XAdES-EPES Properties:

    <QualifyingProperties Target>
        <SignedProperties>
            <SignedSignatureProperties>
                (SigningTime)?
                (SigningCertificate)?
                (SignaturePolicyIdentifier)
                (SignatureProductionPlace)?
                (SignerRole)?
            </SignedSignatureProperties>
            <SignedDataObjectProperties>
                (DataObjectFormat)?
                (CommitmentTypeIndication)?
            </SignedDataObjectProperties>
        </SignedProperties>
    </QualifyingProperties>

The properties of the XAdES-BES form are the same, except that the SignaturePolicyIdentifier property is missing.

You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties supports all properties mentioned above except the SigningCertificate property. To get the SigningCertificate property, you must override either the method XAdESSignatureProperties.getSigningCertificate() or XAdESSignatureProperties.getSigningCertificateChain(). The class DefaultXAdESSignatureProperties overrides the method getSigningCertificate() and lets you specify the signing certificate via a keystore and alias. The following example shows all parameters you can specify; if you do not need certain parameters, simply omit them.
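The paragraph above says the SigningCertificate property only appears if you override getSigningCertificate() or getSigningCertificateChain(), and that DefaultXAdESSignatureProperties overrides only the former. The following class is an added example, not code from the Camel documentation or from camel-xmlsecurity: it overrides the chain variant so that the signer certificate and its issuers are both listed, and it adds a startup check that the key the key accessor signs with really belongs to the advertised certificate. The assumed hook signature, protected X509Certificate[] getSigningCertificateChain(Message), should be compared against XAdESSignatureProperties in the Camel release you use; the class name KeyStoreChainXAdESSignatureProperties and the helper keyMatchesCertificate are hypothetical.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

import org.apache.camel.Message;
import org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties;

// Added example (not part of the Camel documentation or code base).
// Supplies the full certificate chain for the SigningCertificate property from a keystore;
// DefaultXAdESSignatureProperties overrides getSigningCertificate() only.
// Assumption: the overridable hook in your Camel release is
// protected X509Certificate[] getSigningCertificateChain(Message).
public class KeyStoreChainXAdESSignatureProperties extends XAdESSignatureProperties {

    private final KeyStore keyStore;
    private final String alias;

    public KeyStoreChainXAdESSignatureProperties(KeyStore keyStore, String alias) {
        this.keyStore = keyStore;
        this.alias = alias;
    }

    @Override
    protected X509Certificate[] getSigningCertificateChain(Message message) throws Exception {
        Certificate[] chain = keyStore.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            // Fail instead of silently producing a signature without SigningCertificate;
            // a verifier could otherwise not bind the signature to a certificate.
            throw new IllegalStateException("no certificate chain under alias '" + alias + "'");
        }
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new IllegalStateException("entry " + i + " of the chain is not an X.509 certificate");
            }
            x509Chain[i] = (X509Certificate) chain[i];
        }
        return x509Chain; // element 0 is the signer certificate, followed by its issuers
    }

    /**
     * Startup consistency check: the private key the DefaultKeyAccessor signs with and the
     * certificate advertised in SigningCertificate must be the same RSA key pair, otherwise
     * the signature will not verify against the certificate it names. Handles RSA keys only.
     */
    public static boolean keyMatchesCertificate(KeyStore keyStore, String alias, char[] password)
            throws Exception {
        Key key = keyStore.getKey(alias, password);
        Certificate cert = keyStore.getCertificate(alias);
        if (!(key instanceof RSAPrivateKey) || cert == null) {
            return false;
        }
        PublicKey pub = cert.getPublicKey();
        return pub instanceof RSAPublicKey
                && ((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) pub).getModulus());
    }
}
```

Bind an instance of this class under the name "xmlSignatureProperties" exactly as the page's own example binds DefaultXAdESSignatureProperties, give the DefaultKeyAccessor the same keystore and alias, and call keyMatchesCertificate(keystore, alias, password) once during application startup so that a mismatched alias is caught before the first message is signed.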

XAdES-BES/EPES example in Java DSL:

    import java.security.KeyStore;
    import java.util.Arrays;
    import java.util.Collections;
    import javax.xml.crypto.dsig.DigestMethod;
    import org.apache.camel.component.xmlsecurity.api.DefaultKeyAccessor;
    import org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties;
    import org.apache.camel.component.xmlsecurity.api.XAdESEncapsulatedPKIData;
    import org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties;

    KeyStore keystore = ... // load a keystore
    DefaultKeyAccessor accessor = new DefaultKeyAccessor();
    accessor.setKeyStore(keystore);
    accessor.setPassword("password");
    accessor.setAlias("cert_alias"); // signer key alias

    DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties();
    props.setNamespace("http://uri.etsi.org/01903/v1.3.2#"); // sets the namespace for the XAdES elements; the namespace is related to the XAdES version, default value is "http://uri.etsi.org/01903/v1.3.2#"
    props.setPrefix("etsi"); // sets the prefix for the XAdES elements, default value is "etsi"
    props.setKeystore(keystore);
    props.setAlias("cert_alias"); // specify the alias of the signing certificate in the keystore = signer key alias
    props.setAddSigningTime(true);
    props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256);
    props.setSigningCertificateURIs(Collections.singletonList("http://certuri"));
    // policy
    props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID);
    // also the values XAdESSignatureProperties.SIG_POLICY_NONE and XAdESSignatureProperties.SIG_POLICY_IMPLIED are possible;
    // then you must not specify any further policy parameters
    props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1");
    props.setSigPolicyIdQualifier("OIDAsURN");
    props.setSigPolicyIdDescription("invoice version 3.1");
    props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256);
    props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM=");
    props.setSigPolicyQualifiers(Arrays.asList(new String[] {
        "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>"
        + "</SPUserNotice></SigPolicyQualifier>", "category B" }));
    props.setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt",
        "http://test.com/policy.doc.ref2.txt" }));
    // production place
    props.setSignatureProductionPlaceCity("Munich");
    props.setSignatureProductionPlaceCountryName("Germany");
    props.setSignatureProductionPlacePostalCode("80331");
    props.setSignatureProductionPlaceStateOrProvince("Bavaria");
    // role
    props.setSignerClaimedRoles(Arrays.asList(new String[] {"test",
        "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" }));
    props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=",
        "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole")));
    // data object format
    props.setDataObjectFormatDescription("invoice");
    props.setDataObjectFormatMimeType("text/xml");
    props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2");
    props.setDataObjectFormatIdentifierQualifier("OIDAsURN");
    props.setDataObjectFormatIdentifierDescription("identifier desc");
    props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] {
        "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" }));
    // commitment
    props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4");
    props.setCommitmentTypeIdQualifier("OIDAsURN");
    props.setCommitmentTypeIdDescription("description for commitment type ID");
    props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt",
        "http://test.com/commitment.ref2.txt" }));
    props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier",
        "<c:CommitmentTypeQualifier xmlns:c=\"http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" }));

    // register both beans so the endpoint URI can reference them with #name
    beanRegistry.bind("xmlSignatureProperties", props);
    beanRegistry.bind("keyAccessorDefault", accessor);

    from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties")
                        .to("mock:result");

 

Headers

Header | Type | Description
CamelXmlSignatureXAdESQualifyingPropertiesId | String | for the 'Id' attribute value of the QualifyingProperties element
CamelXmlSignatureXAdESSignedDataObjectPropertiesId | String | for the 'Id' attribute value of the SignedDataObjectProperties element
CamelXmlSignatureXAdESSignedSignaturePropertiesId | String | for the 'Id' attribute value of the SignedSignatureProperties element
CamelXmlSignatureXAdESDataObjectFormatEncoding | String | for the value of the Encoding element of the DataObjectFormat element
CamelXmlSignatureXAdESNamespace | String | overwrites the XAdES namespace parameter value
CamelXmlSignatureXAdESPrefix | String | overwrites the XAdES prefix parameter value
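The three Id headers end up as 'Id' attributes, which the XAdES schema declares as xs:ID; such values must be NCNames (no leading digit, no colon, no whitespace) and unique within the signed document, otherwise the output is schema-invalid and some verifiers reject it. The processor below is an added example, not code from the Camel documentation or from camel-xmlsecurity: it derives the three Ids from the Camel message id, reduces them to a safe NCName character set before setting the headers, and wires the processor in front of the signer endpoint from the page's example. The class names XAdESIdHeaderProcessor and XAdESRoute and the helper toNCName are hypothetical; the header names are the ones listed in the table above.

```java
import java.util.regex.Pattern;

import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;

// Added example (not part of the Camel documentation or code base): sets the XAdES Id headers
// with values that are valid xs:ID (NCName) tokens and unique per message.
public class XAdESIdHeaderProcessor implements Processor {

    // Header names exactly as listed on this page
    static final String QUALIFYING_PROPERTIES_ID = "CamelXmlSignatureXAdESQualifyingPropertiesId";
    static final String SIGNED_DATA_OBJECT_PROPERTIES_ID = "CamelXmlSignatureXAdESSignedDataObjectPropertiesId";
    static final String SIGNED_SIGNATURE_PROPERTIES_ID = "CamelXmlSignatureXAdESSignedSignaturePropertiesId";

    // Conservative whitelist: a subset of the characters an NCName may contain.
    private static final Pattern NOT_SAFE_CHAR = Pattern.compile("[^A-Za-z0-9._-]");

    /**
     * Builds an NCName-safe id: illegal characters are dropped and a letter prefix guarantees
     * the value does not start with a digit. The prefix also keeps the three Ids distinct.
     */
    static String toNCName(String prefix, String raw) {
        String cleaned = raw == null ? "" : NOT_SAFE_CHAR.matcher(raw).replaceAll("");
        return prefix + "-" + cleaned;
    }

    @Override
    public void process(Exchange exchange) throws Exception {
        // The message id is unique per message, so the Ids cannot collide across signatures.
        String base = exchange.getIn().getMessageId();
        exchange.getIn().setHeader(QUALIFYING_PROPERTIES_ID, toNCName("qp", base));
        exchange.getIn().setHeader(SIGNED_DATA_OBJECT_PROPERTIES_ID, toNCName("sdop", base));
        exchange.getIn().setHeader(SIGNED_SIGNATURE_PROPERTIES_ID, toNCName("ssp", base));
    }

    // Route wiring; the bean names match the page's own example.
    public static class XAdESRoute extends RouteBuilder {
        @Override
        public void configure() {
            from("direct:xades")
                .process(new XAdESIdHeaderProcessor())
                .to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties")
                .to("mock:result");
        }
    }
}
```

If an upstream system supplies its own identifiers, pass them through toNCName in the same way rather than setting the headers verbatim; an id such as "12:34" or "order 7" would otherwise be copied into the signature unchanged.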

Limitations

  • No support for the signature forms XAdES-T and XAdES-C.
  • Only the signer part is implemented.
  • No support for the 'QualifyingPropertiesReference' element (see section 6.3.2 of the spec).
  • No support for the Transforms element contained in the SignaturePolicyId element contained in the SignaturePolicyIdentifier element.
  • No support for the CounterSignature element, and therefore no support for the UnsignedProperties element.
  • At most one DataObjectFormat element. More than one DataObjectFormat element makes no sense because only one data object is signed (the incoming message body of the XML signer endpoint).
  • At most one CommitmentTypeIndication element. More than one CommitmentTypeIndication element makes no sense because only one data object is signed (the incoming message body of the XML signer endpoint).
  • A CommitmentTypeIndication element always contains the AllSignedDataObjects element. The ObjectReference element within the CommitmentTypeIndication element is not supported.
  • The AllDataObjectsTimeStamp element is not supported.
  • The IndividualDataObjectsTimeStamp element is not supported.

See Also