...
Code Block | ||||
---|---|---|---|---|
| ||||
<dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-xmlsecurity</artifactId> <version>x.x.x</version> <!-- use the same version as your Camel core version --> </dependency> |
XML Signature
...
Wrapping Modes
XML Signature differs between enveloped, enveloping, and detached XML signature. In the enveloped XML signature case, the XML Signature is wrapped by the signed XML Document; which means that the XML signature element is a child element of a parent element, which belongs to the signed XML Document. In the enveloping XML signature case, the XML Signature contains the signed content. All other cases are called detached XML signatures. A certain form of detached XML signature is supported since 2.14.0.
...
Code Block | ||
---|---|---|
| ||
(<[signed element] Id="[id_value]"> <!-- signed element must have an attribute of type ID --> ... </[signed element]> <other sibling/>* <!-- between the signed element and the corresponding signature element, there can be other siblings. Signature element is added as last sibling. --> <Signature Id="generated_unique_ID"> <SignedInfo> <CanonicalizationMethod> <SignatureMethod> <Reference URI="#[id_value]" type="[optional_type_value]"> <!-- reference URI contains the ID attribute value of the signed element --> (<Transform>)* <!-- By default "http://www.w3.org/2006/12/xml-c14n11" is added to the transforms --> <DigestMethod> <DigestValue> </Reference> (<Reference URI="#[generated_keyinfo_Id]"> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <DigestMethod> <DigestValue> </Reference>)? </SignedInfo> <SignatureValue> (<KeyInfo Id="[generated_keyinfo_id]">)? </Signature>)+ |
URI
...
Format
The camel component consists of two endpoints which have the following URI format.
...
Name | Type | Default | Description |
---|---|---|---|
uriDereferencer | null | URI dereferencer. You can specify here your own URI dereferencer, if you want to restrict the dereferencing or have special requirements for dereferencing. | |
baseUri | String | null | Base URI used in the URI dereferencer. Relative URIs are concatenated with the base URI. |
cryptoContextProperties | Map<String, ? extends Object> | null | Crypto context properties. See |
disallowDoctypeDecl | Boolean | Boolean.TRUE | Indicator whether DTD DOCTYPE declarations shall be disallowed in the incoming XML message. |
omitXmlDeclaration | Boolean | Boolean.FALSE | Indicator whether the XML declaration header shall be omitted in the output XML message. |
clearHeaders | Boolean | Boolean.TRUE | Indicator whether the XML signature message headers defined in XmlSignatureConstants shall be deleted at the end of the signer or verifier processing. |
schemaResourceUri | String | null | Since 2.14.0. Classpath to the XML Schema file. If set then the XML document is validated against the XML schema. Must be set in the case of detached signatures in order to determine the attributes of type ID. This value can be overwritten by the header "CamelXmlSignatureSchemaResourceUri ". For further information, see sub-chapter "Detached XML Signatures as Siblings of the Signed Elements". The schema is also necessary in the case of enveloped signature with a reference URI to an ID attribute (see Signing Option 'contentReferenceUri'). |
outputXmlEncoding | String | null | Since 2.15.0. Character encoding of the output XML document. If null then UTF-8 is used. |
...
