XAdES Signer

Fully qualified class name: org.signserver.module.xades.signer.XAdESSigner

Overview

The XAdES Signer creates XML signatures according to the specified profile of XAdES.

Available Properties

Property

Description

XADESFORM

Profile of XAdES to use. Currently BES and T is supported. Default: BES

COMMITMENT_TYPES

List of commitment types to be indicated in the signature. Multiple values can be given separated by ",". See Commitment Types for valid values. Optionally, the constant NONE can be used to explicitly state that no commitment types should be included (this constant can only be used alone). Optional. Default: no commitment types are included.

SIGNATUREALGORITHM

The algorithm used to sign the data. The same set of algorithms as for the same property in XMLSigner is supported. Optional. Default: depending on the signer's private key: SHA1withDSA for DSA keys, SHA256withRSA for RSA keys, and SHA1withECDSA for EC keys.

CLAIMED_ROLE

Claimed role to include in the signature. If the CLAIMED_ROLE_FROM_USERNAME property is also set, this value is used as a fallback when there is no user name provided in the request. Optional. Default: no default claimed role defined.

CLAIMED_ROLE_FROM_USERNAME

If set to true, use the user name from the request (provided by an authorizer) as the value for claimed role. If there is no user name provided, fall back to the value set by CLAIMED_USER. If this is set to true, and CLAIMED_ROLE is not set, and the request does not contain a user name, the request will result in an error. Optional. Default: false.

INCLUDE_CERTIFICATE_LEVELS

Number of certificate levels to include in the document's KeyInfo (also see Common Properties). Minimum and default value is 1, which includes only the signer certificate. The value 2 includes the signer certificate and its issuer. To include all certificates, specify at least the same value as number of certificates in the certificate chain.

TSA_URL

URL of Time-Stamping Authority. Required if XADESFORM=T and TSA_WORKER not specified.

images/s/en_GB/7901/58be3fa11e9ad58113c0ea45e7063389a7c7d344/_/images/icons/emoticons/warning.svg Cannot be set at the same time as TSA_WORKER.

TSA_WORKER

Specify a worker ID or worker name for a time stamp signer. Required if XADESFORM=T and TSA_URL are not specified. This will use internal calls and can only be used for a time stamp authority running in the same SignServer instance.

images/s/en_GB/7901/58be3fa11e9ad58113c0ea45e7063389a7c7d344/_/images/icons/emoticons/warning.svg Use this option instead of TSA_URL when using a time stamp signer running in the same SignServer instance to avoid thread deadlocks under high load. Cannot be set at the same time as TSA_URL.

TSA_USERNAME

Login username used if the TSA uses HTTP Basic Auth.

TSA_PASSWORD

Login password used if the TSA uses HTTP Basic Auth.

TSA_DIGESTALGORITHM

Algorithm for timestamp digests. Optional. Default: SHA-256.

Commitment Types

Value

Description

NONE

Do not include any commitment type. This cannot be used in conjunction with the other constants below.

PROOF_OF_APPROVAL

Indicates that the signer has approved the content of the signed data object.

PROOF_OF_CREATION

Indicates that the signer has created the signed data object (but not necessarily approved, nor sent it).

PROOF_OF_DELIVERY

Indicates that the TSP providing that indication has delivered a signed data object in a local store accessible to the recipient of the signed data object.

PROOF_OF_ORIGIN

Indicates that the signer recognizes to have created, approved and sent the signed data object.

PROOF_OF_RECEIPT

Indicates that the signer recognizes to have received the content of the signed data object.

PROOF_OF_SENDER

Indicates that the entity providing that indication has sent the signed data object (but not necessarily created it).