3

I'm struggling with message signatures using XAdES. I've searched for the solution which brought me to the code below. But the service that I'm trying to connect to is telling me that the signature is wrong. What am I doing wrong?

public static class Signature
    {
        #region Private fields
        public const string XmlDsigSignatureProperties = "http://uri.etsi.org/01903#SignedProperties";
        public const string XadesProofOfApproval = "http://uri.etsi.org/01903/v1.2.2#ProofOfApproval";
        public const string XadesPrefix = "xades";
        public const string SignaturePrefix = "ds";
        public const string SignatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
        public const string XadesNamespaceUrl = "http://uri.etsi.org/01903/v1.3.2#";

        private const string SignatureId = "Signature";
        private const string SignaturePropertiesId = "SignedProperties";
        #endregion Private fields

        #region Public methods
        public static XmlElement SignWithXades(X509Certificate2 signingCertificate, string xml)
        {
            var xmlDocument = new XmlDocument();
            xmlDocument.LoadXml(xml);

            AddSignatureProperties(xmlDocument, signingCertificate);

            var signedXml = new SignedXml(xmlDocument);
            signedXml.Signature.Id = SignatureId;
            signedXml.SigningKey = signingCertificate.PrivateKey;

            var signatureReference = new Reference { Uri = "", };
            signatureReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signedXml.AddReference(signatureReference);

            var parametersSignature = new Reference
            {
                Uri = $"#{SignaturePropertiesId}",
                Type = XmlDsigSignatureProperties,
            };
            signedXml.AddReference(parametersSignature);

            var keyInfo = new KeyInfo();
            keyInfo.AddClause(new KeyInfoX509Data(signingCertificate));
            signedXml.KeyInfo = keyInfo;

            signedXml.ComputeSignature();

            var signatureNode = signedXml.GetXml();

            AssignNameSpacePrefixToElementTree(signatureNode, SignaturePrefix);

            var signedInfoNode = signatureNode.SelectSingleNode("//*[local-name()='SignedInfo']");
            var signatureValue = signatureNode.SelectSingleNode("//*[local-name()='SignatureValue']");
            var keyInfoNode = xmlDocument.SelectSingleNode("//*[local-name()='KeyInfo']");

            var finalSignatureNode = xmlDocument.SelectSingleNode("//*[local-name()='Signature']");
            finalSignatureNode.InsertBefore(signatureValue, keyInfoNode);
            finalSignatureNode.InsertBefore(signedInfoNode, signatureValue);

            return (XmlElement)finalSignatureNode;
        }
        #endregion Public methods

        #region Private methods
        private static void AddSignatureProperties(XmlDocument document, X509Certificate2 signingCertificate)
        {
            // <Signature>
            var signatureNode = document.CreateElement(SignaturePrefix, "Signature", SignatureNamespace);
            var signatureIdAttribute = document.CreateAttribute("Id");
            signatureIdAttribute.InnerText = SignatureId;
            signatureNode.Attributes.Append(signatureIdAttribute);
            document.DocumentElement.AppendChild(signatureNode);

            AddKeyInfo(document, signatureNode, signingCertificate);
            AddCertificateObject(document, signatureNode, signingCertificate);
        }

        private static void AddKeyInfo(XmlDocument document, XmlElement signatureNode, X509Certificate2 signingCertificate)
        {
            // <KeyInfo>
            var keyInfoNode = document.CreateElement(SignaturePrefix, "KeyInfo", SignatureNamespace);
            signatureNode.AppendChild(keyInfoNode);

            // <KeyInfo><X509Data>
            var x509DataNode = document.CreateElement(SignaturePrefix, "X509Data", SignatureNamespace);
            keyInfoNode.AppendChild(x509DataNode);

            var x509CertificateNode = document.CreateElement(SignaturePrefix, "X509Certificate", SignatureNamespace);
            x509CertificateNode.InnerText = Convert.ToBase64String(signingCertificate.GetRawCertData());
            x509DataNode.AppendChild(x509CertificateNode);
        }

        private static void AddCertificateObject(XmlDocument document, XmlElement signatureNode, X509Certificate2 signingCertificate)
        {
            // <Object>
            var objectNode = document.CreateElement(SignaturePrefix, "Object", SignatureNamespace);
            signatureNode.AppendChild(objectNode);