Name | Type | Default | Description | |||||
---|---|---|---|---|---|---|---|---|
keyAccessor | null | Provides the signing key and the KeyInfo instance. There is an example implementation which uses a keystore, see DefaultKeyAccessor | ||||||
addKeyInfoReference | Boolean | Boolean.TRUE | Indicator whether a Reference element refering the KeyInfo element provided by the key accessor should be added to the XML signature. | |||||
signatureAlgorithm | String | signature algorithm consisting of a digest and encryption algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element and the encryption algorithm is used to sign this digest. Possible values: http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 | ||||||
digestAlgorithm | String | see description | Digest algorithm for calculating the digest of the in-message body. If not specified then the digest algorithm of the signature algorithm is used. Possible values: http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512 | |||||
parentLocalName | String | null | Local name of the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option | |||||
parentNamespace | String | null | Namespace of the parent of the Signature element. See option | |||||
parentXpath | XPathFilterParameterSpec | null | Since 2.15.0. XPath to the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option parentLocalName are null, then an enveloping XML signature is created. Alternatively you can specify the parent via the option parentLocalName. Example: /p1:root/SecurityItem[last()] This example will select the last sibling with the name SecurityItem . Such kind of selection is not possible with the option parentLocalName . | |||||
canonicalizationMethod | C14n | Canonicalization method used to canonicalize the SignedInfo element before the digest is calculated. You can use the helper methods XmlSignatureHelper.getCanonicalizationMethod(String algorithm) or getCanonicalizationMethod(String algorithm, List<String> inclusiveNamespacePrefixes) to create a canonicalization method. | ||||||
transformMethods | List<javax.xml.crypto.AlgorithmMethod> | see description | Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option | |||||
prefixForXmlSignatureNamespace | String | ds | Prefix for the XML signature namespace. If | |||||
contentReferenceUri | String | see description | The URI of the reference to the signed content (in-message body). If | |||||
contentReferenceType | String | null | Value of the type attribute of the content reference. This value can be overwritten by the header " | |||||
plainText | Boolean | Boolean.FALSE | Indicator whether the in-message body contains plain text. Normally, the signature generator treats the incoming message body as XML. If the message body is plain text, then you must set this option to | |||||
The Camel header "CamelXmlSignatureTransformMethods" overwrites this option (since Camel 2.17.0). The header value must be of type string; you specify in a comma separated list the transform algorithms, for example "http://www.w3.org/2000/09/xmldsig#enveloped-signature,http://www.w3.org/TR/2001/REC-xml-c14n-20010315". In the header you cannot specify transform algorithms which need parameters, like http://www.w3.org/TR/1999/REC-xslt-19991116, http://www.w3.org/2002/06/xmldsig-filter2, or http://www.w3.org/TR/1999/REC-xpath-19991116. | ||||||||
prefixForXmlSignatureNamespace | String | ds | Prefix for the XML signature namespace. If | |||||
contentReferenceUri | String | see description | The URI of the reference to the signed content (in-message body). If | plainTextEncoding | String | null | Only used when the option | |
properties | null | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface. | ||||||
contentObjectId | String | null | Value of the Id attribute of the Object element. Only used in the enveloping XML signature case. If | |||||
| ||||||||
contentReferenceType | String | null | Value of the type attribute of the content reference. This value can be overwritten by the header " | |||||
plainText | Boolean | Boolean.FALSE | Indicator whether the in-message body contains plain text. Normally, the signature generator treats the incoming message body as XML. If the message body is plain text, then you must set this option to | xpathsToIdAttributes | List<XPathFilterParameterSpec> | empty list | Since 2.14.0. List of XPATH expressions to ID attributes of elements to be signed. Used for the detached XML Signatures. Can only be used in combination with the option. The value can be overwritten by the header " | CamelXmlSignatureMessageIsPlainText". |
plainTextEncoding | String | null | Only used when | If the option | | at the same time then an exception is thrown. The class to | ||
properties | null | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface. | ||||||
contentObjectId | String | null | signatureId | String | null | Since 2.14.0.Value of the Id attribute of the | Signature Object element. Only used in the enveloping XML signature case. If | Id value is generated. | If the value is the empty string ("") then no Id attribute is added to the Signature element.
Verifying Options
The verifier endpoint has the following options.
Name | Type | Default | Description |
---|---|---|---|
keySelector | null | Provides the key for validating the XML signature. There is an example implementation which uses a keystore, see DefaultKeySelector. | |
xmlSignatureChecker | null | This interface allows the application to check the XML signature before the validation is executed. This step is recommended in http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed | |
validationFailedHandler | Handles the different validation failed situations. The default implementation throws specific exceptions for the different situations (All exceptions have the package name | ||
xmlSignature2Message | Bean which maps the XML signature to the ouput-message after the validation. How this mapping should be done can be configured by the options | ||
outputNodeSearchType | String | "Default" | Determines the type of the search of the output node. See option |
outputNodeSearch | Object | null | Search value of the output node search. The type depends on the search type. For the default search implementation |
removeSignatureElements | Boolean | Boolean.FALSE | Indicator for removing Signature elements in the output message in the enveloped XML signature case. Used in the |
secureValidation | Boolean | Boolean.TRUE | Enables secure validation. If true then secure validation is enabled - see here for more information. |
Output Node Determination in Enveloping XML Signature Case
After the validation the node is extracted from the XML signature document which is finally returned to the output-message body. In the enveloping XML signature case, the default implementation DefaultXmlSignature2Message of XmlSignature2Message does this for the node search type "Default" in the following way (see option xmlSignature2Message
):
First an Object reference is determined:
- Only same document references are taken into account (URI must start with '#')
- Also indirect same document references to an object via manifest are taken into account.
