
I’m trying to sign XML files via a USB Token in the XAdES format.

Documentation on System.Security.Cryptography.Xml is scarce. I can only find how to sign an XML with basic/default options (https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-sign-xml-documents-with-digital-signatures).

It works. However, it's missing several elements, e.g. some References, Transforms and the Object element.

This is the XAdES XML structure I need.

<?xml version='1.0' encoding='utf-8'?>

<MyRootTag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <MainElement>
        <!--xml_payload_goes_here-->
    </MainElement>
    
    <ds:Signature xmlns:xadesv1410="http://uri.etsi.org/01903/v1.4.1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="signature-5743-9455-8953-3682">
    
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                        <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>
                    </ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue><!--Base64--></ds:DigestValue>
            </ds:Reference>
            <ds:Reference URI="#signed-properties-0967-6800-5986-4853" Type="http://uri.etsi.org/01903#SignedProperties">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue><!--Base64--></ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        
        <ds:SignatureValue Id="signature-value-3400-3038-9836-4335"><!--Base64--></ds:SignatureValue>
        
        <ds:KeyInfo Id="key-info-3540-2157-4472-8413">
            <ds:X509Data>
                <ds:X509Certificate><!--Base64--></ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus><!--Base64--></ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
        
        <ds:Object Id="signature-object-0000-0000-0000-0000">
            <xades:QualifyingProperties Target="#signature-0000-0000-0000-0000">
                <xades:SignedProperties Id="signed-properties-0000-0000-0000-0000">
                    <xades:SignedSignatureProperties>
                        <xades:SigningTime>2021-11-03T08:25:08Z</xades:SigningTime>
                        <xades:SigningCertificate>
                            <xades:Cert>
                                <xades:CertDigest>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                    <ds:DigestValue><!--Base64--></ds:DigestValue>
                                </xades:CertDigest>
                                <xades:IssuerSerial>
                                    <ds:X509IssuerName>Issuer_Name</ds:X509IssuerName>
                                    <ds:X509SerialNumber>000000000000000000000000000000000000000</ds:X509SerialNumber>
                                </xades:IssuerSerial>
                            </xades:Cert>
                        </xades:SigningCertificate>
                    </xades:SignedSignatureProperties>
                </xades:SignedProperties>
            </xades:QualifyingProperties>
        </ds:Object>
        
    </ds:Signature>
    
</MyRootTag>

I need to figure out how to add these elements to SignedXml using AddReference (+AddTransform), AddObject, etc.

Where can I find some C# code examples for XAdES signing, particularly regarding different SignedXml formatting options?

Dalmo
  • If you are looking to access USB token in Web Application from modern web browser, you may also like to check https://stackoverflow.com/a/63173083/9659885 – Bharat Vasant Nov 16 '21 at 05:12
  • Update: I managed to add the Object tag by manually building the XmlNodeList and assigning it to Object.Data. I still cannot add its related Reference element. It says it cannot find the referenced Id. – Dalmo Nov 19 '21 at 13:43
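
One way to produce the two References, the Transforms and the ds:Object with SignedXml, as an added example that is not code from the question or from any library mentioned on this page. It assumes the caller has already built the xades:QualifyingProperties element (with the structure shown above) inside the document being signed, and obtains the token's RSA private key itself; XadesSignedXml, XadesSigner and Sign are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
// SignedXml.GetIdElement only searches the signed document, so a Reference to an Id that sits inside
// a ds:Object (the xades:SignedProperties) is reported as not found; search the DataObjects as well.
public class XadesSignedXml : SignedXml
{
    public XadesSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        foreach (DataObject obj in Signature.ObjectList)
            foreach (XmlNode node in obj.Data)
                if (found == null && node is XmlElement el)
                    found = el.GetAttribute("Id") == idValue ? el : el.SelectSingleNode($".//*[@Id='{idValue}']") as XmlElement;
        return found;
    }
}
public static class XadesSigner
{
    // privateKey: cert.GetRSAPrivateKey() when the token's CSP/KSP is installed, or a PKCS#11-backed RSA.
    // qualifyingProperties: xades:QualifyingProperties created in doc; its SignedProperties has Id=signedPropsId.
    public static XmlElement Sign(XmlDocument doc, X509Certificate2 cert, RSA privateKey,
                                  XmlElement qualifyingProperties, string signedPropsId)
    {
        string sigId = "signature-" + Guid.NewGuid();
        var sx = new XadesSignedXml(doc) { SigningKey = privateKey };
        sx.Signature.Id = sigId;
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        // Reference 1: document minus the signature. .NET has no XPath Filter 2 transform, so the
        // enveloped-signature transform stands in for the "subtract /descendant::ds:Signature" filter.
        var docRef = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        docRef.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        docRef.AddTransform(new XmlDsigExcC14NTransform());
        sx.AddReference(docRef);
        // Reference 2: the SignedProperties that will live inside ds:Object.
        var propsRef = new Reference("#" + signedPropsId)
            { DigestMethod = SignedXml.XmlDsigSHA256Url, Type = "http://uri.etsi.org/01903#SignedProperties" };
        propsRef.AddTransform(new XmlDsigExcC14NTransform());
        sx.AddReference(propsRef); // resolved through the GetIdElement override above
        qualifyingProperties.SetAttribute("Target", "#" + sigId);
        var holder = doc.CreateElement("holder"); // DataObject.Data needs an XmlNodeList, so park the element here
        holder.AppendChild(qualifyingProperties);
        sx.AddObject(new DataObject { Id = "signature-object-" + Guid.NewGuid(), Data = holder.ChildNodes });
        sx.KeyInfo = new KeyInfo { Id = "key-info-" + Guid.NewGuid() };
        sx.KeyInfo.AddClause(new KeyInfoX509Data(cert));
        sx.KeyInfo.AddClause(new RSAKeyValue(cert.GetRSAPublicKey()));
        sx.ComputeSignature();
        return sx.GetXml(); // import into doc and append to DocumentElement to get the enveloped signature
    }
}
```

SignedXml writes the xmldsig elements with a default namespace declaration rather than the ds: prefix, which any namespace-aware verifier treats as identical. If the recipient insists on the XPath Filter 2 transform exactly as shown, that needs a custom Transform subclass, since .NET does not ship one.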

1 Answer


It's better to use a NuGet package for it. There is a good one here: FirmaXadesNetCore. If you try to implement it by yourself you will have a very hard time because there are many details in XAdES. By the way, the only problem that you'll face with FirmaXadesNetCore is that it just implements signing with the Windows certificate store and you have to clone it and implement the Signer class with PKCS#11. It's easy because there is a good NuGet package for it also. You can find it here: Pkcs11Interop.