...
Code Block | ||||
---|---|---|---|---|
| ||||
<QualifyingProperties Target> <SignedProperties> <SignedSignatureProperties> (SigningTime)? (SigningCertificate)? (SignaturePolicyIdentifier) (SignatureProductionPlace)? (SignerRole)? </SignedSignatureProperties> <SignedDataObjectProperties> (DataObjectFormat)? (CommitmentTypeIndication)? </SignedDataObjectProperties> </SignedProperties> </QualifyingProperties> |
The properties of the XAdES-BES form are the same except that the SignaturePolicyIdentifier
property is missing.
You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties
or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties
does support all properties mentioned above except the SigningCertificate
property. To get the SigningCertificate
property, you must overwrite either the method XAdESSignatureProperties.getSigningCertificate()
or XAdESSignatureProperties.getSigningCertificateChain().
The class DefaultXAdESSignatureProperties
overwrites the method getSigningCertificate()
and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters which you can specify, if you do not need certain parameters you can just omit them.
Code Block | ||||
---|---|---|---|---|
| ||||
Keystore keystore = ... // load a keystore DefaultKeyAccessor accessor = new DefaultKeyAccessor(); accessor.setKeyStore(keystore); accessor.setPassword("password"); accessor.setAlias("cert_alias"); // signer key alias DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties(); props.setKeystore(keystore)); props.setAlias("cert_aliassetNamespace("http://uri.etsi.org/01903/v1.3.2#"); // specifysets the aliasnamespace offor the signingXAdES certificateelements; in the keystorenamspace =is signerrelated keyto alias the XAdES version, default value props.setAddSigningTime(true);is "http://uri.etsi.org/01903/v1.3.2#" props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256); props.setSigningCertificateURIs(Collections.singletonList("http://certuri"));setPrefix("etsi"); // sets the prefix for the XAdES elements, default value is "etsi" // policyprops.setKeystore(keystore)); props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID); // also the values XAdESSignatureProperties.SIG_POLICY_NONE and XAdESSignatureProperties.SIG_POLICY_IMPLIED are possiblesetAlias("cert_alias"); // specify the alias of the signing certificate in the keystore = signer key alias // then you must not specify any further policy parametersprops.setAddSigningTime(true); props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256); props.setSigPolicyIdsetSigningCertificateURIs(Collections.singletonList("urn:oid:1.2.840.113549.1.9.16.6.1"http://certuri")); props.setSigPolicyIdQualifier("OIDAsURN"); // policy props.setSigPolicyIdDescription("invoice version 3.1"setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID); props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256); props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM=");// also the values XAdESSignatureProperties.SIG_POLICY_NONE and XAdESSignatureProperties.SIG_POLICY_IMPLIED are possible props.setSigPolicyQualifiers(Arrays .asList(new String[] {// then you must not specify any further policy parameters props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1"); "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>"props.setSigPolicyIdQualifier("OIDAsURN"); props.setSigPolicyIdDescription("invoice version 3.1"); props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256); + "</SPUserNotice></SigPolicyQualifier>", "category B" })) props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM="); props.setSigPolicyIdDocumentationReferencessetSigPolicyQualifiers(Arrays. .asList(new String[] {"http://test.com/policy.doc.ref1.txt", "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.doc.ref2.txt" }));pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>" // production place props.setSignatureProductionPlaceCity("Munich"); props.setSignatureProductionPlaceCountryName("Germany"+ "</SPUserNotice></SigPolicyQualifier>", "category B" })); props.setSignatureProductionPlacePostalCode("80331");setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt", props.setSignatureProductionPlaceStateOrProvince("Bavaria" "http://test.com/policy.doc.ref2.txt" })); //role production place props.setSignerClaimedRoles(Arrays.asList(new String[] {"test",setSignatureProductionPlaceCity("Munich"); props.setSignatureProductionPlaceCountryName("Germany"); props.setSignatureProductionPlacePostalCode("80331"); props.setSignatureProductionPlaceStateOrProvince("Bavaria"); //role props.setSignerClaimedRoles(Arrays.asList(new String[] {"test", "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" })); props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=", "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole"))); // data object format props.setDataObjectFormatDescription("invoice"); props.setDataObjectFormatMimeType("text/xml"); props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2"); props.setDataObjectFormatIdentifierQualifier("OIDAsURN"); props.setDataObjectFormatIdentifierDescription("identifier desc"); props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] { "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" })); //commitment props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4"); props.setCommitmentTypeIdQualifier("OIDAsURN"); props.setCommitmentTypeIdDescription("description for commitment type ID"); props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt", "http://test.com/commitment.ref2.txt" })); props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier", "<c:CommitmentTypeQualifier xmlns:c=\"http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" })); beanRegistry.bind("xmlSignatureProperties",props); beanRegistry.bind("keyAccessorDefault",keyAccessor); from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties") .to("mock:result"); |
Headers
Header |
---|
Type | Description | |
---|---|---|
| String | for the 'Id' attribute value of QualifyingProperties element |
| String | for the 'Id' attribute value of SignedDataObjectProperties element |
| String | for the 'Id' attribute value of SignedSignatureProperties element |
| String | for the value of the Encoding element of the DataObjectFormat element |
CamelXmlSignatureXAdESNamespace | String | overwrites the XAdES namespace parameter value |
| String | overwrites the XAdES prefix parameter value |
Limitations
- No support for signature form XAdES-T and XAdES-C
- Only signer part implemented.
- No support for the '
QualifyingPropertiesReference
' element (see section 6.3.2 of spec). - No support for the
Transforms
element contained in theSignaturePolicyId
element contained in theSignaturePolicyIdentifier element
- No support of the
CounterSignature
element --> no support for theUnsignedProperties
element - At most one
DataObjectFormat
element. More than oneDataObjectFormat
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). - At most one
CommitmentTypeIndication
element. More than oneCommitmentTypeIndication
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). A
CommitmentTypeIndication
element contains always theAllSignedDataObjects
element. TheObjectReference
element withinCommitmentTypeIndication
element is not supported.- The
AllDataObjectsTimeStamp
element is not supported - The
IndividualDataObjectsTimeStamp
element is not supported