Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Name

Type

Default

Description

uriDereferencer

javax.xml.crypto.URIDereferencer

null

URI dereferencer. You can specify here your own URI dereferencer, if you want to restrict the dereferencing or have special requirements for dereferencing.

baseUri

String

null

Base URI used in the URI dereferencer. Relative URIs are concatenated with the base URI.

cryptoContextProperties

Map<String, ? extends Object>

null

Crypto context properties. See javax.xml.crypto.XMLCryptoContext.setProperty(String, Object). The properties can depend on the provider. For example, the JDK provider "XMLDSig" has the property "org.jcp.xml.dsig.validateManifests" for enabling manifest validation. The following properties are set by default to the value Boolean.TRUE for the XML verifier: "org.jcp.xml.dsig.validateManifests", "javax.xml.crypto.dsig.cacheReference". If the option secureValidation} is {{true then additionally the properties "org.apache.jcp.xml.dsig.secureValidation" and "org.jcp.xml.dsig.secureValidation" are set to Boolean.TRUE for the XML verifier. If you want to switch these features off you must set the property values to Boolean.FALSE.

disallowDoctypeDecl

Boolean

Boolean.TRUE

Indicator whether DTD DOCTYPE declarations shall be disallowed in the incoming XML message.

omitXmlDeclaration

Boolean

Boolean.FALSE

Indicator whether the XML declaration header shall be omitted in the output XML message.

clearHeaders

Boolean

Boolean.TRUE

Indicator whether the XML signature message headers defined in XmlSignatureConstants shall be deleted at the end of the signer or verifier processing.

schemaResourceUriStringnullSince 2.14.0. Classpath to the XML Schema file. If set then the XML document is validated against the XML schema. Must be set in the case of detached signatures in order to determine the attributes of type ID. This value can be overwritten by the header "CamelXmlSignatureSchemaResourceUri". For further information, see sub-chapter "Detached XML Signatures as Siblings of the Signed Elements". The schema is also necessary in the case of enveloped signature with a reference URI to an ID attribute (see Signing Option 'contentReferenceUri').
outputXmlEncodingStringnullSince 2.15.0. Character encoding of the output XML document. If null then UTF-8 is used.

...

Name

Type

Default

Description

keyAccessor

KeyAccessor

null

Provides the signing key and the KeyInfo instance. There is an example implementation which uses a keystore, see DefaultKeyAccessor

addKeyInfoReference

Boolean

Boolean.TRUE

Indicator whether a Reference element refering the KeyInfo element provided by the key accessor should be added to the XML signature.

signatureAlgorithm

String

http://www.w3.org/2000/09/xmldsig#rsa-sha1

signature algorithm consisting of a digest and encryption algorithm. The digest algorithm is used to calculate the digest of the SignedInfo element and the encryption algorithm is used to sign this digest. Possible values: http://www.w3.org/2000/09/xmldsig#dsa-sha1, http://www.w3.org/2000/09/xmldsig#rsa-sha1, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2001/04/xmldsig-more#rsa-sha384, http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

digestAlgorithm

String

see description

Digest algorithm for calculating the digest of the in-message body. If not specified then the digest algorithm of the signature algorithm is used. Possible values: http://www.w3.org/2000/09/xmldsig#sha1, http://www.w3.org/2001/04/xmlenc#sha256, http://www.w3.org/2001/04/xmldsig-more#sha384, http://www.w3.org/2001/04/xmlenc#sha512

parentLocalName

String

null

Local name of the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option parentXpath are null, then an enveloping XML signature is created. See also option parentNamespace. Alternatively you can specify the parent via the option parentXpath.

parentNamespace

String

null

Namespace of the parent of the Signature element. See option parentLocalName

parentXpathXPathFilterParameterSpecnullSince 2.15.0. XPath to the parent of the Signature element. The Signature element will be added at the end of the children of the parent. Necessary for enveloped XML signature. If this option and the option parentLocalName are null, then an enveloping XML signature is created. Alternatively you can specify the parent via the option parentLocalName. Example: /p1:root/SecurityItem[last()] This example will select the last sibling with the name SecurityItem. Such kind of selection is not possible with the option parentLocalName.

canonicalizationMethod

javax.xml.crypto.AlgorithmMethod

C14n

Canonicalization method used to canonicalize the SignedInfo element before the digest is calculated. You can use the helper methods XmlSignatureHelper.getCanonicalizationMethod(String algorithm) or getCanonicalizationMethod(String algorithm, List<String> inclusiveNamespacePrefixes) to create a canonicalization method.

transformMethods

List<javax.xml.crypto.AlgorithmMethod>

see description

Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option parentLocalName) also http://www.w3.org/2000/09/xmldsig#enveloped-signature is added at position 0 of the list. Use methods in XmlSignatureHelper to create the transform methods.

