EldoS | Feel safer!


Posted: 01/24/2008 08:31:26
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87


For XAdES (XAdES-BES, XAdES-EPES) and XAdES-T forms there is a simple interface available via classes.

Other forms of XAdES (up to XAdES-A) are possible, but implementing them requires certain work.

For implementing XAdES-C I have to insert the CompleteCertificateRefs and CompleteRevocationRefs in the unsigned properties.

I used:

xadesSigner.QualifyingProperties.UnsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.AddCertificate(FCertificate, SBXMLAdES.Unit.XAdES_v1_3_2);

But the resulting XML doesn't contain those unsigned properties...

Is this the "certain work"?

thanks in advance
Posted: 01/24/2008 08:49:53
by Dmytro Bogatskyy (Team)

You additionally need to set "ElXAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_C", otherwise these properties are ignored.
Posted: 01/24/2008 09:05:13
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

OK, thanks.
Posted: 01/24/2008 13:02:06
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

I build the certificate chain and add a reference to each certificate to the CompleteCertificateRefs element.

Now I am trying to build the CompleteRevocationRefs element, but I am running into trouble.

This method receives a TElXMLCRLRef as a parameter, with these fields:
- DigestMethod
- DigestValue  
- Issuer
- IssueTime
- IssueTimeUTC
- Number

How can I create a TElXMLCRLRef based on a certificate?

Posted: 01/24/2008 15:21:31
by Dmytro Bogatskyy (Team)

How can I create a TElXMLCRLRef based on a certificate?

Set them as follows (C#-style sketch; CRL is an already loaded TElCertificateRevocationList and CRLRef is the TElXMLCRLRef you are filling):

TElCertificateRevocationList CRL = ...;
byte[] buf;
// Serialize the CRL; every field of the reference is derived from that DER encoding
if (CRL.SaveToBuffer(buf) == 0)
{
    CRLRef.DigestMethod = SBXMLDefs.Unit.xmlDigestMethodSHA1;
    // SHA-1 digest over the DER-encoded CRL
    CRLRef.DigestValue = SBXMLSec.Unit.CalculateDigest(buf, SBXMLSec.Unit.xdmSHA1);
    // Issuer name as an RDN string, as required by the Issuer element
    CRLRef.Issuer = SBXMLSec.Unit.FormatRDN(CRL.IssuerRDN);
    // thisUpdate of the CRL becomes IssueTime (UTC)
    CRLRef.IssueTimeUTC = CRL.ThisUpdate;
    // Value of the CRL Number extension
    CRLRef.Number = CRL.Extensions.CRLNumber.Number;
}

As for the URI, check this:
Posted: 01/31/2008 09:14:46
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87


I am validating the signature as specified in ETSI 1.3.2.

On page 89 it says:

G.2.2.2 Getting Certificates for verification
If CertificateValues is not present but CompleteCertificateRefs is present, the verifier should get the
certificates referenced there and check if they actually form a valid certification path. If not, the verifier should assume
that the verification process has failed.

My question is: where do I get the certificates referenced by CompleteCertificateRefs?

Posted: 02/01/2008 14:07:21
by Dmytro Bogatskyy (Team)

My question is: where do I get the certificates referenced by CompleteCertificateRefs?

I assume you should check the ds:KeyInfo certificates and CertificateValues only. According to G.2.2.14 you could also check the AttrAuthoritiesValues certificates.
Something similar is written here:
Each certificate in the certificate chain, i.e. each certificate that is included in the <CompleteCertificateRefs> element, has to be present either in the <ds:KeyInfo> of the XMLDSig signature or in the <CertificateValues> element.
Posted: 02/08/2008 11:59:34
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

To validate the certificates against CompleteCertificateRefs or SigningCertificate I am doing it this way:

lookup.CertificateHashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;   // hash algorithm used by the CertID digest
lookup.Criteria = SBCustomCertStorage.Unit.lcCertificateHash;                 // look certificates up by their hash
lookup.Options = SBCustomCertStorage.Unit.loExactMatch | SBCustomCertStorage.Unit.loMatchAll;

Then for each certificate it finds I compare the serial number and the IssuerRDN.

if (SBXMLSec.Unit.CompareRDNStringsNonstrict(XAdESVerifier.QualifyingProperties.SignedProperties.SignedSignatureProperties.SigningCertificate[i].IssuerSerial.IssuerRDN, certStorage.get_Certificates(index).IssuerRDN) &&

The method HasCertificate() from TElXMLCertIDList does the validation from the other side. Can I use it, or will I have problems by not using "SBXMLSec.Unit.CompareRDNStringsNonstrict" for IssuerRDN and "SBUtils.Unit.CompareMem" for SerialNumber?

thanks in advance
Posted: 02/08/2008 17:35:29
by Dmytro Bogatskyy (Team)

Yes, you can.
This new method (HasCertificate) compares the certificate hash, serial number and IssuerRDN in the same way as you described above and returns the index of the corresponding CertID, or -1 if not found.
Posted: 02/12/2008 10:36:00
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

I have a problem verifying an XAdES-C signature and I can't find a solution...

Signer Side:
I have a certificate chain with 2 certificates.
I add them both to KeyInfo and CompleteCertificateRefs.

Verifier Side:
Get the certificates from KeyInfo into a memoryCertStorage.
I verify the CompleteCertificateRefs against the certificates in memoryCertStorage.
I use the method HasCertificate().

It finds the signing certificate, but it can't find the top certificate.
I checked the certificates when I add them (signer side) and when I get them from the signature.

These are the results:

Signer Side ---> Verifier Side (memoryCertStorage)
- SigningCertificate.SerialNumber = byte[10] ----> byte[12] (no problem, the leading zeros don't matter)
- TopCertificate.SerialNumber = byte[15] ----> byte[16], it adds a new byte ("185") at position 4

Then I checked against the CompleteCertificateRefs on the verifier side:
- SigningCertificate.SerialNumber has the same byte[12] value
- TopCertificate.SerialNumber has a new byte[16] value (only the last 2 indexes are the same)

What is the problem? Is it my mistake passing some value?

thanks in advance
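An added illustration, not code from this thread or from SecureBlackbox, of the matching that HasCertificate is described as doing (certificate hash, serial number and non-strict IssuerRDN) and of the serial-number observations in the last post: leading zero bytes are harmless, but an extra byte inside the serial is a different number and cannot match. All certificate bytes, names and serials are constructed for the example, and the function names are hypothetical.

```python
import hashlib

# Constructed sample data (not real certificates): a stand-in DER blob plus the
# fields a CertID reference carries (hash of the DER, IssuerRDN, serial number).
SIGNING_DER = b"constructed-der-signing-cert"
TOP_DER = b"constructed-der-top-cert"
SIGNING_SERIAL = bytes.fromhex("a1b2c3d4e5f60708090a")          # 10 bytes
TOP_SERIAL = bytes.fromhex("0102030405060708090a0b0c0d0e0f")   # 15 bytes


def normalize_serial(serial: bytes) -> bytes:
    """Drop leading zero bytes: DER pads an INTEGER with 0x00 when the top bit is
    set and libraries differ on whether they keep it (the byte[10] vs byte[12] case)."""
    return serial.lstrip(b"\x00") or b"\x00"


def rdn_key(rdn: str) -> list:
    """Non-strict RDN key: attribute order, case and surrounding spaces are ignored."""
    out = []
    for part in rdn.split(","):
        name, _, value = part.partition("=")
        if value:
            out.append((name.strip().upper(), value.strip().casefold()))
    return sorted(out)


def make_cert_id(der: bytes, issuer: str, serial: bytes) -> dict:
    """What the signer side puts into SigningCertificate / CompleteCertificateRefs."""
    return {"hash": hashlib.sha1(der).digest(), "issuer": issuer, "serial": serial}


def has_certificate(cert_ids: list, cert: dict) -> int:
    """Index of the CertID whose hash, serial and issuer all match cert, else -1."""
    cert_hash = hashlib.sha1(cert["der"]).digest()
    for i, cid in enumerate(cert_ids):
        if (cid["hash"] == cert_hash
                and normalize_serial(cid["serial"]) == normalize_serial(cert["serial"])
                and rdn_key(cid["issuer"]) == rdn_key(cert["issuer"])):
            return i
    return -1


# Signer side: references for the two-certificate chain.
REFS = [
    make_cert_id(SIGNING_DER, "CN=Intermediate CA, O=Example", SIGNING_SERIAL),
    make_cert_id(TOP_DER, "CN=Root CA, O=Example", TOP_SERIAL),
]
# Verifier side, as read back from ds:KeyInfo: the signing cert's serial gained two
# leading zeros (still matches); the top cert's serial gained a 0xB9 (185) byte at
# index 4, which is a different integer, so no CertID matches it.
SIGNING_FROM_KEYINFO = {"der": SIGNING_DER, "issuer": "cn=intermediate ca, o=example",
                        "serial": b"\x00\x00" + SIGNING_SERIAL}
TOP_FROM_KEYINFO = {"der": TOP_DER, "issuer": "CN=Root CA, O=Example",
                    "serial": TOP_SERIAL[:4] + b"\xb9" + TOP_SERIAL[4:]}
```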


