(PureBasic) Create XML Signature with KeyInfo / X509Data / X509Certificate

This example demonstrates how to create an XML Digital Signature where the KeyInfo element contains an X509Data element, which in turn contains an X509Certificate element which contains the base64-encoded certificate.

Chilkat PureBasic Module Download Chilkat PureBasic Module

IncludeFile "CkBinData.pb"
IncludeFile "CkHttp.pb"
IncludeFile "CkXmlDSigGen.pb"
IncludeFile "CkPfx.pb"
IncludeFile "CkStringBuilder.pb"
IncludeFile "CkCert.pb"

Procedure ChilkatExample()

    ; This example requires the Chilkat API to have been previously unlocked.
    ; See Global Unlock Sample for sample code.

    ; To begin, we'll need a PFX containing a certificate and private key, and the SOAP XML to be signed.
    ; Chilkat provides sample data at chilkatsoft.com and chilkatdownload.com, and our first step is to download.

    ; -------------------------------------------------------------------------
    ; Step 1: Get the SOAP XML to be signed.
    ; 
    sbXml.i = CkStringBuilder::ckCreate()
    If sbXml.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    http.i = CkHttp::ckCreate()
    If http.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success.i = CkHttp::ckQuickGetSb(http,"https://www.chilkatsoft.com/exampleData/soapToSign.xml",sbXml)
    If success <> 1
        Debug CkHttp::ckLastErrorText(http)
        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        ProcedureReturn
    EndIf

    ; The SOAP XML contains this:

    ; <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    ; <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    ;     <SOAP-ENV:Header>
    ;         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1"></wsse:Security>
    ;     </SOAP-ENV:Header>
    ;     <SOAP-ENV:Body xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12" SOAP-SEC:id="Body">
    ;         <z:FooBar xmlns:z="http://example.com" />
    ;     </SOAP-ENV:Body>
    ; </SOAP-ENV:Envelope>

    ; -------------------------------------------------------------------------
    ; Step 2: Get the test certificate and private key stored in a .pfx
    ; 
    pfxData.i = CkBinData::ckCreate()
    If pfxData.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success = CkHttp::ckQuickGetBd(http,"https://chilkatdownload.com/example_data/testcertificate.pfx",pfxData)
    If success <> 1
        Debug CkHttp::ckLastErrorText(http)
        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        CkBinData::ckDispose(pfxData)
        ProcedureReturn
    EndIf

    pfx.i = CkPfx::ckCreate()
    If pfx.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    password.s = "test"
    success = CkPfx::ckLoadPfxEncoded(pfx,CkBinData::ckGetEncoded(pfxData,"base64"),"base64",password)
    If success <> 1
        Debug CkPfx::ckLastErrorText(pfx)
        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        CkBinData::ckDispose(pfxData)
        CkPfx::ckDispose(pfx)
        ProcedureReturn
    EndIf

    ; -------------------------------------------------------------------------
    ; Step 3: Get the certificate from the PFX.
    ; 
    cert.i = CkPfx::ckGetCert(pfx,0)
    If CkPfx::ckLastMethodSuccess(pfx) <> 1
        Debug CkPfx::ckLastErrorText(pfx)
        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        CkBinData::ckDispose(pfxData)
        CkPfx::ckDispose(pfx)
        ProcedureReturn
    EndIf

    ; Prepare for signing...
    gen.i = CkXmlDSigGen::ckCreate()
    If gen.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    ; Indicate where the Signature will be inserted.
    CkXmlDSigGen::setCkSigLocation(gen, "SOAP-ENV:Envelope|SOAP-ENV:Header|wsse:Security")

    ; Add a reference to the fragment of the XML to be signed.

    ; Note: "Body" refers to the XML element having an "id" equal to "Body", where "id" is case insensitive
    ; and where any namespace might qualify the attribute.  In this case, the SOAP-ENV:Body fragment is signed
    ; NOT because the tag = "Body", but because it has SOAP-SEC:id="Body"
    CkXmlDSigGen::ckAddSameDocRef(gen,"Body","sha1","EXCL_C14N","","")

    ; (You can read about the SignedInfoPrefixList in the online reference documentation.  It's optional..)
    CkXmlDSigGen::setCkSignedInfoPrefixList(gen, "wsse SOAP-ENV")

    ; Provide the private key for signing via the certificate, and indicate that
    ; we want the base64 of the certificate embedded in the KeyInfo.
    CkXmlDSigGen::setCkKeyInfoType(gen, "X509Data")
    CkXmlDSigGen::setCkX509Type(gen, "Certificate")

