Xades countersign document - xades4j

I have an XML document which is already Xades signed. Now I want to counter sign this signature. How can I do this with Xades4j? I have searched the documentation but there is only example how to sign and countersign together.

You can use a format extender directly to add new unsigned properties to an existing signature.

Related

TimeStampToken Storage in MySQL or Oracle?

I'm getting a TimeStampToken (RFC3161) by using a java based client.
I need to store all the information included in TSTInfo in a database, MySql or Oracle.Is there any specific format to store it?
There is no specified format1 for this kind of thing.
But some obvious alternatives spring to mind:
Store the DER-encoded form as a BLOB.
Take the DER-encoded form, base-64 encoded it and store it in a CHAR(n) column.
Create a table with columns to represent each of the fields of the TSSInfo structure ... assuming that you are already decoding it.
Serialize the Java object representation using the Java serialization protocol, XML, JSON, etcetera.
and so on.
1 - Actually, according to Wikipedia, there is an encoding for ASN.1 called XER that is represented using XML.
Note that if you only store the TSTInfo, you lose the signature, which is the whole point of having an RFC3161 token. The TSTInfo without the signature proves nothing!
To preserve its evidentiary property, you really should store the entire timestamp token (which is defined as the signed CMS ContentInfo that wraps the TSTInfo).
In terms of what format to use, probably chapter 3.2 of the RFC3161 specification (https://www.rfc-editor.org/rfc/rfc3161) can be helpful (which is only a suggestion though):
3. Transports
There is no mandatory transport mechanism for TSA messages in this
document. The mechanisms described below are optional; additional
optional mechanisms may be defined in the future.
[...]
3.2. File Based Protocol
A file containing a time-stamp message MUST contain only the DER
encoding of one TSA message, i.e., there MUST be no extraneous header
or trailer information in the file. Such files can be used to
transport time stamp messages using for example, FTP.
So, I would store the DER encoded CMS ContentInfo (not of the TSTInfo) as a BLOB

API home document using json-home

I am developing a small web api in PHP and try to make it as restful as possible.
Currently i'm working on some kind of a "homepage" which should be a json represented overview of what the client can do without having to read a documentation. I discovered the json-home format (see draft-nottingham-json-home-02) what seems to be quite useful in my case. But since it's not spread that much it's hard to find examples. What I don't understand is what the "href-vars" - attribute is (see 4.1. Resolving Templated Links).
For example I have a route /api/documents/{id} what gives me the json representation for one single document. Obviously this is a template-link resource in json-home format, but what would be my href-vars : { id: } ?
HREF-VARS is used to specify a parameter for URL Templating.
The URI is firstly a unique identifier for the parameter. The URL could contain documentation regarding the type of the parameter.

How to stop percent encoding in HTML form submission

I am trying to give users of my website the ability to download files from Amazon S3. The URLs are digitally signed by my AWS private key on my webserver than sent to the client via AJAX and embedded in the action attribute of an html form.
The problem arises when the form is submitted. The action attribute of the form contains a url that has a digital signature. This signature often times contains + symbols which get percent-encoded. It completely invalidates the signature. How can I keep forms from percent-encoding my urls?
I (respectfully) suggest that you need to more carefully identify the precise nature of the problem, where in the process flow it breaks down, and identify precisely what it is that you actually need to fix. URLEncoding of "+" is the correct thing for the browser to do, because the literal "+" in a query string is correctly interpreted by the server as " " (space).
Your question prompted me to review code I've written that generates signed urls for S3 and my recollection was correct -- I'm changing '+' to %2B, '=' to %3D, and '/' to %2F in the signature... so that is not invalid. This is assuming we are talking about the same thing, such that the "digital signature" you mention in the question is the signature discussed here:
http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
Note the signature in the example has a urlencoded '+' in it: Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D
I will speculate that the problem you are having might not be '+' → '%2B' (which should be not only valid, but required)... but perhaps it's a double-encoding, such that you are, at some point, double-encoding it so that '+' → '%2B' → '%252B' ... with the percent sign being encoded as a literal, which would break the signature.

Using the speicifcation pattern as a validation layer?

I have only seen the specification pattern used to retrieve data, but not to validate it. A colleague suggested I can use the specification pattern to “validate” an object so it does not become invalid when saving changes.
As an example, say we have a root Customer object that has a value for Address. We can track the changes to the object and create a specification that can be sent to the unit of work to make sure the address is valid (Has a physical address, city, and state) before changes are saved.
Any thoughts about this?
Following is a good read regarding differences between a specification and a validaton
http://lostechies.com/jimmybogard/2007/10/25/specifications-versus-validators/

Download and save any web page as Unicode, using Delphi 2009?

I wish to download a web page, which may be in any possible text encoding, and save it as UTF16LE. Assuming I can determine the text's encoding (by examining the HTTP header, HTML header, and/or BOM), how do I convert the text?
I am using Delphi 2009. Unfortunately, the help files do not explain how to get from any encoding to a Unicode (UTF16LE) string. Specific questions:
Can I complete the conversion, simply by setting the correct encoding on an AnsiString and assigning that to a UnicodeString?
If so, how do I translate the various "charset" descriptions that may label the web page (Big5, Shift-JIS, UTF-32, etc) into the right format to initialize the AnsiString?
Thanks for your suggestions.
I have a preference for straight Win32 and VCL, but answers involving ActiveX controls may also be helpful.
how are you going to access the page? Embedded Internet Explorer, INDY, third party tool, ...? That might influence the answer because it determines the format of the input string.
Part 1: Getting the page
If you use the Embedded Internet Explorer (TWebBrowser) to access the page things are pretty straightforward:
var htmlElement:IHTMLElement;
myText:String;
begin
// Get access to the HTML element of the document:
htmlElement:=(WebBrowserControl.DefaultInterface.Document as IHTMLDocument3).documentElement;
// Receive the full HTML of the web page:
myText:=htmlElement.OuterHTML;
The encoding of the web page should be handled properly by the IE and by Delphi and you end up with a UnicodeString containing the result (myText in the examples).
Part 2: Saving in UTF-16LE
Regardless where your string came from - you can save it like this in the desired encoding:
var s:TStringStream;
begin
s:=TStringStream.Create(myText, TEncoding.Unicode, false);
s.SaveToFile('yourFileToSaveTo.txt');
FreeAndNil(s);
end;
TEncoding.Unicode is UTF-16LE, but you could also use any other encoding.
Hope this helps.
In D2009 and later, Indy 10's TIdHTTP component automatically decodes a received webpage to UTF-16 for you.
Doing a charset-to-Unicode conversion on Windows requires the use of codepages (unless you use the ICONV library), so you have to first convert a charset name to a suitable codepage, and then you can use TEncoding.GetEncoding() and TEncoding.GetString(), or call SetCodePage() on a RawByteString (not an AnsiString) that you then assign to a UnicodeString, to do the conversion (internally, Indy uses TEncoding and has its own charset-to-codepage lookup tables).