Sample code for 30+ languages & platforms
Unicode C

Signed Zip as Base64 with XAdES-BES

See more XAdES Examples

This example is to help companies implement a solution for sending XAdES-BES to the Polish government for reporting purposes. Specifically:

Przed podpisaniem deklaracja zbiorcza (PIT-11Z, PIT-8CZ, PIT-40Z, PIT-RZ) musi zostać
umieszczona w archiwum ZIP. W tym przypadku, podpisywany jest plik archiwum ZIP,
przyjmujący w podpisie XAdES-BES formę zakodowaną base64.

The example demonstrates the following:

  1. Zip an XML file (PIT-11Z.xml is zipped to PIT-11Z.zip)
  2. Create XML to be signed, where the XML contains the base64 encoded content of the PIT-11Z.zip archive.
  3. XAdES-BES sign the XML containing the base64 zip.

This example will also show the reverse:

  1. Verify the signed XML.
  2. Extract the PIT-11z.zip from the signed XML.
  3. Unzip the PIT-11Z.zip to get the original PIT-11Z.xml

Chilkat Unicode C Downloads

Unicode C
#include <C_CkStringBuilderW.h>
#include <C_CkZipW.h>
#include <C_CkBinDataW.h>
#include <C_CkXmlDSigGenW.h>
#include <C_CkXmlW.h>
#include <C_CkCertW.h>
#include <C_CkXmlDSigW.h>
#include <C_CkZipEntryW.h>

void ChilkatSample(void)
    {
    BOOL success;
    HCkStringBuilderW sbXmlToZip;
    HCkZipW zip;
    HCkBinDataW bdZip;
    HCkXmlDSigGenW gen;
    HCkXmlW object1;
    HCkCertW cert;
    HCkStringBuilderW sbXml;
    HCkXmlDSigW verifier;
    BOOL verified;
    HCkXmlW xml;
    const wchar_t *strZipBase64;
    HCkZipEntryW entry;
    const wchar_t *origXml;

    success = FALSE;

    // This example assumes the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // Zip the PIT-11Z.xml to create PIT-11Z.zip (not as a .zip file, but in-memory).
    sbXmlToZip = CkStringBuilderW_Create();
    success = CkStringBuilderW_LoadFile(sbXmlToZip,L"qa_data/xml/PIT-11Z.xml",L"utf-8");
    if (success != TRUE) {
        wprintf(L"Failed to load the XML to be zipped.\n");
        CkStringBuilderW_Dispose(sbXmlToZip);
        return;
    }

    zip = CkZipW_Create();

    // Initialize the zip object. No file is created in this call.
    // It should always return TRUE.
    success = CkZipW_NewZip(zip,L"PIT-11Z.zip");

    // Add the XML to be zipped.
    CkZipW_AddSb(zip,L"PIT-11Z.xml",sbXmlToZip,L"utf-8");

    // Write the zip to a BinData object.
    bdZip = CkBinDataW_Create();
    CkZipW_WriteBd(zip,bdZip);
    // The contents of the bdZip will be retrieved in base64 format when needed below..

    gen = CkXmlDSigGenW_Create();

    CkXmlDSigGenW_putSigLocation(gen,L"");
    CkXmlDSigGenW_putSigLocationMod(gen,0);

    CkXmlDSigGenW_putSigId(gen,L"Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19");
    CkXmlDSigGenW_putSigNamespacePrefix(gen,L"ds");
    CkXmlDSigGenW_putSigNamespaceUri(gen,L"http://www.w3.org/2000/09/xmldsig#");
    CkXmlDSigGenW_putSigValueId(gen,L"SignatureValue_2a8df7f8-b958-40cc-83f6-edb53b837347_52");
    CkXmlDSigGenW_putSignedInfoId(gen,L"SignedInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_41");
    CkXmlDSigGenW_putSignedInfoCanonAlg(gen,L"C14N");
    CkXmlDSigGenW_putSignedInfoDigestMethod(gen,L"sha1");

    // Set the KeyInfoId before adding references..
    CkXmlDSigGenW_putKeyInfoId(gen,L"KeyInfo_2a8df7f8-b958-40cc-83f6-edb53b837347_24");