            // <Object><QualifyingProperties>
            var qualifyingPropertiesNode = document.CreateElement(XadesPrefix, "QualifyingProperties", XadesNamespaceUrl);
            qualifyingPropertiesNode.SetAttribute("Target", $"#{SignatureId}");
            objectNode.AppendChild(qualifyingPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties>
            var signedPropertiesNode = document.CreateElement(XadesPrefix, "SignedProperties", XadesNamespaceUrl);
            signedPropertiesNode.SetAttribute("Id", SignaturePropertiesId);
            qualifyingPropertiesNode.AppendChild(signedPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties>
            var signedSignaturePropertiesNode = document.CreateElement(XadesPrefix, "SignedSignatureProperties", XadesNamespaceUrl);
            signedPropertiesNode.AppendChild(signedSignaturePropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties> </SigningTime>
            var signingTime = document.CreateElement(XadesPrefix, "SigningTime", XadesNamespaceUrl);
            signingTime.InnerText = $"{DateTime.UtcNow.ToString("s")}Z";
            signedSignaturePropertiesNode.AppendChild(signingTime);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate>
            var signingCertificateNode = document.CreateElement(XadesPrefix, "SigningCertificate", XadesNamespaceUrl);
            signedSignaturePropertiesNode.AppendChild(signingCertificateNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert>
            var certNode = document.CreateElement(XadesPrefix, "Cert", XadesNamespaceUrl);
            signingCertificateNode.AppendChild(certNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest>
            var certDigestNode = document.CreateElement(XadesPrefix, "CertDigest", XadesNamespaceUrl);
            certNode.AppendChild(certDigestNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest> </DigestMethod>
            var digestMethod = document.CreateElement("ds", "DigestMethod", SignedXml.XmlDsigNamespaceUrl);
            var digestMethodAlgorithmAtribute = document.CreateAttribute("Algorithm");
            digestMethodAlgorithmAtribute.InnerText = SignedXml.XmlDsigSHA1Url;
            digestMethod.Attributes.Append(digestMethodAlgorithmAtribute);
            certDigestNode.AppendChild(digestMethod);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest> </DigestMethod>
            var digestValue = document.CreateElement("ds", "DigestValue", SignedXml.XmlDsigNamespaceUrl);
            digestValue.InnerText = Convert.ToBase64String(signingCertificate.GetCertHash());
            certDigestNode.AppendChild(digestValue);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial>
            var issuerSerialNode = document.CreateElement(XadesPrefix, "IssuerSerial", XadesNamespaceUrl);
            certNode.AppendChild(issuerSerialNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial> </X509IssuerName>
            var x509IssuerName = document.CreateElement("ds", "X509IssuerName", SignedXml.XmlDsigNamespaceUrl);
            x509IssuerName.InnerText = signingCertificate.Issuer;
            issuerSerialNode.AppendChild(x509IssuerName);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial> </X509SerialNumber>
            var x509SerialNumber = document.CreateElement("ds", "X509SerialNumber", SignedXml.XmlDsigNamespaceUrl);
            x509SerialNumber.InnerText = ToDecimalString(signingCertificate.SerialNumber);
            issuerSerialNode.AppendChild(x509SerialNumber);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties>
            var signedDataObjectPropertiesNode = document.CreateElement(XadesPrefix, "SignedDataObjectProperties", XadesNamespaceUrl);
            signedPropertiesNode.AppendChild(signedDataObjectPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication>
            var commitmentTypeIndicationNode = document.CreateElement(XadesPrefix, "CommitmentTypeIndication", XadesNamespaceUrl);
            signedDataObjectPropertiesNode.AppendChild(commitmentTypeIndicationNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><CommitmentTypeId>
            var commitmentTypeIdNode = document.CreateElement(XadesPrefix, "CommitmentTypeId", XadesNamespaceUrl);
            commitmentTypeIndicationNode.AppendChild(commitmentTypeIdNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><CommitmentTypeId><Identifier>
            var identifierNode = document.CreateElement(XadesPrefix, "Identifier", XadesNamespaceUrl);
            identifierNode.InnerText = XadesProofOfApproval;
            commitmentTypeIdNode.AppendChild(identifierNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><AllSignedDataObjects>
            var allSignedDataObjectsNode = document.CreateElement(XadesPrefix, "AllSignedDataObjects", XadesNamespaceUrl);
            commitmentTypeIndicationNode.AppendChild(allSignedDataObjectsNode);
        }

