Qualified certificate

12/15/2014 8:07:13 PM
Gravatar
Total Posts 12

Qualified certificate

I am using your software to develop app which will be signing text using qualified certificate every 2 minutes.

I have card in reader connected to the computer all the time and it is accessible. I can sign my text using:

 

SignedDocument sd = dsign.Sign(Encoding.Default.GetBytes(myText), new QualifiedCertificateSelector());

 

I am wondering if it is possible to retrieve certificate when program starts and use it later to sign text. Now I need to have active session to user above statement. Signing text without opening session will speed up signing process in my solution.

 

12/16/2014 10:59:07 AM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

Digital Signature needs to use the private key in the smart card. The private key is not in the certificate (that contains the public key), but the private key is store securely in the smart card and can be used in a session.
Thus, to sign a document you need a valid session with the smart card.
You cannot read the private key at the beginning an storing it locally because the private key cannot be read but can only be used by the internal smart card microprocessor in a signature function.

The session is opened by the OpenSession method.
You can call this method once at the beginning and then call Sign every time you need.
You may also implement your own CertificateSelector by implementing your selection logic (eventually by reading the certificate once in a static field, at the beginning and supplying this one for each signature request.

12/21/2014 2:29:08 PM
Gravatar
Total Posts 12

Re: Qualified certificate

I need to sign given text using qualified certificate but do not need information about that certificate in the output file. The other part already has information about it. How can I make your software to do that?

I found dsign.Detached = true

But even when this option is 'true' I can see info about used certificate in the output file.

 

PS. I started one thread here on Friday and you replied to it but it has been removed.

12/21/2014 2:38:06 PM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

PKCS#7 signature needs certificate information in the signed file.

If you arae trying to di qualified signature the certificate info must be in the signed file.

See PKCS#7 specifications.

Detached is used to have signature file (PKCS#7) detached from the original file.

 

Then, in the pasta days we had some problem on our server and we lost your posts. Please post again your question because we have the answer.

 

Regards

12/21/2014 4:28:32 PM
Gravatar
Total Posts 12

Re: Qualified certificate

I was under impression that output file should have

-------BEGIN PKCS7 ---------

and correspondeing endong line.

 

I am looking for the answer why in my project the partner for which I have to sign given text does not recognizing signed string as PKCS#7.

I am doing signing process exactly as you have in your sample solution.

 

12/21/2014 4:55:21 PM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

PKCS#7 format is binary, DER encoded.

NDigitSign generates PKCS#7 DER encoded (binary)

When you see a file that starts with

-------BEGIN PKCS7 ---------

It is in PEM format that is, base64 encoded PKCS#7 DER encoded.

In other words the  binary PKCS#7 (DER encoded) is converted in base64 and a line like

-------BEGIN PKCS7 ---------

is added at the beginning of the file and a line like

-------END PKCS7 ---------

is added at the end of the file.

To generate a PEM file from the PKCS#7 supplied by NDigitSign convert the PKCS#7 in base64 and add the two lines above.

 

Please, to understand what I said, read PKCS#7 specifications, ASN1 DER encoding rules and PEM encoding rules.

 

12/23/2014 8:43:50 PM
Gravatar
Total Posts 12

Re: Qualified certificate

Ugo,

Now I understand the differences. I have a question which only you can answer, I think. I develop app in c#. I have to sign given string and return signed string to the other party. I am doing this using my old code which is asking my every time for password. Now I want to use your software to be able automatically login to card reader. My old code produces correct string while your code gives my slightly different result, which is wrong from my partner's point of view. Could you take a look at both codes and suggest what I am doing wrong in your software, please?

String tokenToSign = "12345677888==";            //just an example. Text in UTF-8 must be converted to UTF-16 prior to signing

 

--- code using NDigitSign

DigitalSigner dsign = new DigitalSigner("dll");

dsign.OpenSession (0);

dsign.Login("123456");

dsign.CAdES = false;

dsign.Multisignature = false;

dsign.Detached = false;

Encoding enc = Encoding.Unicode;

SignedDocument sd = dsign.Sign(enc.GetBytes(tokenToSign));

returnedText = Convert.ToBase64String(sd.ToByteArray());

 

-- now my old code which works

Encoding unicode = Encoding.Unicode;

byte [] tokenToSignBytes = unicode.GetBytes(tokenToSign);

X509Store storeMy = new X509Store(StoreName.My, StoreLocation.CurrentUser);

storeMy.Open(OpenFlags.ReadOnly);

X509Certificate2Collection certColl = storeMy.Certificates.Find(X509FindType.FindBySubjectName, MY_NAME, true));

storeMy.Close();

X509Certificate2 signerCert = certColl[0];

ContentInfo contentInfo = new ContentInfo(tokenToSignBytes);

SignedCms signedCms = new SignedCms(contentInfo, true);

CmsSigner cmsSigner = new CmsSigner(signerCert);

signedCms.ComputeSignature(cmsSigner, false);

byte [] encodedSignedCms = signedCms.Encode();

returnedText = Convert.ToBase64String(encodedSignedCms);

 

 

 

 

 

12/23/2014 11:28:01 PM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

Both codes return a valid, signed PKCS#7 file. Any verification software can verify the signature.

