Question

I have tried to find some complete examples in Delphi of how to sign a piece of data using the Microsoft CryptoAPI. Online I find mostly snippets and pseudo-code, but no concrete examples of how to do this.

From what I understand, having spent a day hunting for code and info, you can create a hash of a document/file based on a public key (either if you self-generate a pair, or provided by a certificate on the keychain). This hash is then encoded into the encrypted output file (container section) and can be verified and decoded by the receiver holding the private key.

If a Delphi example doesn't exist, are there any free command-line programs I can use to sign a file/document?

I have found code for MD5/SHA1 hashing and also one that encrypts a file using a password string (deriving a hash from a keypair generated on the fly). But sadly no signing of a stream or a file. The closest match on Google is an older product by Turbopower (LockBox) but I have no idea if the generated output is compatible with MS cryptoAPI (?)

Update: This is something along the lines of what I am looking for, but written in C: http://blogs.msdn.com/b/alejacma/archive/2008/01/23/how-to-sign-and-verify-with-cryptoapi-and-a-user-certificate.aspx

Also, when you downgrade a question - be good enough to describe why you do so. It is a perfectly valid question for Delphi regarding something you face in larger, corporate applications.


Solution

I know it's bad form to actually answer your own question, but since there seem to be little "hands on" examples for this under Delphi, I decided to post what I found here to help others.

Security, certificates and signatures are a massive and complex topic which requires serious study, so forgive me for the simplicity of this post. It is only meant to point people in the right direction.

Signing XML, what does it mean?

In very simple, hands-on terms this is what happens:

  • You generate a HASH of your XML document (MD5 for instance, or SHA1)
  • You encrypt this HASH using the private key, either generated by yourself or provided/derived by your certificate
  • A new XML node (DSIG signature) is inserted into the document which contains the encrypted hash (and more)

In order to verify that an XML document has not been tampered with, the reader must use the public key to decode the HASH value. So the reader-software must generate a hash of the same document (minus the appended XML) and compare that to the (decrypted) value embedded in the document. If these match, then we know the document is intact. And it will only match if you use a valid key to decrypt the appended hash.

Since this is tedious work (and it includes quite a few steps, like looking up providers in the keystore [in my case] and much, much more) I ended up buying ready-made VCL components from ELDOS (SecureBlackBox) which saved me a lot of time.

External references
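The three steps above (hash the document, sign the hash with the private key, embed the signature as a new element) and the matching verification (strip the element, re-hash, check with the public key) as an added, runnable example. This is not code from the original answer and it is not Delphi/CryptoAPI: it uses Go's standard library (crypto/rsa, crypto/sha256) so the flow can be run offline, and the `Signature` element format, the `invoice` sample document, and the function names `NewKeyPair`, `Sign` and `Verify` are all constructed for illustration. It deliberately does not do XML canonicalization, so it is the "hash the raw bytes" version of the process, not a standards-conformant XML-DSig implementation.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"log"
)

// Hypothetical signature element; real XML-DSig uses a richer <Signature> structure.
const (
	sigOpen  = `<Signature Algorithm="RSA-SHA256">`
	sigClose = `</Signature>`
)

// Constructed sample document (not from the original post).
var sampleXML = []byte(`<?xml version="1.0"?>
<invoice id="42">
  <amount currency="EUR">1250.00</amount>
  <payee>ACME Ltd</payee>
</invoice>
`)

// NewKeyPair generates a fresh 2048-bit RSA key pair. With CryptoAPI this role
// is played by the key behind a certificate in the key store.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// hashDocument is step 1: a fixed-length digest of the exact document bytes.
func hashDocument(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// Sign is steps 2 and 3: sign the digest with the private key (PKCS#1 v1.5)
// and insert the base64 signature as a new element before the closing root tag.
func Sign(doc []byte, priv *rsa.PrivateKey) ([]byte, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashDocument(doc))
	if err != nil {
		return nil, err
	}
	// The closing root tag is the last "</" in the document.
	idx := bytes.LastIndex(doc, []byte("</"))
	if idx < 0 {
		return nil, errors.New("no closing element found")
	}
	elem := sigOpen + base64.StdEncoding.EncodeToString(sig) + sigClose + "\n"
	out := make([]byte, 0, len(doc)+len(elem))
	out = append(out, doc[:idx]...)
	out = append(out, elem...)
	out = append(out, doc[idx:]...)
	return out, nil
}

// Verify removes the signature element, re-hashes what remains and checks the
// signature with the public key. Any change to the covered bytes, or a
// signature made with a different key, fails the check.
func Verify(signed []byte, pub *rsa.PublicKey) error {
	start := bytes.Index(signed, []byte(sigOpen))
	if start < 0 {
		return errors.New("document is not signed")
	}
	end := bytes.Index(signed[start:], []byte(sigClose))
	if end < 0 {
		return errors.New("malformed signature element")
	}
	end += start + len(sigClose) // absolute offset just past </Signature>
	sig, err := base64.StdEncoding.DecodeString(string(signed[start+len(sigOpen) : end-len(sigClose)]))
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	// Strip the element (and the newline Sign appended to it) to recover the signed bytes.
	tail := signed[end:]
	if len(tail) > 0 && tail[0] == '\n' {
		tail = tail[1:]
	}
	rest := append(append([]byte{}, signed[:start]...), tail...)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashDocument(rest), sig)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	signed, err := Sign(sampleXML, priv)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(string(signed))
	fmt.Println("verify original:", Verify(signed, &priv.PublicKey)) // <nil>
	tampered := bytes.Replace(signed, []byte("1250.00"), []byte("9250.00"), 1)
	fmt.Println("verify tampered:", Verify(tampered, &priv.PublicKey)) // verification error
}
```

The verifier here never needs the private key, which is the point of the scheme: the recipient only holds the public key and can still tell whether the bytes it hashed are the bytes the signer hashed. Because the hash is over raw bytes, even a whitespace change in the document invalidates the signature; that is what canonicalization in real XML-DSig exists to handle, and it is also the part that most of the extra CryptoAPI plumbing the answer mentions is concerned with.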

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow