EldoS | Feel safer!
XAdES-C

#10147
Posted: 05/25/2009 12:00:12
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Hi,

I call Generate() before doing the settings for QualifyingProperties! Have you got any suggestion?

Thanks
Thanh
#10148
Posted: 05/25/2009 14:24:44
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I call Generate() before doing the settings for QualifyingProperties

Assigning any property after the Generate() method doesn't have any effect (except the QualifyingProperties and QualifyingPropertiesReferences properties).
In your case it is assigning:
XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_A;
You should use this code before the Generate() method or set the XAdES form in the following way:
xadesSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.XAdESForm = SBXMLAdES.Unit.XAdES_A;
P.S. It seems we need to raise exceptions in such situations to make it clear.

About the other code:
clrRef is initialized only once (before the for loop), but if you have more than one CRLDistributionPoint in a certificate, the previous clrRef will be overwritten.
P.S. Personally, I would use a MemoryStream or another code structure to get rid of the FileStream (with a temporary file).
#10150
Posted: 05/26/2009 03:33:00
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Bogatskyy, Thanks for your support!
#10168
Posted: 05/27/2009 06:07:46
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Hi,

I have a URL of an OCSP service; could you please give me an example code to init a TElXMLOCSPRef object to put into the CompleteRevocationRefs?

Thanks
Thanh
#10173
Posted: 05/27/2009 07:01:09
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Hi,

Imagine that I have to ask the OCSP service to return a response about the revocation status of my given cert. Then the hash value of the response will be assigned to ocspRef.DigestAlgAndValue.DigestValue. Is that enough to create an object of the TElXMLOCSPRef class to add to the CompleteRevocationRefs and RevocationValues?

Thanks
Thanh
#10174
Posted: 05/27/2009 07:07:15
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I have a URL of an OCSP service; could you please give me an example code to init a TElXMLOCSPRef object to put into the CompleteRevocationRefs?

Sample code:
Code
TElOCSPResponse OCSPResponse; // for example we have OCSP response already
int Size = 0;
byte[] OCSPResponseBuf = null;
// the first Save() call with an empty buffer only reports the required size in Size
OCSPResponse.Save(ref OCSPResponseBuf, 0, ref Size);
OCSPResponseBuf = new byte[Size];
if (OCSPResponse.Save(ref OCSPResponseBuf, 0, ref Size))
{
  SBUtils.Unit.SetLength(OCSPResponseBuf, Size);
  // embed the DER-encoded response itself in RevocationValues/OCSPValues
  TElXMLEncapsulatedPKIData PKIData = new TElXMLEncapsulatedPKIData(XAdESSigner.XAdESVersion);
  PKIData.Encoding = SBXMLAdES.Unit.xemDER;
  PKIData.Data = OCSPResponseBuf;
  XAdESSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.Add(PKIData);

  // build the OCSPRef that points at that response for CompleteRevocationRefs/OCSPRefs
  TElXMLOCSPRef OCSPRef = new TElXMLOCSPRef(XAdESSigner.XAdESVersion);
  if (OCSPResponse.ResponderID.Name.Count > 0)
  {
    // responder identified by its name (ByName)
    OCSPRef.OCSPIdentifier.ResponderID = SBXMLSec.Unit.FormatRDN(OCSPResponse.ResponderID.Name);
    OCSPRef.OCSPIdentifier.ResponderIDType = SBXMLAdES.Unit.xrtByName; // or xrtByKey
  }
  if (OCSPResponse.ResponderID.SHA1KeyHash.Length > 0)
  {
    // responder identified by the SHA-1 hash of its public key (ByKey)
    // note: per the XAdES text quoted below, DigestAlgAndValue is meant to hold the digest
    // of the DER-encoded OCSPResponse (OCSPResponseBuf), not the responder key hash
    OCSPRef.DigestAlgAndValue.DigestMethod = xmlDigestMethodSHA1;
    OCSPRef.DigestAlgAndValue.DigestValue = OCSPResponse.ResponderID.SHA1KeyHash;
    OCSPRef.OCSPIdentifier.ResponderIDType = SBXMLAdES.Unit.xrtByKey;
  }
  OCSPRef.OCSPIdentifier.ProducedAtUTC = OCSPResponse.ProducedAt;
  XAdESSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.Add(OCSPRef);
}

From XAdES specification (about the OCSPRef element):
Quote
• a set of data (OCSPIdentifier element) that includes an identifier of the responder and an indication of the time when the response was generated. The responder may be identified by its name, using the ByName element within ResponderID. It may also be identified by the digest of the server's public key computed as mandated in RFC 2560 [9], using the ByKey element. In this case the content of the ByKey element will be the DER value of the byKey field defined in RFC 2560, base64-encoded. The contents of ByName element MUST follow the rules established by XMLDSIG [3] in its clause 4.4.4 for strings representing Distinguished Names. The generation time indication appears in the ProducedAt element and corresponds to the "ProducedAt" field of the referenced response. The optional URI attribute could serve to indicate where the OCSP response identified is archived;
• the digest computed on the DER encoded OCSPResponse defined in RFC 2560 [9], appearing within DigestAlgAndValue element, since it MAY be needed to differentiate between two OCSP responses by the same server with their "ProducedAt" fields within the same second.
#10224
Posted: 05/29/2009 07:26:33
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Can serverReply be considered as a response and be passed to the TElOCSPResponse through the Load function as the following:

No, serverReply is the raw data reply from the server; it is an ASN.1 sequence that consists of responseStatus and the OCSP response data itself.
You should use the Response property of the TElHTTPOCSPClient class to get a TElOCSPResponse instance.
Quote
Could you show me a piece of code to add a ClaimedRole into the SignerRole? I use the following line of code, but it failed.

Did you enable SignerRole?
Code
xadesSigner.Included = xadesSigner.Included | SBXMLAdESIntf.Unit.xipSignerRole;
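Added example (Python, not SecureBlackbox or EldoS code) illustrating two points from the replies above: the raw serverReply is the outer OCSPResponse envelope of RFC 2560 (responseStatus plus the [0] responseBytes wrapping the BasicOCSPResponse), and the OCSPRef values the quoted XAdES text prescribes, the ByKey responder identifier (base64 of the SHA-1 over the responder's public key) and DigestAlgAndValue (digest over the DER-encoded OCSPResponse), which is what separates two responses with the same ProducedAt second. All inputs are constructed stand-ins: the bytes used as BasicOCSPResponse and public key are not real structures, only the outer envelope is genuine DER, and the function and constant names are this example's own.

```python
import base64
import hashlib

# --- minimal DER helpers, enough for the RFC 2560 OCSPResponse envelope ---

def der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos = pos + 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

ID_PKIX_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # OID 1.3.6.1.5.5.7.48.1.1

def build_ocsp_response(status: int, basic_response_der):
    """Constructed OCSPResponse (RFC 2560 4.2.1): SEQUENCE { responseStatus ENUMERATED,
    responseBytes [0] EXPLICIT SEQUENCE { responseType OID, response OCTET STRING } OPTIONAL }.
    Error statuses (e.g. 1 = malformedRequest) carry no responseBytes."""
    content = der_tlv(0x0A, bytes([status]))
    if basic_response_der is not None:
        response_bytes = der_tlv(0x30, der_tlv(0x06, ID_PKIX_OCSP_BASIC)
                                 + der_tlv(0x04, basic_response_der))
        content += der_tlv(0xA0, response_bytes)
    return der_tlv(0x30, content)

def parse_ocsp_response(server_reply: bytes):
    """Split a raw server reply into (responseStatus, BasicOCSPResponse DER or None)."""
    tag, seq, _ = der_read_tlv(server_reply)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status_content, pos = der_read_tlv(seq)
    if tag != 0x0A:
        raise ValueError("responseStatus must be ENUMERATED")
    status = status_content[0]
    if pos >= len(seq):
        return status, None            # no responseBytes: server reported an error status
    tag, response_bytes, _ = der_read_tlv(seq, pos)
    if tag != 0xA0:
        raise ValueError("responseBytes must be [0] EXPLICIT")
    _, inner, _ = der_read_tlv(response_bytes)
    tag, oid, pos = der_read_tlv(inner)
    if tag != 0x06 or oid != ID_PKIX_OCSP_BASIC:
        raise ValueError("unsupported responseType")
    tag, basic, _ = der_read_tlv(inner, pos)
    if tag != 0x04:
        raise ValueError("response must be an OCTET STRING")
    return status, basic

# --- OCSPRef values as prescribed by the XAdES text quoted above ---

XMLDSIG_SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
XMLENC_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DIGEST_ALGS = {XMLDSIG_SHA1: "sha1", XMLENC_SHA256: "sha256"}

def responder_by_key(public_key_bits: bytes) -> str:
    """RFC 2560 KeyHash: SHA-1 over the subjectPublicKey BIT STRING value
    (tag and length excluded), carried base64-encoded in the XAdES ByKey element."""
    return base64.b64encode(hashlib.sha1(public_key_bits).digest()).decode()

def ocsp_ref_digest(ocsp_response_der: bytes, method_uri: str = XMLENC_SHA256) -> str:
    """DigestAlgAndValue/DigestValue: digest over the whole DER-encoded OCSPResponse."""
    return base64.b64encode(hashlib.new(DIGEST_ALGS[method_uri], ocsp_response_der).digest()).decode()

def make_ocsp_ref(ocsp_response_der, produced_at, responder_key_bits, method_uri=XMLENC_SHA256):
    return {"ResponderIDType": "ByKey", "ResponderID": responder_by_key(responder_key_bits),
            "ProducedAt": produced_at, "DigestMethod": method_uri,
            "DigestValue": ocsp_ref_digest(ocsp_response_der, method_uri)}

def ref_matches_response(ref: dict, ocsp_response_der: bytes) -> bool:
    """Verifier side: ProducedAt and ResponderID alone cannot separate two responses
    issued within the same second, so the digest decides which one the ref names."""
    return ocsp_ref_digest(ocsp_response_der, ref["DigestMethod"]) == ref["DigestValue"]

# constructed sample inputs (stand-ins, not real BasicOCSPResponse or key structures)
RESPONDER_KEY_BITS = bytes(range(1, 66))
BASIC_A = b"\x30\x10" + b"A" * 16
BASIC_B = b"\x30\x10" + b"B" * 16
SERVER_REPLY_A = build_ocsp_response(0, BASIC_A)    # successful
SERVER_REPLY_B = build_ocsp_response(0, BASIC_B)    # same responder, same second
SERVER_REPLY_ERR = build_ocsp_response(1, None)     # malformedRequest

if __name__ == "__main__":
    print(parse_ocsp_response(SERVER_REPLY_A)[0], parse_ocsp_response(SERVER_REPLY_ERR))
    ref_a = make_ocsp_ref(SERVER_REPLY_A, "2009-05-27T07:01:15Z", RESPONDER_KEY_BITS)
    print(ref_matches_response(ref_a, SERVER_REPLY_A), ref_matches_response(ref_a, SERVER_REPLY_B))
```

The parser deliberately rejects anything but the id-pkix-ocsp-basic response type and refuses to read responseBytes when the status is an error, since a verifier should never treat an error envelope as a revocation answer.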
#10227
Posted: 05/29/2009 08:13:59
by Thanh Nguyen Trung (Priority Standard support level)
Joined: 09/12/2008
Posts: 73

Hi,

Thank you very much!!!