November 18, 2019

Generated Code for XAdES Signing Certificates

Question:

I am user of your component and I have problem with signing XML files.
I got (invalid) ds:Signature with same not replaced text “TO BE GENERATED BY CHILKAT” in tree node (SigningCertificate|xades:Cert[1] and SigningCertificate|xades:Cert[2])
The SigningCertificate|xades:Cert[0] is valid.

...
CkXml object1;
object1.put_Tag("xades:QualifyingProperties");
object1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#");
object1.AddAttribute("xmlns:xades141","http://uri.etsi.org/01903/v1.4.1#");
object1.AddAttribute("Target","#xmldsig-0d264d45-0a6a-4431-8e74-35463a71756c");
object1.UpdateAttrAt("xades:SignedProperties",true,"Id","xmldsig-0d264d45-0a6a-4431-8e74-35463a71756c-signedprops");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[1]|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert[2]|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
gen.AddObject("",object1.getXml(),"","");
...

Answer:

The online tool at https://tools.chilkat.io/xmlDsigGen.cshtml will generate code for the number of certs it finds in the sample already-signed XML that was provided as input.   The sample code is just generally showing how you would add certs to the SignedSignatureProperties.    The SigningCertificates, as specified at https://www.w3.org/TR/XAdES/#Syntax_for_XAdES_The_SigningCertificate_element    specify that you would potentially include the certificates in the chain of authentication up to the point of trust:   “The certificate used to verify the signature shall be identified in the sequence; the signature policy may mandate other certificates be present, that may include all the certificates up to the point of trust.”   The number of certs in the chain of authentication can vary, depending on the cert.   Also, the server/receivor may or may not require the chain of authentication.  It could be that the receiving service only requires the cert used for signing, without the remainder of the certs in the chain of authentication.

 

admin
0
Tags :

Tags

ActiveX asp async asynchronous C# callbacks charset Delphi email Encryption error messages events exchange server FTP GMail HTTP IMAP IOS Java Linking MHT MIME oauth2 Office365 pfx PHP pop3 port-forwarding regsvr32 release notes RSA SFTP SMTP socket SSH SSL TLS tunnel upload vb6 VC++ x64 xades XML zip