Ureader.com  
Microsoft software help and Community
date: Wed, 18 Jun 2008 14:26:00 -0700,    group: microsoft.public.platformsdk.security


RE: Detached signature...   
Hi,

.NET does not add the hash to the signature if the SignedAttributes property of the CmsSigner used in the computation is empty. If you want the signature to contain the digest, you must add an element to the SignedAttributes collection. For example, you can add a Pkcs9SigningTime instance:

signer.SignedAttributes.Add(new Pkcs9SigningTime());

Here is a sample implementation of a signing method that will output a signature containing the hash of the data:

using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static byte[] Sign(byte[] data, X509Certificate2 certificate)
{
    // set up the data to sign as a detached signature (content is not embedded)
    ContentInfo content = new ContentInfo(data);
    SignedCms signedCms = new SignedCms(content, true);
    CmsSigner signer = new CmsSigner(
        SubjectIdentifierType.IssuerAndSerialNumber,
        certificate);
    // add a signingTime attribute; with a non-empty SignedAttributes collection
    // .NET adds the contentType and messageDigest attributes automatically
    signer.SignedAttributes.Add(new Pkcs9SigningTime());
    // create the signature
    signedCms.ComputeSignature(signer);
    return signedCms.Encode();
}


Moreover, if you want to explore the content of a p7m file, you can use the ViewBer tool, which you can download from the following link:
   http://simpleauthority.com/viewber.html
For it to be useful, you must also read the PKCS#7 specification, which describes the ASN.1 format of the signature data.

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot 
characters respectively)


"Paolo Mazzoni" wrote:

> I have the following problem:
> in Italy, to give legal validity to documents, you should give a reference time to the document and sign the document together with the reference time.
> 
> But most of the programs for digital signature on the market generate .p7m files, not giving the receiver the possibility to read the document.
> 
> So using .NET Framework 2.0 I found the detached signature way: see attachments (virus free).
> 
> So the receiver can read the original file and optionally check the signature with the detached file.
> 
> Now, in Italy the signature is legal if and only if the detached .p7m file contains at least the hash of the signed file, but I don't know how .NET Framework works.
> 
> Does anyone know if there is a hash of the PDF file inside? Which function has been used?
> 
> Can I "decode" the .p7m content? How can I do it?
> 
> Thank you
> ----------------------------------------
> Ing. Paolo Mazzoni
>  IT-Expert di Paolo Mazzoni
>  www.it-expert.it 
>
date: Wed, 18 Jun 2008 14:26:00 -0700   author:   Mounir IDRASSI

Re: Detached signature...   
First of all, thank you for your help.

The program was really useful, and I'm reading the PKCS#7 RFC, but I'm not understanding how .NET can correctly verify the detached signature with the original file. Where is the reference in the p7m? I see the Object Identifier, but it's a sequence that I can't understand; if it isn't a hash, what is it? :-P

And in your example code, I see you are adding a signing time to the p7m, not the hash of the original file. Am I wrong?

Anyway, I think you answered the question of the reference time needed in Italy. So a SignedAttribute is signed with the file, without being in the file itself, right?

So the solution is adding signed attributes:
1) the hash of the file
2) the hash algorithm
3) signing time

Right? (But I still believe it's strange that the p7m doesn't have that information.)

Thank you again

-- 
----------------------------------------
Ing. Paolo Mazzoni
 IT-Expert di Paolo Mazzoni
 via Faustana, 40 Borgo Trevi (PG) 06032
 P.IVA 02919960548
 Tel. +39 0742 381726 / Cell. +39 333 2257125
 www.it-expert.it
"Mounir IDRASSI" <moonidra@newsgroups.nospam> wrote in message news:5B88AE17-D5EB-4801-B96A-924D57BB7287@microsoft.com...
date: Thu, 19 Jun 2008 12:40:27 +0200   author:   Paolo Mazzoni

Re: Detached signature...   
Hi Paolo,

When you add any attribute to the SignedAttributes collection, .NET will automatically add the hash to the signature. In my example, it's sufficient to add the signingTime to have the hash inside the signature WITHOUT adding it yourself. Here is what MSDN says:

"A Pkcs9ContentType object and a Pkcs9MessageDigest object will be automatically generated and placed in the SignerInfo.SignedAttributes property for the corresponding signer whenever the SignedAttributes property is not empty."

I hope this clarifies things. Sorry if I was not clear enough in my first post.

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot 
characters respectively)


date: Thu, 19 Jun 2008 04:16:01 -0700   author:   Mounir IDRASSI
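Added example, not code from either poster: the verifying counterpart to the Sign method above, showing where the digest Paolo asked about ends up (the messageDigest signed attribute) and checking it against the original file before letting .NET verify the signature. It assumes the caller supplies the original file bytes and the detached .p7m bytes, and that the signer used SHA-1 or SHA-256 (any other digest OID is rejected).

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
public static class DetachedSignatureCheck
{
    // PKCS#9 attribute OIDs and the two digest-algorithm OIDs this example recomputes.
    const string OidMessageDigest = "1.2.840.113549.1.9.4", OidSigningTime = "1.2.840.113549.1.9.5";
    const string OidSha1 = "1.3.14.3.2.26", OidSha256 = "2.16.840.1.101.3.4.2.1";
    // Verifies a detached .p7m against the original file and returns the signer's
    // asserted signingTime (if present); throws CryptographicException on any failure.
    public static DateTime? Verify(byte[] originalFile, byte[] p7m)
    {
        // Detached mode: the content is supplied here, not carried in the p7m.
        SignedCms cms = new SignedCms(new ContentInfo(originalFile), true);
        cms.Decode(p7m);
        DateTime? signingTime = null;
        foreach (SignerInfo signer in cms.SignerInfos)
        {
            // .NET decodes well-known PKCS#9 OIDs into typed attribute objects.
            Pkcs9MessageDigest digest = null;
            foreach (CryptographicAttributeObject attr in signer.SignedAttributes)
            {
                if (attr.Oid.Value == OidMessageDigest)
                    digest = attr.Values[0] as Pkcs9MessageDigest;
                else if (attr.Oid.Value == OidSigningTime)
                    signingTime = ((Pkcs9SigningTime)attr.Values[0]).SigningTime;
            }
            // A missing attribute means the signer used an empty SignedAttributes collection.
            if (digest == null)
                throw new CryptographicException("p7m carries no messageDigest attribute");
            // Recompute the file digest with the signer's own algorithm and compare.
            byte[] expected;
            using (HashAlgorithm h = CreateHash(signer.DigestAlgorithm.Value))
                expected = h.ComputeHash(originalFile);
            if (!expected.SequenceEqual(digest.MessageDigest))
                throw new CryptographicException("messageDigest does not match the file");
        }
        // true = verify the signature only; pass false in production so the signer's
        // certificate chain is validated as well. Throws if verification fails.
        cms.CheckSignature(true);
        // signingTime is asserted by the signer, not by a time-stamping authority.
        return signingTime;
    }
    static HashAlgorithm CreateHash(string oid)
    {
        if (oid == OidSha1) return SHA1.Create();
        if (oid == OidSha256) return SHA256.Create();
        throw new NotSupportedException("digest algorithm OID " + oid);
    }
}
```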

Re: Detached signature...   
Probably it was my misunderstanding. English is not my mother tongue. :-)

Now it's all clear.
Thank you, I'll try it as soon as I can.

Bye

-- 
----------------------------------------
Ing. Paolo Mazzoni
 IT-Expert di Paolo Mazzoni
 via Faustana, 40 Borgo Trevi (PG) 06032
 P.IVA 02919960548
 Tel. +39 0742 381726 / Cell. +39 333 2257125
 www.it-expert.it
"Mounir IDRASSI" <moonidra@newsgroups.nospam> wrote in message news:70FE0699-A1F6-412A-BE7A-1442A8500C4D@microsoft.com...
date: Thu, 19 Jun 2008 14:45:43 +0200   author:   Paolo Mazzoni