The Camel header "CamelXmlSignatureTransformMethods" overwrites this option (since Camel 2.17.0). The header value must be of type string; you specify in a comma separated list the transform algorithms, for example "http://www.w3.org/2000/09/xmldsig#enveloped-signature,http://www.w3.org/TR/2001/REC-xml-c14n-20010315". In the header you cannot specify transform algorithms which need parameters, like http://www.w3.org/TR/1999/REC-xslt-19991116, http://www.w3.org/2002/06/xmldsig-filter2, or http://www.w3.org/TR/1999/REC-xpath-19991116.

prefixForXmlSignatureNamespace

String

ds

Prefix for the XML signature namespace. If null is specified or an empty string then no prefix is used for the signature namespace.

contentReferenceUri

String

see description

The URI of the reference to the signed content (in-message body). If null and we are in the enveloped XML signature case then the URI is set to "". If null and we are in the enveloping XML signature case then the URI is set to "generated_object_id" which means that the reference points to the Object element containing the in-message body. You can use this option to reference a specific part in your in-message body if you do not want to sign the complete in-message body. This value can be overwritten by the header "CamelXmlSignatureContentReferenceUri". Please be aware, if you want to use a value of an XML ID attribute (example: "#ID_value"), then you must provide the information about the ID attribute either via a doctype definition contained in the input XML document or via a XML schema document which you can specify in the option 'schemaResourceUri'. The defining of the ID attributes via XML schema with the option 'schemaResourceURi' works only in the enveloped signature case. This option is ignored in the case of detached signature when the option xpathsToIdAttributes is set.

contentReferenceType

String

null

Value of the type attribute of the content reference. This value can be overwritten by the header "CamelXmlSignatureContentReferenceType"

plainText

Boolean

Boolean.FALSE

Indicator whether the in-message body contains plain text. Normally, the signature generator treats the incoming message body as XML. If the message body is plain text, then you must set this option to true. The value can be overwritten by the header "CamelXmlSignatureMessageIsPlainText".

plainTextEncoding

String

null

Only used when the option plainText is set to true. Then you can specify the encoding of the plain text. If null then UTF-8 is used. The value can be overwritten by the header "CamelXmlSignatureMessageIsPlainTextEncoding".

properties

XmlSignatureProperties

null

For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface.

contentObjectId

String

null

Value of the Id attribute of the Object element. Only used in the enveloping XML signature case. If null then a unique value is generated. Available as of 2.12.2

xpathsToIdAttributesList<XPathFilterParameterSpec>empty listSince 2.14.0. List of XPATH expressions to ID attributes of elements to be signed. Used for the detached XML Signatures. Can only be used in combination with the option schemaResourceUri. The value can be overwritten by the header "CamelXmlSignatureXpathsToIdAttributes". If the option parentLocalName is set at the same time then an exception is thrown. The class XPathFilterParameterSpec has the package javax.xml.crypto.dsig.spec. For further information, see sub-chapter "Detached XML Signatures as Siblings of the Signed Elements".
signatureIdStringnullSince 2.14.0. Value of the Id attribute of the Signature element. If null then a unique Id is generated. If the value is the empty string ("") then no Id attribute is added to the Signature element.

...

 

Code Block
languagexml
titleSupported XAdES-EPES Properties
        <QualifyingProperties Target>
            <SignedProperties>
                <SignedSignatureProperties>
                    (SigningTime)?
                    (SigningCertificate)?
                    (SignaturePolicyIdentifier)
                    (SignatureProductionPlace)?
                    (SignerRole)?
                </SignedSignatureProperties>
                <SignedDataObjectProperties>
                    (DataObjectFormat)?
                    (CommitmentTypeIndication)?
                </SignedDataObjectProperties>
            </SignedProperties>
        </QualifyingProperties>

The properties of the XAdES-BES form are the same except that the SignaturePolicyIdentifier property is not part of XAdES-BES. 

You can configure the XAdES-BES/EPES properties via the bean org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties or org.apache.camel.component.xmlsecurity.api.DefaultXAdESSignatureProperties. XAdESSignatureProperties does support all properties mentioned above except the SigningCertificate property. To get the SigningCertificate property, you must overwrite either the method XAdESSignatureProperties.getSigningCertificate() or XAdESSignatureProperties.getSigningCertificateChain(). The class DefaultXAdESSignatureProperties overwrites the method getSigningCertificate() and allows you to specify the signing certificate via a keystore and alias. The following example shows all parameters you can specify. If you do not need certain parameters you can just omit them.