- The resulting number of Object references must be 1.
Then, the Object is dereferenced and the Object must only contain one XML element. This element is returned as output node.
This does mean that the enveloping XML signature must have either the structure
Available as of 2.12.2 | |||
xpathsToIdAttributes | List<XPathFilterParameterSpec> | empty list | Since 2.14.0. List of XPATH expressions to ID attributes of elements to be signed. Used for the detached XML Signatures. Can only be used in combination with the option schemaResourceUri . The value can be overwritten by the header "CamelXmlSignatureXpathsToIdAttributes ". If the option parentLocalNam e is set at the same time then an exception is thrown. The class XPathFilterParameterSpec has the package javax.xml.crypto.dsig.spec . For further information, see sub-chapter "Detached XML Signatures as Siblings of the Signed Elements". |
signatureId | String | null | Since 2.14.0. Value of the Id attribute of the Signature element. If null then a unique Id is generated. If the value is the empty string ("") then no Id attribute is added to the Signature element. |
Verifying Options
The verifier endpoint has the following options.
Name | Type | Default | Description |
---|---|---|---|
keySelector | null | Provides the key for validating the XML signature. There is an example implementation which uses a keystore, see DefaultKeySelector. | |
xmlSignatureChecker | null | This interface allows the application to check the XML signature before the validation is executed. This step is recommended in http://www.w3.org/TR/xmldsig-bestpractices/#check-what-is-signed | |
validationFailedHandler | Handles the different validation failed situations. The default implementation throws specific exceptions for the different situations (All exceptions have the package name | ||
xmlSignature2Message | Bean which maps the XML signature to the ouput-message after the validation. How this mapping should be done can be configured by the options | ||
outputNodeSearchType | String | "Default" | Determines the type of the search of the output node. See option |
outputNodeSearch | Object | null | Search value of the output node search. The type depends on the search type. For the default search implementation |
removeSignatureElements | Boolean | Boolean.FALSE | Indicator for removing Signature elements in the output message in the enveloped XML signature case. Used in the |
secureValidation | Boolean | Boolean.TRUE | Enables secure validation. If true then secure validation is enabled - see here for more information. |
Output Node Determination in Enveloping XML Signature Case
After the validation the node is extracted from the XML signature document which is finally returned to the output-message body. In the enveloping XML signature case, the default implementation DefaultXmlSignature2Message of XmlSignature2Message does this for the node search type "Default" in the following way (see option xmlSignature2Message
):
First an Object reference is determined:
- Only same document references are taken into account (URI must start with '#')
- Also indirect same document references to an object via manifest are taken into account.
- The resulting number of Object references must be 1.
Then, the Object is dereferenced and the Object must only contain one XML element. This element is returned as output node.
This does mean that the enveloping XML signature must have either the structure
Code Block |
---|
<Signature>
|
Code Block |
<Signature> <SignedInfo> <Reference URI="#object"/> <!-- further references possible but they must not point to an Object or Manifest containing an object reference <SignedInfo> <Reference URI="#object"/> <!-- further references possible but they must not point to an Object or Manifest containing an object reference --> ... </SignedInfo> <Object Id="object"> <!-- contains one XML element which is extracted to the message body --> <Object> <!-- further object elements possible which are not referenced--> ... (<KeyInfo>)? </Signature> |
...
Code Block | ||||
---|---|---|---|---|
| ||||
from("direct:detached")
.to("xmlsecurity:sign://detached?keyAccessor=#keyAccessorBeant&xpathsToIdAttributes=#xpathsToIdAttributesBean&schemaResourceUri=Test.xsd")
.to("xmlsecurity:verify://detached?keySelector=#keySelectorBean&schemaResourceUri=org/apache/camel/component/xmlsecurity/Test.xsd")
.to("mock:result"); | ||||
Code Block | ||||
| ||||
| ||||
from("direct:detached")
.to("xmlsecurity:sign://detached?keyAccessor=#keyAccessorBeant&xpathsToIdAttributes=#xpathsToIdAttributesBean&schemaResourceUri=Test.xsd")
.to("xmlsecurity:verify://detached?keySelector=#keySelectorBean&schemaResourceUri=org/apache/camel/component/xmlsecurity/Test.xsd")
.to("mock:result"); |
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="xpathsToIdAttributesBean" class="java.util.ArrayList">
<constructor-arg type="java.util.Collection">
<list>
<bean
class="org.apache.camel.component.xmlsecurity.api.XmlSignatureHelper"
factory-method="getXpathFilter">
<constructor-arg type="java.lang.String"
value="/ns:root/a/@ID" />
<constructor-arg>
<map key-type="java.lang.String" value-type="java.lang.String">
<entry key="ns" value="http://test" />
</map>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
...
