeyMaterial.Modulus
else
if it exists, validate with KeyInfoX509Data SigningCertificate KeyMaterial Modulus
else
if SignedProperties SigningCertificate exists and the correct certificate is found in the Windows CertStorage, validate with it...



#4775
Posted: 01/22/2008 16:02:04
by Dmytro Bogatskyy (EldoS Corp.)

Quote
What is the ValidateSignature running path?

The ValidateSignature method, if KeyData is set to null, tries to validate using the first child of the KeyInfo element; in your case it is KeyInfoRSAData. It is not so good: if X509Data exists it should be checked first (as I mentioned before, it will be changed so in the next build), because usually RSAData is simply generated from the signing certificate for compatibility.
The ValidateSignature method won't check any other location for a certificate, like the system storage.
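The KeyInfo layout shown in #4770 and the lookup order described in #4775 (first KeyInfo child wins, several X509Certificate entries with no marker for the signing one, no system store consulted) are easier to see in a small verifier. The Python below is an added example and not SecureBlackbox code or anything posted in this thread: it uses textbook RSA on Mersenne primes, a base64-encoded JSON stand-in for DER certificates, and a SHA-256 of the body text in place of XML-DSig canonicalisation, all assumptions chosen only to keep it self-contained. The functions build_signed_xml, find_signing_cert and verify_trusted are invented here.

```python
import base64
import hashlib
import json
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
ET.register_namespace("ds", DS)

# Textbook RSA over Mersenne primes: tiny and NOT secure; used only so the
# example runs offline without a crypto library (assumption for illustration).
M31, M61, M89, M107 = 2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1

def make_key(p, q):
    n, e = p * q, 65537
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}  # Python 3.8+

def digest_int(body, n):
    # Real XML-DSig hashes canonicalised SignedInfo; the body text stands in here.
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(body, key):
    return pow(digest_int(body, key["n"]), key["d"], key["n"])

def verify(body, sig, n, e):
    return pow(sig, e, n) == digest_int(body, n)

def make_cert(subject, pub):
    # Stand-in for a DER certificate: base64 of JSON carrying subject and public key.
    der = json.dumps({"subject": subject, "n": pub["n"], "e": pub["e"]}).encode()
    return base64.b64encode(der).decode()

def cert_public_key(cert_b64):
    c = json.loads(base64.b64decode(cert_b64))
    return c["n"], c["e"]

def fingerprint(cert_b64):
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()

def build_signed_xml(body, key, certs):
    """KeyInfo laid out as in the thread: an RSAKeyValue child first, then one
    X509Data holding every certificate from the signer's CertStorage."""
    root = ET.Element("Envelope")
    ET.SubElement(root, "Body").text = body
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = str(sign(body, key))
    ki = ET.SubElement(sig, f"{{{DS}}}KeyInfo")
    rsa = ET.SubElement(ET.SubElement(ki, f"{{{DS}}}KeyValue"), f"{{{DS}}}RSAKeyValue")
    ET.SubElement(rsa, f"{{{DS}}}Modulus").text = str(key["n"])
    ET.SubElement(rsa, f"{{{DS}}}Exponent").text = str(key["e"])
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    for c in certs:
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = c
    return ET.tostring(root, encoding="unicode")

def parse(xml_text):
    root = ET.fromstring(xml_text)
    sig = int(root.findtext("ds:Signature/ds:SignatureValue", namespaces=NS))
    return root.findtext("Body"), sig, root.find("ds:Signature/ds:KeyInfo", NS)

def verify_with_keyvalue(xml_text):
    """Verify with the RSAKeyValue the document itself carries (the 'first child'
    path). It only proves that whoever wrote KeyInfo held the matching private key."""
    body, sig, ki = parse(xml_text)
    n = int(ki.findtext("ds:KeyValue/ds:RSAKeyValue/ds:Modulus", namespaces=NS))
    e = int(ki.findtext("ds:KeyValue/ds:RSAKeyValue/ds:Exponent", namespaces=NS))
    return verify(body, sig, n, e)

def find_signing_cert(xml_text):
    """Several X509Certificate entries and no hint which one signed ('Certificate
    is null'): try each certificate's public key against the signature value."""
    body, sig, ki = parse(xml_text)
    for el in ki.findall("ds:X509Data/ds:X509Certificate", NS):
        n, e = cert_public_key(el.text)
        if verify(body, sig, n, e):
            return el.text
    return None

def verify_trusted(xml_text, trusted_fingerprints):
    """The step the library leaves to the caller: the certificate that verifies
    the signature must also be one we trust, here by pinned fingerprint."""
    cert = find_signing_cert(xml_text)
    return cert is not None and fingerprint(cert) in trusted_fingerprints

def demo():
    signer, attacker = make_key(M61, M89), make_key(M31, M107)
    cert1 = make_cert("CN=signer", signer)
    cert2 = make_cert("CN=intermediate", {"n": M61 * M107, "e": 65537})  # public only
    cert3 = make_cert("CN=root", {"n": M31 * M89, "e": 65537})           # public only
    trusted = {fingerprint(cert1)}
    genuine = build_signed_xml("transfer 10 EUR", signer, [cert1, cert2, cert3])
    # Constructed attack: new body, attacker's own key, and a KeyInfo the attacker
    # wrote himself, reusing the real signer's subject name.
    forged = build_signed_xml("transfer 10000 EUR", attacker,
                              [make_cert("CN=signer", attacker)])
    return {
        "genuine_keyvalue": verify_with_keyvalue(genuine),
        "genuine_trusted": verify_trusted(genuine, trusted),
        "signing_cert": [cert1, cert2, cert3].index(find_signing_cert(genuine)),
        "forged_keyvalue": verify_with_keyvalue(forged),   # passes: key came from the attacker
        "forged_trusted": verify_trusted(forged, trusted),  # rejected
    }
```

Running demo() shows the point of Dmytro's remark that RSAData is "simply generated from the signing certificate for compatibility": a verifier that takes its key from the first KeyInfo child accepts the forged envelope just as readily as the genuine one, because the attacker supplies both the signature and the key it is checked against. Picking the certificate out of X509Data by trial, the way the rule 2 search does, and then checking that certificate against something the application trusts is what turns a mathematically valid signature into an authenticated one.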
#4777
Posted: 01/23/2008 06:17:42
by Nuno Guedes (Basic support level)

So I should set KeyData to KeyInfo.TElKeyInfoX509Data, right?
#4778
Posted: 01/23/2008 07:09:52
by Dmytro Bogatskyy (EldoS Corp.)

Quote
So I should set KeyData to KeyInfo.TElKeyInfoX509Data, right?

To set ElXMLVerifier.KeyData? Yes, if you want to control which key/certificate will be used in the verification process.