Code Block
languagejava
titleXAdES-BES/EPES Example in Java DSL
        Keystore keystore = ... // load a keystore
        DefaultKeyAccessor accessor = new DefaultKeyAccessor();
        accessor.setKeyStore(keystore);
        accessor.setPassword("password");
        accessor.setAlias("cert_alias"); // signer key alias
 
        DefaultXAdESSignatureProperties props = new DefaultXAdESSignatureProperties();
        props.setNamespace("http://uri.etsi.org/01903/v1.3.2#"); // sets the namespace for the XAdES elements; the namspace is related to the XAdES version, default value is "http://uri.etsi.org/01903/v1.3.2#", other possible values are "http://uri.etsi.org/01903/v1.1.1#" and "http://uri.etsi.org/01903/v1.2.2#"
        props.setPrefix("etsi"); // sets the prefix for the XAdES elements, default value is "etsi"
        
        // signing certificate
        props.setKeystore(keystore));
        props.setAlias("cert_alias"); // specify the alias of the signing certificate in the keystore = signer key alias
        props.setDigestAlgorithmForSigningCertificate(DigestMethod.SHA256); // possible values for the algorithm are "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha512", default value is "http://www.w3.org/2001/04/xmlenc#sha256"
        props.setSigningCertificateURIs(Collections.singletonList("http://certuri"));
 
        // signing time
        props.setAddSigningTime(true);
 
        // policy
        props.setSignaturePolicy(XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID);
        // also the values XAdESSignatureProperties.SIG_POLICY_NONE ("None"), and XAdESSignatureProperties.SIG_POLICY_IMPLIED ("Implied")are possible, default value is XAdESSignatureProperties.SIG_POLICY_EXPLICIT_ID ("ExplicitId")
        // For "None" and "Implied" you must not specify any further policy parameters
        props.setSigPolicyId("urn:oid:1.2.840.113549.1.9.16.6.1");
        props.setSigPolicyIdQualifier("OIDAsURN"); //allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
        props.setSigPolicyIdDescription("invoice version 3.1");
        props.setSignaturePolicyDigestAlgorithm(DigestMethod.SHA256);// possible values for the algorithm are "http://www.w3.org/2000/09/xmldsig#sha1", http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#sha384", "http://www.w3.org/2001/04/xmlenc#sha512", default value is http://www.w3.org/2001/04/xmlenc#sha256"
        props.setSignaturePolicyDigestValue("Ohixl6upD6av8N7pEvDABhEL6hM=");
        // you can add  qualifiers for the signature policy either by specifying text or an XML fragment with the root element "SigPolicyQualifier" 
        props.setSigPolicyQualifiers(Arrays
            .asList(new String[] {
                "<SigPolicyQualifier xmlns=\"http://uri.etsi.org/01903/v1.3.2#\"><SPURI>http://test.com/sig.policy.pdf</SPURI><SPUserNotice><ExplicitText>display text</ExplicitText>"
                    + "</SPUserNotice></SigPolicyQualifier>", "category B" }));
        props.setSigPolicyIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/policy.doc.ref1.txt",
            "http://test.com/policy.doc.ref2.txt" }));
 
        // production place
        props.setSignatureProductionPlaceCity("Munich");
        props.setSignatureProductionPlaceCountryName("Germany");
        props.setSignatureProductionPlacePostalCode("80331");
        props.setSignatureProductionPlaceStateOrProvince("Bavaria");
 
        //role
        // you can add claimed roles either by specifying text or an XML fragment with the root element "ClaimedRole" 
        props.setSignerClaimedRoles(Arrays.asList(new String[] {"test",
            "<a:ClaimedRole xmlns:a=\"http://uri.etsi.org/01903/v1.3.2#\"><TestRole>TestRole</TestRole></a:ClaimedRole>" }));
        props.setSignerCertifiedRoles(Collections.singletonList(new XAdESEncapsulatedPKIData("Ahixl6upD6av8N7pEvDABhEL6hM=",
            "http://uri.etsi.org/01903/v1.2.2#DER", "IdCertifiedRole")));
 
        // data object format
        props.setDataObjectFormatDescription("invoice");
        props.setDataObjectFormatMimeType("text/xml");
        props.setDataObjectFormatIdentifier("urn:oid:1.2.840.113549.1.9.16.6.2");
        props.setDataObjectFormatIdentifierQualifier("OIDAsURN"); //allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
        props.setDataObjectFormatIdentifierDescription("identifier desc");
        props.setDataObjectFormatIdentifierDocumentationReferences(Arrays.asList(new String[] {
            "http://test.com/dataobject.format.doc.ref1.txt", "http://test.com/dataobject.format.doc.ref2.txt" }));
 
