(C) Create XAdES-T Signed XML

See more XAdES Examples

This example signs XML using the XAdES-T profile. XAdES-T is a profile within the XAdES standard that adds support for secure timestamping of signatures.

Secure timestamping involves adding a timestamp to the signature, indicating the exact time when the signature was applied.

Timestamping enhances the long-term validity of signatures by providing evidence that the signature existed at a specific point in time, even if the signer's certificate has expired or been revoked.

XAdES-T signatures include elements for embedding timestamp data within the XML signature, along with information about the timestamp authority and the timestamp verification process.

XAdES-T signatures are suitable for scenarios where long-term validity and integrity of signatures are essential, such as in legal and regulatory contexts where archived documents may need to be validated years or decades later.

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <C_CkXml.h>
#include <C_CkXmlDSigGen.h>
#include <C_CkCert.h>
#include <C_CkJsonObject.h>
#include <C_CkStringBuilder.h>
#include <C_CkXmlDSig.h>

void ChilkatSample(void)
    {
    BOOL success;
    HCkXml xmlToSign;
    HCkXmlDSigGen gen;
    HCkXml object1;
    HCkXml object2;
    HCkCert cert;
    HCkJsonObject jsonTsa;
    HCkStringBuilder sbXml;
    HCkXmlDSig verifier;
    int numSigs;
    int verifyIdx;
    BOOL verified;

    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    success = TRUE;
    // Create the XML to be signed...

    // Use this online tool to generate code from sample XML: 
    // Generate Code to Create XML

    // <?xml version="1.0" encoding="UTF-8"?>
    // <es:Dossier xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://uri.etsi.org/01903/v1.3.2#" xmlns:es="https://www.microsec.hu/ds/e-szigno30#" xsi:schemaLocation="https://www.microsec.hu/ds/e-szigno30# https://www.microsec.hu/ds/e-szigno30.xsd">
    // 	<es:DossierProfile Id="PObject0" OBJREF="Object0">
    // 	<es:Title>e-akta.es3</es:Title>
    // 	<es:E-category>electronic dossier</es:E-category>
    // 	<es:CreationDate>2022-12-02T07:55:16Z</es:CreationDate>
    // 	</es:DossierProfile>
    // 	<es:Documents Id="Object0"/>
    // </es:Dossier>

    xmlToSign = CkXml_Create();
    CkXml_putTag(xmlToSign,"es:Dossier");
    CkXml_AddAttribute(xmlToSign,"xmlns:xsi","http://www.w3.org/2001/XMLSchema-instance");
    CkXml_AddAttribute(xmlToSign,"xmlns:ds","http://www.w3.org/2000/09/xmldsig#");
    CkXml_AddAttribute(xmlToSign,"xmlns","http://uri.etsi.org/01903/v1.3.2#");
    CkXml_AddAttribute(xmlToSign,"xmlns:es","https://www.microsec.hu/ds/e-szigno30#");
    CkXml_AddAttribute(xmlToSign,"xsi:schemaLocation","https://www.microsec.hu/ds/e-szigno30# https://www.microsec.hu/ds/e-szigno30.xsd");
    CkXml_UpdateAttrAt(xmlToSign,"es:DossierProfile",TRUE,"Id","PObject0");
    CkXml_UpdateAttrAt(xmlToSign,"es:DossierProfile",TRUE,"OBJREF","Object0");
    CkXml_UpdateChildContent(xmlToSign,"es:DossierProfile|es:Title","e-akta.es3");
    CkXml_UpdateChildContent(xmlToSign,"es:DossierProfile|es:E-category","electronic dossier");
    CkXml_UpdateChildContent(xmlToSign,"es:DossierProfile|es:CreationDate","2022-12-02T07:55:16Z");
    CkXml_UpdateAttrAt(xmlToSign,"es:Documents",TRUE,"Id","Object0");

    gen = CkXmlDSigGen_Create();

