...
Code Block | ||||
---|---|---|---|---|
| ||||
<QualifyingProperties Target> <SignedProperties> <SignedSignatureProperties> (SigningTime)? (SigningCertificate)? (SignaturePolicyIdentifier) (SignatureProductionPlace)? (SignerRole)? </SignedSignatureProperties> <SignedDataObjectProperties> (DataObjectFormat)? (CommitmentTypeIndication)? </SignedDataObjectProperties> </SignedProperties> </QualifyingProperties> |
The properties of the XAdES-BES form are the same except that the SignaturePolicyIdentifier
property is missing.
You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties
or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties
does support all properties mentioned above except the SigningCertificate
property. To get the SigningCertificate
property, you must overwrite either the method XAdESSignatureProperties.getSigningCertificate()
or XAdESSignatureProperties.getSigningCertificateChain().
The class DefaultXAdESSignatureProperties
overwrites the method getSigningCertificate()
and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters which you can specify, if you do not need certain parameters you can just omit them.
Code Block | ||||
---|---|---|---|---|
| ||||
Keystore keystore = ... // load a keystore DefaultKeyAccessor accessor = new DefaultKeyAccessor(); accessor.setKeyStore(keystore); accessor.setPassword("password"); accessor.setAlias("cert_alias"); // signer key alias DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties(); props.setNamespace("http://uri.etsi.org/01903/v1.3.2#"); // sets the namespace for the XAdES elements; the namspace is related to the XAdES version, default value is "http://uri.etsi.org/01903/v1.3.2#", other possible values are "http://uri.etsi.org/01903/v1.1.1#" and "http://uri.etsi.org/01903/v1.2.2#" props.setPrefix("etsi"); // sets the prefix for the XAdES elements, default value is "etsi" // signing certificate props.setKeystore(keystore)); props.setAlias("cert_alias"); // specify the alias of the signing certificate in the keystore = signer key alias props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256); props.setSigningCertificateURIs(Collections.singletonList("http://certuri")); // signing time props.setAddSigningTime(true); // policy props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID); // also the values XAdESSignatureProperties.SIG_POLICY_NONE and XAdESSignatureProperties.SIG_POLICY_IMPLIED are possible // then you must not specify any further policy parameters props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1"); props.setSigPolicyIdQualifier("OIDAsURN"); props.setSigPolicyIdDescription("invoice version 3.1"); props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256); props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM="); props.setSigPolicyQualifiers(Arrays .asList(new String[] { "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>" + "</SPUserNotice></SigPolicyQualifier>", "category B" })); props.setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt", "http://test.com/policy.doc.ref2.txt" })); // production place props.setSignatureProductionPlaceCity("Munich"); props.setSignatureProductionPlaceCountryName("Germany"); props.setSignatureProductionPlacePostalCode("80331"); props.setSignatureProductionPlaceStateOrProvince("Bavaria"); //role // you can add claimed roles either by specifying simple text or an XML fragment with the root element ClaimedRole props.setSignerClaimedRoles(Arrays.asList(new String[] {"test", "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" })); props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=", "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole"))); // data object format props.setDataObjectFormatDescription("invoice"); props.setDataObjectFormatMimeType("text/xml"); props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2"); props.setDataObjectFormatIdentifierQualifier("OIDAsURN"); props.setDataObjectFormatIdentifierDescription("identifier desc"); props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] { "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" })); //commitment props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4"); props.setCommitmentTypeIdQualifier("OIDAsURN"); props.setCommitmentTypeIdDescription("description for commitment type ID"); props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt", "http://test.com/commitment.ref2.txt" })); // you can specify a commitment type qualifier either by simple text or an XML fragment with root element CommitmentTypeQualifier props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier", "<c:CommitmentTypeQualifier xmlns:c=\"http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" })); beanRegistry.bind("xmlSignatureProperties",props); beanRegistry.bind("keyAccessorDefault",keyAccessor); // you must reference the properties bean in the "xmlsecurity" URI from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties") .to("mock:result"); |
Headers
Header | Type | Description |
---|---|---|
| String | for the 'Id' attribute value of QualifyingProperties element |
| String | for the 'Id' attribute value of SignedDataObjectProperties element |
| String | for the 'Id' attribute value of SignedSignatureProperties element |
| String | for the value of the Encoding element of the DataObjectFormat element |
CamelXmlSignatureXAdESNamespace | String | overwrites the XAdES namespace parameter value |
| String | overwrites the XAdES prefix parameter value |
Limitations
- No support for signature form XAdES-T and XAdES-C
- Only signer part implemented.
- No support for the '
QualifyingPropertiesReference
' element (see section 6.3.2 of spec). - No support for the
Transforms
element contained in theSignaturePolicyId
element contained in theSignaturePolicyIdentifier element
- No support of the
CounterSignature
element --> no support for theUnsignedProperties
element - At most one
DataObjectFormat
element. More than oneDataObjectFormat
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). - At most one
CommitmentTypeIndication
element. More than oneCommitmentTypeIndication
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). A
CommitmentTypeIndication
element contains always theAllSignedDataObjects
element. TheObjectReference
element withinCommitmentTypeIndication
element is not supported.- The
AllDataObjectsTimeStamp
element is not supported - The
IndividualDataObjectsTimeStamp
element is not supported
...