Discuss this help topic in SecureBlackbox Forum

Create CAdES signature of the required level

Creation of CAdES signature of specific type (BES, T, XL, etc.) can be cumbersome due to the variety of co-existing profiles and the complexity of signing process. In SecureBlackbox, we tried to make it as simple as possible.

CAdES signing in SecureBlackbox employs TElSignedCMSMessage and TElCAdESSignatureProcessor components. The steps to be taken to generate a new signature depend on its level and profile.

  1. The first step is common to all levels/profiles. Create a new TElSignedCMSMessage object and add an empty signature to it:
    TElSignedCMSMessage msg = new TElSignedCMSMessage();
    msg.CreateNew(buf, 0, buf.Length);
    int sigIdx = msg.AddSignature(); // while sigIdx will always be 0 for new CMSes, a good practice is to use it anyway
    TElCMSSignature sig = msg.get_Signatures(sigIdx);
  2. Create an instance of TElCAdESSignatureProcessor class. This class is an add-on to general CMS classes. It knows about CAdES profiles and is capable of adding signatures compliant to them. TElCAdESSignatureProcessor is created for a particular signature, not for a CMS. You should pass your signature object to its constructor: TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);
  3. Now, call any of the Create* methods of the signature processor to create a compliant signature: processor.CreateBES(cert); Some levels may require additional components such as type T signature in the example below:
    TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
    tspClient.HTTPClient = new TElHTTPSClient();
    tspClient.URL = "http://mytsa.com/tsa";
    processor.CreateT(cert, tspClient);
    Essentially, each CreateXXX() method does exactly two things: (1) configures signature attributes as required by the relevant profile, and (2) signs the signature with the provided certificate and chain.
    Note, you can add your custom signed and/or unsigned attributes to the signature object if you need to do so (be careful not to violate the profile requirements though). This should be done before any CreateXXX() method is called.

How To articles about CAdES

Discuss this help topic in SecureBlackbox Forum