Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

XAdES using TSA Requiring Client Certificate

See more XML Digital Signatures Examples

Demonstrates how to create an XMLDSig (XAdES) signed document which includes an EncapsulatedTimestamp using a TSA (TimeStamp Authority) server requiring client certificate authentication. One such TSA is https://www3.postsignum.cz/TSS/TSS_crt/

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.XmlDSigGen,
  Chilkat.StringBuilder,
  Chilkat.JsonObject,
  Chilkat.Cert,
  Chilkat.Http,
  Chilkat.Xml;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  sbXml: TStringBuilder;
  gen: TXmlDSigGen;
  object1: TXml;
  cert: TCert;
  jsonTsa: TJsonObject;
  http: THttp;

begin
  success := False;

  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  success := True;

  //  Load the XML to be signed.  For example, the XML to be signed might contain something like this:

  //  <?xml version="1.0" encoding="utf-8"?>
  //  <TransakcniLogSystemu xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://nsess.public.cz/erms_trans/v_01_01" Id="Signature1">
  //    <TransLogInfo>
  //      <Identifikator>XYZ ABC</Identifikator>
  //      <DatumVzniku>2022-12-20T14:39:02.3625922+01:00</DatumVzniku>
  //      <DatumCasOd>2022-12-20T14:26:26.88</DatumCasOd>
  //      <DatumCasDo>2022-12-20T14:39:02.287</DatumCasDo>
  //      <Software>XYZ</Software>
  //      <VerzeSoftware>2.0.19.32</VerzeSoftware>
  //    </TransLogInfo>
  //    <Udalosti>
  //      <Udalost>
  //        <Poradi>1</Poradi>
  //  ...

  //  Load the XML to be signed from a file.
  //  (XML can be loaded from other source, such as a string variable.)
  sbXml := TStringBuilder.Create;
  success := sbXml.LoadFile('xmlToSign.xml','utf-8');

  gen := TXmlDSigGen.Create;

  gen.SigLocation := 'TransakcniLogSystemu';
  gen.SigLocationMod := 0;
  gen.SigId := 'SignatureID-Signature1';
  gen.SigNamespacePrefix := 'ds';
  gen.SigNamespaceUri := 'http://www.w3.org/2000/09/xmldsig#';
  gen.SignedInfoCanonAlg := 'C14N';
  gen.SignedInfoDigestMethod := 'sha256';

  //  Set the KeyInfoId before adding references..
  gen.KeyInfoId := 'KeyInfoId-Signature-Signature1';

  //  Create an Object to be added to the Signature.

  //  Note: Chilkat will automatically fill in the values marked as "TO BE GENERATED BY CHILKAT" at the time of signing.
  //  The EncapsulatedTimestamp will be automatically generated.

  object1 := TXml.Create;
  object1.Tag := 'xades:QualifyingProperties';
  object1.AddAttribute('xmlns:xades','http://uri.etsi.org/01903/v1.3.2#');
  object1.AddAttribute('Target','#Signature1');

  object1.UpdateAttrAt('xades:SignedProperties',True,'Id','SignedProperties-Signature-Signature1');
  object1.UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime','TO BE GENERATED BY CHILKAT');
  object1.UpdateAttrAt('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestMethod',True,'Algorithm','http://www.w3.org/2001/04/xmlenc#sha256');
  object1.UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestValue','TO BE GENERATED BY CHILKAT');
  object1.UpdateChildContent('xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:IssuerSerialV2','TO BE GENERATED BY CHILKAT');

