Hi!

I am struggling with the following scenario:

  1. An XML message is created client-side and digitally signed using Mozilla's window.crypto.signText. After signing, the message and the signature are transmitted via a web service (.NET) to the server. Everything is fine until this point.

  2. On the server, the XML shall be included in another XML document, which is publicly accessible. The signature should be published as well in order to grant non-repudiation.

Q: Is there a smooth option to convert the detached PKCS#7 into XML-DSig (e.g. functionality within the .NET framework)?

Q2: Or is it possible to create the XML-DSIG already client-side without using external plugins?

Thanks for your help!

Alois Paulin

A: 

Hello! Did you find out how to do it? I have a similar problem.

Thanks

Indigo
Hi! Nope, I didn't find any clear solution for this issue. Thus I publish both the signature (base-64 encoded) as produced by .signText as well as the base-64 encoded message within the clear-text XML message. So anyone who wants to verify the signature can verify it against the raw message. A quite "dirty" solution, but sufficient for my needs. But I would still appreciate an answer to this problem :-) Cheers!
Alois
+1  A: 

Due to the nature of both digital signature formats XML and PKCS#7, it is not possible to convert from one to the other.

In a very simplified explanation, the signature in PKCS#7 format contains, among other stuff, a specific data structure called DigestInfo that contains the data digest and an OID (object identifier), and has been ciphered with the user's private key. The XML-DSig format applies the final step of the cryptographic algorithm (again with the user's private key) to a different data value, calculated from digesting the original XML data and some specific XML-DSig data structures. Therefore, since both ciphered values will not be the same, it is only possible to generate the XML-DSig signature by signing the data with the user's private key, which you will not have access to (thus the name private).

From that explanation, the answer to your first question is "No, there is no smooth option, it is not possible at all".

Therefore the only option is to generate the XML-DSig directly at the client side. That is not possible using standard JavaScript, and definitely not with Firefox's window.crypto (which only generates PKCS#7 detached signatures). At my company (www.isigma.es), we solve that by using an applet; it is a common solution in the digital signature industry (there are many commercial and also some open source solutions). That may not be an option in your case, if you do not want browser plugins.

CAPICOM (the Windows-based ActiveX component that you may use in a Microsoft setup) also does not generate XML-DSig, only CMS/PKCS#7.

Carles Barrobés
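A worked illustration of the point made in this answer, added here and not part of the original thread or of any library the thread mentions: both formats end with the same private-key operation, but over different input, so a PKCS#7 signature verifies against the raw message (which is what the asker ended up publishing) and is useless as an XML-DSig SignatureValue. The RSA key generation and PKCS#1 v1.5 padding are a deliberately minimal textbook version written for the demo using only the Python standard library; the PKCS#7 side is simplified to the DigestInfo-over-the-message description given above (a real CMS SignerInfo signs its DER-encoded signed attributes, which changes the bytes but not the conclusion), and the message, key size and SignedInfo fragment are constructed for the example.

```python
"""Constructed example: why a detached PKCS#7 signature cannot become an XML-DSig one.

  PKCS#7/CMS (simplified):  RSA-sign( DigestInfo{ sha256 OID, sha256(message) } )
  XML-DSig:                 RSA-sign( DigestInfo{ ..., sha256(canonical <SignedInfo>) } )

The <SignedInfo> only *contains* sha256(message); it is not sha256(message).
Textbook RSA below is for offline demonstration only, not for production use.
"""
import base64
import hashlib
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (enough for a demo key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit and odd
        if _is_probable_prime(candidate):
            return candidate


def generate_key(bits=1024):
    """Return ((n, e), (n, d)); constructed demo key, far too small for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                     # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _emsa_pkcs1_v15(tbs, k):
    """EMSA-PKCS1-v1_5 encoding of sha256(tbs) into k bytes (RFC 8017, 9.2)."""
    digest_info = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info


def rsa_sign(priv, tbs):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(tbs, k), "big"), d, n).to_bytes(k, "big")


def rsa_verify(pub, tbs, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(tbs, k))


def pkcs7_detached_signature(priv, message):
    """Simplified stand-in for the signature bytes inside a detached PKCS#7 blob."""
    return rsa_sign(priv, message)


def xmldsig_signed_info(message):
    """Minimal <SignedInfo>, written directly in canonical form (no extra whitespace)."""
    digest_value = base64.b64encode(hashlib.sha256(message).digest()).decode()
    return (
        '<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod>'
        '<Reference URI="#message">'
        '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>'
        f"<DigestValue>{digest_value}</DigestValue>"
        "</Reference></SignedInfo>"
    )


def xmldsig_signature_value(priv, message):
    """XML-DSig SignatureValue: RSA over the canonical SignedInfo, not over the message."""
    return base64.b64encode(rsa_sign(priv, xmldsig_signed_info(message).encode())).decode()


def compare_signatures(priv, pub, message):
    p7 = pkcs7_detached_signature(priv, message)
    signed_info = xmldsig_signed_info(message).encode()
    xs = xmldsig_signature_value(priv, message)
    return {
        "pkcs7_signature_b64": base64.b64encode(p7).decode(),
        "xmldsig_signature_value": xs,
        "pkcs7_verifies_raw_message": rsa_verify(pub, message, p7),      # the asker's workaround
        "pkcs7_verifies_as_xmldsig": rsa_verify(pub, signed_info, p7),   # the impossible conversion
        "xmldsig_verifies": rsa_verify(pub, signed_info, base64.b64decode(xs)),
    }


if __name__ == "__main__":
    public, private = generate_key()
    for key, value in compare_signatures(private, public, b"<order id='7'>10 widgets</order>").items():
        print(f"{key}: {value}")
```

Running it shows the two base64 values differ and that only the XML-DSig value verifies against SignedInfo; producing that value needs a fresh private-key operation, which only the client holds.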