    CkXmlDSigGen_putSigLocation(gen,"es:Dossier");
    CkXmlDSigGen_putSigLocationMod(gen,0);
    CkXmlDSigGen_putSigId(gen,"S9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXmlDSigGen_putSigValueId(gen,"VS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXmlDSigGen_putSignedInfoId(gen,"SIS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXmlDSigGen_putSignedInfoCanonAlg(gen,"EXCL_C14N");
    CkXmlDSigGen_putSignedInfoDigestMethod(gen,"sha256");

    // Set the KeyInfoId before adding references..
    CkXmlDSigGen_putKeyInfoId(gen,"KS9fe8096e-2cac-415d-9222-f6cf2ecb314b");

    // Create an Object to be added to the Signature.
    object1 = CkXml_Create();
    CkXml_putTag(object1,"es:SignatureProfile");
    CkXml_AddAttribute(object1,"Id","PS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_AddAttribute(object1,"OBJREF","Object0");
    CkXml_AddAttribute(object1,"SIGREF","S9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_AddAttribute(object1,"SIGREFLIST","#Object0 #PS9fe8096e-2cac-415d-9222-f6cf2ecb314b #PObject0 #XS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_UpdateChildContent(object1,"es:SignerName","EC Minsített-Tesztel Péterke");
    CkXml_UpdateChildContent(object1,"es:SDPresented","false");
    CkXml_UpdateChildContent(object1,"es:Type","signature");
    CkXml_UpdateAttrAt(object1,"es:Generator|es:Program",TRUE,"name","e-Szigno");
    CkXml_UpdateAttrAt(object1,"es:Generator|es:Program",TRUE,"version","3.3.6.8");
    CkXml_UpdateAttrAt(object1,"es:Generator|es:Device",TRUE,"name","OpenSSL 1.1.1n  15 Mar 2022");
    CkXml_UpdateAttrAt(object1,"es:Generator|es:Device",TRUE,"type","");

    CkXmlDSigGen_AddObject(gen,"O1S9fe8096e-2cac-415d-9222-f6cf2ecb314b",CkXml_getXml(object1),"","");

    // Create an Object to be added to the Signature.
    object2 = CkXml_Create();
    CkXml_putTag(object2,"QualifyingProperties");
    CkXml_AddAttribute(object2,"Target","#S9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_AddAttribute(object2,"Id","QPS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_UpdateAttrAt(object2,"SignedProperties",TRUE,"Id","XS9fe8096e-2cac-415d-9222-f6cf2ecb314b");
    CkXml_UpdateChildContent(object2,"SignedProperties|SignedSignatureProperties|SigningTime","TO BE GENERATED BY CHILKAT");
    CkXml_UpdateAttrAt(object2,"SignedProperties|SignedSignatureProperties|SigningCertificateV2|Cert|CertDigest|ds:DigestMethod",TRUE,"Algorithm","http://www.w3.org/2001/04/xmlenc#sha256");
    CkXml_UpdateChildContent(object2,"SignedProperties|SignedSignatureProperties|SigningCertificateV2|Cert|CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT");
    CkXml_UpdateChildContent(object2,"SignedProperties|SignedSignatureProperties|SigningCertificateV2|Cert|IssuerSerialV2","TO BE GENERATED BY CHILKAT");
    CkXml_UpdateChildContent(object2,"SignedProperties|SignedSignatureProperties|SignaturePolicyIdentifier|SignaturePolicyImplied","");
    CkXml_UpdateChildContent(object2,"SignedProperties|SignedSignatureProperties|SignerRoleV2|ClaimedRoles|ClaimedRole","tesztel");