<from uri="direct:detached" />
<to
uri="xmlsecurity:sign://detached?keyAccessor=#keyAccessorBean&xpathsToIdAttributes=#xpathsToIdAttributesBean&schemaResourceUri=Test.xsd" />
<to
uri="xmlsecurity:verify://detached?keySelector=#keySelectorBean&schemaResourceUri=Test.xsd" />
<to uri="mock:result" /> |
XAdES-BES/EPES for the Signer Endpoint
Available as of Camel 2.15.0
Code Block | ||||
---|---|---|---|---|
| ||||
<QualifyingProperties Target> <SignedProperties> <SignedSignatureProperties> (SigningTime)? (SigningCertificate)? (SignaturePolicyIdentifier) (SignatureProductionPlace)? (SignerRole)? </SignedSignatureProperties> <SignedDataObjectProperties> |
...
(DataObjectFormat)? |
...
(CommitmentTypeIndication)? |
...
</SignedDataObjectProperties> |
...
</SignedProperties>
</QualifyingProperties> |
The properties of the XAdES-BES form are the same except that the SignaturePolicyIdentifier
property is not part of XAdES-BES.
You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties
or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties
does support all properties mentioned above except the SigningCertificate
property. To get the SigningCertificate
property, you must overwrite either the method XAdESSignatureProperties.getSigningCertificate()
or XAdESSignatureProperties.getSigningCertificateChain().
The class DefaultXAdESSignatureProperties
overwrites the method getSigningCertificate()
and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters you can specify. If you do not need certain parameters you can just omit them.
Code Block | ||||
---|---|---|---|---|
| ||||
Keystore keystore |
...
= ... // load a keystore DefaultKeyAccessor accessor = |
...
new DefaultKeyAccessor(); accessor.setKeyStore(keystore); |
...
accessor.setPassword("password"); accessor.setAlias("cert_alias"); // signer key alias DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties(); |
...
|
...
props.setNamespace("http:// |
...
uri.etsi.org/01903/v1.3.2#"); // sets the namespace for the XAdES elements; the namspace is related to the XAdES version, default value is "http://uri.etsi.org/01903/v1.3.2#", other possible values are "http://uri.etsi.org/01903/v1.1.1#" and "http://uri.etsi.org/01903/v1.2.2#" |
...
props.setPrefix("etsi"); // sets the prefix for the XAdES elements, default value is "etsi" |
...
// signing |
...
certificate |
...
props.setKeystore(keystore)); |
...
props.setAlias("cert_alias"); // specify the alias of the signing certificate in the keystore = signer key alias props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256); // possible values for the algorithm are |
...
" |
...
http: |
...
// |
...
XAdES-BES/EPES for the Signer Endpoint
Available as of Camel 2.15.0
Code Block | ||||
---|---|---|---|---|
| ||||
www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha512", default value is "http://www.w3.org/2001/04/xmlenc#sha256" props.setSigningCertificateURIs(Collections.singletonList("http://certuri")); // signing time props.setAddSigningTime(true); // policy props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID); <QualifyingProperties Target> // also the values XAdESSignatureProperties.SIG_POLICY_NONE ("None"), and XAdESSignatureProperties.SIG_POLICY_IMPLIED ("Implied")are possible, default value <SignedProperties> is XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID ("ExplicitId") // For "None" and "Implied" you <SignedSignatureProperties> must not specify any further policy parameters (SigningTime)?props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1"); props.setSigPolicyIdQualifier("OIDAsURN"); //allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty (SigningCertificate)?string props.setSigPolicyIdDescription("invoice version 3.1"); (SignaturePolicyIdentifier) (SignatureProductionPlace)?props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256);// possible values for the algorithm are "http://www.w3.org/2000/09/xmldsig#sha1", http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha512", default value is http://www.w3.org/2001/04/xmlenc#sha256" (SignerRole)?props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM="); // you can add qualifiers for </SignedSignatureProperties> the signature policy either by specifying text or an XML fragment with the root element "SigPolicyQualifier" <SignedDataObjectProperties> props.setSigPolicyQualifiers(Arrays (DataObjectFormat)? .asList(new String[] { "<SigPolicyQualifier (CommitmentTypeIndication)?xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>" </SignedDataObjectProperties> + "</SPUserNotice></SigPolicyQualifier>", "category </SignedProperties>B" })); </QualifyingProperties> |
The properties of the XAdES-BES form are the same except that the SignaturePolicyIdentifier
property is missing.
