(Objective-C) Sign XML (XAdES) using USB Token or Smartcard on iOS iPhone

Demonstrates how to sign XML using an HSM (USB token or smart card) connected to an iPhone.

Note: This example requires Chilkat v10.0.0 or greater.

Chilkat Objective-C Library Downloads MAC OS X (Cocoa) Libs iOS Libs

#import <CkoCert.h>
#import <CkoStringBuilder.h>
#import <CkoXmlDSigGen.h>

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// When signing with a USB token or smartcard, the only coding difference is how the certificate
// gets loaded.  To load the default certificate from the connected USB token or smartcard, just call
// LoadFromSmartcard with an empty string argument.
// 
// This requires Chilkat v10.0.0 or later.
// 
// ------------------------------------------------------------------------------------------------------------------------------------------------------
// Important: In your Xcode project, you'll need to add the "com.apple.token" entitlement.
// Also, adding the com.apple.token in the "Project > Signing & Capabilities" will actually add $(AppIdentifierPrefix)com.apple.token, which does not work. 
// Edit the entitlements file directly and add only com.apple.token
// If using a Yubikey, you'll only find the certificate if it is added in the Yubikey app as Public.
// ------------------------------------------------------------------------------------------------------------------------------------------------------
CkoCert *cert = [[CkoCert alloc] init];
BOOL success = [cert LoadFromSmartcard: @""];
if (success == NO) {
    NSLog(@"%@",cert.LastErrorText);
    return;
}

// Create the XML to be signed.
CkoStringBuilder *sbXml = [[CkoStringBuilder alloc] init];

BOOL bCrlf = YES;
[sbXml AppendLine: @"<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\" ?>" crlf: bCrlf];
[sbXml AppendLine: @"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">" crlf: bCrlf];
[sbXml AppendLine: @"    <SOAP-ENV:Header>" crlf: bCrlf];
[sbXml AppendLine: @"        <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" SOAP-ENV:mustUnderstand=\"1\"></wsse:Security>" crlf: bCrlf];
[sbXml AppendLine: @"    </SOAP-ENV:Header>" crlf: bCrlf];
[sbXml AppendLine: @"    <SOAP-ENV:Body xmlns:SOAP-SEC=\"http://schemas.xmlsoap.org/soap/security/2000-12\" SOAP-SEC:id=\"Body\">" crlf: bCrlf];
[sbXml AppendLine: @"        <z:FooBar xmlns:z=\"http://example.com\" />" crlf: bCrlf];
[sbXml AppendLine: @"    </SOAP-ENV:Body>" crlf: bCrlf];
[sbXml AppendLine: @"</SOAP-ENV:Envelope>" crlf: bCrlf];

// Prepare for signing...
CkoXmlDSigGen *gen = [[CkoXmlDSigGen alloc] init];

// Indicate where the Signature will be inserted.
gen.SigLocation = @"SOAP-ENV:Envelope|SOAP-ENV:Header|wsse:Security";

// Add a reference to the fragment of the XML to be signed.

// Note: "Body" refers to the XML element having an "id" equal to "Body", where "id" is case insensitive
// and where any namespace might qualify the attribute.  In this case, the SOAP-ENV:Body fragment is signed
// NOT because the tag = "Body", but because it has SOAP-SEC:id="Body"
[gen AddSameDocRef: @"Body" digestMethod: @"sha1" canonMethod: @"EXCL_C14N" prefixList: @"" refType: @""];

// (You can read about the SignedInfoPrefixList in the online reference documentation.  It's optional..)
gen.SignedInfoPrefixList = @"wsse SOAP-ENV";

gen.KeyInfoType = @"X509Data";
gen.X509Type = @"IssuerSerial";

BOOL bUsePrivateKey = YES;
success = [gen SetX509Cert: cert usePrivateKey: bUsePrivateKey];
if (success != YES) {
    NSLog(@"%@",gen.LastErrorText);

    return;
}

// Everything's specified.  Now create and insert the Signature
success = [gen CreateXmlDSigSb: sbXml];
if (success != YES) {
    NSLog(@"%@",gen.LastErrorText);
    return;
}

// Examine the XML with the digital signature inserted
NSLog(@"%@",[sbXml GetAsString]);