(C#) Signed Zip as Base64 with XAdES-BES

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

1. Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
2. Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
3. XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

1. Verify the signed XML.
2. Extract the PIT-11z.zip from the signed XML.
3. Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat .NET Downloads Chilkat .NET Framework Chilkat for .NET Core

// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
Chilkat.StringBuilder sbXmlToZip = new Chilkat.StringBuilder();
bool success = sbXmlToZip.LoadFile("qa_data/xml/PIT-11Z.xml","utf-8");
if (success != true) {
    Debug.WriteLine("Failed to load the XML to be zipped.");
    return;
}

Chilkat.Zip zip = new Chilkat.Zip();

// Initialize the zip object. No file is created in this call.
// It should always return true.
success = zip.NewZip("PIT-11Z.zip");

// Add the XML to be zipped.
Chilkat.ZipEntry entry = zip.AppendString("PIT-11Z.xml",sbXmlToZip.GetAsString());

// Write the zip to a BinData object.
Chilkat.BinData bdZip = new Chilkat.BinData();
zip.WriteBd(bdZip);
// The contents of the bdZip will be retrieved in base64 format when needed below..

Chilkat.XmlDSigGen gen = new Chilkat.XmlDSigGen();

gen.SigLocation = "";
gen.SigLocationMod = 0;

gen.SigId = "Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19";
gen.SigNamespacePrefix = "ds";
gen.SigNamespaceUri = "http://www.w3.org/2000/09/xmldsig#";
gen.SigValueId = "SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52";
gen.SignedInfoId = "SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41";
gen.SignedInfoCanonAlg = "C14N";
gen.SignedInfoDigestMethod = "sha1";

// Set the KeyInfoId before adding references..
gen.KeyInfoId = "KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24";

// Create an Object to be added to the Signature.
Chilkat.Xml object1 = new Chilkat.Xml();
object1.Tag = "xades:QualifyingProperties";
object1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#");
object1.AddAttribute("Id","QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43");
object1.AddAttribute("Target","#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19");
object1.UpdateAttrAt("xades:SignedProperties",true,"Id","SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties",true,"Id","SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a");
// Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT");
// Note: It may be that http://www.w3.org/2001/04/xmlenc#sha256 is needed in the following line instead of http://www.w3.org/2000/09/xmldsig#sha1
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod",true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties",true,"Id","SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat",true,"ObjectReference","#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description","MIME-Version: 1.0\r\nContent-Type: application/zip\r\nContent-Transfer-Encoding: binary\r\nContent-Disposition: filename="PIT-11Z.zip"");
object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",true,"Qualifier","OIDAsURI");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier","http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description","Opis formatu dokumentu oraz jego pelna nazwa");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference","http://www.certum.pl/OIDAsURI/signedFile.pdf");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType","application/zip");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier","http://uri.etsi.org/01903/v1.2.2#ProofOfApproval");
object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects","");
object1.UpdateAttrAt("xades:UnsignedProperties",true,"Id","UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55");

// Emit XML in compact (single-line) format to avoid whitespace problems.
object1.EmitCompact = true;
gen.AddObject("",object1.GetXml(),"","");

// Create an Object to be added to the Signature.
// This is where we add the base64 representation of the PIT-11Z.zip
gen.AddObject("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",bdZip.GetEncoded("base64"),"","http://www.w3.org/2000/09/xmldsig#base64");

// -------- Reference 1 --------
gen.AddObjectRef("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","sha1","C14N_WithComments","","");
gen.SetRefIdAttr("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");

// -------- Reference 2 --------
gen.AddObjectRef("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","sha1","","","http://uri.etsi.org/01903#SignedProperties");
gen.SetRefIdAttr("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28");

// Provide a certificate + private key. (PFX password is test123)
Chilkat.Cert cert = new Chilkat.Cert();
success = cert.LoadPfxFile("qa_data/pfx/cert_test123.pfx","test123");
if (success != true) {
    Debug.WriteLine(cert.LastErrorText);
    return;
}

gen.SetX509Cert(cert,true);

gen.KeyInfoType = "X509Data";
gen.X509Type = "Certificate";

// This will be an enveloping signature where the Signature element
// is the XML document root, the signed data is contained within Object
// tag(s) within the Signature.
// Therefore, pass an empty sbXml to CreateXmlDsigSb.
Chilkat.StringBuilder sbXml = new Chilkat.StringBuilder();

// The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
// (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
// the same XML canonicalization implementation w/ the bug.)
gen.Behaviors = "AttributeSortingBug,CompactSignedXml";

// Sign the XML...
success = gen.CreateXmlDSigSb(sbXml);
if (success != true) {
    Debug.WriteLine(gen.LastErrorText);
    return;
}

// -----------------------------------------------

// Save the signed XML to a file.
success = sbXml.WriteFile("qa_output/signedXml.xml","utf-8",false);

Debug.WriteLine(sbXml.GetAsString());

// ----------------------------------------
// Verify the signature we just produced...
Chilkat.XmlDSig verifier = new Chilkat.XmlDSig();
success = verifier.LoadSignatureSb(sbXml);
if (success != true) {
    Debug.WriteLine(verifier.LastErrorText);
    return;
}

bool verified = verifier.VerifySignature(true);
if (verified != true) {
    Debug.WriteLine(verifier.LastErrorText);
    return;
}

Debug.WriteLine("This signature was successfully verified.");

// ------------------------------------
// Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
Chilkat.Xml xml = new Chilkat.Xml();
xml.LoadSb(sbXml,true);

// The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
// (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
string strZipBase64 = xml.GetChildContent("ds:Object[1]");

bdZip.Clear();
bdZip.AppendEncoded(strZipBase64,"base64");
if (bdZip.NumBytes == 0) {
    Debug.WriteLine("Something went wrong.. we dont' have any data..");
    return;
}

success = zip.OpenBd(bdZip);
if (success != true) {
    Debug.WriteLine(zip.LastErrorText);
    return;
}

// Get the 1st file in the zip, which should be the PIT-11Z.xml
entry = zip.GetEntryByIndex(0);
if (zip.LastMethodSuccess != true) {
    Debug.WriteLine("Zip contains no files...");
    return;
}

// Get the XML:
string origXml = entry.UnzipToString(0,"utf-8");
Debug.WriteLine("Original XML extracted from base64 zip:");
Debug.WriteLine(origXml);