    // Here we have the EncapsulatedTimestamp found in the unsigned signature properties.
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|SignatureTimeStamp",TRUE,"Id","T72cb4961-4326-4319-857a-7cf55e7ef899");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|SignatureTimeStamp|ds:CanonicalizationMethod",TRUE,"Algorithm","http://www.w3.org/2001/10/xml-exc-c14n#");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|SignatureTimeStamp|EncapsulatedTimeStamp",TRUE,"Id","ET72cb4961-4326-4319-857a-7cf55e7ef899");
    CkXml_UpdateChildContent(object2,"UnsignedProperties|UnsignedSignatureProperties|SignatureTimeStamp|EncapsulatedTimeStamp","TO BE GENERATED BY CHILKAT");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|TimeStampValidationData",TRUE,"xmlns","http://uri.etsi.org/01903/v1.4.1#");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|CertificateValues",TRUE,"Id","CV18c7702d-d45b-44bc-853a-a720f41053cd");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|CertificateValues|EncapsulatedX509Certificate",TRUE,"Id","EC42db04c8-1422-407b-8c42-189353a55268");
    CkXml_UpdateChildContent(object2,"UnsignedProperties|UnsignedSignatureProperties|CertificateValues|EncapsulatedX509Certificate","BASE64_CONTENT");
    CkXml_UpdateAttrAt(object2,"UnsignedProperties|UnsignedSignatureProperties|CertificateValues|EncapsulatedX509Certificate[1]",TRUE,"Id","EC04728b44-a32c-46c1-b9bb-85b1f6b3c7d3");
    CkXml_UpdateChildContent(object2,"UnsignedProperties|UnsignedSignatureProperties|CertificateValues|EncapsulatedX509Certificate[1]","BASE64_CONTENT");

    CkXmlDSigGen_AddObject(gen,"O2S9fe8096e-2cac-415d-9222-f6cf2ecb314b",CkXml_getXml(object2),"","");

    // -------- Reference 1 --------
    CkXmlDSigGen_AddSameDocRef(gen,"Object0","sha256","EXCL_C14N","","");
    CkXmlDSigGen_SetRefIdAttr(gen,"Object0","Re1f816c4-7898-4544-9b41-f4156dc0c528");

    // -------- Reference 2 --------
    CkXmlDSigGen_AddObjectRef(gen,"PS9fe8096e-2cac-415d-9222-f6cf2ecb314b","sha256","EXCL_C14N","","");
    CkXmlDSigGen_SetRefIdAttr(gen,"PS9fe8096e-2cac-415d-9222-f6cf2ecb314b","Ra873b616-e568-4c38-ae94-27fbff67cc43");

    // -------- Reference 3 --------
    CkXmlDSigGen_AddSameDocRef(gen,"PObject0","sha256","EXCL_C14N","","");
    CkXmlDSigGen_SetRefIdAttr(gen,"PObject0","Ra5d85948-5d6a-4914-8c32-242f5d6d9e81");

    // -------- Reference 4 --------
    CkXmlDSigGen_AddObjectRef(gen,"XS9fe8096e-2cac-415d-9222-f6cf2ecb314b","sha256","EXCL_C14N","","http://uri.etsi.org/01903#SignedProperties");
    CkXmlDSigGen_SetRefIdAttr(gen,"XS9fe8096e-2cac-415d-9222-f6cf2ecb314b","Ra7412a43-dc05-4e0a-ac84-e9a070214757");

    // Provide a certificate + private key. (PFX password is test123)
    cert = CkCert_Create();
    success = CkCert_LoadPfxFile(cert,"qa_data/pfx/cert_test123.pfx","test123");
    if (success != TRUE) {
        printf("%s\n",CkCert_lastErrorText(cert));
        CkXml_Dispose(xmlToSign);
        CkXmlDSigGen_Dispose(gen);
        CkXml_Dispose(object1);
        CkXml_Dispose(object2);
        CkCert_Dispose(cert);
        return;
    }

    CkXmlDSigGen_SetX509Cert(gen,cert,TRUE);

    CkXmlDSigGen_putKeyInfoType(gen,"X509Data");
    CkXmlDSigGen_putX509Type(gen,"Certificate");

