EldoS | Feel safer!

Software components for data protection, secure storage and transfer

XAdES-C

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#4780
Posted: 01/24/2008 08:31:26
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

hi,

Quote
For XAdES (XAdES-BES, XAdES-EPES) and XAdES-T forms there is a simple interface available via classes.

Other forms of XAdES (till XAdES-A) are possible but implementing them requires certain work.


For implementing XAdES-C I have to insert the CompleteCertificateRefs and CompleteRevocationRefs into the unsigned properties.

I used:

Code
xadesSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.AddCertificate(FCertificate, SBXMLAdES.Unit.XAdES_v1_3_2);
xadesSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.Add(teste);


But the resulting XML doesn't contain those unsigned properties...

Is this the "certain work"?

thanks in advance
#4782
Posted: 01/24/2008 08:49:53
by Dmytro Bogatskyy (EldoS Corp.)

You additionally need to set "ElXAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_C", otherwise these properties are ignored.
#4784
Posted: 01/24/2008 09:05:13
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

ok, thanks
#4790
Posted: 01/24/2008 13:02:06
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

I build the certificate chain and add a reference to each certificate to the CompleteCertificateRefs element.

Now I am trying to build the CompleteRevocationRefs element, but I am running into trouble.

Code
xadesSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.Add();


This method receives a TElXMLCRLRef as a parameter.
Code
TElXMLCRLRef
DigestAlgAndValue
- DigestMethod
- DigestValue  
CRLIdentifier
- Issuer
- IssueTime
- IssueTimeUTC
- Number
- URI


How can I create a TElXMLCRLRef based on a certificate?

thanks
#4791
Posted: 01/24/2008 15:21:31
by Dmytro Bogatskyy (EldoS Corp.)

Quote
How can i create a TElXMLCRLRef based on a certificate?

Set them as follows:
Code
TElCertificateRevocationList CRL ...;
byte[] buf;
if (CRL.SaveToBuffer(buf) == 0)
{
    CRLRef.DigestMethod = SBXMLDefs.Unit.xmlDigestMethodSHA1;
    CRLRef.DigestValue = SBXMLSec.Unit.CalculateDigest(buf, SBXMLSec.Unit.xdmSHA1);
    CRLRef.Issuer = SBXMLSec.Unit.FormatRDN(CRL.IssuerRDN);
    CRLRef.IssueTimeUTC = CRL.ThisUpdate;
    CRLRef.Number = CRL.Extensions.CRLNumber.Number;
}

As for URI check this:
http://www.eldos.com/documentation/sb..._id=234397
#4829
Posted: 01/31/2008 09:14:46
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

I am validating the signature as it is specified in ETSI 1.3.2.

On page 89 it says:

Quote
G.2.2.2 Getting Certificates for verification
If CertificateValues is not present but CompleteCertificateRefs is present, the verifier should get the
certificates referenced there and check if they actually form a valid certification path. If not, the verifier should assume
that the verification process has failed.


My doubt is: where do I get the certificates referenced by CompleteCertificateRefs?

thanks
#4840
Posted: 02/01/2008 14:07:21
by Dmytro Bogatskyy (EldoS Corp.)

Quote
My doubt is where i get the certificates referenced by CompleteCertificateRefs?

I assume you should check the ds:KeyInfo certificates and CertificateValues only. According to G.2.2.14 you could also check the AttrAuthoritiesValues certificates.
Something similar is written here:
http://www.iaik.tu-graz.ac.at/teachin...entner.pdf
Quote
3.9
Each certificate in the certificate chain, i.e. each certificate that is included in the <CompleteCertificateRefs> element, has to be present either in the <ds:KeyInfo> of the XMLDSig
signature or in the <CertificateValues> element.
#4927
Posted: 02/08/2008 11:59:34
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

To validate the certificates against CompleteCertificateRefs or SigningCertificate I am doing it this way:

Code
lookup.CertificateHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;
lookup.Criteria = SBCustomCertStorage.Unit.lcCertificateHash;
lookup.Options = SBCustomCertStorage.Unit.loExactMatch | SBCustomCertStorage.Unit.loMatchAll;


Then for each certificate it finds I compare the serial number and the IssuerRDN.

Code
if (SBXMLSec.Unit.CompareRDNStringsNonstrict(
        XAdESVerifier.QualifyingProperties.SignedProperties.SignedSignatureProperties.SigningCertificate[i].IssuerSerial.IssuerRDN,
        certStorage.get_Certificates(index).IssuerRDN) &&
    SBUtils.Unit.CompareMem(
        certStorage.get_Certificates(index).SerialNumber,
        SBXMLSec.Unit.ToCryptoBinary(XAdESVerifier.QualifyingProperties.SignedProperties.SignedSignatureProperties.SigningCertificate[i].IssuerSerial.SerialNumber)))


The method HasCertificate() from TElXMLCertIDList does the validation from the other side. Can I use it, or will I have problems by not using "SBXMLSec.Unit.CompareRDNStringsNonstrict" for IssuerRDN and "SBUtils.Unit.CompareMem" for SerialNumber?

thanks in advance
#4933
Posted: 02/08/2008 17:35:29
by Dmytro Bogatskyy (EldoS Corp.)

Yes, you can.
This new method (HasCertificate) compares the certificate hash, serial number and IssuerRDN in the same way as you described above and returns the index of the corresponding CertID, or -1 if it is not found.
#4975
Posted: 02/12/2008 10:36:00
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

I have a problem verifying an XAdES-C signature and I can't get a solution...

Signer Side:
I have a certificate chain with 2 certificates.
I add them both to KeyInfo and CompleteCertificateRefs.

Verifier Side:
Get certificates from KeyInfo to a memoryCertStorage.
I verify the CompleteCertificateRefs against the certificates in memoryCertStorage.
I use the method HasCertificate().

It finds the signing certificate, but it can't find the top certificate.
I looked at the certificates when I add them (signer side) and when I get them from the signature.

These are the results:

Signer Side ---> Verifier Side (memoryCertStorage)
- SigningCertificate.SerialNumber = byte[10] ----> byte[12] (no problem, the leading zeros don't affect it)
- TopCertificate.SerialNumber = byte[15] ----> byte[16]; it adds a new byte ("185") at position 4

Then I verified against the CompleteCertificateRefs on the verifier side:
- SigningCertificate.SerialNumber has the same byte[12] value
- TopCertificate.SerialNumber has a new byte[16] value (only the last 2 indexes are the same)

What is the problem? Is it my mistake in passing some value?

thanks in advance
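The CertID matching that #4927 and #4933 describe (certificate digest, then IssuerRDN and serial number), together with the serial-number length differences reported in #4975, can be exercised outside of SecureBlackbox. The following is an added example, not code from the thread or from EldoS; it is written in Python with constructed stand-in certificate bytes, and its non-strict RDN comparison (case-insensitive attribute types, order and whitespace ignored) is an assumption about what such a comparison should tolerate, not a copy of CompareRDNStringsNonstrict.

```python
import hashlib
import re

# Constructed stand-ins for two DER-encoded certificates (not real certificates):
# CertDigest only depends on the bytes, so any blob demonstrates the lookup.
SIGNING_DER = b"constructed-signing-cert-der"
TOP_DER = b"constructed-top-ca-cert-der"
# Serial numbers. The top certificate's serial has its high bit set, so its DER
# encoding carries a leading 0x00 pad byte; a raw byte[] comparison against the
# unpadded value would fail even though both denote the same integer.
SIGNING_SERIAL = bytes.fromhex("1a2b3c4d5e")
TOP_SERIAL_DER = bytes.fromhex("00b9f1a3c4d5")

def serial_to_int(serial):
    """Canonicalise a serial number: raw DER INTEGER bytes (padded or not) or the
    decimal string carried in ds:X509SerialNumber both become a Python int."""
    if isinstance(serial, (bytes, bytearray)):
        return int.from_bytes(serial, "big")  # leading zero bytes do not change the value
    return int(str(serial).strip())

def canonical_serial_bytes(value):
    """Minimal DER INTEGER content for a non-negative serial: a 0x00 pad byte is
    present only when the top bit of the first byte is set (X.690 two's complement)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def normalise_rdn(rdn):
    """Assumed non-strict form: attribute types upper-cased, whitespace around
    separators dropped, attribute order ignored."""
    parts = []
    for part in re.split(r"\s*,\s*", rdn.strip()):
        key, _, val = part.partition("=")
        parts.append(key.strip().upper() + "=" + val.strip())
    return ",".join(sorted(parts))

def find_cert_id(cert_ids, cert_der, cert_issuer, cert_serial):
    """Index of the CertID (digest, issuer, serial) matching the certificate, or -1,
    following the order HasCertificate() is described as using in the thread."""
    digest = hashlib.sha1(cert_der).digest()
    for i, cid in enumerate(cert_ids):
        if cid["digest"] != digest:
            continue
        if normalise_rdn(cid["issuer"]) != normalise_rdn(cert_issuer):
            continue
        if serial_to_int(cid["serial"]) != serial_to_int(cert_serial):
            continue
        return i
    return -1

# Constructed CompleteCertificateRefs content: SHA-1 CertDigest plus IssuerSerial,
# with the serial in the decimal form ds:X509SerialNumber uses.
CERT_REFS = [
    {"digest": hashlib.sha1(SIGNING_DER).digest(), "issuer": "CN=Test CA, O=Example",
     "serial": str(serial_to_int(SIGNING_SERIAL))},
    {"digest": hashlib.sha1(TOP_DER).digest(), "issuer": "CN=Test Root, O=Example",
     "serial": str(serial_to_int(TOP_SERIAL_DER))},
]
```

Comparing serials as integers (or after `canonical_serial_bytes`) rather than as raw byte arrays removes the byte[10] versus byte[12] padding difference from the comparison; a serial whose value itself differs, as in the byte[15] versus byte[16] case, still fails the match and needs to be traced back to where the value was converted.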