You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties
or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties
does support all properties mentioned above except the SigningCertificate
property. To get the SigningCertificate
property, you must overwrite either the method XAdESSignatureProperties.getSigningCertificate()
or XAdESSignatureProperties.getSigningCertificateChain().
The class DefaultXAdESSignatureProperties
overwrites the method getSigningCertificate()
and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters which you can specify, if you do not need certain parameters you can just omit them.
Code Block | ||||
---|---|---|---|---|
| ||||
props.setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt", "http://test.com/policy.doc.ref2.txt" })); Keystore keystore = ... // loadproduction a keystoreplace DefaultKeyAccessor accessor = new DefaultKeyAccessor(props.setSignatureProductionPlaceCity("Munich"); accessorprops.setKeyStoresetSignatureProductionPlaceCountryName(keystore"Germany"); accessorprops.setPasswordsetSignatureProductionPlacePostalCode("password80331"); accessorprops.setAliassetSignatureProductionPlaceStateOrProvince("cert_aliasBavaria"); // signer key alias DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties();role // you can add claimed roles either by specifying text or an XML fragment with the root element "ClaimedRole" props.setNamespace("http://uri.etsi.org/01903/v1.3.2#"); // sets the namespace for the XAdES elements; the namspace is related to the XAdES version, default value is "http://uri.etsi.org/01903/v1.3.2#", other possible values are setSignerClaimedRoles(Arrays.asList(new String[] {"test", "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.13.1#" and "http://uri.etsi.org/01903/v1.2.2#"2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" })); props.setPrefixsetSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("etsi"); // sets the prefix for the XAdES elements, default value is "etsi" Ahixl6upD6av8N7pEvDABhEL6hM=", "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole"))); // data signingobject certificateformat props.setKeystore(keystore)setDataObjectFormatDescription("invoice"); props.setAliassetDataObjectFormatMimeType("cert_aliastext/xml"); // specify the alias of the signing certificate in the keystore = signer key alias props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2"); props.setSigningCertificateURIssetDataObjectFormatIdentifierQualifier(Collections.singletonList("http://certuri"OIDAsURN")); // signing time; //allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string props.setAddSigningTime(true); // policysetDataObjectFormatIdentifierDescription("identifier desc"); props.setSignaturePolicysetDataObjectFormatIdentifierDocumentationReferences(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID);Arrays.asList(new String[] { // also the values XAdESSignatureProperties.SIG_POLICY_NONE and XAdESSignatureProperties.SIG_POLICY_IMPLIED are possible "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" })); // then you must not specify any further policy parameterscommitment props.setSigPolicyIdsetCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.14"); props.setSigPolicyIdQualifiersetCommitmentTypeIdQualifier("OIDAsURN"); //allowed values are empty props.setSigPolicyIdDescription("invoice version 3.1"); props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256);string, "OIDAsURI", "OIDAsURN"; default value is empty string props.setSignaturePolicyDigestValuesetCommitmentTypeIdDescription("Ohixl6upD6av8N7pEvDABhEL6hM="); props.setSigPolicyQualifiers(Arrays description for commitment type ID"); props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] { "http://test.com/commitment.ref1.txt", "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sigcommitment.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>"ref2.txt" })); // you can specify a commitment type qualifier either by simple text or an XML fragment with + "</SPUserNotice></SigPolicyQualifier>", "category B" }));root element "CommitmentTypeQualifier" props.setSigPolicyIdDocumentationReferencessetCommitmentTypeQualifiers(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txtcommitment qualifier", "<c:CommitmentTypeQualifier xmlns:c=\"http://test.com/policy.doc.ref2.txturi.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" })); beanRegistry.bind("xmlSignatureProperties",props); beanRegistry.bind("keyAccessorDefault",keyAccessor); // production place props.setSignatureProductionPlaceCity("Munich");you must reference the properties bean in the "xmlsecurity" URI from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties") props.setSignatureProductionPlaceCountryName("Germany"); props.setSignatureProductionPlacePostalCode("80331"); props.setSignatureProductionPlaceStateOrProvinceto("Bavariamock:result"); //role |