    // Create an Object to be added to the Signature.
    object1 = CkXmlW_Create();
    CkXmlW_putTag(object1,L"xades:QualifyingProperties");
    CkXmlW_AddAttribute(object1,L"xmlns:xades",L"http://uri.etsi.org/01903/v1.3.2#");
    CkXmlW_AddAttribute(object1,L"Id",L"QualifyingProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_43");
    CkXmlW_AddAttribute(object1,L"Target",L"#Signature_2a8df7f8-b958-40cc-83f6-edb53b837347_19");
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties",TRUE,L"Id",L"SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e");
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties|xades:SignedSignatureProperties",TRUE,L"Id",L"SignedSignatureProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_0a");
    // Chilkat will replace the strings "TO BE GENERATED BY CHILKAT" with actual values when the signature is created.
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningTime",L"TO BE GENERATED BY CHILKAT");
    // Note: It may be that http://www.w3.org/2001/04/xmlenc#sha256 is needed in the following line instead of http://www.w3.org/2000/09/xmldsig#sha1
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestMethod",TRUE,L"Algorithm",L"http://www.w3.org/2000/09/xmldsig#sha1");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:CertDigest|ds:DigestValue",L"TO BE GENERATED BY CHILKAT");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedSignatureProperties|xades:SigningCertificateV2|xades:Cert|xades:IssuerSerialV2",L"TO BE GENERATED BY CHILKAT");
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties",TRUE,L"Id",L"SignedDataObjectProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4b");
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat",TRUE,L"ObjectReference",L"#Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:Description",L"MIME-Version: 1.0\r\nContent-Type: application/zip\r\nContent-Transfer-Encoding: binary\r\nContent-Disposition: filename=&quot;PIT-11Z.zip&quot;");
    CkXmlW_UpdateAttrAt(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",TRUE,L"Qualifier",L"OIDAsURI");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Identifier",L"http://www.certum.pl/OIDAsURI/signedFile/1.2.616.1.113527.3.1.1.3.1");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:Description",L"Opis formatu dokumentu oraz jego pelna nazwa");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:ObjectIdentifier|xades:DocumentationReferences|xades:DocumentationReference",L"http://www.certum.pl/OIDAsURI/signedFile.pdf");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:DataObjectFormat|xades:MimeType",L"application/zip");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:CommitmentTypeId|xades:Identifier",L"http://uri.etsi.org/01903/v1.2.2#ProofOfApproval");
    CkXmlW_UpdateChildContent(object1,L"xades:SignedProperties|xades:SignedDataObjectProperties|xades:CommitmentTypeIndication|xades:AllSignedDataObjects",L"");
    CkXmlW_UpdateAttrAt(object1,L"xades:UnsignedProperties",TRUE,L"Id",L"UnsignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_55");

    // Emit XML in compact (single-line) format to avoid whitespace problems.
    CkXmlW_putEmitCompact(object1,TRUE);
    CkXmlDSigGenW_AddObject(gen,L"",CkXmlW_getXml(object1),L"",L"");

    // Create an Object to be added to the Signature.
    // This is where we add the base64 representation of the PIT-11Z.zip
    CkXmlDSigGenW_AddObject(gen,L"Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",CkBinDataW_getEncoded(bdZip,L"base64"),L"",L"http://www.w3.org/2000/09/xmldsig#base64");

    // -------- Reference 1 --------
    CkXmlDSigGenW_AddObjectRef(gen,L"Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",L"sha1",L"C14N_WithComments",L"",L"");
    CkXmlDSigGenW_SetRefIdAttr(gen,L"Object1_2a8df7f8-b958-40cc-83f6-edb53b837347",L"Reference1_2a8df7f8-b958-40cc-83f6-edb53b837347_27");

    // -------- Reference 2 --------
    CkXmlDSigGenW_AddObjectRef(gen,L"SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e",L"sha1",L"",L"",L"http://uri.etsi.org/01903#SignedProperties");
    CkXmlDSigGenW_SetRefIdAttr(gen,L"SignedProperties_2a8df7f8-b958-40cc-83f6-edb53b837347_4e",L"SignedProperties-Reference_2a8df7f8-b958-40cc-83f6-edb53b837347_28");

    // Provide a certificate + private key. (PFX password is test123)
    cert = CkCertW_Create();
    success = CkCertW_LoadPfxFile(cert,L"qa_data/pfx/cert_test123.pfx",L"test123");
    if (success == FALSE) {
        wprintf(L"%s\n",CkCertW_lastErrorText(cert));
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        return;
    }

    CkXmlDSigGenW_SetX509Cert(gen,cert,TRUE);

    CkXmlDSigGenW_putKeyInfoType(gen,L"X509Data");
    CkXmlDSigGenW_putX509Type(gen,L"Certificate");

