...

XML Advanced Electronic Signatures (XAdES) defines extensions to XML Signature. The standard was defined by the European Telecommunications Standards Institute and allows you to create signatures that are compliant with the European Union Directive (1999/93/EC) on a Community framework for electronic signatures. XAdES defines different sets of signature properties, which are called signature forms. We support the signature forms Basic Electronic Signature (XAdES-BES) and Explicit Policy Based Electronic Signature (XAdES-EPES) for the Signer Endpoint. The forms Electronic Signature with Validation Data (XAdES-T and XAdES-C) are not supported.

...

 

Code Block (xml): Supported XAdES-EPES Properties

        <QualifyingProperties Target>
            <SignedProperties>
                <SignedSignatureProperties>
                    (SigningTime)?
                    (SigningCertificate)?
                    (SignaturePolicyIdentifier)
                    (SignatureProductionPlace)?
                    (SignerRole)?
                </SignedSignatureProperties>
                <SignedDataObjectProperties>
                    (DataObjectFormat)?
                    (CommitmentTypeIndication)?
                </SignedDataObjectProperties>
            </SignedProperties>
        </QualifyingProperties>

The properties of the XAdES-BES form are the same, except that the SignaturePolicyIdentifier property is not part of XAdES-BES.

You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties supports all properties mentioned above except the SigningCertificate property. To get the SigningCertificate property, you must override either the method XAdESSignatureProperties.getSigningCertificate() or XAdESSignatureProperties.getSigningCertificateChain(). The class DefaultXAdESSignatureProperties overrides getSigningCertificate() and lets you specify the signing certificate via a keystore and alias. The following example shows all parameters you can specify; parameters you do not need can simply be omitted.

Code Block (java): XAdES-BES/EPES Example in Java DSL

import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;

import javax.xml.crypto.dsig.DigestMethod;

import org.apache.camel.component.xmlsecurity.api.DefaultKeyAccessor;
import org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties;
import org.apache.camel.component.xmlsecurity.api.XAdESEncapsulatedPKIData;
import org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties;

// the following statements belong inside RouteBuilder.configure()
KeyStore keystore = ... // load a keystore
DefaultKeyAccessor accessor = new DefaultKeyAccessor();
accessor.setKeyStore(keystore);
accessor.setPassword("password");
accessor.setAlias("cert_alias"); // signer key alias

DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties();
// namespace of the XAdES elements; it depends on the XAdES version. Default value is "http://uri.etsi.org/01903/v1.3.2#",
// other possible values are "http://uri.etsi.org/01903/v1.1.1#" and "http://uri.etsi.org/01903/v1.2.2#"
props.setNamespace("http://uri.etsi.org/01903/v1.3.2#");
props.setPrefix("etsi"); // prefix for the XAdES elements, default value is "etsi"

// signing certificate
props.setKeystore(keystore);
props.setAlias("cert_alias"); // alias of the signing certificate in the keystore = signer key alias
// possible values are "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256",
// "http://www.w3.org/2001/04/xmldsig-more#sha384" and "http://www.w3.org/2001/04/xmlenc#sha512";
// default value is "http://www.w3.org/2001/04/xmlenc#sha256"
props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256);
props.setSigningCertificateURIs(Collections.singletonList("http://certuri"));

// signing time
props.setAddSigningTime(true);

// policy
props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID);
// the values XAdESSignatureProperties.SIG_POLICY_NONE ("None") and XAdESSignatureProperties.SIG_POLICY_IMPLIED ("Implied")
// are also possible; default value is XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID ("ExplicitId").
// For "None" and "Implied" you must not specify any further policy parameters
props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1");
props.setSigPolicyIdQualifier("OIDAsURN"); // allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
props.setSigPolicyIdDescription("invoice version 3.1");
// possible values are "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256",
// "http://www.w3.org/2001/04/xmldsig-more#sha384" and "http://www.w3.org/2001/04/xmlenc#sha512";
// default value is "http://www.w3.org/2001/04/xmlenc#sha256"
props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256);
props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM=");
// you can add qualifiers for the signature policy either by specifying text or an XML fragment with the root element "SigPolicyQualifier"
props.setSigPolicyQualifiers(Arrays
    .asList(new String[] {
        "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>"
            + "</SPUserNotice></SigPolicyQualifier>", "category B" }));
props.setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt",
    "http://test.com/policy.doc.ref2.txt" }));

// production place
props.setSignatureProductionPlaceCity("Munich");
props.setSignatureProductionPlaceCountryName("Germany");
props.setSignatureProductionPlacePostalCode("80331");
props.setSignatureProductionPlaceStateOrProvince("Bavaria");

// role
// you can add claimed roles either by specifying text or an XML fragment with the root element "ClaimedRole"
props.setSignerClaimedRoles(Arrays.asList(new String[] {"test",
    "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" }));
props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=",
    "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole")));

// data object format
props.setDataObjectFormatDescription("invoice");
props.setDataObjectFormatMimeType("text/xml");
props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2");
props.setDataObjectFormatIdentifierQualifier("OIDAsURN"); // allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
props.setDataObjectFormatIdentifierDescription("identifier desc");
props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] {
    "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" }));

// commitment
props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4");
props.setCommitmentTypeIdQualifier("OIDAsURN"); // allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
props.setCommitmentTypeIdDescription("description for commitment type ID");
props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt",
    "http://test.com/commitment.ref2.txt" }));
// you can specify a commitment type qualifier either by simple text or an XML fragment with the root element "CommitmentTypeQualifier"
props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier",
    "<c:CommitmentTypeQualifier xmlns:c=\"http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" }));

// register both beans under the names referenced in the endpoint URI below
beanRegistry.bind("xmlSignatureProperties", props);
beanRegistry.bind("keyAccessorDefault", accessor);

// you must reference the properties bean in the "xmlsecurity" URI
from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties")
                    .to("mock:result");

Code Block (xml): XAdES-BES/EPES Example in Spring XML

   ...
   <from uri="direct:xades" />
            <to
                uri="xmlsecurity:sign://xades?keyAccessor=#accessorRsa&amp;properties=#xadesProperties" />
            <to uri="mock:result" />
   ...
   <bean id="xadesProperties"
        class="org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties">
        <!-- For more properties see the previous Java DSL example.
             If you want to have a signing certificate, use the bean class DefaultXAdESSignatureProperties (see the previous Java DSL example). -->
        <property name="signaturePolicy" value="ExplicitId" />
        <property name="sigPolicyId" value="http://www.test.com/policy.pdf" />
        <property name="sigPolicyIdDescription" value="factura" />
        <property name="signaturePolicyDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />
        <property name="signaturePolicyDigestValue" value="Ohixl6upD6av8N7pEvDABhEL1hM=" />
        <property name="signerClaimedRoles" ref="signerClaimedRoles_XMLSigner" />
        <property name="dataObjectFormatDescription" value="Factura electrónica" />
        <property name="dataObjectFormatMimeType" value="text/xml" />
    </bean>
    <bean class="java.util.ArrayList" id="signerClaimedRoles_XMLSigner">
        <constructor-arg>
            <list>
                <value>Emisor</value>
                <value>&lt;ClaimedRole
                    xmlns=&quot;http://uri.etsi.org/01903/v1.3.2#&quot;&gt;&lt;test
                    xmlns=&quot;http://test.com/&quot;&gt;test&lt;/test&gt;&lt;/ClaimedRole&gt;</value>
            </list>
        </constructor-arg>
    </bean>
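The SigPolicyHash carried in the SignaturePolicyIdentifier is the digest of the policy document, so the value passed to setSignaturePolicyDigestValue() has to be computed with the same algorithm that setSignaturePolicyDigestAlgorithm() names. The following is an added example, not part of the Camel documentation or the camel-xmlsecurity project: it maps the four digest algorithm URIs listed in the Java DSL example to hash functions, computes the base64 value for a constructed sample policy document, and checks that a configured value has the length the chosen algorithm produces (a 20-byte value paired with a SHA-256 URI, for instance, can never verify).

```python
import base64
import hashlib

# Digest algorithm URIs accepted by setSignaturePolicyDigestAlgorithm() and
# setDigestAlgorithmForSigningCertificate(), mapped to hashlib algorithm names.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384": "sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def policy_digest(policy_document: bytes, algorithm_uri: str) -> str:
    """Base64 SigPolicyHash of a policy document under the given algorithm URI."""
    if algorithm_uri not in DIGEST_URIS:
        raise ValueError("unsupported digest algorithm URI: " + algorithm_uri)
    digest = hashlib.new(DIGEST_URIS[algorithm_uri], policy_document).digest()
    return base64.b64encode(digest).decode("ascii")


def check_digest_value(value_b64: str, algorithm_uri: str) -> bool:
    """True if value_b64 is valid base64 and decodes to the algorithm's digest size."""
    name = DIGEST_URIS.get(algorithm_uri)
    if name is None:
        return False
    try:
        raw = base64.b64decode(value_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == hashlib.new(name).digest_size


# Constructed sample policy document; not a real signature policy.
SAMPLE_POLICY = b"Invoice signature policy, version 3.1 (constructed sample)\n"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"

if __name__ == "__main__":
    value = policy_digest(SAMPLE_POLICY, SHA256_URI)
    print('props.setSignaturePolicyDigestValue("%s");' % value)
    # The 28-character value from the example above decodes to 20 bytes,
    # which is the SHA-1 digest size, not the SHA-256 one.
    example_value = "Ohixl6upD6av8N7pEvDABhEL6hM="
    print("example value with sha1   URI:", check_digest_value(example_value, SHA1_URI))
    print("example value with sha256 URI:", check_digest_value(example_value, SHA256_URI))
```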

Headers

Header | Type | Description
CamelXmlSignatureXAdESQualifyingPropertiesId | String | Value of the 'Id' attribute of the QualifyingProperties element
CamelXmlSignatureXAdESSignedDataObjectPropertiesId | String | Value of the 'Id' attribute of the SignedDataObjectProperties element
CamelXmlSignatureXAdESSignedSignaturePropertiesId | String | Value of the 'Id' attribute of the SignedSignatureProperties element
CamelXmlSignatureXAdESDataObjectFormatEncoding | String | Value of the Encoding element of the DataObjectFormat element
CamelXmlSignatureXAdESNamespace | String | Overwrites the XAdES namespace parameter value
CamelXmlSignatureXAdESPrefix | String | Overwrites the XAdES prefix parameter value

Limitations with regard to XAdES version 1.4.2

  • No support for the signature forms XAdES-T and XAdES-C.
  • Only the signer part is implemented. The verifier part is currently not available.
  • No support for the 'QualifyingPropertiesReference' element (see section 6.3.2 of the spec).
  • No support for the Transforms element contained in the SignaturePolicyId element of the SignaturePolicyIdentifier element.
  • No support for the CounterSignature element, and therefore no support for the UnsignedProperties element.
  • At most one DataObjectFormat element. More than one DataObjectFormat element makes no sense, because only one data object is signed (the incoming message body to the XML signer endpoint).
  • At most one CommitmentTypeIndication element. More than one CommitmentTypeIndication element makes no sense, for the same reason: only the incoming message body is signed.
  • A CommitmentTypeIndication element always contains the AllSignedDataObjects element. The ObjectReference element within the CommitmentTypeIndication element is not supported.
  • The AllDataObjectsTimeStamp element is not supported.
  • The IndividualDataObjectsTimeStamp element is not supported.

...