XAdES Digital Signature Create Service

Syntax:

com.ibi.agents.XDXAdESCreateAgent

Description:

This service is used to generate an XML Advanced Electronic Signature. XAdES defines formats for XML Digital Signatures that remain valid over long periods and incorporate additional useful information in common use cases. XAdES was developed by the European Telecommunications Standards Institute and published in the Technical Specification ETSI TS 101 903. Individual copies of this specification can be downloaded from http://www.etsi.org. This guide assumes that the reader is familiar with the XAdES specification.

An XAdES signature is a regular XML Digital Signature with extra signed and unsigned properties. The specification is organized in a handful of signature forms that define a strictly increasing set of properties from the simplest form to the most complex one. The specification uses the term qualifying properties because they qualify the signature, the signer, all references, or specific references. A SignedDataObject is an object referenced by an XML Digital Signature Reference.

Parameters:

The following tables describe the parameters for the XAdES Digital Signature Create service. Each table is followed by a discussion of that parameter group.

Algorithms

Parameter Name

Description

XAdES Form

The signature form determines which signed and unsigned properties are added to the signature. The options are XAdES-BES (Basic Electronic Signature), XAdES-EPES (Explicit Policy Electronic Signature), XAdES-T (electronic signature with Time), XAdES-C (electronic signature with Complete validation data references).

Signature Method

Signature algorithm used to convert the canonicalized SignedInfo into the SignatureValue.

Signature Canonicalization Method

Algorithm used to canonicalize the SignedInfo element before it is digested as part of the signature operation.

Reference Digest Method

Digest algorithm applied to the data object references to yield the DigestValue.

Reference Property Digest Method

Digest algorithm applied to the qualifying properties that contain references to certificates, CRLs, and so on.

Time Stamp Canonicalization Method

Algorithm used to canonicalize the qualifying properties, when needed by a time stamp.

Time Stamp Digest Method

Digest algorithm applied to the qualifying properties that contain time stamps.

Message Digest JCE Provider

JCE Provider for the MessageDigest service.

The signature form determines which signed and unsigned properties are added to the signature. The forms are organized in a hierarchy where each form augments the previous form with more properties.

The Signature Method is the signature algorithm used to convert the canonicalized SignedInfo into the SignatureValue.

The Signature Canonicalization Method is the algorithm used to canonicalize the SignedInfo element before it is digested as part of the signature operation.

The Reference Digest Method is the algorithm used to hash the references. The same digest method will be used by all the references.

The Reference Property Digest Method is the algorithm used to hash some values in XAdES properties. For example, the CertDigest of the SigningCertificate, or the SigPolicyHash of the SignaturePolicyIdentifier.

The Time Stamp Canonicalization Method is the algorithm used to canonicalize the data for a time stamp. The Time Stamp Digest Method is the hash algorithm to reduce the data before it is signed by a time stamp. The Message Digest JCE Provider is the JCE Provider used to create the JCE MessageDigest instance.

Signature Key

Parameter Name

Description

KeyStore Provider

Provider for the keystore containing the signature private key.

Signing Key Alias

Private key alias used to sign the SignedInfo.

Signing Key Password

Password for the signing private key. If left blank, the password for accessing the keystore will be used.

The KeyStore Provider is the name of the provider that holds the private key. The Signing Key Alias and Signing Key Password are the alias and password for the private key. This key must be compatible with the signature algorithm chosen in the Signature Method parameter. The service will enforce the digitalSignature or the nonRepudiation usage if the KeyUsage extension is present in the Signing Key Certificate.

Signature Location

Parameter Name

Description

XML Namespace Provider

Provider for the mapping between XML namespace prefix and namespace URI. If left blank, the XPath expression in the Signature Parent Element cannot contain namespaces.

XPath Syntax

Determines which syntax level of XPath should be used. You can select the iWay abbreviated syntax or the XPath 1.0 full syntax. The default option selects the syntax level as set in the General Settings area of the iSM Administration Console.

Create Parent Element

Determines whether the parent element is created if it is missing. Select true or false (default) from the drop-down list.

Signature Parent Element

Path to the element where the signature will be inserted. If left blank, then the signature parent is the root element.

If the Create Parent Element parameter is set to true, then the expression must adhere to Restricted XPath syntax, otherwise the expression may adhere to the full syntax of the XPath engine selected by the XPath Syntax parameter. Restricted XPath has the form /step1/step2/... where a step has the form ns:elem[predicate] or a pair of consecutive steps that has the form *[1]/self::ns:elem[predicate] to indicate the element must be the first child of its parent. The namespace prefixes are optional, but if present they must be declared in the XML Namespace provider. The predicate is optional, but when present it has the form [@ns1:attr1='val1' and @ns2:attr2='val2' and ...]. If no element matches the Restricted XPath expression and the Create Parent Element parameter is set to true, then the necessary elements and attributes will be created, such that the expression would match successfully.

The XML Namespace Provider is optional. It is the name of the provider that gives the mapping between XML Namespace prefixes and XML Namespace URIs. The Signature Parent Element is an XPath expression pointing to the element where the ds:Signature element will be inserted. This expression cannot contain namespace prefixes if the XML Namespace Provider is left blank.

When the Create Parent Element parameter is true, the parent element will be created if needed, but the XPath expression must adhere to the Restricted XPath syntax. When the Create Parent Element parameter is false, the parent element must exist but the expression may adhere to the full syntax of the XPath engine selected by the XPath Syntax parameter.
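The Restricted XPath handling described above, as an added example written for this page (not the service's own implementation): it parses the /step1/step2/... form with ns:elem[predicate] and *[1]/self::ns:elem[predicate] steps, then either locates the signature parent or, when Create Parent Element is true, creates the missing elements together with their predicate attributes. The NSMAP dictionary stands in for the XML Namespace Provider, and the SOAP envelope in demo() is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Stand-in for the XML Namespace Provider: prefix -> namespace URI (constructed map).
NSMAP = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "app": "urn:example:app",
}

_NAME = r"[A-Za-z_][\w.-]*"
# One step: ns:elem[predicate]; the predicate is captured whole here and split below.
_STEP_RE = re.compile(rf"^(?:(?P<prefix>{_NAME}):)?(?P<local>{_NAME})(?:\[(?P<pred>.*)\])?$")
# One predicate term: @ns:attr='val' (values must not contain '/' or a single quote).
_ATTR_RE = re.compile(rf"^@(?:(?P<prefix>{_NAME}):)?(?P<local>{_NAME})='(?P<val>[^']*)'$")


def _qname(prefix, local, nsmap):
    """Expand ns:local to ElementTree's {uri}local form; undeclared prefixes are an error."""
    if prefix is None:
        return local
    if prefix not in nsmap:
        raise ValueError(f"namespace prefix {prefix!r} is not declared in the namespace map")
    return f"{{{nsmap[prefix]}}}{local}"


def parse_restricted_xpath(expr, nsmap=NSMAP):
    """Return [(element_qname, {attr_qname: value}, must_be_first_child), ...]."""
    if not expr.startswith("/"):
        raise ValueError("Restricted XPath must be absolute: /step1/step2/...")
    tokens = expr[1:].split("/")
    steps, i = [], 0
    while i < len(tokens):
        tok, first = tokens[i], False
        if tok == "*[1]":  # the pair '*[1]/self::ns:elem[...]' forms a single step
            i += 1
            if i == len(tokens) or not tokens[i].startswith("self::"):
                raise ValueError("'*[1]' must be followed by 'self::ns:elem'")
            tok, first = tokens[i][len("self::"):], True
        m = _STEP_RE.match(tok)
        if not m:
            raise ValueError(f"bad step: {tok!r}")
        attrs = {}
        if m.group("pred"):
            for term in m.group("pred").split(" and "):
                a = _ATTR_RE.match(term.strip())
                if not a:
                    raise ValueError(f"bad predicate term: {term!r}")
                attrs[_qname(a.group("prefix"), a.group("local"), nsmap)] = a.group("val")
        steps.append((_qname(m.group("prefix"), m.group("local"), nsmap), attrs, first))
        i += 1
    return steps


def _matches(el, qname, attrs):
    return el.tag == qname and all(el.get(k) == v for k, v in attrs.items())


def locate_signature_parent(root, expr, create_parent=False, nsmap=NSMAP):
    """Resolve expr against the document element.  With create_parent=True, missing
    elements (and their predicate attributes) are created so that the expression
    matches afterwards; with create_parent=False a missing element is an error."""
    steps = parse_restricted_xpath(expr, nsmap)
    qname, attrs, _ = steps[0]
    if not _matches(root, qname, attrs):
        raise LookupError("first step does not match the document element")
    cur = root
    for qname, attrs, first in steps[1:]:
        candidates = list(cur)[:1] if first else list(cur)  # *[1] means first child only
        found = next((c for c in candidates if _matches(c, qname, attrs)), None)
        if found is None:
            if not create_parent:
                raise LookupError(f"no element matches step {qname}")
            found = ET.Element(qname, attrs)
            if first:
                cur.insert(0, found)
            else:
                cur.append(found)
        cur = found
    return cur


def demo(create_parent=True):
    """Constructed SOAP envelope without a Header; the expression asks for a Header
    that is the first child of Envelope and a Security element inside it."""
    doc = ET.fromstring(
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body/></soap:Envelope>"
    )
    expr = "/soap:Envelope/*[1]/self::soap:Header/app:Security[@app:role='signer']"
    parent = locate_signature_parent(doc, expr, create_parent=create_parent)
    return parent.tag, [c.tag for c in doc], dict(parent.attrib)
```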

KeyInfo

Parameter Name

Description

Include Signing Certificate

Indicates whether the signing certificate should be included in a ds:X509Certificate element within ds:KeyInfo.

Include Public Key

Indicates whether a ds:KeyValue element containing the value of the public key should be included in ds:KeyInfo.

These parameters determine the content of the generated KeyInfo element. They can be used in any combination. If none of the parameters are used, the KeyInfo element will not appear. Since the KeyInfo is not signed in general, the digest of every certificate in the certificate chain will also appear under the SigningCertificate property. The SigningCertificate is a signed qualifying property that is always added to the XAdES signature.

The Include Signing Certificate boolean parameter determines whether the signing certificate is included in the KeyInfo element. If so, it will appear base64 encoded in a KeyInfo/X509Data/X509Certificate element.

The Include Public Key boolean parameter determines whether the public key is included in the KeyInfo element. For an RSA key, this adds a KeyInfo/KeyValue/RSAKeyValue/Modulus element encoded in base 64.

Qualifying Properties

Parameter Name

Description

All Signed Data Objects Commitment

Commitment type that applies to all the signed data objects.

All Signed Data Objects Commitment Description

The text description for the commitment type that applies to all the signed data objects. A default English description will be used if a standard commitment type is chosen and this property is left blank.

All Signed Data Objects Time Stamp

Determines whether to add a time stamp computed before the signature production, over the sequence formed by ALL the Reference elements within the SignedInfo referencing whatever the signer wants to sign except the SignedProperties element.

Sign Signing Certificate

Indicates whether the signature should cover the ds:X509Certificate element containing the signing certificate. This is only considered if Include Signing Certificate is selected.

Signing Time

Specifies the time at which the signer purportedly performed the signing process. Leave blank to use the current time.

Signer Roles

A newline separated list of the roles claimed by the signer.

TSA URL

The location of the Time Stamp Authority used to create time stamps.

These parameters define global qualifying properties of the signature, the signer or all of the references. See the reference parameters for reference specific qualifying properties.

The All Signed Data Objects Commitment identifies the type of commitment made by the signer with respect to all the references. It is possible to use custom commitment types by typing a custom ObjectIdentifier. The dropdown list contains the commitment types already defined by the XAdES Technical Specification, namely:

The All Signed Data Objects Commitment Description parameter contains a human readable description of the commitment type. Enter the text of the custom description. This property can also be left blank when a standard commitment type is chosen, and a default English description will be used. This parameter is ignored if the All Signed Data Objects Commitment parameter is unspecified.

The All Signed Data Objects Time Stamp Boolean parameter indicates whether the AllDataObjectsTimeStamp element is generated. This element contains the time stamp computed before the signature production, over the sequence formed by processing all the References except the Reference to the SignedProperties.

The Sign Signing Certificate Boolean parameter indicates whether the signature should cover the X509Certificate element containing the signing certificate. This parameter is ignored if the Include Signing Certificate parameter is false.

The Signing Time parameter specifies the time at which the signer purportedly performed the signing process. Leave this parameter blank to use the current time.

The Signer Roles parameter holds a newline separated list of the roles claimed by the signer. One possible way to enter this expression is to double-quote the list and use the \n escape sequence for the newline separator. To force the evaluation of the expression, surround the string literal with a call to the _concat function. For example _concat("buyer\nmanager"). The XAdES Technical Specification does not define any standard roles. A role could be something like Sales Director, which would indicate that the signer was acting as the Sales Director when he signed the document.

The TSA URL parameter is the location of the Time Stamp Authority used to create time stamps. The XAdES properties that contain time stamps are: AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, SignatureTimeStamp, RefsOnlyTimeStamp, and SigAndRefsTimeStamp.

Signature Production Place

Parameter Name

Description

City

The purported city where the signer was at the time of signature creation.

State Or Province

The purported state or province where the signer was at the time of signature creation.

Postal Code

The purported postal code where the signer was at the time of signature creation.

Country

The purported country where the signer was at the time of signature creation.

Together, these parameters specify where the signer purportedly was at the time of signature creation. The Signature Production Place is a qualifying property of the whole signature.

Signature Policy

Parameter Name

Description

Signature Policy Identifier

An Object Identifier that uniquely identifies a specific version of the signature policy. Leave this property blank to specify an Implied policy in XAdES-EPES form and above.

Signature Policy Document

Path to the file containing a copy of the Signature Policy Document. Leave this property blank to specify an Implied policy in XAdES-EPES form and above.

The policy parameters specify the signature policy for Explicit Policy Electronic Signature forms and above. For an implied policy, simply leave both parameters empty. For an explicit policy, specify the policy ObjectIdentifier (URI or OID) and the path to the policy file. The contents of the file will be digested and the hash will appear in the SignaturePolicyIdentifier/SignaturePolicyId/SigPolicyHash element. Both parameters are ignored if the XAdES-BES form is selected.

Complete Form

Parameter Name

Description

TrustStore Provider

Provider for the keystore containing the Certificate Authorities. This property is required for XAdES-C forms and above.

Certificate Store Providers

Comma-separated list of Keystore, Directory CertStore or LDAP providers for the certificate stores used to retrieve revocation material. This property is required for XAdES-C forms and above.

These parameters are needed to retrieve the validation data for XAdES-C forms and above. The data is found by executing PKIX validation of the signing certificate with revocation checking enabled. The TrustStore Provider specifies the keystore provider containing the Certificate Authorities to be used as trust anchors. The Certificate Store Providers parameter is a comma-separated list of providers used to retrieve revocation material.

Reference 1

Parameter Name

Description

Reference 1 URI

URI to the first piece of data that will be digested and signed. If left blank, the whole XML document will be digested and signed.

Reference 1 Transform 1

First transform algorithm to apply to the first reference data.

Reference 1 Transform 1 Parameters

Parameters for the first transform algorithm to apply to the first reference data. For Exclusive Canonical XML, this is a space separated list of XML namespace prefixes. For XSLT, this is the name of a defined transform. For XPathFilter, this is an XPath expression.

Reference 1 Transform 1 XML Namespace Provider

Provider for the XML Namespace Map for XPathFilter transforms.

Reference 1 Transform 2

Second transform algorithm to apply to the first reference data.

Reference 1 Transform 2 Parameters

Parameters for the second transform algorithm to apply to the first reference data. For Exclusive Canonical XML, this is a space separated list of XML namespace prefixes. For XSLT, this is the name of a defined transform. For XPathFilter, this is an XPath expression.

Reference 1 Transform 2 XML Namespace Provider

Provider for the XML Namespace Map for XPathFilter transforms.

Reference 1 MimeType

The MimeType element of the DataObjectFormat. Indicates how a user should interpret the signed data in the first reference (text, sound, video, and so on).

Reference 1 Encoding

The Encoding element of the DataObjectFormat. Indicates the encoding of the signed data in the first reference. Ignored if MimeType is left blank.

Reference 1 Description

The Description element of the DataObjectFormat. Holds textual information related to the signed data in the first reference. Ignored if MimeType is left blank.

Reference 1 Documentation URI

A DocumentationReference sub-element of the ObjectIdentifier element of the DataObjectFormat. Points to a document where additional information about the nature of the data object can be found. Ignored if MimeType is left blank.

Reference 1 Identifier

The Identifier sub-element of the ObjectIdentifier element of the DataObjectFormat. Contains a permanent identifier of the nature of the object. Ignored if MimeType is left blank.

Reference 1 Commitment

Commitment type that applies to this signed data object.

Reference 1 Commitment Description

The text description for the commitment type that applies to this signed data object. A default English description will be used if a standard commitment type is chosen and this property is left blank.

Reference 1 Time Stamp

Requests a time stamp to be computed before the signature production, over a sequence formed by some of the ds:Reference elements within the ds:SignedInfo referencing whatever the signer wants to sign except the SignedProperties element.

The reference URIs supported are: <empty string> for the whole XML document; #idattrib for the same-document sub-tree rooted at the element that has an ID attribute with value idattrib; http://host:port/page for the resource located at this HTTP address, and possibly other URLs supported by the library.

The Reference 1 URI parameter is the URI to the first piece of data that will be digested and signed. If left blank, the whole XML document will be digested and signed.

The Reference 1 Transform 1 is the first transform algorithm to apply to the reference data. The Reference 1 Transform 1 Parameters contain the parameters for the transform. Similarly, the Reference 1 Transform 2 is the second transform and Reference 1 Transform 2 Parameters specify its parameters.

For more information on the transforms, see the table in this section that lists and describes the transforms available to the digital signature service.

The remaining parameters in this group are reference-specific qualifying properties.

The MimeType, Encoding, Description, and Documentation URI parameters together form the contents of the DataObjectFormat for this particular reference.

The Commitment and Commitment Description parameters are similar to the All Signed Data Objects Commitment and All Signed Data Objects Commitment Description parameters, except they apply to a single reference. Refer to the table on the Qualifying Properties group earlier in this section for an explanation of the commitment types in the XAdES Technical Specification.

The Time Stamp boolean parameter indicates whether an IndividualDataObjectsTimeStamp element is generated for this reference.

Subsequent references (2, 3) are similar to reference 1 except a missing reference URI indicates the end of the list of references instead of the whole document.

The list of transforms per reference is not limited to 2. Any number of transforms can be specified using user parameters.

The list of references is not limited to 2. Any number of references can be specified using user parameters.

Reference 2

Parameter Name

Description

Reference 2 URI

URI to the second piece of data that will be digested and signed. If you need more references, create user parameters named ref[X]uri, ref[X]transform[Y], ref[X]transform[Y]parms, ref[X]transform[Y]nsmap, ref[X]formatmime, ref[X]formatenc, ref[X]formatdesc, ref[X]formatdocuri, ref[X]formatident, ref[X]commitment, ref[X]timestamp, where X >= 3, Y >= 1.

For example, ref3transform2 is the second transform of the third reference.

Reference 2 Transform 1

First transform algorithm to apply to the second reference data.

Reference 2 Transform 1 Parameters

Parameters for the first transform algorithm to apply to the second reference data. For Exclusive Canonical XML, this is a space separated list of XML namespace prefixes. For XSLT, this is the name of a defined transform. For XPathFilter, this is an XPath expression.

Reference 2 Transform 1 XML Namespace Provider

Provider for the XML Namespace Map for XPathFilter transforms.

Reference 2 Transform 2

Second transform algorithm to apply to the second reference data.

Reference 2 Transform 2 Parameters

Parameters for the second transform algorithm to apply to the second reference data. For Exclusive Canonical XML, this is a space separated list of XML namespace prefixes. For XSLT, this is the name of a defined transform. For XPathFilter, this is an XPath expression.

Reference 2 Transform 2 XML Namespace Provider

Provider for the XML Namespace Map for XPathFilter transforms.

Reference 2 MimeType

The MimeType element of the DataObjectFormat. Indicates how a user should interpret the signed data in the second reference (text, sound, video, and so on).

Reference 2 Encoding

The Encoding element of the DataObjectFormat. Indicates the encoding of the signed data in the second reference. Ignored if MimeType is left blank.

Reference 2 Description

The Description element of the DataObjectFormat. Holds textual information related to the signed data in the second reference. Ignored if MimeType is left blank.

Reference 2 Documentation URI

A DocumentationReference sub-element of the ObjectIdentifier element of the DataObjectFormat. Points to a document where additional information about the nature of the data object can be found. Ignored if MimeType is left blank.

Reference 2 Identifier

The Identifier sub-element of the ObjectIdentifier element of the DataObjectFormat. Contains a permanent identifier of the nature of the object. Ignored if MimeType is left blank.

Reference 2 Commitment

Commitment type that applies to this signed data object.

Reference 2 Commitment Description

The text description for the commitment type that applies to this signed data object. A default English description will be used if a standard commitment type is chosen and this property is left blank.

Reference 2 Time Stamp

Requests a time stamp to be computed before the signature production, over a sequence formed by some of the ds:Reference elements within the ds:SignedInfo referencing whatever the signer wants to sign except the SignedProperties element.

The Reference 2 parameters are similar to the Reference 1 parameters. Refer to the Reference 1 group above for details.

The following table lists the transforms available. Some transforms have implicit parameters and do not require any explicit parameters. Other transforms take parameters, as described in the following table.

Transforms Available to Digital Signature Service

Base64

http://www.w3.org/2000/09/xmldsig#base64

This transform decodes the Base64 encoded character data. If the input is a node-set, then the string-value of the node-set is decoded (ignoring the element tags, comments and processing instructions).

This transform takes no explicit parameters.

Enveloped Signature

http://www.w3.org/2000/09/xmldsig#enveloped-signature

This transform removes the Signature element from the calculation of the signature when the signature is within the content that it is being signed.

This transform takes no explicit parameters.

Exclusive Canonical XML

http://www.w3.org/2001/10/xml-exc-c14n#

This transform is useful when message parts can be enveloped and stripped off to construct new messages. Exclusive Canonical XML ignores the namespace context inherited from parent elements. This keeps the digested data constant despite these operations.

This transform takes an optional space-separated list of XML namespace prefixes declared in the XML Namespace provider. These are additional prefixes to be ignored.

Exclusive Canonical XML With Comments

http://www.w3.org/2001/10/xml-exc-c14n#WithComments

This transform is similar to Exclusive Canonical XML except comments are preserved in the digested data.

This transform takes an optional space-separated list of XML namespace prefixes declared in the XML Namespace provider. These are additional prefixes to be ignored.

XPathFilter

http://www.w3.org/TR/1999/REC-xpath-19991116

This transform evaluates the XPath expression for each node in the input node-set and keeps only the nodes where the expression evaluated to true.

This transform takes the XPath expression in ref[X]transform[Y]parms1 and optionally an XML Namespace provider name in ref[X]transform[Y]parms1nsmap to declare a namespace map.

XSLTTransform

http://www.w3.org/TR/1999/REC-xslt-19991116

This transform indicates an XSLT stylesheet must be used and the result is what is referenced for signing.

This transform takes the name of a defined transform as parameter (similar to what is done with the XDGenTransform service). The defined transform must be an XSLT transform and return XML.

Inclusive Canonical XML 1.0

http://www.w3.org/TR/2001/REC-xml-c14n-20010315

This transform performs typical XML Canonicalization that attracts the xml namespace declarations from the inherited context. This canonicalization is the default if the last transform returns a node-set.

This transform takes no parameters.

Inclusive Canonical XML With Comments 1.0

http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments

This transform is similar to Inclusive Canonical XML except comments are preserved.

This transform takes no parameters.

Inclusive Canonical XML 1.1

http://www.w3.org/2006/12/xml-c14n11

Canonical XML 1.1 is a revision to Canonical XML 1.0 to address issues related to inheritance of attributes in the XML namespace when canonicalizing document subsets, including the requirement not to inherit xml:id, and to treat xml:base URI path processing properly. This canonicalization is a better choice than the default Inclusive Canonical XML 1.0.

This transform takes no parameters.

Inclusive Canonical XML With Comments 1.1

http://www.w3.org/2006/12/xml-c14n11#WithComments

This transform is similar to Inclusive Canonical XML 1.1 except comments are preserved.

This transform takes no parameters.

Transform parameters for additional references are supplied in user parameters named ref[X]transform[Y]parms, where X >= 3 and Y >= 1; for example, ref3transform2 is the second transform of the third reference.

When the Tree level is selected in the trace settings, the service will log the referenced data that was actually digested.

Edges:

The following table lists and describes the edges that are returned by the XML Digital Signature Create service.

Edge

Description

success

The Signature was successfully inserted.

fail_parse

An iFL or XPath expression could not be evaluated.

fail_operation

The Signature could not be inserted.


Examples

For more information on related examples of XML Digital Signatures, see XML Digital Signature Create Service. In particular, Example 2: Simple SOAP Message shows how an XPath expression for the signature parent element can instruct the service to find or construct that path. There are also examples of Transform with Transform parameters.

Note: The examples in this section are specific to the XAdES Digital Signature Create service (com.ibi.agents.XDXAdESCreateAgent). For your convenience, the sample input and output documents are attached to the PDF in unabbreviated form.

For PDF-compatibility purposes, the file extension of the XAdESCreate.zip file is temporarily renamed to .zap. After saving this file to your file system, you must rename this extension back to .zip before the file can be used.



Example 1: Enveloped Basic Electronic Signature

The XAdES Digital Signature Create service has a large number of parameters but very few are actually required. At a minimum, the signing key must be specified using the KeyStore Provider and Signing Key Alias parameters. The Signing Key Password must also be specified if it is different than the KeyStore password. Everything else is optional. Since we use the default empty reference URI to sign the whole document, we must also specify the Enveloped Signature transform.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter

Value

KeyStore Provider

ksprov

Signing Key Alias

alias1

Signing Key Password

secret

Reference 1 Transform 1

http://www.w3.org/2000/09/xmldsig#enveloped-signature

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The signature is appended to the end of the parent element. In this case, the default parent is the root element. This explains why the Body appears before the Signature. The Signature contains two references. The first reference was configured in the service to cover the whole document except the signature itself. The second reference was added automatically to cover the SignedProperties.

An XAdES Signature is a regular XML Digital Signature with extra properties. Those properties appear in a ds:Object element within the signature. The QualifyingProperties contain the SignedProperties and the UnsignedProperties. In this simple case, there are no UnsignedProperties.

The SigningTime is the first property under the QualifyingProperties element. The service picked the current time since the Signing Time parameter was left blank.

Multiple certificates can bind the same private key to multiple identities. XAdES dictates the Signing Certificate must be unambiguously declared to show in which capacity the signer signed the document. Here the Signing Certificate appears in the KeyInfo. The KeyInfo is not signed, but a hash of the Signing Certificate also appears under the SignedProperties. The SigningCertificate holds a reference to each certificate in the signer certificate chain. The Issuer and Serial Number pair plus a hash uniquely identify each certificate.
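The two same-document reference URIs listed in the Reference 1 group (an empty string for the whole document, #idattrib for an ID-rooted subtree) and the Enveloped Signature transform that keeps the signature from covering itself, as an added example written for this page rather than the service's own code. The order document is a constructed sample, and SHA-256 with Inclusive Canonical XML 1.0 is assumed for the DigestValue.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DS_NS}}}Signature"

# Constructed sample: an enveloped signature already sits inside the root element.
SAMPLE = (
    '<order xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<item Id="myid" sku="A-1">2</item>'
    "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>"
    "</order>"
)


def resolve_reference(root, uri, id_attrs=("Id", "ID", "id")):
    """'' selects the whole document; '#x' selects the single element whose ID attribute
    is x.  Remote URIs (http://...) would need a dereferencer and are rejected here."""
    if uri == "":
        return root
    if uri.startswith("#"):
        wanted = uri[1:]
        hits = [el for el in root.iter() if any(el.get(a) == wanted for a in id_attrs)]
        if len(hits) != 1:
            raise LookupError(f"expected one element with ID {wanted!r}, found {len(hits)}")
        return hits[0]
    raise ValueError(f"unsupported reference URI: {uri!r}")


def enveloped_signature_transform(node):
    """Return a copy of node with the ds:Signature element(s) removed, so the digest
    does not depend on the signature being inserted.  The real transform removes only
    the enclosing Signature; this constructed document contains exactly one."""
    node = copy.deepcopy(node)
    doomed = [(parent, child) for parent in node.iter() for child in parent if child.tag == SIG_TAG]
    for parent, child in doomed:
        parent.remove(child)
    return node


def reference_digest(node):
    """Inclusive Canonical XML 1.0 of the node-set, then SHA-256, base64 as in DigestValue."""
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")


def demo():
    """Digest the whole document after the Enveloped Signature transform and the #myid
    subtree; also digest the same order written without any signature for comparison."""
    root = ET.fromstring(SAMPLE)
    whole = reference_digest(enveloped_signature_transform(resolve_reference(root, "")))
    item = reference_digest(resolve_reference(root, "#myid"))
    unsigned = reference_digest(ET.fromstring('<order><item Id="myid" sku="A-1">2</item></order>'))
    return whole, item, unsigned
```

The transformed whole-document digest equals the digest of the order written without a signature, which is what lets a verifier recompute the first reference of Example 1 after the signature has been inserted.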



Example 2: Optional Qualifying Properties

XAdES has many optional Qualifying Properties. This example shows how to add more qualifying properties to the signature.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter

Value

KeyStore Provider

ksprov

Signing Key Alias

alias1

Signing Key Password

secret

All Signed Data Objects Commitment

http://uri.etsi.org/01903/v1.2.2#ProofOfOrigin

All Signed Data Objects Time Stamp

true

Sign Signing Certificate

true

Signer Roles

_concat("Buyer\nSales Director")

City

New York

State Or Province

NY

Postal Code

10121

Country

US

Reference 1 URI

#myid

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

This signature has three references: the first reference is declared in the service, the second reference covers the SignedProperties, and the third reference covers the KeyInfo because we asked to sign the Signing Certificate. The last two references were added automatically by the service.

The QualifyingProperties element contains more properties. The SigningTime and SigningCertificate are familiar from example 1. All the other properties are new in example 2.

The City, State Or Province, Postal Code, and Country parameters combine to form the SignatureProductionPlace property.

The SignerRole property lists two ClaimedRoles: Buyer and Sales Director.

The signer declares he is the originator of this message by claiming the Proof of Origin commitment. This commitment applies to all references because of the presence of the AllSignedDataObjects element. Since the All Signed Data Objects Commitment Description parameter is left blank, a default commitment description appears in the signature.

The AllDataObjectsTimeStamp is a time stamp calculated over all the references except the one marked with Type attribute equal to "http://uri.etsi.org/01903#SignedProperties".



Example 3: Implied Policy

To specify the Signature Policy, the XAdES form must be EPES or above. The XAdES Technical Specification states:

A signature policy is useful to clarify the precise role and commitments that the signer intends to assume with respect to the signed data object, and to avoid claims by the verifier that a different signature policy was implied by the signer.

The signer may reference the policy either implicitly or explicitly. An implied policy means the signer follows the rules of the policy but the signature does not indicate which policy. It is assumed the choice of policy is clear from the context in which the signature is used. When the policy is not implied, the signature contains an ObjectIdentifier (URI or OID) that uniquely identifies the version of the policy in use. The signature also contains a hash of the policy document to make sure the signer and verifier agree on the contents of the policy document.

Example 3 demonstrates an implied policy. This is obtained by setting the XAdES form to EPES and leaving the Signature Policy Identifier and Signature Policy Document parameters blank.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter                    Value
XAdES Form                   XAdES-EPES
KeyStore Provider            ksprov
Signing Key Alias            alias1
Signing Key Password         secret
Reference 1 URI              #myid

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The property to notice is the SignaturePolicyIdentifier with the SignaturePolicyImplied empty element.



Example 4: Explicit Policy Identifier

This example demonstrates an explicit policy identifier. This is obtained by setting the XAdES form to EPES, and assigning values to the two policy parameters. The Signature Policy Identifier is a URI or OID that uniquely identifies the version of the policy document. The Signature Policy Document is the path to the policy file in the file system. The signature will contain a hash of the policy to prove both the signer and verifier agree on the contents of the policy. It is important to keep the policy file intact in order to keep the hash constant. It would be wise to make the policy file read-only.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter                    Value
XAdES Form                   XAdES-EPES
KeyStore Provider            ksprov
Signing Key Alias            alias1
Signing Key Password         secret
Signature Policy Identifier  http://iwaysoftware.com/xades#policy1.0
Signature Policy Document    policy-1.0.doc
Reference 1 URI              #myid

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The property to notice is the SignaturePolicyIdentifier with a SigPolicyId and a SigPolicyHash.
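The verifier-side counterpart of Examples 3 and 4, as an added example that is not part of the service or this guide: it reads the SignaturePolicyIdentifier, reports an implied policy, and for an explicit policy recomputes SigPolicyHash over the verifier's own copy of the policy document. The XAdES 1.3.2 namespace, the element shapes of the two constructed samples, and the policy bytes are assumptions; the page does not show the service's actual output.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces assumed for the service output (XAdES 1.3.2 schema; the page does not name the version).
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "xades": "http://uri.etsi.org/01903/v1.3.2#"}
DIGEST_ALGS = {  # ds:DigestMethod Algorithm URIs this checker understands
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}

def check_signature_policy(qualifying_props_xml: str, local_policy: bytes) -> dict:
    """Return 'implied' (Example 3) or, for an explicit policy (Example 4), whether SigPolicyHash matches local_policy."""
    root = ET.fromstring(qualifying_props_xml)
    spi = root.find(".//xades:SignaturePolicyIdentifier", NS)
    if spi is None:
        return {"status": "no-policy"}  # BES form: the property is absent altogether
    if spi.find("xades:SignaturePolicyImplied", NS) is not None:
        return {"status": "implied"}  # policy must be known from the usage context
    pid = spi.find("xades:SignaturePolicyId", NS)
    ident = pid.findtext("xades:SigPolicyId/xades:Identifier", namespaces=NS)
    alg = pid.find("xades:SigPolicyHash/ds:DigestMethod", NS).get("Algorithm")
    claimed = (pid.findtext("xades:SigPolicyHash/ds:DigestValue", namespaces=NS) or "").strip()
    if alg not in DIGEST_ALGS:
        return {"status": "unsupported-digest", "identifier": ident, "algorithm": alg}
    actual = base64.b64encode(DIGEST_ALGS[alg](local_policy).digest()).decode()
    status = "match" if hmac.compare_digest(actual, claimed) else "hash-mismatch"
    return {"status": status, "identifier": ident, "algorithm": alg}

# Constructed samples shaped like the QualifyingProperties of Examples 3 and 4 (not service output).
IMPLIED_SAMPLE = (
    '<xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">'
    '<xades:SignedProperties><xades:SignedSignatureProperties>'
    '<xades:SignaturePolicyIdentifier><xades:SignaturePolicyImplied/></xades:SignaturePolicyIdentifier>'
    '</xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties>'
)

def explicit_sample(policy: bytes) -> str:  # Example 4 shape with a SHA-256 SigPolicyHash over `policy`
    digest = base64.b64encode(hashlib.sha256(policy).digest()).decode()
    return (
        f'<xades:QualifyingProperties xmlns:xades="{NS["xades"]}" xmlns:ds="{NS["ds"]}">'
        '<xades:SignedProperties><xades:SignedSignatureProperties>'
        '<xades:SignaturePolicyIdentifier><xades:SignaturePolicyId>'
        '<xades:SigPolicyId><xades:Identifier>http://iwaysoftware.com/xades#policy1.0</xades:Identifier></xades:SigPolicyId>'
        '<xades:SigPolicyHash><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f'<ds:DigestValue>{digest}</ds:DigestValue></xades:SigPolicyHash>'
        '</xades:SignaturePolicyId></xades:SignaturePolicyIdentifier>'
        '</xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties>'
    )
```

A single edited byte in the local policy file turns a "match" into a "hash-mismatch", which is why the guide recommends keeping the policy document read-only.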



Example 5: Reference Specific Properties

This example shows the effect of qualifying properties that pertain to a specific reference. Two references are declared with different qualifying properties. Contrast this with Example 2: Optional Qualifying Properties where the qualifying properties applied to the signature itself or all the references at once.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter                          Value
KeyStore Provider                  ksprov
Signing Key Alias                  alias1
Signing Key Password               secret
Reference 1 URI                    #id1
Reference 1 MimeType               audio/mpeg
Reference 1 Encoding               base64
Reference 1 Description            MP3 file encoded in base64
Reference 1 Documentation URI      http://iwaysoftware.com/xades/audio.html
Reference 1 Identifier             http://iwaysoftware.com/xades#mp3
Reference 2 URI                    #id2
Reference 2 Commitment             http://uri.etsi.org/01903/v1.2.2#ProofOfApproval
Reference 2 Commitment Description Signer has approved the content
Reference 2 Time Stamp             true

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The signature contains three references: two configured in the service and one added automatically for the SignedProperties. The reference-specific qualifying properties are found within the SignedDataObjectProperties element. The DataObjectFormat property qualifies the first reference, as can be seen by the URI in its ObjectReference attribute. The CommitmentTypeIndication qualifies the second reference, as can be seen by the URI in its ObjectReference child element. The commitment is described by a custom commitment description. Finally, the IndividualDataObjectsTimeStamp contains a time stamp for the second reference, as can be seen in the URI attribute of its Include element.
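The three ways a property is tied to one reference in Example 5 (ObjectReference attribute, ObjectReference child element, Include URI) differ in XML shape, so a verifier has to resolve all three. The following added example, not code from the service or this guide, resolves them against the ds:Reference Ids in SignedInfo and flags any target that points at no reference; the constructed signature skeleton, the XAdES 1.3.2 namespace and the Reference Id values are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed for the service output (XAdES 1.3.2 schema; the page does not name the version).
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "xades": "http://uri.etsi.org/01903/v1.3.2#"}
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903#SignedProperties"

def reference_scoped_properties(signature_xml: str) -> dict:
    """Map each data-object ds:Reference (keyed by "#" + Id) to the property names
    that target it; 'dangling' collects (property, target) pairs matching no Reference."""
    root = ET.fromstring(signature_xml)
    scoped = {}
    for ref in root.findall("ds:SignedInfo/ds:Reference", NS):
        # The SignedProperties reference is not a data object and cannot be qualified.
        if ref.get("Id") and ref.get("Type") != SIGNED_PROPS_TYPE:
            scoped["#" + ref.get("Id")] = []
    dangling = []
    def tag(target, name):
        scoped[target].append(name) if target in scoped else dangling.append((name, target))
    props = root.find(".//xades:SignedDataObjectProperties", NS)
    if props is None:
        return {"scoped": scoped, "dangling": dangling}
    for fmt in props.findall("xades:DataObjectFormat", NS):              # attribute form
        tag(fmt.get("ObjectReference"), "DataObjectFormat")
    for cti in props.findall("xades:CommitmentTypeIndication", NS):      # child-element form
        for obj in cti.findall("xades:ObjectReference", NS):
            tag((obj.text or "").strip(), "CommitmentTypeIndication")
    for ts in props.findall("xades:IndividualDataObjectsTimeStamp", NS):  # Include URI form
        for inc in ts.findall("xades:Include", NS):
            tag(inc.get("URI"), "IndividualDataObjectsTimeStamp")
    return {"scoped": scoped, "dangling": dangling}

# Constructed skeleton of the Example 5 output (SignatureValue, KeyInfo and digests omitted).
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
  <ds:SignedInfo>
    <ds:Reference Id="ref-1" URI="#id1"/>
    <ds:Reference Id="ref-2" URI="#id2"/>
    <ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#sp"/>
  </ds:SignedInfo>
  <ds:Object><xades:QualifyingProperties><xades:SignedProperties Id="sp">
    <xades:SignedDataObjectProperties>
      <xades:DataObjectFormat ObjectReference="#ref-1"><xades:MimeType>audio/mpeg</xades:MimeType></xades:DataObjectFormat>
      <xades:CommitmentTypeIndication>
        <xades:CommitmentTypeId><xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier></xades:CommitmentTypeId>
        <xades:ObjectReference>#ref-2</xades:ObjectReference>
      </xades:CommitmentTypeIndication>
      <xades:IndividualDataObjectsTimeStamp><xades:Include URI="#ref-2"/><xades:Include URI="#ref-9"/></xades:IndividualDataObjectsTimeStamp>
    </xades:SignedDataObjectProperties>
  </xades:SignedProperties></xades:QualifyingProperties></ds:Object>
</ds:Signature>"""
```

The "#ref-9" Include is deliberately unresolved so the dangling case is exercised; a real verifier should treat such a property as a validation failure rather than ignore it.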



Example 6: Electronic Signature With Time

This example demonstrates the XAdES-T form.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter                    Value
XAdES Form                   XAdES-T
KeyStore Provider            ksprov
Signing Key Alias            alias1
Signing Key Password         secret
Reference 1 URI              #myid

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The XAdES-T form is a superset of the XAdES-EPES form. Since the Signature Policy Identifier and the Signature Policy Document parameters are unspecified, this produces an implied policy.

The SignatureTimeStamp mandated by the XAdES-T form appears as an unsigned property within the QualifyingProperties.



Example 7: Complete Validation Data References

This example demonstrates the XAdES-C form.

This table lists the parameter values for this example. Other parameters that are not listed have their default value.

Parameter                    Value
XAdES Form                   XAdES-C
KeyStore Provider            ksprov
Signing Key Alias            alias1
Signing Key Password         secret
Reference 1 URI              #myid

A sample input document is shown as follows (indented for display purposes only):

A sample output of the service is shown as follows (indented for display purposes only):

The XAdES-C form is a superset of the XAdES-T form. Therefore, the signature contains an implied policy and a SignatureTimeStamp, like Example 6: Electronic Signature With Time.


iWay Software