        //commitment
        props.setCommitmentTypeId("urn:oid:1.2.840.113549.1.9.16.6.4");
        props.setCommitmentTypeIdQualifier("OIDAsURN"); //allowed values are empty string, "OIDAsURI", "OIDAsURN"; default value is empty string
        props.setCommitmentTypeIdDescription("description for commitment type ID");
        props.setCommitmentTypeIdDocumentationReferences(Arrays.asList(new String[] {"http://test.com/commitment.ref1.txt",
            "http://test.com/commitment.ref2.txt" }));
        // you can specify a commitment type qualifier either by simple text or an XML fragment with root element "CommitmentTypeQualifier"
        props.setCommitmentTypeQualifiers(Arrays.asList(new String[] {"commitment qualifier",
            "<c:CommitmentTypeQualifier xmlns:c=\"http://uri.etsi.org/01903/v1.3.2#\"><C>c</C></c:CommitmentTypeQualifier>" }));
 
 beanRegistry.bind("xmlSignatureProperties",props);
 beanRegistry.bind("keyAccessorDefault",keyAccessor);
 
 // you must reference the properties bean in the "xmlsecurity" URI
 from("direct:xades").to("xmlsecurity:sign://xades?keyAccessor=#keyAccessorDefault&properties=#xmlSignatureProperties")
                     .to("mock:result");

Code Block
languagexml
titleXAdES-BES/EPES Example in Spring XML
   ...
   <from uri="direct:xades" />
            <to
                uri="xmlsecurity:sign://xades?keyAccessor=#accessorRsa&amp;properties=#xadesProperties" />
            <to uri="mock:result" />
   ...
   <bean id="xadesProperties"
        class="org.apache.camel.component.xmlsecurity.api.XAdESSignatureProperties">
        <!-- For more properties see the the previous Java DSL example. 
             If you want to have a signing certificate then use the bean class DefaultXAdESSignatureProperties (see the previous Java DSL example). -->
        <property name="signaturePolicy" value="ExplicitId" />
        <property name="sigPolicyId" value="http://www.test.com/policy.pdf" />
        <property name="sigPolicyIdDescription" value="factura" />
        <property name="signaturePolicyDigestAlgorithm" value="http://www.w3.org/2000/09/xmldsig#sha1" />
        <property name="signaturePolicyDigestValue" value="Ohixl6upD6av8N7pEvDABhEL1hM=" />
        <property name="signerClaimedRoles" ref="signerClaimedRoles_XMLSigner" />
        <property name="dataObjectFormatDescription" value="Factura electrónica" />
        <property name="dataObjectFormatMimeType" value="text/xml" />
    </bean>
    <bean class="java.util.ArrayList" id="signerClaimedRoles_XMLSigner">
        <constructor-arg>
            <list>
                <value>Emisor</value>
                <value>&lt;ClaimedRole
                    xmlns=&quot;http://uri.etsi.org/01903/v1.3.2#&quot;&gt;&lt;test
                    xmlns=&quot;http://test.com/&quot;&gt;test&lt;/test&gt;&lt;/ClaimedRole&gt;</value>
            </list>
        </constructor-arg>
    </bean>

Headers

HeaderTypeDescription

CamelXmlSignatureXAdESQualifyingPropertiesId

Stringfor the 'Id' attribute value of QualifyingProperties element

CamelXmlSignatureXAdESSignedDataObjectPropertiesId

Stringfor the 'Id' attribute value of SignedDataObjectProperties element

CamelXmlSignatureXAdESSignedSignaturePropertiesId

Stringfor the 'Id' attribute value of  SignedSignatureProperties element

CamelXmlSignatureXAdESDataObjectFormatEncoding

Stringfor the value of the Encoding element of the DataObjectFormat element
CamelXmlSignatureXAdESNamespaceString overwrites the XAdES namespace parameter value

CamelXmlSignatureXAdESPrefix

Stringoverwrites the XAdES prefix parameter value

Limitations with regard to XAdES version 1.4.2

  • No support for signature form XAdES-T and XAdES-C
  • Only signer part implemented. Verifier part currently not available.
  • No support for the 'QualifyingPropertiesReference' element (see section 6.3.2 of spec).
  • No support for the Transforms element contained in the SignaturePolicyId element contained in the SignaturePolicyIdentifier element
  • No support of the CounterSignature element --> no support for the UnsignedProperties element
  • At most one DataObjectFormat element. More than one DataObjectFormat element makes no sense  because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint).
  • At most one CommitmentTypeIndication element. More than one CommitmentTypeIndicationelement makes no sense  because we have only one data object which is signed (this is the incoming message body to the XML signer endpoint).
  • A CommitmentTypeIndication element contains always the AllSignedDataObjects element. The ObjectReference element within CommitmentTypeIndication  element is not supported.

  • The AllDataObjectsTimeStamp element is not supported
  • The IndividualDataObjectsTimeStamp element is not supported

...