XAdES Signer

Fully qualified class name: org.signserver.module.xades.signer.XAdESSigner

Overview

The XAdES Signer creates XML signatures according to the specified profile of XAdES.

Available Properties

Property Description

XADESFORM

Profile (form) of XAdES to use. Currently BES and T are supported. Default: BES.

COMMITMENT_TYPES

List of commitment types to be indicated in the signature. Multiple values can be given separated by ",". See Commitment Types for valid values. Optionally, the constant NONE can be used to explicitly state that no commitment types should be included (this constant can only be used alone). Optional. Default: no commitment types are included.

SIGNATUREALGORITHM

The algorithm used to sign the data. The same set of algorithms as for the property of the same name in XMLSigner is supported. Optional. Default: depends on the signer's private key: SHA1withDSA for DSA keys, SHA256withRSA for RSA keys, and SHA1withECDSA for EC keys.

CLAIMED_ROLE

Claimed role to include in the signature. If the CLAIMED_ROLE_FROM_USERNAME property is also set, this value is used as a fallback when no user name is provided in the request. Optional. Default: no default claimed role defined.

CLAIMED_ROLE_FROM_USERNAME

If set to true, use the user name from the request (provided by an authorizer) as the value for the claimed role. If no user name is provided, fall back to the value set by CLAIMED_ROLE. If this is set to true, CLAIMED_ROLE is not set, and the request does not contain a user name, the request will result in an error. Optional. Default: false.

INCLUDE_CERTIFICATE_LEVELS

Number of certificate levels to include in the document's KeyInfo (also see Common Properties). Minimum and default value is 1, which includes only the signer certificate. The value 2 includes the signer certificate and its issuer. To include all certificates, specify at least the same value as number of certificates in the certificate chain.

TSA_URL

URL of the Time-Stamping Authority. Required if XADESFORM=T and TSA_WORKER is not specified.

Warning: Cannot be set at the same time as TSA_WORKER.

TSA_WORKER

Worker ID or worker name of a time stamp signer. Required if XADESFORM=T and TSA_URL is not specified. This uses internal calls and can only be used for a time stamp authority running in the same SignServer instance.

Warning: Use this option instead of TSA_URL when using a time stamp signer running in the same SignServer instance, to avoid thread deadlocks under high load. Cannot be set at the same time as TSA_URL.

TSA_USERNAME

Login username used if the TSA uses HTTP Basic Auth.

TSA_PASSWORD

Login password used if the TSA uses HTTP Basic Auth.

TSA_DIGESTALGORITHM

Algorithm for timestamp digests. Optional. Default: SHA-256.

Commitment Types

Value Description
NONE Do not include any commitment type. This cannot be used in conjunction with the other constants below.
PROOF_OF_APPROVAL Indicates that the signer has approved the content of the signed data object.
PROOF_OF_CREATION Indicates that the signer has created the signed data object (but not necessarily approved, nor sent it).
PROOF_OF_DELIVERY Indicates that the TSP providing that indication has delivered a signed data object into a local store accessible to the recipient of the signed data object.
PROOF_OF_ORIGIN Indicates that the signer acknowledges having created, approved and sent the signed data object.
PROOF_OF_RECEIPT Indicates that the signer acknowledges having received the content of the signed data object.
PROOF_OF_SENDER Indicates that the entity providing that indication has sent the signed data object (but not necessarily created it).
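The property rules above (TSA_URL and TSA_WORKER being mutually exclusive, XADESFORM=T needing one of them, NONE only standing alone in COMMITMENT_TYPES, the minimum of 1 for INCLUDE_CERTIFICATE_LEVELS, and the CLAIMED_ROLE / CLAIMED_ROLE_FROM_USERNAME precedence) are easy to get wrong when a worker is configured by hand. The following is an added example, not SignServer's own code, that parses a constructed worker configuration and checks it against exactly those documented rules. The "WORKERGENID1." key prefix, the TYPE, IMPLEMENTATION_CLASS and NAME keys, and the worker name "TimeStampSigner" are assumptions taken from SignServer's general property-file layout and are not part of the XAdES Signer property list above.

```python
# Added example (not SignServer's own code): validate an XAdES Signer worker
# configuration against the rules in the property reference, and resolve the
# claimed role the way CLAIMED_ROLE / CLAIMED_ROLE_FROM_USERNAME describe.
# The WORKERGENID1. prefix, TYPE/IMPLEMENTATION_CLASS/NAME keys and the
# "TimeStampSigner" worker name are assumptions, not from the reference above.

from typing import Dict, List, Optional

XADES_FORMS = {"BES", "T"}

# Valid COMMITMENT_TYPES values from the Commitment Types table (NONE handled separately).
COMMITMENT_TYPES = {
    "PROOF_OF_APPROVAL", "PROOF_OF_CREATION", "PROOF_OF_DELIVERY",
    "PROOF_OF_ORIGIN", "PROOF_OF_RECEIPT", "PROOF_OF_SENDER",
}

# Constructed sample configuration: an XAdES-T signer using an in-process
# time stamp signer so TSA_WORKER (not TSA_URL) is set.
SAMPLE_CONFIG = """
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.xades.signer.XAdESSigner
WORKERGENID1.NAME=XAdESSignerT
WORKERGENID1.XADESFORM=T
WORKERGENID1.TSA_WORKER=TimeStampSigner
WORKERGENID1.TSA_DIGESTALGORITHM=SHA-256
WORKERGENID1.COMMITMENT_TYPES=PROOF_OF_ORIGIN,PROOF_OF_APPROVAL
WORKERGENID1.CLAIMED_ROLE=Reviewer
WORKERGENID1.CLAIMED_ROLE_FROM_USERNAME=true
WORKERGENID1.INCLUDE_CERTIFICATE_LEVELS=2
"""


def parse_worker_properties(text: str, prefix: str = "WORKERGENID1.") -> Dict[str, str]:
    """Parse `<prefix>KEY=value` lines into a dict keyed by the bare property name."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(prefix):
            props[key[len(prefix):]] = value.strip()
    return props


def validate_xades_config(props: Dict[str, str]) -> List[str]:
    """Return the list of documented rules the configuration violates (empty = OK)."""
    problems: List[str] = []

    form = props.get("XADESFORM", "BES")  # default form is BES
    if form not in XADES_FORMS:
        problems.append(f"XADESFORM must be one of {sorted(XADES_FORMS)}, got {form!r}")

    has_url, has_worker = "TSA_URL" in props, "TSA_WORKER" in props
    if has_url and has_worker:
        problems.append("TSA_URL and TSA_WORKER cannot be set at the same time")
    if form == "T" and not (has_url or has_worker):
        problems.append("XADESFORM=T requires TSA_URL or TSA_WORKER")

    ct = props.get("COMMITMENT_TYPES")
    if ct is not None:
        values = [v.strip() for v in ct.split(",")]
        if "NONE" in values and len(values) > 1:
            problems.append("COMMITMENT_TYPES: NONE can only be used alone")
        for v in values:
            if v != "NONE" and v not in COMMITMENT_TYPES:
                problems.append(f"COMMITMENT_TYPES: unknown value {v!r}")

    levels = props.get("INCLUDE_CERTIFICATE_LEVELS", "1")  # minimum and default is 1
    if not levels.isdigit() or int(levels) < 1:
        problems.append("INCLUDE_CERTIFICATE_LEVELS must be an integer >= 1")
    return problems


def resolve_claimed_role(props: Dict[str, str], request_username: Optional[str]) -> Optional[str]:
    """Apply the documented precedence; raise ValueError in the case the reference
    says results in a request error (FROM_USERNAME=true, no CLAIMED_ROLE, no user name)."""
    from_username = props.get("CLAIMED_ROLE_FROM_USERNAME", "false").lower() == "true"
    fallback = props.get("CLAIMED_ROLE")
    if from_username:
        if request_username:
            return request_username
        if fallback is None:
            raise ValueError("no user name in request and CLAIMED_ROLE not set")
        return fallback
    return fallback  # None means no claimed role is included in the signature


if __name__ == "__main__":
    cfg = parse_worker_properties(SAMPLE_CONFIG)
    print("problems:", validate_xades_config(cfg) or "none")
    print("claimed role for user 'alice':", resolve_claimed_role(cfg, "alice"))
    print("claimed role with no user name:", resolve_claimed_role(cfg, None))
```

Running the script on the sample reports no problems and shows the claimed role coming from the request user name when one is present, falling back to CLAIMED_ROLE otherwise; adding a TSA_URL line to the sample, or setting COMMITMENT_TYPES to NONE together with another value, makes the corresponding rule fire before the worker is ever activated.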