Code Block | ||||
---|---|---|---|---|
| ||||
... // you can add claimed roles either by specifying simple text or an XML fragment with the root element ClaimedRole <from uri="direct:xades" /> <to props.setSignerClaimedRoles(Arrays.asList(new String[] {"test",uri="xmlsecurity:sign://xades?keyAccessor=#accessorRsa&properties=#xadesProperties" /> "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" }));<to uri="mock:result" /> ... <bean id="xadesProperties" props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=",class="org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties"> <!-- For more "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole"))); properties see the the previous Java DSL example. If you want //to datahave objecta format signing certificate then use the bean class DefaultXAdESSignatureProperties props.setDataObjectFormatDescription("invoice"); props.setDataObjectFormatMimeType("text/xml"); (see the previous Java DSL example). --> <property props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2"); name="signaturePolicy" value="ExplicitId" /> props.setDataObjectFormatIdentifierQualifier("OIDAsURN"); <property name="sigPolicyId" value="http://www.test.com/policy.pdf" /> props.setDataObjectFormatIdentifierDescription("identifier desc");<property name="sigPolicyIdDescription" value="factura" /> props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] { <property name="signaturePolicyDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" /> <property "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" })); name="signaturePolicyDigestValue" value="Ohixl6upD6av8N7pEvDABhEL1hM=" /> <property name="signerClaimedRoles" ref="signerClaimedRoles_XMLSigner" //commitment> props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4"); <property name="dataObjectFormatDescription" value="Factura electrónica" /> props.setCommitmentTypeIdQualifier("OIDAsURN"); <property name="dataObjectFormatMimeType" value="text/xml" /> </bean> props.setCommitmentTypeIdDescription("description for commitment type ID");<bean class="java.util.ArrayList" id="signerClaimedRoles_XMLSigner"> props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt",<constructor-arg> "http://test.com/commitment.ref2.txt" })); <list> // you can specify a commitment type qualifier<value>Emisor</value> either by simple text or an XML fragment with root element CommitmentTypeQualifier <value><ClaimedRole props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier", "<c:CommitmentTypeQualifier xmlns:c=\"="http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" })); beanRegistry.bind("xmlSignatureProperties",props); beanRegistry.bind("keyAccessorDefault",keyAccessor); // you must reference the properties bean in the "xmlsecurity" URI from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties")"><test xmlns="http://test.com/">test</test></ClaimedRole></value> </list> .to("mock:result"); </constructor-arg> </bean> |
Headers
Header | Type | Description |
---|---|---|
| String | for the 'Id' attribute value of QualifyingProperties element |
| String | for the 'Id' attribute value of SignedDataObjectProperties element |
| String | for the 'Id' attribute value of SignedSignatureProperties element |
| String | for the value of the Encoding element of the DataObjectFormat element |
CamelXmlSignatureXAdESNamespace | String | overwrites the XAdES namespace parameter value |
| String | overwrites the XAdES prefix parameter value |
Limitations with regard to XAdES version 1.4.2
- No support for signature form XAdES-T and XAdES-C
- Only signer part implemented. Verifier part currently not available.
- No support for the '
QualifyingPropertiesReference
' element (see section 6.3.2 of spec). - No support for the
Transforms
element contained in theSignaturePolicyId
element contained in theSignaturePolicyIdentifier element
- No support of the
CounterSignature
element --> no support for theUnsignedProperties
element - At most one
DataObjectFormat
element. More than oneDataObjectFormat
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). - At most one
CommitmentTypeIndication
element. More than oneCommitmentTypeIndication
element makes no sense because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint). A
CommitmentTypeIndication
element contains always theAllSignedDataObjects
element. TheObjectReference
element withinCommitmentTypeIndication
element is not supported.- The
AllDataObjectsTimeStamp
element is not supported - The
IndividualDataObjectsTimeStamp
element is not supported
...