XMLDSigVerifyAgent

The XDXMLDSigVerifyAgent is used to validate an XML Digital Signature.

The following table lists and describes XDXMLDSigVerifyAgent parameters.

Parameter Name

Description

XML Digital Signature JCE Provider

JCE Provider for the XMLSignatureFactory service.

TrustStore Provider

Provider for the keystore containing the Certificate Authorities.

Certificate Store Provider

Comma-separated list of Keystore, Directory CertStore, or LDAP providers for the certificate stores that are used to complete the signer certificate chain when the signature itself carries fewer certificates than the chain needs.

PKIX Signature JCE Cryptography Provider

JCE Provider for Signature Objects created by the PKIX Certificate Path Builder.

PKIX JCE Provider

JCE Provider for PKIX services. If left blank, the default JCE provider for PKIX will be used.

Enable Certificate Revocation

If set to true, the CRLs found in the CertStore are used to check whether the signer's certificate has been revoked.

Enforce KeyUsage Extension

If set to true, verify that each certificate used for signing has the digitalSignature bit set in its KeyUsage extension. Select true or false (default) from the drop-down list.

XML Namespace Provider

Provider for the mapping between XML namespace prefixes and namespace URIs. If left blank, the XPATH expressions in the Signature Element Path and Required Signature Coverage parameters cannot use namespace prefixes.

Signature Element Path

Path to the signature XML element. If left blank, the agent will search throughout the document for an element named Signature in the namespace http://www.w3.org/2000/09/xmldsig#.

ID Attributes

Space-separated list of attributes that are treated as type ID. The value of an ID attribute can be used in a same-document reference with a URI of the form #idvalue. Each attribute declaration has the form ns:*/@ns1:attrib or @ns1:attrib, where the ns: and ns1: prefixes are optional. If prefixes are used, ns and ns1 must be declared in the XML Namespace Provider. The form @ns1:attrib means an attribute named attrib in XML namespace ns1. The form ns:*/@ns1:attrib is similar, except that the attribute must also appear on an element (of any name) in XML namespace ns. The default value is xml:id ds:*/@Id wsu:Id.

Acceptable Transforms

Space-separated list of transforms that can appear in the XML Digital Signature. Other transforms will cause a validation failure before being evaluated. If this field is left blank, all transforms are accepted.

Required Signature Coverage

An XPATH expression that returns a node set, where each node in the set must have been signed by the Signature to be considered valid.

Unsigned Attachment

Action to perform when a document contains an unsigned attachment. Select one of the following values from the drop-down list:

  • Keep Unsigned Attachment {keep} (default)
  • Remove Unsigned Attachment {remove}
  • Fail Validation {fail}

Remove Security Parent Element

If set to true, the WSSE Security parent element is removed from the document after verification succeeds.

The JCE Provider for the XMLSignatureFactory service must be set to XMLDSig to select the XML Digital Signature implementation.

The agent recovers the signer's public key from the information it finds in the KeyInfo element. First, the agent collects all the X509Certificates and X509CRLs under the X509Data element and creates a certificate store. This store, together with the configured certificate store providers, is used to complete the certificate chain. The agent then iterates through the KeyInfo content. The agent understands X509IssuerSerial, X509SubjectName and X509SKI (that is, the Subject Key Identifier). The agent also understands a wsse:SecurityTokenReference pointing to a wsse:BinarySecurityToken that holds a base64-encoded X509 certificate. The agent iterates in order of appearance and works with the first item it understands, ignoring subsequent ones. A certificate selector is created and the CertStores are queried to complete and validate the chain.

If the signature validates, the agent continues on the success edge. The xmldsig_signer special register holds the signer DN and xmldsig_signer_cn holds the Common Name found in the signer DN. If validation fails because of unsigned attachments or incomplete Required Signature Coverage, the agent follows the fail_coverage edge. If validation fails for any other reason, the agent follows the fail_verify edge. If there is no signature, the flow continues on the unsigned edge.
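As an added illustration, not iWay's code, the following Java uses the JSR 105 API that the parameters above name: it locates the Signature element by the XMLDSig namespace, registers wsu:Id as an ID-type attribute so #idvalue references resolve, rejects any transform outside an allow-list before the reference is evaluated, and takes the first X509Certificate under X509Data as the signer key, refusing it if the digitalSignature KeyUsage bit is absent. The DsigVerify class name, the wsu namespace URI and the allow-list contents are assumptions, and PKIX chain building against the trust store is left out.

```java
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.w3c.dom.*;

public class DsigVerify {
    // Assumed allow-list, playing the role of the Acceptable Transforms parameter.
    static final Set<String> OK_TRANSFORMS = new HashSet<>(Arrays.asList(
            Transform.ENVELOPED, CanonicalizationMethod.EXCLUSIVE));
    static final String WSU =   // assumed wsu namespace for the wsu:Id attribute
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // First X509Certificate under X509Data wins (the "first understood item" rule);
    // the certificate must also carry the digitalSignature KeyUsage bit.
    static final class FirstCertSelector extends KeySelector {
        public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m,
                XMLCryptoContext ctx) throws KeySelectorException {
            for (Object o : ki.getContent()) {
                if (!(o instanceof X509Data)) continue;
                for (Object c : ((X509Data) o).getContent()) {
                    if (!(c instanceof X509Certificate)) continue;
                    X509Certificate cert = (X509Certificate) c;
                    boolean[] ku = cert.getKeyUsage();      // index 0 is digitalSignature
                    if (ku != null && !ku[0]) throw new KeySelectorException("no digitalSignature KeyUsage");
                    return cert::getPublicKey;              // KeySelectorResult.getKey()
                }
            }
            throw new KeySelectorException("no X509Certificate in KeyInfo");
        }
    }
    /** Returns "success", "unsigned" or "fail_verify", named after the agent's edges. */
    public static String verify(Document doc) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return "unsigned";
        DOMValidateContext ctx = new DOMValidateContext(new FirstCertSelector(), sigs.item(0));
        NodeList all = doc.getElementsByTagNameNS("*", "*");   // register wsu:Id as type ID
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) ctx.setIdAttributeNS(e, WSU, "Id");
        }
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM", "XMLDSig").unmarshalXMLSignature(ctx);
        for (Object r : sig.getSignedInfo().getReferences())
            for (Object t : ((Reference) r).getTransforms())    // reject before evaluation
                if (!OK_TRANSFORMS.contains(((Transform) t).getAlgorithm())) return "fail_verify";
        return sig.validate(ctx) ? "success" : "fail_verify";
    }
}
```

The "XMLDSig" provider name passed to getInstance corresponds to the XMLDSig setting described above; the unsigned-attachment and coverage checks that lead to the fail_coverage edge are not modelled here.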

When the debug level is enabled, the agent logs the referenced data that was actually digested. It also logs whether core validation passed and the validation status of each individual reference.


iWay Software