m227
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
I found Xerces to be the industry standard for XML validation against XSDs (Oxygen XML Editor and probably Altova XMLSpy use it). Along with its generous Apache license, it is the only choice. I use it via the DI XML (paid) wrapper. It covers most XML tasks; however, to fiddle with XML I use Ondrej Pokorny's OXML, which by nature is lightning fast (pure Delphi).
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
I don't urge implementing XAdES in ICS, as I already handle the small part of it which I need (with the help of ICS/OpenSSL). However, handling XAdES files in some popular library like ICS would be a nice feature. To parse XMLs I have used OXML for many years with success. My current, not too consistent, code looks like:

  // Assumed declaration (not in the original post): output format selector
  type
    X509CertificateFormat = (X509CF_BASE64, X509CF_BASE64_WITH_HEADER, X509CF_BINARY);

  // Extract every X509Certificate element from an XAdES/XML-DSig file.
  // Relies on ChopToLines (wraps the base64 every 64 characters) and on a
  // DecodeBase64 returning String, both defined elsewhere in the unit.
  function GetSignaturesBase64FromXAdES(const AFileName: String;
    AFormat: X509CertificateFormat = X509CF_BASE64): TStringDynArray;

    // Wrap a base64 body in PEM armour
    function AddHeader(AString: String): String;
    begin
      Result := '-----BEGIN CERTIFICATE-----' + sLineBreak + AString + sLineBreak +
        '-----END CERTIFICATE-----';
    end;

  var
    FXML: IXMLDocument;
    ANodeList: IXMLNodeList;
    i: Integer;
    Base64: String;
  begin
    SetLength(Result, 0);
    FXML := CreateXMLDoc;
    try
      FXML.ReaderSettings.StrictXML := False;
      FXML.LoadFromFile(AFileName);
      // XML-DSig namespace; each certificate sits under Signature/KeyInfo/X509Data
      FXML.DocumentElement.SelectNodesNS('http://www.w3.org/2000/09/xmldsig#',
        '//Signature/KeyInfo/X509Data/X509Certificate', ANodeList);
      for i := 0 to ANodeList.Count - 1 do
      begin
        // 2020-03-30: delete CRLF at start and end, then wrap every 64 chars
        Base64 := Trim(ANodeList[i].ChildNodes[0].NodeValue);
        ChopToLines(Base64);
        case AFormat of
          X509CF_BASE64:             Result := Result + [Base64];
          X509CF_BASE64_WITH_HEADER: Result := Result + [AddHeader(Base64)];
          X509CF_BINARY:             Result := Result + [DecodeBase64(Base64)];
        end;
        // StringToFile(Format('Cert%d.txt', [i]), Result[i]);
      end;
    finally
      FXML := nil;
    end;
  end;
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Thanks, I'm not a low-level component writer, nor do I aspire to be. For now we have no need to sign/verify signatures, so it is not in my scope of view.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Well, the work is more complicated. I parse and visualize a special kind of financial XML files (in a semi-tree structure); sometimes they are signed with XAdES, sometimes the XAdES file has my XML in it, sometimes it is an additional node in my XML files. But when my XML files are in XAdES or XAdES is part of them, I have to read the XAdES signatures to show their signers. I also extract attachments and decode them, and I validate XML files using Xerces (DI XML). Screenshot attached. Some XML files (with millions of rows) I render to an SQLite database with some tables (when Excel is too short to visualize them).
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Come on Angus. https://en.wikipedia.org/wiki/XAdES It is one of the standards for signing files (a file extension as well). Based on XML.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Kas Ob., I get my base64 from XAdES files from: Signature\KeyInfo\X509Data\X509Certificate, so it should always be a valid single-line base64 string. The only difference is that XAdES has it without line breaks.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Well done, I chopped my base64 with a nifty bit of code:

  // Insert ASeparator after every AEveryChars characters of AString
  // (default: 64 characters per line, CRLF separator, i.e. PEM line width)
  procedure ChopToLines(var AString: String; const AEveryChars: Integer = 64;
    ASeparator: String = #13#10);
  var
    i: Integer;
  begin
    i := AEveryChars;
    while Length(AString) > i do
    begin
      Insert(ASeparator, AString, i + 1);       // insert after the i-th character
      Inc(i, AEveryChars + Length(ASeparator)); // skip past the separator just added
    end;
  end;

and it works with OpenSSL 1.1.1!!! Thank you for the help
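The two posts above (the XAdES extraction function and the ChopToLines wrapper) describe one pipeline: pull the X509Certificate text out of the XML-DSig KeyInfo, strip whitespace, wrap the base64 every 64 characters, and hand the PEM to OpenSSL. The following is an added example of that pipeline in Python, not code from m227 or from ICS/OXML; it uses only the standard library, and the embedded XML and "certificate" are constructed sample data (a bare DER SEQUENCE with filler, not a real certificate), so the structural check only confirms the outer DER framing is intact. The function and variable names are the example's own.

```python
"""Extract X509Certificate nodes from an XAdES/XML-DSig document, rebuild PEM
with 64-column lines, and sanity-check the decoded DER framing."""
import base64
import binascii
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def der_sequence(payload: bytes) -> bytes:
    """Minimal DER SEQUENCE encoder, used here only to build sample data."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


# Constructed sample: NOT a real certificate, just a DER SEQUENCE of filler
SAMPLE_DER = der_sequence(b"constructed-sample-certificate-body-" * 5)
# Constructed sample XAdES-like document; the base64 is one unbroken line,
# exactly as the poster found it in real XAdES files
SAMPLE_XADES = f"""<Root xmlns:ds="{DSIG_NS}">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</Root>"""


def extract_cert_base64(xml_text: str) -> list[str]:
    """Return the whitespace-stripped base64 of every Signature/KeyInfo/X509Data/X509Certificate."""
    root = ET.fromstring(xml_text)
    ns = "{" + DSIG_NS + "}"
    path = f".//{ns}Signature/{ns}KeyInfo/{ns}X509Data/{ns}X509Certificate"
    # join() over split() removes leading/trailing CRLF and any interior line breaks
    return ["".join((node.text or "").split()) for node in root.iterfind(path)]


def wrap_base64(b64: str, width: int = 64) -> str:
    """Equivalent of ChopToLines: break the string every `width` characters."""
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))


def to_pem(b64: str) -> str:
    """PEM armour around 64-column base64, the form strict PEM readers expect."""
    return "-----BEGIN CERTIFICATE-----\n" + wrap_base64(b64) + "\n-----END CERTIFICATE-----\n"


def der_looks_like_certificate(der: bytes) -> bool:
    """Check only the outer DER framing: tag 0x30 and a length that spans the whole buffer.
    This is a quick corruption check, not validation; parsing names needs a real X.509 parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            return False
        length = int.from_bytes(der[2:2 + nbytes], "big")
        header = 2 + nbytes
    return header + length == len(der)


def certificates_from_xades(xml_text: str) -> list[dict]:
    """For each certificate node: PEM text plus a flag saying whether the DER framing is sane."""
    results = []
    for b64 in extract_cert_base64(xml_text):
        try:
            der = base64.b64decode(b64, validate=True)  # reject non-alphabet bytes
        except binascii.Error:
            results.append({"pem": None, "der_ok": False, "error": "invalid base64"})
            continue
        results.append({"pem": to_pem(b64), "der_ok": der_looks_like_certificate(der),
                        "der_len": len(der)})
    return results


if __name__ == "__main__":
    for entry in certificates_from_xades(SAMPLE_XADES):
        print(entry.get("pem") or entry["error"], "der_ok =", entry["der_ok"])
```

The `der_ok` flag separates "the text was damaged on the way out of the XML" from "OpenSSL rejected a structurally intact certificate", which is the distinction the thread is circling around; once the PEM is rebuilt this way, the decoded bytes are what should be handed to the certificate parser.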
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Thank you for the further investigation. Does it mean that if I programmatically wrap them every 64 ASCII characters, OpenSSL 1.1.1 will accept them all?
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Angus, thank you for the help. Maybe Kas Ob. is right that when I chopped them out of XAdES I omitted some other necessary data in the chain? Kas Ob., I sent you the files in private. If you still require the XAdES, I'll find it and send it. Michal
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Those certificates I extracted from the XAdES file, from the X509 nodes. And they are successfully read (the credentials) by some web services as well as by ICS using OpenSSL 1.1.0. As a matter of fact I don't want to check the validity of the certificates or whether they are forged, but to extract the names of the signers. OpenSSL 1.1.0 does the job while 1.1.1 does not. I sent the files to Angus, but if you are able and kind enough to check their contents I can send them in private. I am myself not too fluent in security topics.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
Do these certificates contain any sensitive private data? If not, I/we/you can send them to the proper OpenSSL programmers.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
What can I say? Does it mean that if no error is found, OpenSSL 1.1.1 is spoiled? They are read using 1.1.0 with no problem and 1.1.1 does not read them. I don't know what library you use to get your "Error Cert 1" and whether it is an error or not.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
My only activity is to parse them and extract the signer's first and last name, and country. ICS does it well. Michal
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
My clients notify me that other gates/programs read these signatures with no errors (probably they use an older OpenSSL) and I cannot argue with it. If the certificate is spoiled it should still be read, as it is with 1.1.0, and some annotation could be added. The current 1.1.1 is useless in this field. If you find any reliable site which will revoke these certificates, I will eagerly cite it to my clients.
bug Odd (OpenSSL?) bug and types in X509 certs
m227 replied to merijnb's topic in ICS - Internet Component Suite
I'd like to remind you that all four files are read using OpenSSL 1.1.0 (so I use it now instead of 1.1.1). This makes me suggest that something went wrong in 1.1.1 (even if the error message does not clarify what).