        private static string ToDecimalString(string serialNumber)
        {
            BigInteger bi;

            if (BigInteger.TryParse(serialNumber, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out bi))
            {
                return bi.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                return serialNumber;
            }
        }

        private static void AssignNameSpacePrefixToElementTree(XmlElement element, string prefix)
        {
            element.Prefix = prefix;

            foreach (var child in element.ChildNodes)
            {
                if (child is XmlElement)
                    AssignNameSpacePrefixToElementTree(child as XmlElement, prefix);
            }
        }
        #endregion Private methods
    }

Message that service is required should look like this

<Tag1>
  <Tag2>...</Tag2>
  <ds:Signature ...> ... </ds:Signature>
</Tag1>

And the signed part of the message has to be:

<Tag1>
    <Tag2>...</Tag2>
</Tag1>
halfer
  • 19,824
  • 17
  • 99
  • 186
pokrz26
  • 111
  • 1
  • 12

1 Answers1

6

I finally solved my problem. The issue was adding prefix "ds" after signing process which was breaking reference digest value. It terns out that this prefix is not required. I'm posting working code below.

This is overridden class of SignedXml which I need to access XAdES QualifyingProperties, that are stored in DataObject instead of the actual message.

public class XadesSignedXml : SignedXml
    {
        #region Public fields
        public const string XmlDsigSignatureProperties = "http://uri.etsi.org/01903#SignedProperties";
        public const string XadesProofOfApproval = "http://uri.etsi.org/01903/v1.2.2#ProofOfApproval";
        public const string XadesPrefix = "xades";
        public const string XadesNamespaceUrl = "http://uri.etsi.org/01903/v1.3.2#";
        public XmlElement PropertiesNode { get; set; }
        #endregion Public fields

        #region Private fields
        private readonly List<DataObject> _dataObjects = new List<DataObject>();
        #endregion Private fields

        #region Constructor
        public XadesSignedXml(XmlDocument document) : base(document) { }
        #endregion Constructor

        #region SignedXml
        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            if (string.IsNullOrEmpty(idValue))
                return null;

            var xmlElement = base.GetIdElement(document, idValue);
            if (xmlElement != null)
                return xmlElement;

            if (_dataObjects.Count == 0)
                return null;

            foreach (var dataObject in _dataObjects)
            {
                var nodeWithSameId = XmlHelper.FindNodeWithAttributeValueIn(dataObject.Data, "Id", idValue);
                if (nodeWithSameId != null)
                    return nodeWithSameId;
            }

            return null;
        }

        public new void AddObject(DataObject dataObject)
        {
            base.AddObject(dataObject);
            _dataObjects.Add(dataObject);
        }
        #endregion SignedXml
    }

And this is signing method.

public static class Signature
    {
        #region Private fields
        private const string SignatureId = "Signature";
        private const string SignaturePropertiesId = "SignedProperties";
        #endregion Private fields

        #region Public methods
        public static XmlElement SignWithXAdES(X509Certificate2 signingCertificate, XmlDocument xmlDocument)
        {
            var signedXml = new XadesSignedXml(xmlDocument);
            signedXml.Signature.Id = SignatureId;
            signedXml.SigningKey = signingCertificate.PrivateKey;

            var signatureReference = new Reference { Uri = "", };
            signatureReference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
            signedXml.AddReference(signatureReference);

            var keyInfo = new KeyInfo();
            keyInfo.AddClause(new KeyInfoX509Data(signingCertificate));
            signedXml.KeyInfo = keyInfo;

