Sample code for 30+ languages & platforms
PowerShell

Signed Zip as Base64 with XAdES-BES

See more XAdES Examples

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

  1. Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
  2. Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
  3. XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

  1. Verify the signed XML.
  2. Extract the PIT-11z.zip from the signed XML.
  3. Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat PowerShell Downloads

PowerShell
Add-Type -Path "C:\chilkat\ChilkatDotNet47-x64\ChilkatDotNet47.dll"

$success = $false

# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
$sbXmlToZip = New-Object Chilkat.StringBuilder
$success = $sbXmlToZip.LoadFile("qa_data/xml/PIT-11Z.xml","utf-8")
if ($success -ne $true) {
    $("Failed to load the XML to be zipped.")
    exit
}

$zip = New-Object Chilkat.Zip

# Initialize the zip object. No file is created in this call.
# It should always return $true.
$success = $zip.NewZip("PIT-11Z.zip")

# Add the XML to be zipped.
$zip.AddSb("PIT-11Z.xml",$sbXmlToZip,"utf-8")

# Write the zip to a BinData object.
$bdZip = New-Object Chilkat.BinData
$zip.WriteBd($bdZip)
# The contents of the bdZip will be retrieved in base64 format when needed below..

$gen = New-Object Chilkat.XmlDSigGen

$gen.SigLocation = ""
$gen.SigLocationMod = 0

$gen.SigId = "Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19"
$gen.SigNamespacePrefix = "ds"
$gen.SigNamespaceUri = "http://www.w3.org/2000/09/xmldsig#"
$gen.SigValueId = "SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52"
$gen.SignedInfoId = "SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41"
$gen.SignedInfoCanonAlg = "C14N"
$gen.SignedInfoDigestMethod = "sha1"

# Set the KeyInfoId before adding references..
$gen.KeyInfoId = "KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24"

# Create an Object to be added to the Signature.
$object1 = New-Object Chilkat.Xml
$object1.Tag = "xades:QualifyingProperties"
$object1.AddAttribute("xmlns:xades","http://uri.etsi.org/01903/v1.3.2#")
$object1.AddAttribute("Id","QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43")
$object1.AddAttribute("Target","#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19")
$object1.UpdateAttrAt("xades:SignedProperties",$true,"Id","SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e")
$object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties",$true,"Id","SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a")
# Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime","TO BE GENERATED BY CHILKAT")
# Note: It may be that http://www.w3.org/2001/04/xmlenc#sha256 is needed in the following line instead of http://www.w3.org/2000/09/xmldsig#sha1
$object1.UpdateAttrAt("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestMethod",$true,"Algorithm","http://www.w3.org/2000/09/xmldsig#sha1")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestValue","TO BE GENERATED BY CHILKAT")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:IssuerSerialV2","TO BE GENERATED BY CHILKAT")
$object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties",$true,"Id","SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b")
$object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat",$true,"ObjectReference","#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description","MIME-Version: 1.0`r`nContent-Type: application/zip`r`nContent-Transfer-Encoding: binary`r`nContent-Disposition: filename="PIT-11Z.zip"")
$object1.UpdateAttrAt("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",$true,"Qualifier","OIDAsURI")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier","http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description","Opis formatu dokumentu oraz jego pelna nazwa")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference","http://www.certum.pl/OIDAsURI/signedFile.pdf")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType","application/zip")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier","http://uri.etsi.org/01903/v1.2.2#ProofOfApproval")
$object1.UpdateChildContent("xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects","")
$object1.UpdateAttrAt("xades:UnsignedProperties",$true,"Id","UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55")

# Emit XML in compact (single-line) format to avoid whitespace problems.
$object1.EmitCompact = $true
$gen.AddObject("",$object1.GetXml(),"","")

# Create an Object to be added to the Signature.
# This is where we add the base64 representation of the PIT-11Z.zip
$gen.AddObject("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",$bdZip.GetEncoded("base64"),"","http://www.w3.org/2000/09/xmldsig#base64")

# -------- Reference 1 --------
$gen.AddObjectRef("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","sha1","C14N_WithComments","","")
$gen.SetRefIdAttr("Object1_2a8df7f8-b958-40cc-83f6-edb53b837347","Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27")

# -------- Reference 2 --------
$gen.AddObjectRef("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","sha1","","","http://uri.etsi.org/01903#SignedProperties")
$gen.SetRefIdAttr("SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e","SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28")

# Provide a certificate + private key. (PFX password is test123)
$cert = New-Object Chilkat.Cert
$success = $cert.LoadPfxFile("qa_data/pfx/cert_test123.pfx","test123")
if ($success -eq $false) {
    $($cert.LastErrorText)
    exit
}

$gen.SetX509Cert($cert,$true)

$gen.KeyInfoType = "X509Data"
$gen.X509Type = "Certificate"

# This will be an enveloping signature where the Signature element
# is the XML document root, the signed data is contained within Object
# tag(s) within the Signature.
# Therefore, pass an empty sbXml to CreateXmlDsigSb.
$sbXml = New-Object Chilkat.StringBuilder

# The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
# (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
# the same XML canonicalization implementation w/ the bug.)
$gen.Behaviors = "AttributeSortingBug,CompactSignedXml"

# Sign the XML...
$success = $gen.CreateXmlDSigSb($sbXml)
if ($success -eq $false) {
    $($gen.LastErrorText)
    exit
}

# -----------------------------------------------

# Save the signed XML to a file.
$success = $sbXml.WriteFile("qa_output/signedXml.xml","utf-8",$false)

$($sbXml.GetAsString())

# ----------------------------------------
# Verify the signature we just produced...
$verifier = New-Object Chilkat.XmlDSig
$success = $verifier.LoadSignatureSb($sbXml)
if ($success -eq $false) {
    $($verifier.LastErrorText)
    exit
}

$verified = $verifier.VerifySignature($true)
if ($verified -ne $true) {
    $($verifier.LastErrorText)
    exit
}

$("This signature was successfully verified.")

# ------------------------------------
# Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
$xml = New-Object Chilkat.Xml
$xml.LoadSb($sbXml,$true)

# The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
# (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
$strZipBase64 = $xml.GetChildContent("ds:Object[1]")

$bdZip.Clear()
$bdZip.AppendEncoded($strZipBase64,"base64")
if ($bdZip.NumBytes -eq 0) {
    $("Something went wrong.. we dont' have any data..")
    exit
}

$success = $zip.OpenBd($bdZip)
if ($success -eq $false) {
    $($zip.LastErrorText)
    exit
}

# Get the 1st file in the zip, which should be the PIT-11Z.xml
$entry = New-Object Chilkat.ZipEntry
$success = $zip.EntryAt(0,$entry)
if ($success -eq $false) {
    $("Zip contains no files...")
    exit
}

# Get the XML:
$origXml = $entry.UnzipToString(0,"utf-8")
$("Original XML extracted from base64 zip:")
$($origXml)