EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Checking CompleteRevocationRefs

#4880
Posted: 02/07/2008 06:57:40
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

I am implementing the validation of a XAdES X-L signature.

I am at point G.2.2.13 "Checking CompleteRevocationRefs".

I extracted all the certificates necessary to build the certificate chain from the signature.

On the first step it says:
Quote
If RevocationValues is present, the verifier should check that they actually provide adequate revocation
information for all the certificates required for verifying the electronic signature.


I have RevocationValues and the certificates. For "provide adequate revocation
information for all the certificates required" I understand the need to have a RevocationValue (CRL) for each certificate in the certificate chain. How can I make the correspondence?

Quote
If so, the verifier should
check the references in CompleteRevocationRefs against the values in RevocationValues proceeding
as indicated in step 3.


For this step I am validating the RevocationValues against CompleteRevocationRefs. For each one I am doing the 4 tests. But I am having trouble implementing the last one:

Quote
If the aforementioned checks are successful, compute the digest of the CRL according to the
algorithm indicated in the ds:DigestMethod element, base64 encode the result and check if this
is the same as the contents of the ds:DigestValue element.


At this moment I have:
Code
byte[] buf;
revocation.SaveToBuffer(buf); // RevocationValue (the CRL) as raw bytes

// DigestValue vs Base64Encode(DigestMethod(CRL))
buf = SBXMLSec.Unit.CalculateDigest(buf, SBXMLSec.Unit.xdmSHA1);
// Note: byte[].Equals compares references, not contents, and DigestValue
// holds the base64 string form of the digest.
if (buf.Equals(revocationRefs[j].DigestAlgAndValue.DigestValue))


1. I can't find a method to convert the DigestAlgAndValue.DigestMethod string to a short for use in CalculateDigestMethod.

2. I have the calculated digest byte[] but I need to encode it to base64. How can I do this?

thanks
#4909
Posted: 02/07/2008 14:11:42
by Dmytro Bogatskyy (EldoS Corp.)

Quote
1. I can't find a method to convert the DigestAlgAndValue.DigestMethod string to a short for use in CalculateDigestMethod.

Please, use URIToDigestMethod:
short SBXMLSec.Unit.URIToDigestMethod(string DigestMethod);
Quote
2. I have the calculated digest byte[] but I need to encode it to base64. How can I do this?

You can use method from SBXMLSec:
string SBXMLSec.Unit.ConvertToBase64String(byte[] Buf);
or method from .Net framework:
Convert.ToBase64String
#4912
Posted: 02/08/2008 05:11:02
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Hi,

Quote
Nuno Guedes wrote:
I am at point G.2.2.13 "Checking CompleteRevocationRefs".

I extracted all the certificates necessary to build the certificate chain from the signature.

On the first step it says: Quote If RevocationValues is present, the verifier should check that they actually provide adequate revocation information for all the certificates required for verifying the electronic signature.

I have RevocationValues and the certificates. For "provide adequate revocation information for all the certificates required" I understand the need to have a RevocationValue (CRL) for each certificate in the certificate chain. How can I make the correspondence?


"provide adequate revocation information for all the certificates required" means having a RevocationValue (CRL) for each certificate in the certificate chain?

How can i make the correspondence between a CRL and a certificate?

Quote
Bogatskyy wrote:
Quote 1. I can't find a method to convert the DigestAlgAndValue.DigestMethod string to a short for use in CalculateDigestMethod.

Please, use URIToDigestMethod: short SBXMLSec.Unit.URIToDigestMethod(string DigestMethod);


I can't find that method, I only find DigestMethodToURI...

thanks in advance
#4914
Posted: 02/08/2008 08:46:18
by Dmytro Bogatskyy (EldoS Corp.)

Quote
"provide adequate revocation information for all the certificates required" means having a RevocationValue (CRL) for each certificate in the certificate chain?

Yes, or OCSP responses.
Quote
How can i make the correspondence between a CRL and a certificate?

To find the CRL from the list for a specific certificate, use the ElCertificateRevocationList.Validate method.
Also, a useful article: Use CRLs in certificate validation
Quote
I can't find that method, I only find DigestMethodToURI...

Sorry, it was marked as a private method. It is written as follows:
Code
short URIToDigestMethod(string DigestMethod)
{
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodMD5)
    return SBXMLSec.Unit.xdmMD5;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA1)
    return SBXMLSec.Unit.xdmSHA1;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA224)
    return SBXMLSec.Unit.xdmSHA224;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA256)
    return SBXMLSec.Unit.xdmSHA256;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA384)
    return SBXMLSec.Unit.xdmSHA384;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA512)
    return SBXMLSec.Unit.xdmSHA512;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodRIPEMD160)
    return SBXMLSec.Unit.xdmRIPEMD160;
  throw new EXMLError("Unsupported hash algorithm");
}

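As an added example (not code from the original posts or from SecureBlackbox), the following Python stand-alone script puts the two answers above together: the ds:DigestMethod URI to hash mapping that the private URIToDigestMethod performs, the step-3 check of each CRLRef in CompleteRevocationRefs against the EncapsulatedCRLValue entries in RevocationValues (digest the raw CRL bytes, base64-encode, compare with DigestValue), and the certificate-to-CRL correspondence asked about in the first step (CRL issuer equals certificate issuer, validity window covers the verification time). The XAdES fragment and the CRL bytes are constructed inside the script so that it runs offline; the certificate and CRL dicts are simplified stand-ins for parsed X.509 objects, and a real verifier would additionally check the CRL signature against the issuer certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"

# ds:DigestMethod Algorithm URI -> hashlib constructor name. Same job as the
# thread's URIToDigestMethod lookup; MD5 is deliberately left out.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmldsig-more#sha224": "sha224",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def uri_to_hash(uri):
    """Unknown URIs are an error, never a silent fallback to SHA-1."""
    if uri not in DIGEST_URIS:
        raise ValueError("Unsupported hash algorithm: " + uri)
    return getattr(hashlib, DIGEST_URIS[uri])


def digest_b64(data, uri):
    """Digest the raw (DER) CRL bytes and base64-encode, as ds:DigestValue stores it."""
    return base64.b64encode(uri_to_hash(uri)(data).digest()).decode("ascii")


def check_crl_refs(xml_text):
    """Step 3: for each CRLRef find the EncapsulatedCRLValue whose digest, computed
    with the ref's own DigestMethod, equals the ref's DigestValue.
    Returns one entry per ref: index of the matching CRL, or None."""
    root = ET.fromstring(xml_text)
    crls = [base64.b64decode("".join(e.text.split()))
            for e in root.iter(f"{{{XADES}}}EncapsulatedCRLValue")]
    results = []
    for ref in root.iter(f"{{{XADES}}}CRLRef"):
        dav = ref.find(f"{{{XADES}}}DigestAlgAndValue")
        uri = dav.find(f"{{{DS}}}DigestMethod").get("Algorithm")
        expected = "".join(dav.find(f"{{{DS}}}DigestValue").text.split())
        results.append(next((i for i, crl in enumerate(crls)
                             if digest_b64(crl, uri) == expected), None))
    return results


def build_sample(crl_blobs, tamper_last=False):
    """Constructed XAdES fragment (not from any real signature): one CRLRef per
    blob with a correct SHA-256 DigestValue. tamper_last corrupts the last ref's
    digest, which is how a swapped or edited CRL shows up in this check."""
    uri = "http://www.w3.org/2001/04/xmlenc#sha256"
    refs, vals = [], []
    for i, crl in enumerate(crl_blobs):
        bad = tamper_last and i == len(crl_blobs) - 1
        dv = digest_b64(crl + (b"!" if bad else b""), uri)
        refs.append(f'<xades:CRLRef><xades:DigestAlgAndValue>'
                    f'<ds:DigestMethod Algorithm="{uri}"/><ds:DigestValue>{dv}</ds:DigestValue>'
                    f'</xades:DigestAlgAndValue></xades:CRLRef>')
        vals.append(f'<xades:EncapsulatedCRLValue>{base64.b64encode(crl).decode("ascii")}'
                    f'</xades:EncapsulatedCRLValue>')
    return (f'<xades:UnsignedSignatureProperties xmlns:xades="{XADES}" xmlns:ds="{DS}">'
            f'<xades:CompleteRevocationRefs><xades:CRLRefs>{"".join(refs)}</xades:CRLRefs>'
            f'</xades:CompleteRevocationRefs><xades:RevocationValues><xades:CRLValues>'
            f'{"".join(vals)}</xades:CRLValues></xades:RevocationValues>'
            f'</xades:UnsignedSignatureProperties>')


# First step of G.2.2.13: is there revocation information for every certificate
# the path needs? The dicts are simplified stand-ins for parsed X.509 objects.
def find_crl_for(cert, crls, at):
    """A CRL corresponds to a certificate when the CRL issuer is the certificate's
    issuer and the thisUpdate/nextUpdate window covers the verification time."""
    for crl in crls:
        if crl["issuer"] == cert["issuer"] and crl["this_update"] <= at < crl["next_update"]:
            return crl
    return None


def chain_revocation_status(chain, crls, at):
    """Leaf-first chain; the self-signed trust anchor at the end needs no CRL.
    Returns 'good', 'revoked' or 'missing' for each checked certificate."""
    status = {}
    for cert in chain:
        if cert["subject"] == cert["issuer"]:
            continue
        crl = find_crl_for(cert, crls, at)
        if crl is None:
            status[cert["subject"]] = "missing"
        else:
            status[cert["subject"]] = "revoked" if cert["serial"] in crl["revoked"] else "good"
    return status


def sample_chain_status():
    """Constructed chain (leaf, intermediate, self-signed root) and one CRL from the
    intermediate that lists the leaf; nothing covers the intermediate itself."""
    at = datetime(2008, 2, 11)
    chain = [{"subject": "CN=leaf", "issuer": "CN=sub", "serial": 7},
             {"subject": "CN=sub", "issuer": "CN=root", "serial": 2},
             {"subject": "CN=root", "issuer": "CN=root", "serial": 1}]
    crls = [{"issuer": "CN=sub", "this_update": at - timedelta(days=1),
             "next_update": at + timedelta(days=6), "revoked": {7}}]
    return chain_revocation_status(chain, crls, at)


if __name__ == "__main__":
    blobs = [b"constructed CRL bytes A", b"constructed CRL bytes B"]
    print(check_crl_refs(build_sample(blobs)))
    print(check_crl_refs(build_sample(blobs, tamper_last=True)))
    print(sample_chain_status())
```

The digest is taken over the exact encapsulated bytes, not over a re-serialised CRL, because any re-encoding (even a whitespace change in the base64) would change the digest and the reference would fail to match a value that is actually present. A "missing" result for a non-anchor certificate means the RevocationValues are not adequate for the path and the X-L validation should stop there rather than treat the certificate as unrevoked.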
#4915
Posted: 02/08/2008 09:06:15
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

thanks
#4955
Posted: 02/11/2008 10:39:28
by Nuno Guedes (Basic support level)
Joined: 08/13/2007
Posts: 87

Quote
Bogatskyy wrote:
Sorry, it was marked as private method. It is written as follows:

Code
short URIToDigestMethod(string DigestMethod)
{
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodMD5)
    return SBXMLSec.Unit.xdmMD5;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA1)
    return SBXMLSec.Unit.xdmSHA1;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA224)
    return SBXMLSec.Unit.xdmSHA224;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA256)
    return SBXMLSec.Unit.xdmSHA256;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA384)
    return SBXMLSec.Unit.xdmSHA384;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodSHA512)
    return SBXMLSec.Unit.xdmSHA512;
  if (DigestMethod == SBXMLDefs.Unit.xmlDigestMethodRIPEMD160)
    return SBXMLSec.Unit.xdmRIPEMD160;
  throw new EXMLError("Unsupported hash algorithm");
}


It works, but I had to modify, for example, SBXMLSec.Unit.xdmSHA1 to SBConstants.Unit.SB_ALGORITHM_DGST_SHA1 to return values from the lookup.

But when I have to calculate the digest I have to pass the SBXMLSec.Unit.xdmSHA1 value.

Why are they different? Don't they indicate the same thing?

thanks
#4967
Posted: 02/11/2008 18:11:25
by Dmytro Bogatskyy (EldoS Corp.)

Quote
It works, but I had to modify, for example, SBXMLSec.Unit.xdmSHA1 to SBConstants.Unit.SB_ALGORITHM_DGST_SHA1 to return values from the lookup.
But when I have to calculate the digest I have to pass the SBXMLSec.Unit.xdmSHA1 value.
Why are they different? Don't they indicate the same thing?

They are similar.
The first group describes the hash algorithms available for XML, and the second one is the global one.
Internally, all cryptographic operations are performed with the second group of constants (e.g. SB_ALGORITHM_DGST_SHA1).