Hi
When I try to generate a XAdES signature in the Demo project, I get an error:
Error: unsupported OID in certificate: 1.2.840.113549.1.5.13.
TestCert.zip (1.3 KB)
Hi,
There are a couple of issues here with the demo.
First issue, 1.2.840.113549.1.5.13 is the OID for pkcs5PBKDF2, meaning that a password has been used to derive a key and encrypt the private key with OID 2.16.840.1.101.3.4.1.42, i.e., aes256 in CBC mode.
The demo doesn't address this scenario (password for private key) and calls 'ExtractRSAPrivateKey'.
If you look at the code in ASN1Core ca. line 450, you can find:
if Password <> '' then begin
  KeyStr := ExtractEncryptedPrivateKey(KeyStr);
end;
Because 'password' is empty, the function doesn't call TASN1.ExtractEncryptedPrivateKey(KeyStr: string) and then doesn't recognize the OID that is processed in this function (see around line 300).
Second issue, I need to add a property in TAdES to set password values for imported keys.
Note that for PFX certificates, the user is asked for a password with 'FromPFXAskPassword' at line 4909 of the demo and no 'password' property is used.
I have uploaded a revised demo at https://www.cyberens.fr/wp-content/uploads/2025/11/CryptoDemo.zip
If you put your key password instead of the PIN, you should be able to decrypt the private key. However, you may not be able to sign any document as the key is likely for RSA 1024.
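The situation described in the reply above (an encrypted key handed to a code path that expects an unencrypted one) can be detected before import by looking at the key's ASN.1 structure. The following Python sketch is an added example, not code from the thread or from TMS Cryptography Pack; it assumes a DER-encoded PKCS#8 blob (a PEM file with the base64 already decoded), and the sample blobs are constructed with dummy bytes.

```python
PBES2 = "1.2.840.113549.1.5.13"  # OID from the error message in the thread

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128 digits, high bit set means "more follows"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed together
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def collect_oids(buf, pos=0, end=None):
    """Walk the structure depth-first and return every OID as dotted text."""
    end, found = (len(buf) if end is None else end), []
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x06:
            found.append(decode_oid(buf[start:stop]))
        elif tag & 0x20:  # constructed type (SEQUENCE, SET, ...): descend
            found += collect_oids(buf, start, stop)
        pos = stop
    return found

def needs_password(der):
    """EncryptedPrivateKeyInfo opens with a SEQUENCE, PrivateKeyInfo with an INTEGER."""
    _, start, _ = read_tlv(der, 0)
    return der[start] == 0x30

# Constructed samples (dummy salt, IV and ciphertext), short-form lengths only.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

oid = lambda h: tlv(0x06, bytes.fromhex(h))
kdf = tlv(0x30, oid("2a864886f70d01050c") + tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")))
enc = tlv(0x30, oid("60864801650304012a") + tlv(0x04, bytes(16)))
alg = tlv(0x30, oid("2a864886f70d01050d") + tlv(0x30, kdf + enc))
SAMPLE_ENCRYPTED = tlv(0x30, alg + tlv(0x04, bytes(16)))
SAMPLE_PLAIN = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, oid("2a864886f70d010101") + tlv(0x05, b"")) + tlv(0x04, bytes(4)))
```

If `needs_password` returns true and no password was supplied, the importer can ask for one instead of failing later on an OID it does not expect.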
Thanks for quick reply.
I tried your demo and now I got
"AssertAsnTag: Unexpected ASN.1 tag value."
Password for the key I sent before is TestCert123456!
PKIX objects follow a specific format/sequence. Sometimes, a sequence can contain a "choice" of options (especially for strings encoding) and I may not have coded all possible options in the decoder.
I will check what's causing this.
Can you try this version?
https://www.cyberens.fr/wp-content/uploads/2025/11/CryptoDemo.zip
It signs the document now, but the signed XML structure is incorrect.
At the end it has
</AuthTokenRequest ID="D5068050DABFC385768B2560378CF66A">
XML.zip (2.5 KB)
I installed the newest version [v5.1.0.1] and when doing the same thing I got
"Bad Type (116)"
That's because
<?xml version="1.0" encoding="utf-8"?><AuthTokenRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://ksef.mf.gov.pl/auth/token/2.0">
is on one line. Just do this:
<?xml version="1.0" encoding="utf-8"?>
<AuthTokenRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://ksef.mf.gov.pl/auth/token/2.0">
Ok, Now Id is added to
But it is not compliant with the XSD. Why is it added?
So far, TMS CP only signs XML files with a specific format: spaces to indent each node statement and each node starting on a new line. The reason is to avoid rewriting a full XML decoder, which will take some time.
Signing the document changes this
<AuthTokenRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://ksef.mf.gov.pl/auth/token/2.0">
into this
<AuthTokenRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://ksef.mf.gov.pl/auth/token/2.0" ID="D5068050DABFC385768B2560378CF66A">
It adds an Id property, which is not compliant with the XSD and therefore I cannot use it.
Is there any way to avoid this?
Yes, I fixed this issue yesterday for another Polish user as it is specific to KSEF.
The modification will be in 5.1.0.2 to be released soon.
If your requirement is urgent, send me an email to get the updated XAdESObj file.
NOTE: there are plenty of specific 'national' requirements that are difficult to address without detailed explanations on what is expected. Reading the XSD files (when they are available) does help but is not always enough.
Fixed in 5.1.0.2 with a XAdES Polish profile for EC signatures.