(MFC) Signed Zip as Base64 with XAdES-BES

Important: This example requires Chilkat v9.5.0.80 or greater.

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

Verify the signed XML.
Extract the PIT-11z.zip from the signed XML.
Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat C/C++ Library Downloads

MS Visual C/C++ Libs

See Also: Using MFC CString in Chilkat

#include <CkStringBuilder.h>
#include <CkZip.h>
#include <CkZipEntry.h>
#include <CkBinData.h>
#include <CkXmlDSigGen.h>
#include <CkXml.h>
#include <CkCert.h>
#include <CkXmlDSig.h>

void ChilkatSample(void)
    {
    CkString strOut;

    // This example assumes the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
    CkStringBuilder sbXmlToZip;
    bool success = sbXmlToZip.LoadFile("qa_data/xml/PIT-11Z.xml","utf-8");
    if (success != true) {
        strOut.append("Failed to load the XML to be zipped.");
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    CkZip zip;

    // Initialize the zip object. No file is created in this call.
    // It should always return true.
    success = zip.NewZip("PIT-11Z.zip");

    // Add the XML to be zipped.
    CkZipEntry *entry = zip.AppendString("PIT-11Z.xml",sbXmlToZip.getAsString());
    delete entry;

    // Write the zip to a BinData object.
    CkBinData bdZip;
    zip.WriteBd(bdZip);
    // The contents of the bdZip will be retrieved in base64 format when needed below..

    CkXmlDSigGen gen;

    gen.put_SigLocation("");
    gen.put_SigLocationMod(0);

    gen.put_SigId("Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19");
    gen.put_SigNamespacePrefix("ds");
    gen.put_SigNamespaceUri("http://www.w3.org/2000/09/xmldsig#");
    gen.put_SigValueId("SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52");
    gen.put_SignedInfoId("SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41");
    gen.put_SignedInfoCanonAlg("C14N");
    gen.put_SignedInfoDigestMethod("sha1");

    // Set the KeyInfoId before adding references..
    gen.put_KeyInfoId("KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24");

    // Create an Object to be added to the Signature.
    CkXml object1;
    object1.put_Tag("xades:QualifyingProperties");
    object1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#");
    object1.AddAttribute("Id","QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43");
    object1.AddAttribute("Target","#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19");
    object1.UpdateAttrAt("xades:SignedProperties",true,"Id","SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e");
    object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties",true,"Id","SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a");
    // Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT");
    object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
    object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties",true,"Id","SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b");
    object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat",true,"ObjectReference","#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description","MIME-Version: 1.0\r\nContent-Type: application/zip\r\nContent-Transfer-Encoding: binary\r\nContent-Disposition: filename=&quot;PIT-11Z.zip&quot;");
    object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",true,"Qualifier","OIDAsURI");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier","http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description","Opis formatu dokumentu oraz jego pelna nazwa");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference","http://www.certum.pl/OIDAsURI/signedFile.pdf");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType","application/zip");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier","http://uri.etsi.org/01903/v1.2.2#ProofOfApproval");
    object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects","");
    object1.UpdateAttrAt("xades:UnsignedProperties",true,"Id","UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55");

    // Emit XML in compact (single-line) format to avoid whitespace problems.
    object1.put_EmitCompact(true);
    gen.AddObject("",object1.getXml(),"","");

    // Create an Object to be added to the Signature.
    // This is where we add the base64 representation of the PIT-11Z.zip
    gen.AddObject("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",bdZip.getEncoded("base64"),"","http://www.w3.org/2000/09/xmldsig#base64");

    // -------- Reference 1 --------
    gen.AddObjectRef("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","sha1","C14N_WithComments","","");
    gen.SetRefIdAttr("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");

    // -------- Reference 2 --------
    gen.AddObjectRef("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","sha1","","","http://uri.etsi.org/01903#SignedProperties");
    gen.SetRefIdAttr("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28");

    // Provide a certificate + private key. (PFX password is test123)
    CkCert cert;
    success = cert.LoadPfxFile("qa_data/pfx/cert_test123.pfx","test123");
    if (success != true) {
        strOut.append(cert.lastErrorText());
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    gen.SetX509Cert(cert,true);

    gen.put_KeyInfoType("X509Data");
    gen.put_X509Type("Certificate");

    // This will be an enveloping signature where the Signature element
    // is the XML document root, the signed data is contained within Object
    // tag(s) within the Signature.
    // Therefore, pass an empty sbXml to CreateXmlDsigSb.
    CkStringBuilder sbXml;

    // The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
    // (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
    // the same XML canonicalization implementation w/ the bug.)
    gen.put_Behaviors("AttributeSortingBug,CompactSignedXml");

    // Sign the XML...
    success = gen.CreateXmlDSigSb(sbXml);
    if (success != true) {
        strOut.append(gen.lastErrorText());
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    // -----------------------------------------------

    // Save the signed XML to a file.
    success = sbXml.WriteFile("qa_output/signedXml.xml","utf-8",false);

    strOut.append(sbXml.getAsString());
    strOut.append("\r\n");

    // ----------------------------------------
    // Verify the signature we just produced...
    CkXmlDSig verifier;
    success = verifier.LoadSignatureSb(sbXml);
    if (success != true) {
        strOut.append(verifier.lastErrorText());
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    bool verified = verifier.VerifySignature(true);
    if (verified != true) {
        strOut.append(verifier.lastErrorText());
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    strOut.append("This signature was successfully verified.");
    strOut.append("\r\n");

    // ------------------------------------
    // Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
    CkXml xml;
    xml.LoadSb(sbXml,true);

    // The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
    // (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
    const char *strZipBase64 = xml.getChildContent("ds:Object[1]");

    bdZip.Clear();
    bdZip.AppendEncoded(strZipBase64,"base64");
    if (bdZip.get_NumBytes() == 0) {
        strOut.append("Something went wrong.. we dont' have any data..");
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    success = zip.OpenBd(bdZip);
    if (success != true) {
        strOut.append(zip.lastErrorText());
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    // Get the 1st file in the zip, which should be the PIT-11Z.xml
    entry = zip.GetEntryByIndex(0);
    if (zip.get_LastMethodSuccess() != true) {
        strOut.append("Zip contains no files...");
        strOut.append("\r\n");
        SetDlgItemText(IDC_EDIT1,strOut.getUnicode());
        return;
    }

    // Get the XML:
    const char *origXml = entry->unzipToString(0,"utf-8");
    strOut.append("Original XML extracted from base64 zip:");
    strOut.append("\r\n");
    strOut.append(origXml);
    strOut.append("\r\n");

    delete entry;


    SetDlgItemText(IDC_EDIT1,strOut.getUnicode());

    }