Marco,

Thank you for pointer and recommendations.

XML signing has becoming imperative in many places and in many areas of business. In some cases, signing and encryption as well. Portuguese tax system requires a specific signature to be generated and included in fiscal documents (both electronically and in print), but formally it is a regular XML element. Other systems, like the National Health Service, may require proper XML signing. This is also true for other public or private business all over the world and, as far as I know, such situations have always lead VFP developers into using something else: in some cases, this would be just an integration with a specific DLL for a specific communication requirement; in others, by delegating the resolution to other languages or systems.

When I started this project Chilkat didn't have XML signing capabilities. It has it since a few months, so in this respect XMLSecurity + Chilkat may seem redundant (unless for non-up-to-date or no-bundle Chilkat licenses, and for native XML encryption, that I believe Chilkat will provide in the future, anyway). Obviously, integrating it with other components - starting with the old FFC CryptoAPI.vcx - would be a relevant development.

Being a bit short of spare time to do so, at least I'll try to improve on the project documentation. That will ease the task for anyone willing to work on such integration.


>Hi Antonio, signing xml is something VFP developers in Latam are working with from some time ago, since governments from many countries implemented electronic billing using UBL 2.0 xml signed documents.
>
>I've seen they use open SSL, Java & .net solutions to do it, so I advice you to post about it there. if you want to find testers / collaborators and experienced people working with XML signing. Don't know if Portugal uses it, I've seen Spain wanted to implement the standard.. I just find amazing the fact that many Latin American governments seems to be ahead in this area.
>
>Check this many threads on the subject:
>https://groups.google.com/forum/#!searchin/publicesvfoxpro/firmar$20xml%7Csort:date
>
>Marco
>
>
>>Dear All
>>
>>Bob wants to send an XML secret message to Alice. He takes her certificate, encrypts the document using a pair of Alice's public key and a random key, and sends the full encrypted document to her. Alice then takes her private key, decrypts the randomly generated key, and knowing this one then decrypts the rest of the document.
>>
>>They may start to use VFP for this, now.
>>
>>I've been working on the development of an XMLSecurity set of classes, as part of the VFP XML Library Set, and as a result of porting a PHP library by Rob Richards.
>>
>>The goal of these classes is to allow the creation and consumption of secure XML documents, that is, documents that are encrypted and signed according to XML standards.
>>
>>Following Rob Richards' design, there are three main class: XMLSecurityDSig for signing, XMLSecurityEnc for encryption, and XMLSecurityKey for handling key operations.
>>
>>The original PHP version extensively uses PHP openssl_* functions, and a few others. In VFP, XMLSecurityLibrary replaces these. It's an abstract class that gathers in one place all the required methods (like SignData, or Hash, or ParseX509, ...).
>>
>>This class must be subclassed to use specific cryptographic components or libraries. Since I've been using the Chilkat ActiveX RSA component since 2010, and am reasonably confident in working with it, I built a first subclass XMLSecurityLibChilkat to handle the required encrypting and hashing. Of course, this class can be replaced in a particular setup of the overall library by other classes based on other components or API - maybe CryptoAPI, CAPICOM, VFPEncryption... but currently I don't have the chance to develop versions for these.
>>
>>Although far from being thoroughly tested and developed, I've been using this part of the VFP XML Library Set in a controlled production environment and, until now, with good results. But be aware that some lines of the library did not run at all, yet.
>>
>>The full source code for the class is uploaded at VFPX, with a few examples to help understand how it works. Any feedback would be much appreciated. And if anyone finds it worthy of support and improvement, in particular providing subclasses for XMLSecurityLib using other cryptographic components would be awesome!
>>
>>References:
>>VFP XML Library Set @ https://github.com/atlopes/xml
>>Rob Richards XMLSecLibs @ https://github.com/robrichards/xmlseclibs