    ; Note: Because our certificate was loaded from a PFX which also contained the private key,
    ; Chilkat automatically knows and has the private key associated with the certificate.
    ; We set bUsePrivateKey to tell the SetX509Cert method to automatically use the private key
    ; associated with the certificate for signing.  If, for example, we obtained the certificate
    ; by loading from a .cer file, then we would not already have the associated private key.
    ; In that case, the application could explicitly load the cert's private key from some
    ; other source, such as a .key, .pem, etc. and then call gen.SetPrivateKey.
    bUsePrivateKey.i = 1
    success = CkXmlDSigGen::ckSetX509Cert(gen,cert,bUsePrivateKey)
    If success <> 1
        Debug CkXmlDSigGen::ckLastErrorText(gen)
        CkCert::ckDispose(cert)

        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        CkBinData::ckDispose(pfxData)
        CkPfx::ckDispose(pfx)
        CkXmlDSigGen::ckDispose(gen)
        ProcedureReturn
    EndIf

    CkCert::ckDispose(cert)

    ; Everything's specified.  Now create and insert the Signature
    success = CkXmlDSigGen::ckCreateXmlDSigSb(gen,sbXml)
    If success <> 1
        Debug CkXmlDSigGen::ckLastErrorText(gen)
        CkStringBuilder::ckDispose(sbXml)
        CkHttp::ckDispose(http)
        CkBinData::ckDispose(pfxData)
        CkPfx::ckDispose(pfx)
        CkXmlDSigGen::ckDispose(gen)
        ProcedureReturn
    EndIf

    ; Examine the XML with the digital signature inserted
    Debug CkStringBuilder::ckGetAsString(sbXml)

    ; Here is the actual output.  A pretty-printed version of the output is shown below, but the addition of whitespace
    ; in the XML invalidates the signature.

    ; Actual output:
    ; <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    ; <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    ;     <SOAP-ENV:Header>
    ;         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#Body"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>PIiVPpuMc1jGpWaL8ftzTOcc4gc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>dlSGYRtxv8DiGQ9THPEdPTlbwjkidCUEutVWkqhnjzKOxjl6EZPp6ibf7ogrn1QJAabo7eb/d2UjD8LXzQYB+q9OmN29dsDcg4i9hzpttjU9xt8Sc3IgdaQ+6NXStWd1AKrjNTCY52sOpIWh45uff/yjf9ynsbCo/UR8+hk6ZDCrM78YEyMj52miXzVQtSZ7f+bvWtz8iPppXXC+/zwGPAI9EPC+9uRHRRh4vzGwid+clMmh9FF/0Oe4n0G5dBZvwLPncwOMg0UxLVs63ZRdTCSku4oKReQieqNr7+hzBAKaS8NRpxMtx2XC5aR0wYMkYT9API/vYubeU0L3r4lplw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDgzCCAmugAwIBAgIBADANBgkqhkiG9w0BAQUFADBcMRUwEwYDVQQDDAxUZXN0IENvbXBhbnkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTcwOTEzMDA1NTM1WhcNMTgwOTEzMDA1NTM1WjBcMRUwEwYDVQQDDAxUZXN0IENvbXBhbnkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiWRKlx+88u4SKZnfCMraqMsfJCs6tcz3EjMYTWmRKhhUOE9pDkvZfv0mgF7pNHsTKvFRtoVnEVQaZC5TlHNOGa2QWit9YuruWjW8VSaU4s9gR1/Cg9/Zc8Z0yUEDpsaVnwuoARpVzvzoRzPmTNpMNEcQ07aBjHP7OJrwyvcdqQA1BbfDVMmRmw1d+/i8tyR3cTyzl/3TismN5nrmhGh/ZF75FFA/xDN7PbVYDPowiFnEVHiBrYh2mFTabRUnb7K4oLx+d1L5x3Az299F/HYZlBenXpJLtnCL3+HY6qsGXVbzKjlKNqbXsmlzVkChu093weN/qUvWO2883cEiXmdqxAgMBAAGjUDBOMB0GA1UdDgQWBBRsMy2bxsCKYyUYtTYz/zZbz7Le0zAfBgNVHSMEGDAWgBRsMy2bxsCKYyUYtTYz/zZbz7Le0zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBnFQ+Sc3s8y79DTsA7CvvAFeG/zvWQiu8yUM5LO1QcWeQQj29GMThqrY21dNfkynl7mZUMEeXKvwwzweFCc2odiUPHxoV1G4FEtzNaZ8Ap9jye78YQ8SB8NPQwC7ovecfSqNflT4NMAThSuxpGp8Ugf7a24LXozLzLbCRvG9sLGyRneZbfU8B43ELRLCkjzWR32N7D2pmKk4CEMiW0ScphU1JEHaimneMaTFc63hNzKpuj7+BGv4ZuvB1j/Mbmz53PGgFKnGQHPb2TIvMxyB+lML5vE0Bm8YWtP8DNyx11CCCdBdMWfeta6MjmmqcV5/YEq92c5O2Ql94tWFNLR6wQ</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></wsse:Security>
    ;     </SOAP-ENV:Header>
    ;     <SOAP-ENV:Body xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12" SOAP-SEC:id="Body">
    ;         <z:FooBar xmlns:z="http://example.com" />
    ;     </SOAP-ENV:Body>
    ; </SOAP-ENV:Envelope>

    ; ----------------------------------------------------------------
    ; Pretty-printed output (invalidates the signature)
    ; This makes it easier to see the base64 certificate contained within the KeyInfo.

