
I need to add two QualifyingPropertiesReference nodes with given URI values into the Object within an XAdES Signature.

I'm generating an XML Signature which requires passing a certificate via URL instead of attaching it in the KeyInfo element. For this, QualifyingPropertiesReference looks like a good fit; however, I could not find a way or an example in the wiki/tests that would add this element. Looking at the code, I found XmlQualifyingPropertiesReferenceType, but did not see it being used anywhere. My signing code:

import org.w3c.dom.Document;
import xades4j.algorithms.EnvelopedSignatureTransform;
import xades4j.production.BasicSignatureOptions;
import xades4j.production.DataObjectReference;
import xades4j.production.SignedDataObjects;
import xades4j.production.SigningCertificateMode;
import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.production.XadesSigningProfile;
import xades4j.properties.DataObjectDesc;

// keyingDP (a KeyingDataProvider), xmlMessage and createDocument() are defined elsewhere.
XadesSigningProfile signingProfile = new XadesBesSigningProfile(keyingDP)
        .withBasicSignatureOptions(new BasicSignatureOptions()
                .includeSigningCertificate(SigningCertificateMode.NONE)); // no certificate in KeyInfo
XadesSigner signer = signingProfile.newSigner();

Document doc = createDocument(xmlMessage);

// Enveloped signature over the whole document (URI="").
DataObjectDesc obj = new DataObjectReference("")
        .withTransform(new EnvelopedSignatureTransform());
SignedDataObjects dataObjects = new SignedDataObjects().withSignedDataObject(obj);

signer.sign(dataObjects, doc.getFirstChild());

Basically, I want this kind of Signature structure:

<Signature>
   ....
   <Object>
     <QualifyingPropertiesReference URI="some_url"/>
     <QualifyingPropertiesReference URI="some_url2"/>
     <QualifyingProperties>
        ....
   </Object>
</Signature>

If there's no way, would adding them to the doc manually make the Signature invalid? Are <Object> contents used for hashing?

  • Were you able to find an appropriate solution for this? I'm struggling with something similar. – Corey Oct 29 '19 at 13:02
  • Sadly no. I started looking into ESIG-DSS library, however requirements were adjusted before I managed to confirm whether or not it was possible. – Mantas Kentra Oct 30 '19 at 14:28

1 Answer


xades4j doesn't support QualifyingPropertiesReference for two main reasons: 1) no real use cases for it; 2) XAdES Baseline profiles do not allow it (section 6.1 of the baseline profiles spec).

That said, I'm not sure your use-case is one for QualifyingPropertiesReference. This element is just a means of pointing to another XML resource where the qualifying properties are present. Maybe you misunderstood it. I don't think it has anything to do with certificates or how to obtain them.

It is ok that a signature doesn't include the certificates needed for validation. In this case the verifier is expected to know how to obtain them. Another option is to add "application-specific" data to the signature, where you pass the URL.

lgoncalves
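The question asks whether <Object> contents are used for hashing and whether hand-inserted nodes would invalidate the signature, and the answer suggests carrying the URL as application-specific data instead. The Python check below is an added example, not code from the thread or from xades4j: it walks a constructed enveloped XAdES-BES signature and reports, for each element under ds:Object, whether any ds:Reference actually digests it (the sample XML, the Id "xades-sp" and the URL are all made up).

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"

# Constructed sample (not produced by xades4j): an enveloped XAdES-BES signature
# whose ds:Object also holds a hand-inserted QualifyingPropertiesReference.
SAMPLE = f"""<Invoice><Total>10</Total>
<ds:Signature xmlns:ds="{DS}" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#">
 <ds:SignedInfo>
  <ds:Reference URI=""><ds:Transforms><ds:Transform Algorithm="{ENVELOPED}"/></ds:Transforms></ds:Reference>
  <ds:Reference URI="#xades-sp" Type="http://uri.etsi.org/01903#SignedProperties"/>
 </ds:SignedInfo>
 <ds:Object>
  <xades:QualifyingPropertiesReference URI="https://example.invalid/cert"/>
  <xades:QualifyingProperties>
   <xades:SignedProperties Id="xades-sp"/>
   <xades:UnsignedProperties/>
  </xades:QualifyingProperties>
 </ds:Object>
</ds:Signature></Invoice>"""

def referenced_ids(root):
    """Ids of the elements whose subtrees the ds:Reference list digests."""
    ids = set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
        elif uri == "" and any(t.get("Algorithm") == ENVELOPED
                               for t in ref.iter(f"{{{DS}}}Transform")):
            continue  # whole document minus ds:Signature: never reaches ds:Object
        else:
            raise NotImplementedError(f"unsupported Reference URI {uri!r}")
    return ids

def object_coverage(xml_text):
    """Map each element under ds:Object (by local name) to True when a Reference digests it."""
    root = ET.fromstring(xml_text)
    ids = referenced_ids(root)
    coverage = {}
    def walk(elem, inherited):
        covered = inherited or elem.get("Id") in ids  # coverage is inherited by descendants
        coverage[elem.tag.rsplit("}", 1)[-1]] = covered
        for child in elem:
            walk(child, covered)
    for obj in root.iter(f"{{{DS}}}Object"):
        for child in obj:
            walk(child, False)
    return coverage
```

Only the SignedProperties subtree comes out as covered: an unreferenced QualifyingPropertiesReference does not break the signature, but its URL is not protected by it either, so a verifier must not treat that URL as signed data.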