Generated Code for XAdES Signing Certificates
Question:
I am a user of your component and I have a problem with signing XML files.
I got an (invalid) ds:Signature with the same unreplaced text “TO BE GENERATED BY CHILKAT” in the tree nodes (SigningCertificate|xades:Cert[1] and SigningCertificate|xades:Cert[2]).
The SigningCertificate|xades:Cert[0] is valid.
...
CkXml object1;
object1.put_Tag("xades:QualifyingProperties");
object1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#");
object1.AddAttribute("xmlns:xades141","http://uri.etsi.org/01903/v1.4.1#");
object1.AddAttribute("Target","#xmldsig-0d264d45-0a6a-4431-8e74-35463a71756c");
object1.UpdateAttrAt("xades:SignedProperties",true,"Id","xmldsig-0d264d45-0a6a-4431-8e74-35463a71756c-signedprops");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
gen.AddObject("",object1.getXml(),"","");
...
Answer:
The online tool at https://tools.chilkat.io/xmlDsigGen.cshtml generates code for the number of certs it finds in the already-signed sample XML that was provided as input. The sample code only shows, in general terms, how you would add certs to the SignedSignatureProperties.

The SigningCertificate element, as specified at https://www.w3.org/TR/XAdES/#Syntax_for_XAdES_The_SigningCertificate_element, can potentially include the certificates in the chain of authentication up to the point of trust: “The certificate used to verify the signature shall be identified in the sequence; the signature policy may mandate other certificates be present, that may include all the certificates up to the point of trust.”

The number of certs in the chain of authentication can vary, depending on the cert. Also, the server/receiver may or may not require the chain of authentication. It could be that the receiving service only requires the cert used for signing, without the remainder of the certs in the chain of authentication.
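A pre-send check for the symptom in the question, as an added example (not Chilkat's code and not part of the original post): it reports which xades:Cert entries in signed output still carry the placeholder text. The names `unresolvedCertIndices` and `sampleSignedXml` are hypothetical, the sample XML is constructed, and the scan assumes the `xades` prefix used in the question's code.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Placeholder text emitted by the generated code on this page.
static const std::string kPlaceholder = "TO BE GENERATED BY CHILKAT";

// Returns zero-based indices of xades:Cert elements that still contain the
// placeholder. Assumes the "xades" prefix from the page's code; this is a
// plain string scan, not a namespace-aware XML parser.
std::vector<int> unresolvedCertIndices(const std::string& xml) {
    const std::string open = "<xades:Cert", close = "</xades:Cert>";
    std::vector<int> bad;
    int index = 0;
    std::size_t pos = 0;
    while ((pos = xml.find(open, pos)) != std::string::npos) {
        std::size_t after = pos + open.size();
        char c = after < xml.size() ? xml[after] : '\0';
        // Skip longer element names such as <xades:CertDigest>.
        if (std::string(" \t\r\n>").find(c) == std::string::npos) {
            pos = after;
            continue;
        }
        std::size_t end = xml.find(close, after);
        if (end == std::string::npos) end = xml.size();  // truncated input
        if (xml.substr(pos, end - pos).find(kPlaceholder) != std::string::npos)
            bad.push_back(index);
        ++index;
        pos = end;
    }
    return bad;
}

// Constructed sample: Cert[0] filled in, Cert[1] and Cert[2] left unresolved.
std::string sampleSignedXml() {
    auto cert = [](const std::string& v) {
        return "<xades:Cert><xades:CertDigest><ds:DigestValue>" + v +
               "</ds:DigestValue></xades:CertDigest><xades:IssuerSerial>"
               "<ds:X509SerialNumber>" + v + "</ds:X509SerialNumber>"
               "</xades:IssuerSerial></xades:Cert>";
    };
    return "<xades:SigningCertificate>" + cert("constructed-value") +
           cert(kPlaceholder) + cert(kPlaceholder) + "</xades:SigningCertificate>";
}

int main() {
    for (int i : unresolvedCertIndices(sampleSignedXml()))
        std::cout << "xades:Cert[" << i << "] still holds the placeholder\n";
}
```

A non-empty result means the template declares more xades:Cert entries than were filled in at signing time, which is the condition the question describes.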