    // -------------------------------------------------------------------------------------------
    // To have the EncapsulatedTimeStamp automatically added, we only need to do 2 things.
    // 1) Add the <xades:EncapsulatedTimeStamp Encoding="http://uri.etsi.org/01903/v1.2.2#DER">TO BE GENERATED BY CHILKAT</xades:EncapsulatedTimeStamp>
    //    to the unsigned properties.
    // 2) Specify the TSA URL (Timestamping Authority URL).
    //    Here we specify the TSA URL:
    // -------------------------------------------------------------------------------------------

    jsonTsa = CkJsonObject_Create();
    CkJsonObject_UpdateString(jsonTsa,"timestampToken.tsaUrl","http://timestamp.digicert.com");
    CkJsonObject_UpdateBool(jsonTsa,"timestampToken.requestTsaCert",TRUE);
    CkXmlDSigGen_SetTsa(gen,jsonTsa);

    // Load XML to be signed...
    sbXml = CkStringBuilder_Create();
    CkXml_GetXmlSb(xmlToSign,sbXml);

    CkXmlDSigGen_putBehaviors(gen,"IndentedSignature,OmitAlreadyDefinedSigNamespace");

    // Sign the XML...
    success = CkXmlDSigGen_CreateXmlDSigSb(gen,sbXml);
    if (success != TRUE) {
        printf("%s\n",CkXmlDSigGen_lastErrorText(gen));
        CkXml_Dispose(xmlToSign);
        CkXmlDSigGen_Dispose(gen);
        CkXml_Dispose(object1);
        CkXml_Dispose(object2);
        CkCert_Dispose(cert);
        CkJsonObject_Dispose(jsonTsa);
        CkStringBuilder_Dispose(sbXml);
        return;
    }

    // -----------------------------------------------

    // Save the signed XML to a file.
    success = CkStringBuilder_WriteFile(sbXml,"c:/temp/qa_output/signedXml.xml","utf-8",FALSE);

    printf("%s\n",CkStringBuilder_getAsString(sbXml));

    // ----------------------------------------
    // Verify the signatures we just produced...
    verifier = CkXmlDSig_Create();
    success = CkXmlDSig_LoadSignatureSb(verifier,sbXml);
    if (success != TRUE) {
        printf("%s\n",CkXmlDSig_lastErrorText(verifier));
        CkXml_Dispose(xmlToSign);
        CkXmlDSigGen_Dispose(gen);
        CkXml_Dispose(object1);
        CkXml_Dispose(object2);
        CkCert_Dispose(cert);
        CkJsonObject_Dispose(jsonTsa);
        CkStringBuilder_Dispose(sbXml);
        CkXmlDSig_Dispose(verifier);
        return;
    }

    numSigs = CkXmlDSig_getNumSignatures(verifier);
    verifyIdx = 0;
    while (verifyIdx < numSigs) {
        CkXmlDSig_putSelector(verifier,verifyIdx);
        verified = CkXmlDSig_VerifySignature(verifier,TRUE);
        if (verified != TRUE) {
            printf("%s\n",CkXmlDSig_lastErrorText(verifier));
            CkXml_Dispose(xmlToSign);
            CkXmlDSigGen_Dispose(gen);
            CkXml_Dispose(object1);
            CkXml_Dispose(object2);
            CkCert_Dispose(cert);
            CkJsonObject_Dispose(jsonTsa);
            CkStringBuilder_Dispose(sbXml);
            CkXmlDSig_Dispose(verifier);
            return;
        }

        verifyIdx = verifyIdx + 1;
    }

    printf("All signatures were successfully verified.\n");


    CkXml_Dispose(xmlToSign);
    CkXmlDSigGen_Dispose(gen);
    CkXml_Dispose(object1);
    CkXml_Dispose(object2);
    CkCert_Dispose(cert);
    CkJsonObject_Dispose(jsonTsa);
    CkStringBuilder_Dispose(sbXml);
    CkXmlDSig_Dispose(verifier);

    }