Problem with verification of XAdES signature

Hi!

  1. I generated a self-signed certificate using X509CertificateGenerator.exe
  2. I signed the xml document using the code:

    XAdES := TXAdES.Create;
    try
      XAdES.KeyFilePath := '.\Cert\mykey3.key';
      XAdES.CertFilePath := '.\Cert\mycert3.crt';
      XAdES.PathToOriginalFile := '.\Inp';
      XAdES.Packaging := enveloped;

      XAdES.GenerateSignature('.\Inp\Invoice.xml', '.\Out\Invoice.xml.xades');
    finally
      XAdES.Free;
    end; { try .. finally }

  3. I then tried to verify the signature with this code:

    XAdES := TXAdES.Create;
    try
      XAdES.PathToOriginalFile := '.';

      VerCode := XAdES.VerifySignature('.\Out\Invoice.xml.xades');
      VerText := XAdES.VerifyError(VerCode);

      if VerCode < 0 then
        ErrText := XAdES.ErrorDetails;
    finally
      XAdES.Free;
    end; { try .. finally }

  4. Verification results in the following error

Hi Andrzej,
Can you send me the project file, the certificate and private key by email? And the XML file too.

Issue: index in the verification function pointing to the wrong XML node in the signed file, then not recognizing the signature block.
Fixed in 5.0.9.1

Bernard,
I am experiencing the same issue in the same function in version 5.0.9.5 when trying to sign with RSA private key.


A sample project file attached.

Secondly: when I try to use an EC private key I am getting the error message 'ECC methods are not implemented in this version.'
Are you planning to implement them? We need them in the Polish market for the electronic invoicing project (KSeF) which must be implemented nationwide in the next 3 months.
Many thanks for your help!

XAdES sample.zip (1.4 MB)

Krzysztof,
I will release 5.0.9.6 that should fix the error message (tested with another Polish user).
Regarding ECC, I will update the library but it takes some time to implement and test curves in this context.
I have noted that KSeF has issued new guidance for keys/signatures and I'll try to comply.
Regards,

Hi Krzysztof,
ECC is back and works with ETSI (P-curves) in 5.1.0.2 to be released.
The signature of the AuthTokenRequest.xml was tested with KSeF, by a registered user, and was successful.
Regards,
bernard

Note on XAdES with password-protected keys.

You need to set the password before loading the key, like this:

    XAdES.Password     := 'y0urN1ceP@ssw0rd?';  // <== THIS NEEDS TO COME FIRST
    XAdES.KeyFilePath  := '.\Cert\MyKey.pem';   // password protected
    XAdES.CertFilePath := '.\Cert\MyCert.pem';

Also, there is a bug and the conversion type is no longer valid. You need to edit XAdESObj.pas at line 1120+:

    Signature := Signature.Substring(1, Signature.Length - 1);
    conv.AType := base64;  // << ADD THIS LINE
    Signature := conv.CharToFormat(Signature);

Correction, the bug in line 1120+ is the consequence of a mistake in 763:

    finally
      conv.Free;  // DELETE THIS
    end;