            AddXAdESProperties(xmlDocument, signedXml, signingCertificate);

            signedXml.ComputeSignature();

            return signedXml.GetXml();
        }
        #endregion Public methods

        #region Private methods
        private static void AddXAdESProperties(XmlDocument document, XadesSignedXml xadesSignedXml, X509Certificate2 signingCertificate)
        {
            var parametersSignature = new Reference
            {
                Uri = $"#{SignaturePropertiesId}",
                Type = XadesSignedXml.XmlDsigSignatureProperties,
            };
            xadesSignedXml.AddReference(parametersSignature);

            // <Object>
            var objectNode = document.CreateElement("Object", SignedXml.XmlDsigNamespaceUrl);

            // <Object><QualifyingProperties>
            var qualifyingPropertiesNode = document.CreateElement(XadesSignedXml.XadesPrefix, "QualifyingProperties", XadesSignedXml.XadesNamespaceUrl);
            qualifyingPropertiesNode.SetAttribute("Target", $"#{SignatureId}");
            objectNode.AppendChild(qualifyingPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties>
            var signedPropertiesNode = document.CreateElement(XadesSignedXml.XadesPrefix, "SignedProperties", XadesSignedXml.XadesNamespaceUrl);
            signedPropertiesNode.SetAttribute("Id", SignaturePropertiesId);
            qualifyingPropertiesNode.AppendChild(signedPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties>
            var signedSignaturePropertiesNode = document.CreateElement(XadesSignedXml.XadesPrefix, "SignedSignatureProperties", XadesSignedXml.XadesNamespaceUrl);
            signedPropertiesNode.AppendChild(signedSignaturePropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties> </SigningTime>
            var signingTime = document.CreateElement(XadesSignedXml.XadesPrefix, "SigningTime", XadesSignedXml.XadesNamespaceUrl);
            signingTime.InnerText = $"{DateTime.UtcNow.ToString("s")}Z";
            signedSignaturePropertiesNode.AppendChild(signingTime);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate>
            var signingCertificateNode = document.CreateElement(XadesSignedXml.XadesPrefix, "SigningCertificate", XadesSignedXml.XadesNamespaceUrl);
            signedSignaturePropertiesNode.AppendChild(signingCertificateNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert>
            var certNode = document.CreateElement(XadesSignedXml.XadesPrefix, "Cert", XadesSignedXml.XadesNamespaceUrl);
            signingCertificateNode.AppendChild(certNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest>
            var certDigestNode = document.CreateElement(XadesSignedXml.XadesPrefix, "CertDigest", XadesSignedXml.XadesNamespaceUrl);
            certNode.AppendChild(certDigestNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest> </DigestMethod>
            var digestMethod = document.CreateElement("DigestMethod", SignedXml.XmlDsigNamespaceUrl);
            var digestMethodAlgorithmAtribute = document.CreateAttribute("Algorithm");
            digestMethodAlgorithmAtribute.InnerText = SignedXml.XmlDsigSHA1Url;
            digestMethod.Attributes.Append(digestMethodAlgorithmAtribute);
            certDigestNode.AppendChild(digestMethod);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><CertDigest> </DigestMethod>
            var digestValue = document.CreateElement("DigestValue", SignedXml.XmlDsigNamespaceUrl);
            digestValue.InnerText = Convert.ToBase64String(signingCertificate.GetCertHash());
            certDigestNode.AppendChild(digestValue);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial>
            var issuerSerialNode = document.CreateElement(XadesSignedXml.XadesPrefix, "IssuerSerial", XadesSignedXml.XadesNamespaceUrl);
            certNode.AppendChild(issuerSerialNode);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial> </X509IssuerName>
            var x509IssuerName = document.CreateElement("X509IssuerName", SignedXml.XmlDsigNamespaceUrl);
            x509IssuerName.InnerText = signingCertificate.Issuer;
            issuerSerialNode.AppendChild(x509IssuerName);

