Home / Questions / 102351
Accepted
Efrain Mejias C
Asked: 2020-09-15 08:46:45 +0800 CST 2020-09-15 08:46:45 +0800 CST

How to sign XML document with XADES-EPES?

  • 772

I develop an application where I sign an XML document, in the following way, but I have to add the signature policy (Certificate provided by the company) and I don't know how to do it. This is how I sign the XML document:

public string  CreateCspParameters (string path)
        {
            error = "true";
            try
            {
                CspParameters cspParams = new CspParameters();
                cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";
                RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);
                XmlDocument xmlDoc = new XmlDocument();
                xmlDoc.PreserveWhitespace = true;
                xmlDoc.Load(path);
                SignXml(xmlDoc, rsaKey);
                xmlDoc.Save(path);
            }
            catch (Exception ex) { error = ex.ToString(); }
            return error;
        }

        public void SignXml(XmlDocument xmlDoc, RSA Key)
        {
            if (xmlDoc == null)
                throw new ArgumentException("xmlDoc");
            if (Key == null)
                throw new ArgumentException("Key");

            SignedXml signedXml = new SignedXml(xmlDoc);
            signedXml.SigningKey = Key;
            Reference reference = new Reference();
            reference.Uri = "";
            XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
            reference.AddTransform(env);
            signedXml.AddReference(reference);
            signedXml.ComputeSignature();
            XmlElement xmlDigitalSignature = signedXml.GetXml();
            xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

        }

This way I can choose the certificate provided by the company but I don't know how to add it to the previous SignXml() method to complete the Xade-Epes

 public  X509Certificate2Collection ElejirCertificado()
        {

            X509Store store = new X509Store(StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            X509Certificate2Collection certificates = store.Certificates;
            X509Certificate2Collection foundCertificates = certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
            X509Certificate2Collection selectedCertificates = X509Certificate2UI.SelectFromCollection(foundCertificates,
                "Selecciona un certificado.",
                "Selecciona un certificado de la siguiente lista:",
                X509SelectionFlag.SingleSelection);

            return selectedCertificates;
        }
c#

1 Answers

  1. Best Answer
    1. - Seleccion del certificado 

     public X509Certificate2 ElegirCertificado()
    {
       X509Store store = new X509Store(StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        X509Certificate2Collection certificates = store.Certificates;
        X509Certificate2Collection foundCertificates = certificates.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
        X509Certificate2 cert = foundCertificates.OfType<X509Certificate2>().Where(x => x.Subject == "CN=NEOTECNOLOGIAS SOCIEDAD ANONIMA, OU=CPJ, O=PERSONA JURIDICA, C=CR, G=NEOTECNOLOGIAS SOCIEDAD ANONIMA, SN=\"\", SERIALNUMBER=CPJ-3-101-408861").First();
        return cert;
    }

    public string PreviaXadesEpes(string path)
    {
        error = "true";
        try
        {
           X509Certificate2 certificado = new X509Certificate2();
            certificado = ElegirCertificado();
            XmlDocument xmlDoc = new XmlDocument();
            xmlDoc.PreserveWhitespace = true;

            xmlDoc.Load(path);
            xmlDoc=FirmarXadesEPES(xmlDoc, certificado);
            xmlDoc.Save(path);
        }
        catch (Exception ex) { error = ex.ToString(); }
        return error;
    }

    2. - Ejecuto los siguientes metodos :

        private XmlDocument FirmarXadesEPES(XmlDocument xmlDoc, X509Certificate2 certificate)
    {

        XadesSignedXml signedXml = new XadesSignedXml(xmlDoc);
        signedXml.Signature.Id = "SignatureId";
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

        string URI = "http://uri.etsi.org/01903/v1.3.2#";
        XmlElement qualifyingPropertiesRoot = xmlDoc.CreateElement("xades", "QualifyingProperties", URI);
        qualifyingPropertiesRoot.SetAttribute("Target", "#SignatureId",URI);

        XmlElement signaturePropertiesRoot = xmlDoc.CreateElement("xades", "SignedProperties", URI);
        signaturePropertiesRoot.SetAttribute("Id", "SignedPropertiesId",URI);

        XmlElement SignedSignatureProperties = xmlDoc.CreateElement("xades", "SignedSignatureProperties", URI);

        XmlElement timestamp = xmlDoc.CreateElement("xades", "SigningTime", URI);
        timestamp.InnerText = DateTime.Now.ToString("yyyy-MM-ddTHH:mm:ss.fffZ"); //2011-09-05T09:11:24.268Z
        SignedSignatureProperties.AppendChild(timestamp);

        XmlElement SigningCertificate = xmlDoc.CreateElement("xades", "SigningCertificate", URI);
        XmlElement Cert = xmlDoc.CreateElement("xades", "Cert", URI);
        XmlElement CertDigest = xmlDoc.CreateElement("xades", "CertDigest", URI);
        SHA1 cryptoServiceProvider = new SHA1CryptoServiceProvider();
        byte[] sha1 = cryptoServiceProvider.ComputeHash(certificate.RawData);

        XmlElement DigestMethod = xmlDoc.CreateElement("ds", "DigestMethod", URI);

        DigestMethod.SetAttribute("Algorithm", SignedXml.XmlDsigSHA1Url);
        XmlElement DigestValue = xmlDoc.CreateElement("ds", "DigestValue", URI);
        DigestValue.InnerText = Convert.ToBase64String(sha1);
        CertDigest.AppendChild(DigestMethod);
        CertDigest.AppendChild(DigestValue);
        Cert.AppendChild(CertDigest);

