Sign XML Documents with Digital Signatures

This example demonstrates how to sign an XML document with a digital signature using the SOAP Message component (TclSoapMessage).

//You will need to add the following units to your uses section: clSoapSecurity, clCertificate, clCertificateStore.

SOAP.BatchSize := 8192;
SOAP.EncodingStyle := 'http://schemas.xmlsoap.org/soap/encoding/';

//The SecurityConfig property groups all security-related settings (in older versions they were top-level properties of the component).
//CSP and ProviderType are passed to CryptoAPI. ProviderType 1 is PROV_RSA_FULL; the Base provider offers SHA-1 only.
//For SHA-256 signatures use 'Microsoft Enhanced RSA and AES Cryptographic Provider' with ProviderType 24 (PROV_RSA_AES),
//provided the library and the receiving side accept them.
SOAP.SecurityConfig.CSP := 'Microsoft Base Cryptographic Provider v1.0';
SOAP.SecurityConfig.ProviderType := 1;
SOAP.SecurityConfig.IdName := 'Id';//name of the attribute that carries the element IDs referenced by the signature
SOAP.SecurityConfig.SignatureStyle := ssJava;

//Version 7.8 supported only one way of conveying certificate information: an X509 binary security token inserted into the resulting XML.
//Starting from version 9.1, the library supports several styles: X509 binary security token, certificate subject key identifier, and certificate thumbprint.
//The new version also supports multiple digital signatures, so these settings were moved to TclSoapSignatureInfo (see the Signatures collection).
//Choose the style with the KeyClassName property of TclSoapSignatureInfo; instances of this class are stored in the Signatures collection.
//As a result, the IsIncludeCertificate property was removed.
//SOAP.IsIncludeCertificate := true;
SOAP.Signatures.Add();
SOAP.Signatures[0].ID := 'your_signature_id';//in most cases, you should not leave this property empty
SOAP.Signatures[0].KeyClassName := 'TclXmlX509KeyInfo';//default: the X509 binary security token. In most cases, you can leave this property unchanged.
SOAP.Signatures[0].SignatureMethod := 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';//the default. RSA-SHA1 is deprecated for new signatures; when the receiving side and the CSP support it, prefer 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' (RFC 4051).

//A sample of using the TclSoapMessage component to create a digital signature:
SOAP.OnGetSigningCertificate := GetSigningCertificateEventHandler;//supplies the signing certificate, see the handler below
SOAP.SecurityConfig.IdName := 'Id';
SOAP.SecurityConfig.SignatureStyle := ssJava;

SOAP.BuildSoapMessage('your_xml', '');

SOAP.Signatures.Add();
SOAP.Signatures[0].ID := 'your_signature_id';
SOAP.Signatures[0].KeyReferenceID := 'your_key_reference_id';
SOAP.BodyID := 'your_enveloped_body_id';

//Optional parameters. Depending on your task, you can leave them empty.
SOAP.Addressing.AddItem('To', 'your_address_id', 'your_address_value');
SOAP.Timestamp.ID := 'your_timestamp_id';
SOAP.Timestamp.Created := 'created_str';//xsd:dateTime in UTC, e.g. 2024-01-31T12:00:00Z
SOAP.Timestamp.Expires := 'expires_str';//keep the Created..Expires window short: a conforming receiver rejects an expired message, which limits replay of a captured one

//Only referenced elements are covered by the signature; anything not listed here can be altered in transit without invalidating it.
SOAP.Signatures[0].References.Clear();
SOAP.Signatures[0].References.Add().URI := '#your_enveloped_body_id';
SOAP.Signatures[0].References.Add().URI := '#your_timestamp_id';//if you did not specify the timestamp, do not add this reference
SOAP.Signatures[0].References.Add().URI := '#your_address_id';//likewise, only if the addressing header was added

SOAP.Sign();

The event handler that supplies the signing certificate:

procedure TForm1.GetSigningCertificateEventHandler(Sender: TObject;
  AKeyInfo: TclXmlKeyInfo; var ACertificate: TclCertificate;
  AExtraCerts: TclCertificateList; var Handled: Boolean);
begin
  //Look the signing certificate up in the store by its thumbprint.
  ACertificate := CertificateStore.CertificateByThumbprint('123456...');
  //Do not report success without a certificate: fail here rather than produce a broken or unsigned message.
  if ACertificate = nil then
    raise Exception.Create('Signing certificate not found in the certificate store');
  Handled := True;
end;
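The steps above combined into one signing routine. This is an added example, not code from the library's own samples: it uses only the component properties shown on this page plus standard RTL calls (System.SysUtils, System.DateUtils). The method name SignDocument, the helper FormatWsuDateTime, the form field SOAP and the ID values are assumptions, as is the use of the RFC 4051 rsa-sha256 URI, which requires that the library and the configured CSP support SHA-256. It generates real UTC timestamps instead of placeholder strings and references every element that the receiver must be able to trust.

```delphi
uses
  System.SysUtils, System.DateUtils,
  clSoapSecurity, clCertificate, clCertificateStore;

// Formats a UTC TDateTime as the xsd:dateTime form used in wsu:Timestamp,
// e.g. 2024-01-31T12:00:00Z. Separators are quoted so locale settings cannot change them.
function FormatWsuDateTime(const AUtc: TDateTime): string;
begin
  Result := FormatDateTime('yyyy"-"mm"-"dd"T"hh":"nn":"ss"Z"', AUtc);
end;

// Assumes a TclSoapMessage named SOAP on the form and the
// GetSigningCertificateEventHandler shown above.
procedure TForm1.SignDocument(const AXml: string);
var
  NowUtc: TDateTime;
  Sig: TclSoapSignatureInfo;
begin
  SOAP.OnGetSigningCertificate := GetSigningCertificateEventHandler;
  SOAP.SecurityConfig.IdName := 'Id';
  SOAP.SecurityConfig.SignatureStyle := ssJava;

  // Build the envelope first; the Body and Timestamp must exist before they can be referenced.
  SOAP.BuildSoapMessage(AXml, '');
  SOAP.BodyID := 'Body-1';

  // Created = now, Expires = five minutes later. A short validity window limits how long a
  // captured message can be replayed (assuming the receiver enforces Expires, as WS-Security receivers do).
  NowUtc := TTimeZone.Local.ToUniversalTime(Now);
  SOAP.Timestamp.ID := 'Timestamp-1';
  SOAP.Timestamp.Created := FormatWsuDateTime(NowUtc);
  SOAP.Timestamp.Expires := FormatWsuDateTime(IncMinute(NowUtc, 5));

  // Start from an empty collection so repeated calls do not accumulate signatures
  // (Clear is the standard TCollection method, as used for References on this page).
  SOAP.Signatures.Clear();
  SOAP.Signatures.Add();
  Sig := SOAP.Signatures[0];
  Sig.ID := 'Signature-1';
  Sig.KeyReferenceID := 'KeyRef-1';
  // Assumption: the library accepts this RFC 4051 URI and the CSP supports SHA-256
  // (e.g. ProviderType 24, 'Microsoft Enhanced RSA and AES Cryptographic Provider').
  Sig.SignatureMethod := 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

  // Everything the receiver must trust has to be referenced; an unreferenced element is unsigned.
  Sig.References.Clear();
  Sig.References.Add().URI := '#' + SOAP.BodyID;
  Sig.References.Add().URI := '#' + SOAP.Timestamp.ID;

  SOAP.Sign();
end;
```

If the certificate lookup in the event handler fails, the exception raised there propagates out of SOAP.Sign(), so the caller never sends an unsigned message by mistake.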