            // <Object><QualifyingProperties><SignedProperties><SignedSignatureProperties><SigningCertificate><Cert><IssuerSerial> </X509SerialNumber>
            var x509SerialNumber = document.CreateElement("X509SerialNumber", SignedXml.XmlDsigNamespaceUrl);
            x509SerialNumber.InnerText = ToDecimalString(signingCertificate.SerialNumber);
            issuerSerialNode.AppendChild(x509SerialNumber);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties>
            var signedDataObjectPropertiesNode = document.CreateElement(XadesSignedXml.XadesPrefix, "SignedDataObjectProperties", XadesSignedXml.XadesNamespaceUrl);
            signedPropertiesNode.AppendChild(signedDataObjectPropertiesNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication>
            var commitmentTypeIndicationNode = document.CreateElement(XadesSignedXml.XadesPrefix, "CommitmentTypeIndication", XadesSignedXml.XadesNamespaceUrl);
            signedDataObjectPropertiesNode.AppendChild(commitmentTypeIndicationNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><CommitmentTypeId>
            var commitmentTypeIdNode = document.CreateElement(XadesSignedXml.XadesPrefix, "CommitmentTypeId", XadesSignedXml.XadesNamespaceUrl);
            commitmentTypeIndicationNode.AppendChild(commitmentTypeIdNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><CommitmentTypeId><Identifier>
            var identifierNode = document.CreateElement(XadesSignedXml.XadesPrefix, "Identifier", XadesSignedXml.XadesNamespaceUrl);
            identifierNode.InnerText = XadesSignedXml.XadesProofOfApproval;
            commitmentTypeIdNode.AppendChild(identifierNode);

            // <Object><QualifyingProperties><SignedProperties><SignedDataObjectProperties><CommitmentTypeIndication><AllSignedDataObjects>
            var allSignedDataObjectsNode = document.CreateElement(XadesSignedXml.XadesPrefix, "AllSignedDataObjects", XadesSignedXml.XadesNamespaceUrl);
            commitmentTypeIndicationNode.AppendChild(allSignedDataObjectsNode);

            var dataObject = new DataObject();
            dataObject.Data = qualifyingPropertiesNode.SelectNodes(".");
            xadesSignedXml.AddObject(dataObject);
        }

        private static string ToDecimalString(string serialNumber)
        {
            BigInteger bi;

            if (BigInteger.TryParse(serialNumber, NumberStyles.HexNumber, CultureInfo.InvariantCulture, out bi))
            {
                return bi.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                return serialNumber;
            }
        }
        #endregion Private methods
    }
pokrz26
  • 111
  • 1
  • 12
  • Could you publish XmlHelper class? And from where you import BigInteger ? – colorgreen Sep 13 '18 at 10:40
  • I'am using BigInteger from System.Numerics namespace. And this method i used from XmlHelper is only searching for node wchich has specific attribute with specific value. – pokrz26 Nov 15 '18 at 19:40
  • 1
    Thank you for the solution, however, when I try to verify, the digest value of the second reference(signedproperties) does not match. Have you encountered this problem? – aeb-dev Aug 30 '19 at 21:39
  • what about using EC certificates for making xades signature . Microsoft System. Cryptography does not support EC certificate Private key . The certificate key algorithm is not supported.' – Freeedy Jun 03 '20 at 14:08
  • @Freeedy: there's no easy solution but if you switch to [alternate SignedXml](https://github.com/kmvi/bc-xml-security) that uses Bouncy Castle, you can have documents signed with ECDSa certificates. – Wiktor Zychla Jul 22 '20 at 14:30
  • @MrMuMu: To anyone reading this and having the validation problem: the code doesn't validate the second reference if the XML root has an explicit namespace (` – Wiktor Zychla Aug 21 '20 at 14:38