3

I have tried to find some complete examples in Delphi of how to sign a piece of data using the Microsoft CryptoAPI. Online I find mostly snippets and pseudo-code, but no concrete examples of how to do this.

From what I understand, having spent a day hunting for code and info, you can create a hash of a document/file based on a public key (either if you self-generate a pair, or provided by a certificate on the keychain). This hash is then encoded into the encrypted output file (container section) and can be verified and decoded by the receiver holding the private key.

If a Delphi example doesnt exist, are there any free commanline programs I can use to sign a file/document?

I have found code for MD5/SHA1 hashing and also one that encrypts a file using a password string (deriving a hash from a keypar generated on the fly). But sadly no signing of a stream or a file. The closest match on google is an older product by Turbopower (LockBox) but I have no idea if the generated output is compatible with MS cryptoAPI (?)

Update: This is something along the lines of what I am looking for, but written in C: http://blogs.msdn.com/b/alejacma/archive/2008/01/23/how-to-sign-and-verify-with-cryptoapi-and-a-user-certificate.aspx

Also, when you downgrade a question - be good enough to describe why you do so. It is a perfectly valid question for Delphi regarding something you face in larger, corporate applications.

jww
  • 97,681
  • 90
  • 411
  • 885
Jon Lennart Aasenden
  • 3,920
  • 2
  • 29
  • 44
  • 2
    There is a Delphi MD5 library, `MessageDigest_5.pas`. It can take a dynamic byte array as input, so a stream could be passed if you like. The source is in `..\Soap\WsdlImporter` , even though it is omitted by mistake in some Delphi versions (XE3 for example). See [Delphi – MD5: the MessageDigest_5 unit has been there since Delphi 2007](http://wiert.me/2009/12/11/delphi-md5-the-messagedigest_5-unit-has-been-there-since-delphi-2007/). – LU RD Feb 08 '14 at 11:42
  • Or you can use the MD5 library with direct support of streams here, [`How to do one-way hashing of an ASCII string using standard functions of Delphi?`](http://stackoverflow.com/a/21638594/576719). – LU RD Feb 08 '14 at 11:56
  • 1
    I'm not very familiar with this, but did you look in here: http://sourceforge.net/projects/jedi-apilib/ Specifically, http://sourceforge.net/p/jedi-apilib/code/HEAD/tree/jwapi/trunk/Win32API/JwaWinCrypt.pas – MikeD Feb 08 '14 at 12:06
  • the command-line utility is `gpg` - see http://www.gnupg.org/. Warning - do not install the monster of Gpg4Win to sign a document, find precompiled gpg binaries for Windows instead. – kludg Feb 08 '14 at 12:07
  • Guys im not trying to hash a file and get an MD5. Im trying to sign a file that can be shipped and only decoded/verified by the certificate holder. – Jon Lennart Aasenden Feb 08 '14 at 18:43
  • I found this C example, but I was looking for a complete Delphi example: http://blogs.msdn.com/b/alejacma/archive/2008/01/23/how-to-sign-and-verify-with-cryptoapi-and-a-user-certificate.aspx – Jon Lennart Aasenden Feb 08 '14 at 18:45
  • 1
    Have you looked at MS [`SignTool`](http://msdn.microsoft.com/en-us/library/windows/desktop/aa387763(v=vs.85).aspx)? – LU RD Feb 09 '14 at 08:09
  • @MikeD: yes I have that unit, but this is a direct translation of the C api - and does not supply easy to use delphi methods. – Jon Lennart Aasenden Feb 10 '14 at 07:20

1 Answers1

4

I know it's bad form to actually answere your own question, but since there seem to be little "hands on" examples for this under Delphi, I decided to post what I found here to help others.

Security, certificates and signatures is a massive and complex topic which requires serious study, so forgive me for the simplicity of this post. It is only meant to point people in the right direction.

Signing XML, what does it mean?

In very simple, hands-on terms this is what happens:

  • You generate a HASH of your XML document (MD5 for instance, or SHA1)
  • You encrypt this HASH using the private key, either generated by yourself or provided/derived by your certificate
  • A new XML node (DSIG signature) is inserted into the document which contains the encrypted hash (and more)

In order to verify that an XML document has not been tampered with, the reader must use the public key to decode the HASH value. So the reader-software must generate a hash of the same document (minus the appended XML) and compare that to the (decrypted) value embedded in the document. If these match, then we know the document is intact. And it will only match if you use a valid key to decrypt the appended hash.

Since this is tedious work (and it includes quite a few steps, like looking up providers in the keystore [in my case] and much, much more) I ended up buying ready-made VCL components from ELDOS (SecureBlackBox) which saved me a lot of time.

External references

Jon Lennart Aasenden
  • 3,920
  • 2
  • 29
  • 44