    // This will be an enveloping signature where the Signature element
    // is the XML document root, the signed data is contained within Object
    // tag(s) within the Signature.
    // Therefore, pass an empty sbXml to CreateXmlDsigSb.
    sbXml = CkStringBuilderW_Create();

    // The Polish government's XmlDSig implementation requires that we reproduce an attribute-sorting error.
    // (This is an error in the XML canonicalization that is not noticed when both the signature-creation code and signature-verification code use
    // the same XML canonicalization implementation w/ the bug.)
    CkXmlDSigGenW_putBehaviors(gen,L"AttributeSortingBug,CompactSignedXml");

    // Sign the XML...
    success = CkXmlDSigGenW_CreateXmlDSigSb(gen,sbXml);
    if (success == FALSE) {
        wprintf(L"%s\n",CkXmlDSigGenW_lastErrorText(gen));
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        return;
    }

    // -----------------------------------------------

    // Save the signed XML to a file.
    success = CkStringBuilderW_WriteFile(sbXml,L"qa_output/signedXml.xml",L"utf-8",FALSE);

    wprintf(L"%s\n",CkStringBuilderW_getAsString(sbXml));

    // ----------------------------------------
    // Verify the signature we just produced...
    verifier = CkXmlDSigW_Create();
    success = CkXmlDSigW_LoadSignatureSb(verifier,sbXml);
    if (success == FALSE) {
        wprintf(L"%s\n",CkXmlDSigW_lastErrorText(verifier));
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        CkXmlDSigW_Dispose(verifier);
        return;
    }

    verified = CkXmlDSigW_VerifySignature(verifier,TRUE);
    if (verified != TRUE) {
        wprintf(L"%s\n",CkXmlDSigW_lastErrorText(verifier));
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        CkXmlDSigW_Dispose(verifier);
        return;
    }

    wprintf(L"This signature was successfully verified.\n");

    // ------------------------------------
    // Finally, let's extract the .zip from the signed XML, and then unzip the original PIT-11Z.xml from the in-memory zip.
    xml = CkXmlW_Create();
    CkXmlW_LoadSb(xml,sbXml,TRUE);

    // The base64 image of the PIT-11Z.zip is in the 2nd ds:Object child of the ds:Signature (the ds:Signature is the root element of the signed XML).
    // (ds:Object[0] would be the 1st ds:Object child.  Index 1 is the 2nd ds:Object child.)
    strZipBase64 = CkXmlW_getChildContent(xml,L"ds:Object[1]");

    CkBinDataW_Clear(bdZip);
    CkBinDataW_AppendEncoded(bdZip,strZipBase64,L"base64");
    if (CkBinDataW_getNumBytes(bdZip) == 0) {
        wprintf(L"Something went wrong.. we dont' have any data..\n");
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        CkXmlDSigW_Dispose(verifier);
        CkXmlW_Dispose(xml);
        return;
    }

    success = CkZipW_OpenBd(zip,bdZip);
    if (success == FALSE) {
        wprintf(L"%s\n",CkZipW_lastErrorText(zip));
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        CkXmlDSigW_Dispose(verifier);
        CkXmlW_Dispose(xml);
        return;
    }

    // Get the 1st file in the zip, which should be the PIT-11Z.xml
    entry = CkZipEntryW_Create();
    success = CkZipW_EntryAt(zip,0,entry);
    if (success == FALSE) {
        wprintf(L"Zip contains no files...\n");
        CkStringBuilderW_Dispose(sbXmlToZip);
        CkZipW_Dispose(zip);
        CkBinDataW_Dispose(bdZip);
        CkXmlDSigGenW_Dispose(gen);
        CkXmlW_Dispose(object1);
        CkCertW_Dispose(cert);
        CkStringBuilderW_Dispose(sbXml);
        CkXmlDSigW_Dispose(verifier);
        CkXmlW_Dispose(xml);
        CkZipEntryW_Dispose(entry);
        return;
    }

    // Get the XML:
    origXml = CkZipEntryW_unzipToString(entry,0,L"utf-8");
    wprintf(L"Original XML extracted from base64 zip:\n");
    wprintf(L"%s\n",origXml);


    CkStringBuilderW_Dispose(sbXmlToZip);
    CkZipW_Dispose(zip);
    CkBinDataW_Dispose(bdZip);
    CkXmlDSigGenW_Dispose(gen);
    CkXmlW_Dispose(object1);
    CkCertW_Dispose(cert);
    CkStringBuilderW_Dispose(sbXml);
    CkXmlDSigW_Dispose(verifier);
    CkXmlW_Dispose(xml);
    CkZipEntryW_Dispose(entry);

    }