  //  The EncapsulatedTimestamp will be included in the unsigned properties.
  object1.UpdateAttrAt('xades:UnsignedProperties|xades:UnsignedSignatureProperties|xades:SignatureTimeStamp',True,'Id','signature-timestamp-5561-8212-3316-5191');
  object1.UpdateAttrAt('xades:UnsignedProperties|xades:UnsignedSignatureProperties|xades:SignatureTimeStamp|ds:CanonicalizationMethod',True,'Algorithm','http://www.w3.org/2001/10/xml-exc-c14n#');
  object1.UpdateAttrAt('xades:UnsignedProperties|xades:UnsignedSignatureProperties|xades:SignatureTimeStamp|xades:EncapsulatedTimeStamp',True,'Encoding','http://uri.etsi.org/01903/v1.2.2#DER');
  object1.UpdateChildContent('xades:UnsignedProperties|xades:UnsignedSignatureProperties|xades:SignatureTimeStamp|xades:EncapsulatedTimeStamp','TO BE GENERATED BY CHILKAT');

  gen.AddObject('XadesObjectId-Signature1',object1.GetXml(),'','');

  //  -------- Reference 1 --------
  gen.AddObjectRef('SignedProperties-Signature-Signature1','sha256','EXCL_C14N','','http://uri.etsi.org/01903#SignedProperties');

  //  -------- Reference 2 --------
  gen.AddSameDocRef('KeyInfoId-Signature-Signature1','sha256','EXCL_C14N','','');
  gen.SetRefIdAttr('KeyInfoId-Signature-Signature1','ReferenceKeyInfo');

  //  -------- Reference 3 --------
  gen.AddSameDocRef('','sha256','EXCL_C14N','','');
  gen.SetRefIdAttr('','Reference-Signature1');

  //  Provide a certificate + private key. (PFX password is test123)
  cert := TCert.Create;
  success := cert.LoadPfxFile('qa_data/pfx/cert_test123.pfx','test123');
  if (success <> True) then
    begin
      WriteLn(cert.LastErrorText);
      Exit;
    end;
  gen.SetX509Cert(cert,True);

  gen.KeyInfoType := 'X509Data';
  gen.X509Type := 'Certificate';

  gen.Behaviors := 'IndentedSignature';

  //  -------------------------------------------------------------------------------------------
  //  To have the EncapsulatedTimeStamp automatically added... 
  //  1) Add the <xades:EncapsulatedTimeStamp Encoding="http://uri.etsi.org/01903/v1.2.2#DER">TO BE GENERATED BY CHILKAT</xades:EncapsulatedTimeStamp>
  //     to the unsigned properties.  (This was accomplished in the above code.)
  //  2) Specify the TSA URL (Timestamping Authority URL).
  //     Here we specify the TSA URL:
  //  -------------------------------------------------------------------------------------------

  jsonTsa := TJsonObject.Create;
  jsonTsa.UpdateString('timestampToken.tsaUrl','https://www3.postsignum.cz/TSS/TSS_crt/');
  jsonTsa.UpdateBool('timestampToken.requestTsaCert',True);
  gen.SetTsa(jsonTsa);

  //  -------------------------------------------------------------------------------------------
  //  In this case, the TSA requires client certificate authentication.
  //  To provide your client certificate, the application will instantiate a Chilkat HTTP object,
  //  then set it up with a SSL/TLS client certificate, and then tell the XmlDSigGen object
  //  to use the HTTP object for connections to the TSA server.
  //  -------------------------------------------------------------------------------------------
  http := THttp.Create;
  success := http.SetSslClientCertPfx('/home/bob/pfxFiles/myClientSideCertWithPrivateKey.pfx','pfxPassword');
  if (success <> True) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  //  Tell the XmlDSigGen object to use the above HTTP object for TSA communications.
  gen.SetHttpObj(http);

  //  Sign the XML...
  success := gen.CreateXmlDSigSb(sbXml);
  if (success <> True) then
    begin
      WriteLn(gen.LastErrorText);
      Exit;
    end;
  //  -----------------------------------------------

  //  Save the signed XML to a file.
  success := sbXml.WriteFile('c:/temp/qa_output/signedXml.xml','utf-8',False);

  WriteLn(sbXml.GetAsString());


  sbXml.Free;
  gen.Free;
  object1.Free;
  cert.Free;
  jsonTsa.Free;
  http.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.