Расширение подписи XAdES-XL на XAdES-A — C#

Anonymous
 Расширение подписи XAdES-XL на XAdES-A


Я хочу расширить подпись XAdES-XL до XAdES-A, добавив архивную метку времени (ArchiveTimeStamp). Я выполнил каждый шаг раздела 5.5.2.2 стандарта ETSI EN 319 132-1 V1.2.1 (2022-02), но всё равно получаю ошибку о том, что хэш-значение архивной метки времени неверно.
Вот ссылка на файл подписи: XAdES-XL


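// Build the octet stream covered by the archive time-stamp and append the
// resulting ArchiveTimeStamp property to the XAdES-XL signature.
//
// Reference: ETSI EN 319 132-1 V1.2.1 (2022-02), clause 5.5.2.2. The
// "Article N" labels in the comments below are the original author's own
// numbering of the clause's steps and do not necessarily match the clause
// text; check against the standard before relying on them.
//
// NOTE(review): the bytes produced here must match, byte for byte, what a
// validator recomputes. The places most likely to diverge are marked with
// NOTE(review) below; none of them can be confirmed from this snippet alone.
using var finalOctetStream = new MemoryStream();

// XPath string literals have no escape syntax, so an Id containing a quote
// would otherwise break - or redirect - the lookup. The signature being
// extended is input data; its ds:Reference URIs are not trusted.
string XPathLiteral(string value)
{
    if (value.IndexOf('\'') < 0)
    {
        return "'" + value + "'";
    }
    if (value.IndexOf('"') < 0)
    {
        return "\"" + value + "\"";
    }
    // Both quote kinds present: assemble the literal with concat(), splitting on '.
    var pieces = value.Split('\'');
    return "concat('" + string.Join("', \"'\", '", pieces) + "')";
}

// 5.5.2.2 >> Article 3
// Take all the ds:Reference elements in their order of appearance within
// ds:SignedInfo (whatever the signer signed, including SignedProperties)
// and process each one as indicated below.
foreach (Reference reference in XL_signatureDocument.XadesSignature.SignedInfo.References)
{
    var uri = reference.Uri;
    byte[] referenceData;

    if (string.IsNullOrEmpty(uri))
    {
        // Empty URI: the whole document is the referenced data object.
        // NOTE(review): the XML is serialised to text here and the transforms
        // below are applied to a byte array (XMLUtil.ApplyTransform). A
        // transform that needs node context, such as the enveloped-signature
        // transform, cannot be evaluated correctly on bytes; if such a
        // transform is in the chain this is a likely cause of the digest
        // mismatch - confirm how XMLUtil.ApplyTransform handles it.
        referenceData = Encoding.UTF8.GetBytes(xmlDoc.OuterXml);
    }
    else
    {
        // Only same-document fragment references ("#id") are resolved here;
        // previously an external URI would have been silently looked up as
        // an Id (minus its first character) and then dereferenced as null.
        if (uri[0] != '#')
        {
            throw new NotSupportedException(
                $"ds:Reference URI '{uri}' is not a same-document fragment reference.");
        }

        // NOTE(review): the lookup is by an attribute literally named "Id"
        // (the XAdES convention); an element identified via "ID" or "id"
        // would not be found.
        var referencedNode = xmlDoc.SelectSingleNode($"//*[@Id={XPathLiteral(uri.Substring(1))}]");
        if (referencedNode is null)
        {
            // Was a NullReferenceException on the next line; fail with a
            // message that names the unresolved reference instead.
            throw new InvalidOperationException(
                $"ds:Reference URI '{uri}' does not resolve to an element in the document.");
        }
        referenceData = Encoding.UTF8.GetBytes(referencedNode.OuterXml);
    }

    // 5.5.2.2 >> Article 3-c
    // If the ds:Reference contains ds:Transforms, apply them in order.
    if (reference.TransformChain != null && reference.TransformChain.Count > 0)
    {
        foreach (var transform in reference.TransformChain)
        {
            referenceData = XMLUtil.ApplyTransform(referenceData, (System.Security.Cryptography.Xml.Transform)transform);
        }
    }

    // Article 3-b / 3-c: with or without transforms, a result that is an XML
    // node-set is canonicalised as specified in clause 4.5. (Both branches of
    // the original code did exactly this, so the check is done once here.)
    if (IsXmlNodeSet(referenceData))
    {
        referenceData = XMLUtil.ApplyTransform(referenceData, new XmlDsigC14NTransform());
    }

    // Article 3-d: concatenate the resulting octets to the final octet stream.
    finalOctetStream.Write(referenceData, 0, referenceData.Length);
}

// 5.5.2.2 >>> Article 4
// Canonicalise, in this order, and concatenate to the final octet stream:
// ds:SignedInfo, ds:SignatureValue, ds:KeyInfo (if present).
var signatureValueElementXpaths = new ArrayList() { "ds:SignedInfo", "ds:SignatureValue", "ds:KeyInfo" };

// 5.5.2.2 >>> Article 5 and 6
// Take the unsigned signature qualifying properties that appear before the
// current ArchiveTimeStamp, in the order they appear within
// UnsignedSignatureProperties, canonicalise each one as in clause 4.5 and
// concatenate the octets.
//
// NOTE(review): the rule is "every property that precedes the new
// ArchiveTimeStamp, in document order", but what follows is a fixed list of
// five. Any other property present in the XL signature - for instance a
// SigAndRefsTimeStamp / RefsOnlyTimeStamp, attribute-certificate refs or
// values, a CounterSignature, TimeStampValidationData, or an earlier
// ArchiveTimeStamp - is silently left out of the hashed stream, and a fixed
// list also cannot guarantee document order. A validator that follows the
// clause will then compute a different hash; this is the first thing to
// check. The proper fix is to enumerate the actual children of
// UnsignedSignatureProperties instead of a hard-coded list; it is not applied
// here because ComputeCanonicalizedValueOfElementList1 is not visible and its
// handling of wildcard XPaths is unknown.
signatureValueElementXpaths.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:SignatureTimeStamp");
signatureValueElementXpaths.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteCertificateRefs");
signatureValueElementXpaths.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CompleteRevocationRefs");
signatureValueElementXpaths.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:CertificateValues");
signatureValueElementXpaths.Add("ds:Object/xades:QualifyingProperties/xades:UnsignedProperties/xades:UnsignedSignatureProperties/xades:RevocationValues");

// NOTE(review): as far as I recall, clause 5.5.2.2 also has a step that takes
// every ds:Object other than the one holding xades:QualifyingProperties and
// concatenates its canonical form; there is no such step here. Verify
// against the clause text, especially if the signature carries extra
// ds:Object elements.
var canonizeData = XMLUtil.ComputeCanonicalizedValueOfElementList1(XL_signatureDocument.XadesSignature, signatureValueElementXpaths, new XmlDsigC14NTransform());

finalOctetStream.Write(canonizeData, 0, canonizeData.Length);

// Request the time-stamp token over the complete octet stream.
// NOTE(review): the third argument (true unless SignatureType is XAdES_A) is
// opaque from here; the digest algorithm applied to the stream is chosen
// inside GetTimeStampToken and is not visible in this snippet.
var tstoken = GetTimeStampToken(SignatureTsa, finalOctetStream.ToArray(), SignatureType != SignatureType.XAdES_A);

// The canonicalization method declared in the ArchiveTimeStamp must be the
// one actually used above (inclusive C14N 1.0, XmlDsigC14NTransform);
// otherwise a validator canonicalises differently and the hash cannot match.
// NOTE(review): EN 319 132-1 defines ArchiveTimeStamp in the xadesv141
// namespace; which namespace the TimeStamp helper emits for this tag name is
// not visible here - confirm it is xadesv141, since the validator selects
// its hash-input procedure by that element.
var archiveTimeStamp = new TimeStamp("ArchiveTimeStamp")
{
    // NOTE(review): derived from the signature Id alone, so adding a second
    // archive time-stamp to the same signature later produces a duplicate
    // Id; the GUID suffix used for EncapsulatedTimeStamp below would avoid it.
    Id = "ArchiveTimeStamp-" + XL_signatureDocument.XadesSignature.Signature.Id,
    CanonicalizationMethod = new CanonicalizationMethod()
    {
        Algorithm = new XmlDsigC14NTransform().Algorithm
    }
};

archiveTimeStamp.EncapsulatedTimeStamp.PkiData = tstoken;
archiveTimeStamp.EncapsulatedTimeStamp.Id = "ArchiveTimeStamp-" + Guid.NewGuid();

// Append the new property to the unsigned signature properties and write the
// updated signature back into the document.
unsignedProperties = XL_signatureDocument.XadesSignature.UnsignedProperties;
unsignedProperties.UnsignedSignatureProperties.ArchiveTimeStampCollection.Add(archiveTimeStamp);
XL_signatureDocument.XadesSignature.UnsignedProperties = unsignedProperties;

XL_signatureDocument.UpdateDocument();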
Проверку результата я выполняю с помощью XAdES Conformance Checker и DSS (EU Digital Signature Services).

Подробнее здесь: https://stackoverflow.com/questions/789 ... to-xades-a