The differences may be in some optional PKCS#7 signed or unsigned attributes such as signingTime, etc.

12/24/2014 1:53:29 AM
Gravatar
Total Posts 12

Re: Qualified certificate

The most significant differences are:

1. When using your software output contains original string at the beginning of file. String in output file is the same as original string. When I write sd.ToByteArray() to txt file I can read original string in that file. In my code when I write signedCms.Encode() I cannot find that string in output file even dough it is attached to output file. Looks like it is scrambled somehow. 

2. Your software generates output file which contains less information about certificate than output file generated by my code.

 

Is there any chance to use your library with my code to bypass needs of entering pin code?

Is there any chance to use the optional parameters you mentioned with your software?

 

 

12/24/2014 10:06:01 AM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

the statement

SignedCms signedCms = new SignedCms(contentInfo, true);

generates a detached signature.

To have the same behavior set Detached = true

 

Anyway, consider that NDigitSign is compliant with Digital Signature standards: PKCS#7, PKCS#1, PKCS#11, CAdES.

Any difference from NDigitSign is not standard.

12/29/2014 3:40:35 PM
Gravatar
Total Posts 12

Re: Qualified certificate

I found out why my partner cannot check my signature generated by your software.

They require me to use SHA-1. Is there any chance to use it with NDigitSign?

12/29/2014 4:03:47 PM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

Set CAdES = false.

In this way NDigitSign will use SHA-1

1/5/2015 5:00:39 PM
Gravatar
Total Posts 12

Re: Qualified certificate

Ugo,

Now everything is fine with algorithm.

You use 1.2.840.113549.1.1.5 encoding.

But I have to use one of the following encodings:

- 1.2.840.113549.1.1.1 (RSA)

- 1.2.840.10040.4.1 (DSA)

- 1.2.840.10045.1 (ECDSA)

 

Is there a chance to use one of the above with your software?

1/7/2015 12:11:56 AM
Gravatar
Total Posts 12

Re: Qualified certificate

Is there any chance to use one of the following encodings with your software:

- 1.2.840.113549.1.1.1 (RSA)

- 1.2.840.10040.4.1 (DSA)

- 1.2.840.10045.1 (ECDSA)

 

 

1/7/2015 9:42:37 AM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

- 1.2.840.113549.1.1.1 (RSA) is not for digital signature. It is RSA encryption and is used for encryption not for signature.

Then

- 1.2.840.10040.4.1 (DSA)

- 1.2.840.10045.1 (ECDSA)

are for signature but they are not supported by NDigitSign to generate digital signature because they require a PKCS#11 token that supports such algorithms

1/7/2015 3:42:06 PM
Gravatar
Total Posts 12

Re: Qualified certificate

I am sorry for bothering you but I really like your software and would like to buy it for my project.

The company which I need to communicate with says that they are receiving signed string encrypted with 1.2.840.113549.1.1.5 but they can only accept 1.2.840.113549.1.1.1

 

I am signing string using your software and converting result to Base64 string.

 

Is there anything I can do with nDigitSign to have desired encryption?

1/8/2015 3:27:27 PM
Gravatar
Total Posts 12

Re: Qualified certificate

Ugo,

Could you please answer my question above? I promise that this is my last question. I need to decide if I will buy your product or will have to look for another solution.

Thank you.

1/8/2015 3:35:14 PM
Gravatar
Total Posts 300
Ugo Chirico http://www.ugochirico.com

Re: Qualified certificate

First of all those numbers are not encoding.

They are PKI algorithms:

1.2.840.113549.1.1.5 stands for SHA1withRSA and it is used for digital signature PKCS#7

1.2.840.113549.1.1.1 stands for RSA and it is used for encryption in PKCS#1 format.

This means that Digital Signature cannot use 1.2.840.113549.1.1.1. This does'nt make sense.

Because NDigitSign does Qualified Digital Signauture it uses 1.2.840.113549.1.1.5

 

If you need RSA encryption instead of Digital Signature you need another software (that we have but we didn't published on this site).

In this case give me your requirements an we'll give you a estimation to customize our software for your needs.

 

1/8/2015 4:10:59 PM
Gravatar
Total Posts 12

Re: Qualified certificate

Thank you for your answer.

I am not a guru in encryption matter but I have to do what my partner need. So please excuse my misunderstandings when asking.

I have to figure out what exactly they need, because all my questions here came from them. I just need to write client app which will sign given text (with qualified certificate) and send back to the server.

 

BTW.

In my latest question I did not use word "encoding" :)