(Lianja) Signed Zip as Base64 with XAdES-BES

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

Verify the signed XML.
Extract the PIT-11z.zip from the signed XML.
Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat Lianja Extension Download

Chilkat Lianja Extension

// This example assumes the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
loSbXmlToZip = createobject("CkStringBuilder")
llSuccess = loSbXmlToZip.LoadFile("qa_data/xml/PIT-11Z.xml","utf-8")
if (llSuccess <> .T.) then
    ? "Failed to load the XML to be zipped."
    release loSbXmlToZip
    return
endif

loZip = createobject("CkZip")

// Initialize the zip object. No file is created in this call.
// It should always return .T..
llSuccess = loZip.NewZip("PIT-11Z.zip")

// Add the XML to be zipped.
loEntry = loZip.AppendString("PIT-11Z.xml",loSbXmlToZip.GetAsString())
release loEntry

// Write the zip to a BinData object.
loBdZip = createobject("CkBinData")
loZip.WriteBd(loBdZip)
// The contents of the bdZip will be retrieved in base64 format when needed below..

loGen = createobject("CkXmlDSigGen")

loGen.SigLocation = ""
loGen.SigLocationMod = 0

loGen.SigId = "Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19"
loGen.SigNamespacePrefix = "ds"
loGen.SigNamespaceUri = "http://www.w3.org/2000/09/xmldsig#"
loGen.SigValueId = "SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52"
loGen.SignedInfoId = "SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41"
loGen.SignedInfoCanonAlg = "C14N"
loGen.SignedInfoDigestMethod = "sha1"

// Set the KeyInfoId before adding references..
loGen.KeyInfoId = "KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24"

// Create an Object to be added to the Signature.
loObject1 = createobject("CkXml")
loObject1.Tag = "xades:QualifyingProperties"
loObject1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#")
loObject1.AddAttribute("Id","QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43")
loObject1.AddAttribute("Target","#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19")
loObject1.UpdateAttrAt("xades:SignedProperties",.T.,"Id","SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e")
loObject1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties",.T.,"Id","SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a")
// Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT")
// Note: It may be that http://www.w3.org/2001/04/xmlenc#sha256 is needed in the following line instead of http://www.w3.org/2000/09/xmldsig#sha1
loObject1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestMethod",.T.,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509IssuerName","TO BE GENERATED BY CHILKAT")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificate|xades:Cert|xades:IssuerSerial|ds:X509SerialNumber","TO BE GENERATED BY CHILKAT")
loObject1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties",.T.,"Id","SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b")
loObject1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat",.T.,"ObjectReference","#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description","MIME-Version: 1.0" + Chr(13) + Chr(10) + "Content-Type: application/zip" + Chr(13) + Chr(10) + "Content-Transfer-Encoding: binary" + Chr(13) + Chr(10) + "Content-Disposition: filename=&quot;PIT-11Z.zip&quot;")
loObject1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",.T.,"Qualifier","OIDAsURI")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier","http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description","Opis formatu dokumentu oraz jego pelna nazwa")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference","http://www.certum.pl/OIDAsURI/signedFile.pdf")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType","application/zip")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier","http://uri.etsi.org/01903/v1.2.2#ProofOfApproval")
loObject1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects","")
loObject1.UpdateAttrAt("xades:UnsignedProperties",.T.,"Id","UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55")

// Emit XML in compact (single-line) format to avoid whitespace problems.
loObject1.EmitCompact = .T.
loGen.AddObject("",loObject1.GetXml(),"","")

// Create an Object to be added to the Signature.
// This is where we add the base64 representation of the PIT-11Z.zip
loGen.AddObject("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",loBdZip.GetEncoded("base64"),"","http://www.w3.org/2000/09/xmldsig#base64")

// -------- Reference 1 --------
loGen.AddObjectRef("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","sha1","C14N_WithComments","","")
loGen.SetRefIdAttr("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27")

// -------- Reference 2 --------
loGen.AddObjectRef("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","sha1","","","http://uri.etsi.org/01903#SignedProperties")
loGen.SetRefIdAttr("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28")

// Provide a certificate + private key. (PFX password is test123)
loCert = createobject("CkCert")
llSuccess = loCert.LoadPfxFile("qa_data/pfx/cert_test123.pfx","test123")
if (llSuccess <> .T.) then
    ? loCert.LastErrorText
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    return
endif

loGen.SetX509Cert(loCert,.T.)

loGen.KeyInfoType = "X509Data"
loGen.X509Type = "Certificate"

// This will be an enveloping signature where the Signature element
// is the XML document root, the signed data is contained within Object
// tag(s) within the Signature.
// Therefore, pass an empty sbXml to CreateXmlDsigSb.
loSbXml = createobject("CkStringBuilder")

// The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
// (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
// the same XML canonicalization implementation w/ the bug.)
loGen.Behaviors = "AttributeSortingBug,CompactSignedXml"

// Sign the XML...
llSuccess = loGen.CreateXmlDSigSb(loSbXml)
if (llSuccess <> .T.) then
    ? loGen.LastErrorText
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    return
endif

// -----------------------------------------------

// Save the signed XML to a file.
llSuccess = loSbXml.WriteFile("qa_output/signedXml.xml","utf-8",.F.)

? loSbXml.GetAsString()

// ----------------------------------------
// Verify the signature we just produced...
loVerifier = createobject("CkXmlDSig")
llSuccess = loVerifier.LoadSignatureSb(loSbXml)
if (llSuccess <> .T.) then
    ? loVerifier.LastErrorText
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    release loVerifier
    return
endif

llVerified = loVerifier.VerifySignature(.T.)
if (llVerified <> .T.) then
    ? loVerifier.LastErrorText
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    release loVerifier
    return
endif

? "This signature was successfully verified."

// ------------------------------------
// Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
loXml = createobject("CkXml")
loXml.LoadSb(loSbXml,.T.)

// The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
// (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
lcStrZipBase64 = loXml.GetChildContent("ds:Object[1]")

loBdZip.Clear()
loBdZip.AppendEncoded(lcStrZipBase64,"base64")
if (loBdZip.NumBytes = 0) then
    ? "Something went wrong.. we dont' have any data.."
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    release loVerifier
    release loXml
    return
endif

llSuccess = loZip.OpenBd(loBdZip)
if (llSuccess <> .T.) then
    ? loZip.LastErrorText
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    release loVerifier
    release loXml
    return
endif

// Get the 1st file in the zip, which should be the PIT-11Z.xml
loEntry = loZip.GetEntryByIndex(0)
if (loZip.LastMethodSuccess <> .T.) then
    ? "Zip contains no files..."
    release loSbXmlToZip
    release loZip
    release loBdZip
    release loGen
    release loObject1
    release loCert
    release loSbXml
    release loVerifier
    release loXml
    return
endif

// Get the XML:
lcOrigXml = loEntry.UnzipToString(0,"utf-8")
? "Original XML extracted from base64 zip:"
? lcOrigXml

release loEntry


release loSbXmlToZip
release loZip
release loBdZip
release loGen
release loObject1
release loCert
release loSbXml
release loVerifier
release loXml