Signature Certificates

#4779
Posted: 01/23/2008 11:12:59
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Quote
So I should set KeyData to KeyInfo.TelKeyInfoX509Data, right?

To set ElXMLVerifier.KeyData? Yes, if you want to control which key/certificate will be used in the verification process.


I reflected on this and I think that I can do the verification in 2 different ways:

- ElXMLVerifier.KeyData set to null: validateSignature uses KeyInfoRSAData.
If SignerB signs the file this way:
KeyInfoRSAData = CertificateB public key value
KeyInfoX509Data = CertificateA
validateSignature returns true and the receiver thinks that it was SignerA that signed the file.
I think that is valid if I search in the KeyInfoX509Data for the certificate with that KeyInfoRSAData, and then generate and validate the chain based on that certificate.

- ElXMLVerifier.KeyData set to KeyInfo from signingCertificate (base certificate for the chain) can cause a similar problem to the first one. So I check the KeyInfoRSAData against KeyInfo from signingCertificate.

What do you think? Is my thinking path wrong in some step?

After this step, I should verify that every chain certificate is referenced in the SigningCertificate signed property and that the digest is correct, right?

But if SigningCertificate does not exist, the KeyInfo should be referenced by SignedInfo (as I understand from page 14 of ETSI 1.3.2), right?

thanks in advance


#4787
Posted: 01/24/2008 11:16:56
by Dmytro Bogatskyy (EldoS Corp.)

Quote
- ElXMLVerifier.KeyData set to KeyInfo from signingCertificate (base certificate for the chain) can cause a similar problem to the first one. So I check the KeyInfoRSAData against KeyInfo from signingCertificate.

If you set ElXMLVerifier.KeyData, then verification is done using the KeyData value only; it won't check the KeyInfoRSAData or KeyInfoX509Data items from the KeyInfo element.
Quote
After this step, I should verify that every chain certificate is referenced in the SigningCertificate signed property and that the digest is correct, right?

Generally yes.
From XAdES spec. v1.3.2, "7.2.2 The SigningCertificate element":
The certificate used to verify the signature SHALL be identified in the sequence (sequence of CertID elements in SigningCertificate element).

Quote
But if SigningCertificate does not exist, the KeyInfo should be referenced by SignedInfo (as I understand from page 14 of ETSI 1.3.2), right?

Generally no. From xmldsig: "if the signer wishes to bind the keying information to the signature, a Reference can easily identify and include the KeyInfo as part of the signature".
But for XAdES it seems to be true.
#4788
Posted: 01/24/2008 11:36:45
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

I said that after reading ETSI 1.3.2 a few times.

Quote
For this form it is mandatory to protect the signing certificate with the signature, in one of the two following ways:
• Either incorporating the SigningCertificate signed property; or
• Not incorporating the SigningCertificate but incorporating the signing certificate within the
ds:KeyInfo element and signing it.
#4789
Posted: 01/24/2008 11:52:28
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I said that after reading ETSI 1.3.2 a few times.

Yeah, I saw that.
It could be problematic to create such an XML document, because no reference type is defined for such a case. I'll check this.
#4922
Posted: 02/08/2008 10:19:18
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

To finish this subject, I think...

I do not set KeyData.
I have in KeyInfo a KeyInfoRSAData and a KeyInfoX509Data (including the signingCertificate).

At this moment the verifier process uses the first one it finds, KeyInfoRSAData. As you said, the KeyInfoX509Data should have priority, and this would be changed in the next versions; I don't know if it has been modified already.

My question is about checking KeyInfoRSAData against the SigningCertificate in KeyInfoX509Data. I want to ensure that that key is from that certificate.

How can I do this?

I am looking at the X509Certificate method
Code
bool ValidateRSA([in] byte[] PRSAModulus, [in] byte[] PRSAPublicKey);

Is this the correct one, or should I try another way?

Thanks

#4935
Posted: 02/08/2008 18:28:02
by Dmytro Bogatskyy (EldoS Corp.)

Quote
As you said, the KeyInfoX509Data should have priority, and this would be changed in the next versions; I don't know if it has been modified already.

Yes, it should be so in the latest beta build.

Quote
I am looking at the X509Certificate method

There is no such method.
You should compare the public exponent and modulus manually.
Use:
if (Certificate.KeyMaterial is TElRSAKeyMaterial)
{
    TElRSAKeyMaterial km = (TElRSAKeyMaterial)Certificate.KeyMaterial;
    // Compare the RSA public key carried in KeyInfo (KeyInfoRSAData) with the
    // certificate's own public key, exponent and modulus separately.
    // ToCryptoBinary strips leading zero bytes so both sides have the same form.
    Boolean b = SBUtils.Unit.CompareMem(SBXMLSec.Unit.ToCryptoBinary(KeyInfoRSAData.Exponent),
                                        SBXMLSec.Unit.ToCryptoBinary(km.PublicExponent)) &&
                SBUtils.Unit.CompareMem(SBXMLSec.Unit.ToCryptoBinary(KeyInfoRSAData.Modulus),
                                        SBXMLSec.Unit.ToCryptoBinary(km.PublicModulus));
}

Note: the call to SBXMLSec.Unit.ToCryptoBinary is necessary (it removes leading zeroes).
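The check asked for in post #4922 and answered above, as an added Python example that is not SecureBlackbox code and was not posted in this thread: read the RSAKeyValue out of ds:KeyInfo, read the certificate's public key out of its DER RSAPublicKey, and compare modulus and exponent as integers so that a leading zero byte (the reason for the ToCryptoBinary call above) cannot produce a false mismatch. It assumes the certificate's RSAPublicKey DER has already been extracted from the ds:X509Certificate element with an X.509 parser (outside this block); the key numbers, the KeyInfo documents and the "SignerA/SignerB" labels are constructed toy data, and the second case in the main block is the scenario from post #4779, where KeyValue carries SignerB's key next to SignerA's certificate.

```python
import base64
from xml.etree import ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def crypto_binary_to_int(text: str) -> int:
    """Decode a ds:CryptoBinary (base64 of a big-endian unsigned integer).
    Leading zero octets carry no value, so compare the integer, never the bytes."""
    return int.from_bytes(base64.b64decode("".join(text.split())), "big")


# --- minimal DER helpers, enough for RSAPublicKey (RFC 8017, A.1.1) ----------

def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    # +8 rather than +7 leaves room for the 0x00 pad DER requires when the high
    # bit is set; this pad is the "leading zero" the thread talks about.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key_der(der: bytes) -> tuple[int, int]:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- the check itself ---------------------------------------------------------

def rsa_key_value_from_key_info(key_info_xml: str) -> tuple[int, int]:
    """Return (modulus, exponent) from ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue."""
    root = ET.fromstring(key_info_xml)
    path = f"{{{DSIG_NS}}}KeyValue/{{{DSIG_NS}}}RSAKeyValue/{{{DSIG_NS}}}"
    modulus, exponent = root.find(path + "Modulus"), root.find(path + "Exponent")
    if modulus is None or exponent is None:
        raise ValueError("KeyInfo carries no RSAKeyValue")
    return crypto_binary_to_int(modulus.text), crypto_binary_to_int(exponent.text)


def key_value_matches_certificate(key_info_xml: str, cert_rsa_public_key_der: bytes) -> bool:
    """True iff the RSAKeyValue in KeyInfo is the public key of the certificate
    whose RSAPublicKey DER is given (assumed already taken from ds:X509Data)."""
    return rsa_key_value_from_key_info(key_info_xml) == parse_rsa_public_key_der(cert_rsa_public_key_der)


# --- constructed sample data (toy-sized numbers, not real RSA keys) -----------

KEY_A = (0xD4C3B2A1F0E1D2C3, 65537)  # key inside "SignerA's" certificate
KEY_B = (0xE0112233445566FF, 65537)  # "SignerB's" key, placed in KeyValue


def cert_public_key_der(key: tuple[int, int]) -> bytes:
    return der_sequence(der_integer(key[0]), der_integer(key[1]))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def make_key_info(key: tuple[int, int], leading_zero: bool = False) -> str:
    """Build a ds:KeyInfo with an RSAKeyValue; leading_zero=True emits the
    modulus with a 0x00 pad byte, as some signers do."""
    n, e = key
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if leading_zero:
        n_bytes = b"\x00" + n_bytes
    return (f'<ds:KeyInfo xmlns:ds="{DSIG_NS}"><ds:KeyValue><ds:RSAKeyValue>'
            f"<ds:Modulus>{_b64(n_bytes)}</ds:Modulus><ds:Exponent>{_b64(e_bytes)}</ds:Exponent>"
            "</ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo>")


if __name__ == "__main__":
    cert_a = cert_public_key_der(KEY_A)
    print("honest signer, padded modulus:", key_value_matches_certificate(make_key_info(KEY_A, True), cert_a))
    print("KeyValue is B's key, X509Data is A's cert:", key_value_matches_certificate(make_key_info(KEY_B), cert_a))
```

A verifier that passes this check can then build and validate the chain from the certificate in ds:X509Data knowing that the key which actually verified the signature is that certificate's key, which is exactly the gap the first post describes when only KeyInfoRSAData is consulted.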