    ; <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    ; <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    ;     <SOAP-ENV:Header>
    ;         <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    ;             <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    ;                 <ds:SignedInfo>
    ;                     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
    ;                         <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse SOAP-ENV" />
    ;                     </ds:CanonicalizationMethod>
    ;                     <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
    ;                     <ds:Reference URI="#Body">
    ;                         <ds:Transforms>
    ;                             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    ;                         </ds:Transforms>
    ;                         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    ;                         <ds:DigestValue>PIiVPpuMc1jGpWaL8ftzTOcc4gc=</ds:DigestValue>
    ;                     </ds:Reference>
    ;                 </ds:SignedInfo>
    ;                 <ds:SignatureValue>dlSGYRtxv8DiGQ9THPEdPTlbwjkidCUEutVWkqhnjzKOxjl6EZPp6ibf7ogrn1QJAabo7eb/d2UjD8LXzQYB+q9OmN29dsDcg4i9hzpttjU9xt8Sc3IgdaQ+6NXStWd1AKrjNTCY52sOpIWh45uff/yjf9ynsbCo/UR8+hk6ZDCrM78YEyMj52miXzVQtSZ7f+bvWtz8iPppXXC+/zwGPAI9EPC+9uRHRRh4vzGwid+clMmh9FF/0Oe4n0G5dBZvwLPncwOMg0UxLVs63ZRdTCSku4oKReQieqNr7+hzBAKaS8NRpxMtx2XC5aR0wYMkYT9API/vYubeU0L3r4lplw==</ds:SignatureValue>
    ;                 <ds:KeyInfo>
    ;                     <ds:X509Data>
    ;                         <ds:X509Certificate>MIIDgzCCAmugAwIBAgIBADANBgkqhkiG9w0BAQUFADBcMRUwEwYDVQQDDAxUZXN0IENvbXBhbnkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTcwOTEzMDA1NTM1WhcNMTgwOTEzMDA1NTM1WjBcMRUwEwYDVQQDDAxUZXN0IENvbXBhbnkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDiWRKlx+88u4SKZnfCMraqMsfJCs6tcz3EjMYTWmRKhhUOE9pDkvZfv0mgF7pNHsTKvFRtoVnEVQaZC5TlHNOGa2QWit9YuruWjW8VSaU4s9gR1/Cg9/Zc8Z0yUEDpsaVnwuoARpVzvzoRzPmTNpMNEcQ07aBjHP7OJrwyvcdqQA1BbfDVMmRmw1d+/i8tyR3cTyzl/3TismN5nrmhGh/ZF75FFA/xDN7PbVYDPowiFnEVHiBrYh2mFTabRUnb7K4oLx+d1L5x3Az299F/HYZlBenXpJLtnCL3+HY6qsGXVbzKjlKNqbXsmlzVkChu093weN/qUvWO2883cEiXmdqxAgMBAAGjUDBOMB0GA1UdDgQWBBRsMy2bxsCKYyUYtTYz/zZbz7Le0zAfBgNVHSMEGDAWgBRsMy2bxsCKYyUYtTYz/zZbz7Le0zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBnFQ+Sc3s8y79DTsA7CvvAFeG/zvWQiu8yUM5LO1QcWeQQj29GMThqrY21dNfkynl7mZUMEeXKvwwzweFCc2odiUPHxoV1G4FEtzNaZ8Ap9jye78YQ8SB8NPQwC7ovecfSqNflT4NMAThSuxpGp8Ugf7a24LXozLzLbCRvG9sLGyRneZbfU8B43ELRLCkjzWR32N7D2pmKk4CEMiW0ScphU1JEHaimneMaTFc63hNzKpuj7+BGv4ZuvB1j/Mbmz53PGgFKnGQHPb2TIvMxyB+lML5vE0Bm8YWtP8DNyx11CCCdBdMWfeta6MjmmqcV5/YEq92c5O2Ql94tWFNLR6wQ</ds:X509Certificate>
    ;                     </ds:X509Data>
    ;                 </ds:KeyInfo>
    ;             </ds:Signature>
    ;         </wsse:Security>
    ;     </SOAP-ENV:Header>
    ;     <SOAP-ENV:Body xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12" SOAP-SEC:id="Body">
    ;         <z:FooBar xmlns:z="http://example.com" />
    ;     </SOAP-ENV:Body>
    ; </SOAP-ENV:Envelope>


    CkStringBuilder::ckDispose(sbXml)
    CkHttp::ckDispose(http)
    CkBinData::ckDispose(pfxData)
    CkPfx::ckDispose(pfx)
    CkXmlDSigGen::ckDispose(gen)


    ProcedureReturn
EndProcedure