
SignatureProduction

Luís Gonçalves edited this page Feb 19, 2022 · 3 revisions

Signature Production Overview

XAdES4j supports producing signatures in any of the four main XAdES forms (XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C).

All the optional qualifying properties in XAdES 1.4.1 (i.e. the ones that are not part of any specific form) are supported. As for mandatory properties, the library doesn't support the ones related to attribute certificates, such as AttributeCertificateRefs and AttrAuthoritiesCertValues. In addition, the use of OCSP is not yet supported.

Generating a XAdES signature with XAdES4j consists of two tasks. The first is to create a signer, which is represented by the XadesSigner interface. The second is to define the resources being signed.

Creating a Signer

Signers are created through XadesSigningProfiles, which are a means to configure the service providers that should be used by the signer. The only mandatory provider is the keying provider, i.e. the one that is used by the signer to obtain the signing key/certificate.

KeyingDataProvider kp = FileSystemKeyStoreKeyingDataProvider.builder(...).build();
XadesSigningProfile p = new XadesBesSigningProfile(kp);
XadesSigner signer = p.newSigner();

Since each XAdES form demands specific information (policy document, validation data), there are different profile types for each of them: XadesBesSigningProfile, XadesEpesSigningProfile, XadesTSigningProfile and XadesCSigningProfile. Each type enables the configuration of the appropriate service providers.

Defining the Signed Resources

The following types are available to represent signed data objects:

  • DataObjectReference for same-document or external URI references.
  • EnvelopedXmlObject for content that will be added to an Object element within the signature.
  • AnonymousDataObjectReference for references without the URI attribute (at most one reference per signature).
  • EnvelopedManifest for embedded Manifest.

Each of these classes represents signed content and results in a Reference element being added to the signature.

More info on different types of signed data objects.

Signed data objects can be subject to transforms. The library supports some of the most common transforms and a generic transform with parameters.

DataObjectDesc obj = new DataObjectReference("#someId")
   .withTransform(new XPath2FilterTransform(XPathFilter.subtract("/excludedElem")))
   .withTransform(new GenericDataObjectTransform("http://transform.uri"));

The data object classes also provide the API to define the data object's qualifying properties. Qualifying properties that apply to all the signed data objects are defined using the SignedDataObjects container.

DataObjectDesc obj = new DataObjectReference("http://...").withDataObjectTimeStamp();
SignedDataObjects dataObjs = new SignedDataObjects(obj).withCommitmentType(AllDataObjsCommitmentTypeProperty.proofOfOrigin());

More info on defining qualifying properties.

Generating the Signature

After configuring the signer and defining the signed data objects, applying the signature is straightforward.

Element sigParentNode = ...; // The DOM node to which the signature will be appended (Element or Document)
signer.sign(dataObjs, sigParentNode);
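The three steps above put together into one complete program producing an enveloped XAdES-BES signature. This is an added example, not code from the wiki or from the xades4j project; it assumes xades4j 2.x on the classpath, a PKCS#12 keystore at signer.p12 whose password is read from an environment variable, and an input file document.xml (file names and the variable name XADES_KEYSTORE_PASSWORD are placeholders).

```java
import java.io.File;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import xades4j.algorithms.EnvelopedSignatureTransform;
import xades4j.production.DataObjectDesc;
import xades4j.production.DataObjectReference;
import xades4j.production.SignedDataObjects;
import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.properties.AllDataObjsCommitmentTypeProperty;
import xades4j.providers.KeyingDataProvider;
import xades4j.providers.impl.DirectPasswordProvider;
import xades4j.providers.impl.FileSystemKeyStoreKeyingDataProvider;
import xades4j.providers.impl.KeyStoreKeyingDataProvider.SigningCertificateSelector;

public class EnvelopedBesSigning {
    public static void main(String[] args) throws Exception {
        // Step 1: keying provider -> profile -> signer. The keystore password is read
        // from the environment (placeholder variable name) rather than hard-coded.
        String pwd = System.getenv("XADES_KEYSTORE_PASSWORD");
        KeyingDataProvider kp = FileSystemKeyStoreKeyingDataProvider
                .builder("pkcs12", "signer.p12", SigningCertificateSelector.single())
                .storePassword(new DirectPasswordProvider(pwd))
                .entryPassword(new DirectPasswordProvider(pwd))
                .fullChain(true) // embed the chain so verifiers can build the cert path
                .build();
        XadesSigner signer = new XadesBesSigningProfile(kp).newSigner();
        // Step 2: the signed resource. URI "" means the whole enclosing document; the
        // enveloped-signature transform excludes the ds:Signature element itself, so
        // the digest still matches after the signature is appended.
        DataObjectDesc obj = new DataObjectReference("")
                .withTransform(new EnvelopedSignatureTransform());
        SignedDataObjects dataObjs = new SignedDataObjects(obj)
                .withCommitmentType(AllDataObjsCommitmentTypeProperty.proofOfOrigin());
        // Step 3: parse the input namespace-aware (XML-DSig requires it), with DTDs
        // disabled so the document cannot pull in external entities, then sign.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new File("document.xml"));
        Element root = doc.getDocumentElement();
        signer.sign(dataObjs, root); // appends ds:Signature as the last child of root
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(new File("document.signed.xml")));
    }
}
```

Because the reference uses an empty URI, omitting the EnvelopedSignatureTransform would make the signature cover its own ds:Signature element and fail verification.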