        XmlElement IssuerSerial = xmlDoc.CreateElement("xades", "IssuerSerial", URI);
        XmlElement X509IssuerName = xmlDoc.CreateElement("ds", "X509IssuerName", "http://www.w3.org/2000/09/xmldsig#");
        X509IssuerName.InnerText = certificate.IssuerName.Name;
        XmlElement X509SerialNumber = xmlDoc.CreateElement("ds", "X509SerialNumber", "http://www.w3.org/2000/09/xmldsig#");
        X509SerialNumber.InnerText = certificate.SerialNumber;
        IssuerSerial.AppendChild(X509IssuerName);
        IssuerSerial.AppendChild(X509SerialNumber);
        Cert.AppendChild(IssuerSerial);

        SigningCertificate.AppendChild(Cert);
        SignedSignatureProperties.AppendChild(SigningCertificate);

        signaturePropertiesRoot.AppendChild(SignedSignatureProperties);
        qualifyingPropertiesRoot.AppendChild(signaturePropertiesRoot);

        // /////////////////////////////////
        XmlElement SignaturePolicyIdentifier = xmlDoc.CreateElement("xades", "SignaturePolicyIdentifier", URI);
        SignedSignatureProperties.AppendChild(SignaturePolicyIdentifier);

        XmlElement SignaturePolicyId = xmlDoc.CreateElement("xades", "SignaturePolicyId", URI);
        SignaturePolicyIdentifier.AppendChild(SignaturePolicyId);

        XmlElement SigPolicyId = xmlDoc.CreateElement("xades", "SigPolicyId", URI);
        SignaturePolicyId.AppendChild(SigPolicyId);

        XmlElement Identifier = xmlDoc.CreateElement("xades", "Identifier", URI);
        Identifier.InnerText = "https://tribunet.hacienda.go.cr/docs/esquemas/2016/v4.1/Resolucion_Comprobantes_Electronicos_DGT-R-48-2016.pdf";
        SigPolicyId.AppendChild(Identifier);

        XmlElement SigPolicyHash = xmlDoc.CreateElement("xades", "SigPolicyHash", URI);
        SignaturePolicyId.AppendChild(SigPolicyHash);

        DigestMethod = xmlDoc.CreateElement("ds", "DigestMethod", URI);
        DigestMethod.SetAttribute("Algorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
        DigestValue = xmlDoc.CreateElement("ds", "DigestValue", URI);
        byte[] shaCertificate = { 0xf1, 0x48, 0x03, 0x50, 0x5c, 0x33, 0x64, 0x29, 0x07, 0x84, 0x43, 0xca, 0x79, 0x6e, 0x59, 0xcc, 0xac, 0xf5, 0x85, 0x4c };
        DigestValue.InnerText = Convert.ToBase64String(shaCertificate);
        SigPolicyHash.AppendChild(DigestMethod);
        SigPolicyHash.AppendChild(DigestValue);

        XmlElement SignedDataObjectProperties = xmlDoc.CreateElement("xades", "SignedDataObjectProperties", URI);
        XmlElement DataObjectFormat = xmlDoc.CreateElement("xades", "DataObjectFormat", URI);
        DataObjectFormat.SetAttribute("ObjectReference", "#r-id-1");
        signaturePropertiesRoot.AppendChild(SignedDataObjectProperties);
        SignedDataObjectProperties.AppendChild(DataObjectFormat);
        XmlElement MimeType = xmlDoc.CreateElement("xades", "MimeType", URI);
        MimeType.InnerText = "application/octet-stream";
        DataObjectFormat.AppendChild(MimeType);
        // /////////////////////////////////////////////////////////////

        DataObject dataObject = new DataObject
        {
            Data = qualifyingPropertiesRoot.SelectNodes("."),
        };

        signedXml.AddObject(dataObject);

        signedXml.SigningKey = certificate.PrivateKey;

        KeyInfo keyInfo = new KeyInfo();
        KeyInfoX509Data keyInfoX509Data = new KeyInfoX509Data(certificate, X509IncludeOption.ExcludeRoot);
        keyInfo.AddClause(keyInfoX509Data);
        signedXml.KeyInfo = keyInfo;

        //Reference 1
        Reference reference2 = new Reference();
        reference2.Id = "R1";
        reference2.Type = "http://uri.etsi.org/01903#SignedProperties";
        reference2.Uri = "";
        XmlDsigXPathTransform XPathTransform = CreateXPathTransform("ValorPath");
        reference2.AddTransform(XPathTransform);
        reference2.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
        reference2.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference2);

       //Reference 2
        reference2 = new Reference();
       // reference2.Id = "R2";
        reference2.Type = "http://uri.etsi.org/01903#SignedProperties";
        reference2.Uri = "";
        // reference2.AddTransform(new XmlDsigExcC14NTransform());
        XPathTransform = CreateXPathTransform("ValorPath");
       // reference2.AddTransform(XPathTransform);
        reference2.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
        reference2.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference2); 

        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

        bool checkSign = signedXml.CheckSignature();

        //return xmlDoc.OuterXml;
        return xmlDoc;

    }
    private static XmlDsigXPathTransform CreateXPathTransform(string XPathString)
    {
        XmlDocument doc = new XmlDocument();
        XmlElement xPathElem = doc.CreateElement("XPath");
        xPathElem.InnerText = XPathString;
        XmlDsigXPathTransform xForm = new XmlDsigXPathTransform();
        xForm.LoadInnerXml(xPathElem.SelectNodes("."));
        return xForm;
    }
    • 3