Signing data, certificate, and signed properties.


jordiw...@gmail.com

Mar 7, 2016, 5:54:50 AM
to xmlseclibs
Hi everyone,

Firstly, thank you for your work.

My problem is that I'm trying to sign invoices, and the structure of the signed info should be like this:

<ds:SignedInfo Id="Signature-SignedInfo">
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference Id="SignedProperties" Type="http://uri.etsi.org/01903#SignedProperties" URI="#Signature-SignedProperties">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>A ... 4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Certificate">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>q ... E=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>5 ...cY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>

I need to reference the certificate and the signed properties plus the invoice content; I can use etsi or xades, it doesn't matter.

This is my certificate:
<ds:KeyInfo Id="Certificate">
<ds:X509Data>
<ds:X509Certificate>MIIFPj ... o= </ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>nX .. .Q==</ds:Modulus>
<ds:Exponent>A..B</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>

And these are my signed properties:
<ds:Object Id="Signature-Object">
<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#Signature">
<xades:SignedProperties Id="Signature-SignedProperties">
<xades:SignedSignatureProperties>
<xades:SigningTime>2016-03-07T09:04:15+01:00</xades:SigningTime>
<xades:SigningCertificate>
<xades:Cert>
<xades:CertDigest>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>un ... 4=</ds:DigestValue>
</xades:CertDigest>
<xades:IssuerSerial>
<ds:X509IssuerName>OU=FNMT Clase 2 CA,O=FNMT,C=ES</ds:X509IssuerName>
<ds:X509SerialNumber>1...3</ds:X509SerialNumber>
</xades:IssuerSerial>
</xades:Cert>
</xades:SigningCertificate>
<xades:SignaturePolicyIdentifier>
<xades:SignaturePolicyId>
<xades:SigPolicyId>
<xades:Identifier>http://www.facturae.es/politica_de_firma_formato_facturae/politica_de_firma_formato_facturae_v3_1.pdf</xades:Identifier>
<xades:Description>Política de Firma FacturaE v3.1</xades:Description>
</xades:SigPolicyId>
<xades:SigPolicyHash>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>Ohi ... M=</ds:DigestValue>
</xades:SigPolicyHash>
</xades:SignaturePolicyId>
</xades:SignaturePolicyIdentifier>
<xades:SignerRole>
<xades:ClaimedRoles>
<xades:ClaimedRole>Third party</xades:ClaimedRole>
</xades:ClaimedRoles>
</xades:SignerRole>
</xades:SignedSignatureProperties>
<xades:SignedDataObjectProperties>
<xades:DataObjectFormat ObjectReference="#Reference">
<xades:Description>Factura electrónica</xades:Description>
<xades:MimeType>text/xml</xades:MimeType>
</xades:DataObjectFormat>
</xades:SignedDataObjectProperties>
</xades:SignedProperties>
</xades:QualifyingProperties>
</ds:Object>
</ds:Signature>

I have been trying to reference, with the addReference method, the signedProperties object added with addObject and the cert added with addStatiCert, and these are my results:

- If I don't reference the certificate and the signed properties, this is the result -> (Warning: It has not been validated politics. Error signature) (warning.png)

- But when I put the reference, this is the result -> ("The data has been altered or there is an error in the firm") (error.png)


Can you help me?
Thank you again.

Excuse me for my English; it isn't my native language.

warning.png
error.png

Rob Richards

Mar 8, 2016, 12:54:54 PM
to xmlse...@googlegroups.com
On 3/7/16 5:54 AM, jordiw...@gmail.com wrote:
> [...]


How are you creating the XAdES object? The library currently doesn't
support XAdES so it would have needed to be created externally and then
used with the rest of the library to create the signature document -
even then I am not sure whether or not it would conform as I haven't
looked at what all needs to be done when working with the advanced
signatures.

Rob

jordiw...@gmail.com

Mar 9, 2016, 3:43:16 AM
to xmlseclibs

Hello Rob,
I appreciate your answer :)

Yes, you're right, I have an external method in my class. I create the DOM elements with DOMDocument, just like this:

public function createSignedPropertiesNode()
{
    $dom = new DOMDocument('1.0', 'utf-8');
    $ancestor = $dom->createElementNS('http://uri.etsi.org/01903/v1.3.2#', 'xades:QualifyingProperties');
    $ancestor->setAttribute('Target', '#Signature');
    $dom->appendChild($ancestor);

    // Create the child in the XAdES namespace as well: a plain createElement('xades:SignedProperties')
    // produces a node with no namespace binding, so its canonicalized bytes (and therefore its digest)
    // differ from what a validator computes after re-parsing the serialized document.
    $root = $dom->createElementNS('http://uri.etsi.org/01903/v1.3.2#', 'xades:SignedProperties');
    $root->setAttribute('Id', 'Signature-SignedProperties');

    $ancestor->appendChild($root);
    // ... remaining SignedProperties children ...
    return $dom->documentElement;
}


I knew that the library didn't support xades but I need it urgently :( For this reason I have been trying my own implementation.

I add the signedProperties with addObject correctly, but I don't know how to reference them.

$contentSignedProp = $this->createSignedPropertiesNode();
$objDSig->addObject($contentSignedProp);

And something similar for modulus rsa-key for certificate.

$objDSig->add509Cert(file_get_contents('C:/.../certificado.pem'));
$contentKey = $this->createKeyNode();
$sigDoc = $objDSig->sigNode->ownerDocument;
$objDSig->sigNode->getElementsByTagName('X509Data')->item(0)->parentNode
    ->appendChild($sigDoc->importNode($contentKey, true));


I think that I'm referencing it badly, because if I use the addReference method, I always put transform tags, which I don't need.


And if I try to reference in my external class, I create the reference tags correctly but probably the digest values are wrong, because the signature is not correct and the validator of the Spanish government always fails. ("The data has been altered or there is an error in the firm")

I attach my SignXml Code using your library. (signXml.png)

And an example of my xml result. (invoice.xml)


PS. I tried to use that way to reference but it doesn't work either.
________________________________________________

///* Create an XPath based transform */
//$arr0 = ["query" => "ancestor-or-self::*[local-name() = 'Signature-SignedProperties']"];
//$arr1 = ["http://www.w3.org/TR/1999/REC-xpath-19991116" => $arr0];
///* Set an enveloped signature transform and an xpath transform */
//$transform = [$env_sig, $arr1];
///* force creation of URI attribute even if empty */
//$options = ['id_name' => 'Signature-SignedProperties', "overwrite" => false];
//$objDSig->addReference($doc, XMLSecurityDSig::SHA1, $transform, $options);

//$objDSig->addReference($doc, XMLSecurityDSig::SHA1, array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', array('http://www.w3.org/TR/1999/REC-xpath-19991116' => array("query" => "ancestor-or-self::*[Id='Signature-SignedProperties']"))));

 ____________________________________________________________________________________________________

Thank you for your help Rob.

Jordi.
invoice.png
signXml.png
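
To find out which of the three references the validator rejects, here is an added PHP check (not code from xmlseclibs or from this thread) that recomputes each ds:Reference digest from the final signed document; it assumes SHA-1 or SHA-256 digests and exclusive C14N as in the SignedInfo above, and checkReferenceDigests() is a name chosen here.

```php
<?php
// Added example for this thread, not xmlseclibs code: recompute every
// ds:Reference digest in a signed document and report which one mismatches.
// Handles the three reference shapes in the SignedInfo above (and nothing else).
const DS_NS     = 'http://www.w3.org/2000/09/xmldsig#';
const ENVELOPED = 'http://www.w3.org/2000/09/xmldsig#enveloped-signature';
const EXC_C14N  = 'http://www.w3.org/2001/10/xml-exc-c14n#';
const DIGESTS   = ['http://www.w3.org/2000/09/xmldsig#sha1' => 'sha1',
                   'http://www.w3.org/2001/04/xmlenc#sha256' => 'sha256'];

function checkReferenceDigests(string $xml): array
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = true;      // whitespace is part of the digested bytes
    $doc->loadXML($xml, LIBXML_NONET);    // never resolve external entities over the network
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('ds', DS_NS);
    $report = [];
    foreach ($xp->query('//ds:Signature/ds:SignedInfo/ds:Reference') as $ref) {
        $uri   = $ref->getAttribute('URI');
        $algo  = DIGESTS[$xp->evaluate('string(ds:DigestMethod/@Algorithm)', $ref)] ?? null;
        $given = preg_replace('/\s+/', '', $xp->evaluate('string(ds:DigestValue)', $ref));
        $transforms = [];
        foreach ($xp->query('ds:Transforms/ds:Transform/@Algorithm', $ref) as $attr) {
            $transforms[] = $attr->value;
        }
        if ($algo === null || array_diff($transforms, [ENVELOPED, EXC_C14N])) {
            $report[$uri] = 'unsupported digest or transform';
            continue;
        }
        if ($uri === '') {
            // Whole document; enveloped-signature means "digest it without ds:Signature".
            $copy = $doc->cloneNode(true);
            if (in_array(ENVELOPED, $transforms, true)) {
                $sig = $copy->getElementsByTagNameNS(DS_NS, 'Signature')->item(0);
                $sig->parentNode->removeChild($sig);
            }
            $canon = $copy->C14N(true, false);    // exclusive C14N, comments dropped
        } else {
            // Same-document reference: canonicalize the element whose Id is the fragment.
            $target = $xp->query('//*[@Id="' . substr($uri, 1) . '"]')->item(0);
            if ($target === null) { $report[$uri] = 'target not found'; continue; }
            $canon = $target->C14N(true, false);
        }
        $computed = base64_encode(hash($algo, $canon, true));
        $report[$uri] = $computed === $given ? 'ok' : "mismatch, computed $computed";
    }
    return $report;
}
```

xmlseclibs stores each digest at addReference() time, computed over the node as it exists at that moment, so running this on the saved file shows whether the SignedProperties node still canonicalizes to the same bytes once it has been imported into the signature document and serialized.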

Luigi Salas

Aug 10, 2016, 11:42:28 AM
to xmlseclibs
Hi Jordi...

Did you finally sign the XML using the XAdES-BES standard?

Thanks,