XML Signature Settings


Signature settings are stored for each component individually in the component settings dialog box, and are all stored in the MFD file when it is saved.


XML Signature Settings dialog box

 

Authentication method: Certificate or Password

The signature can be based on a certificate or a password. Select the radio button of the method you wish to use.

 

Certificate:
If you wish to use a certificate, the certificate must have a private key and be located in an accessible certificate store. The signature is generated with the certificate's private key and verified with its public key, so the verifier needs access to the certificate (a public-key-only copy is sufficient). To select the private/public-key certificate you wish to use, click the Select button and browse for the certificate.

 

Password:
Enter a password of 5 to 16 characters. This password is used to create the signature and is subsequently required to verify it; the OK button of the dialog box only becomes active once the length requirement is met. Because the same password both creates and verifies the signature, it is a shared secret: anyone who can verify the signature can also produce a valid one. A password-based signature therefore shows that the data has not changed since it was signed by someone who knew the password, but, unlike a certificate-based signature, it cannot establish which party signed it.

 

Save password in MFD file:

When this option is checked, the password entered in the Password field is saved in the MFD file in obfuscated form, i.e. it is not stored as readable text. Obfuscation only protects against casual inspection: anyone who has access to the MFD file can create signatures with this password, so the MFD file must be protected like any other file that holds a credential.

 

Transformations

The XML data is transformed, and the result of the transformation is what the signature is calculated over. You can specify the canonicalization algorithm to be applied to the file's XML data (the SignedInfo content) prior to the signature calculation. The significant differences between the algorithms are noted below:

 

Canonical XML with or without comments:
If comments are included in the signature calculation, any change to a comment in the XML data causes verification to fail. If they are excluded, comments may be modified or added after the document has been signed and the signature still verifies as authentic.

 

Note:

"...with comments" is only available for "Detached" placement.

 

Base64:
The root (or document) element of the XML document is considered to be Base64 encoded, and is read in its binary form. If the root element is not Base64, an error is returned or the element is read as empty, depending on what type of element is encountered.

 

 

None:
No transformation is carried out: the bytes of the XML file as saved on disk are passed directly to the signature calculation. Any subsequent change to the file, even to whitespace, causes verification of the signature to fail.
 
However, if the Strip Whitespace between XML elements check box is selected, all whitespace between elements is stripped before signing and verifying, so changes to that whitespace are ignored.
 
The major difference between None and a canonicalization option is that canonicalization produces a normalized XML data stream in which some differences, such as attribute order, disappear. Reordering the attributes of an element therefore does not affect a canonicalized signature (verification succeeds), whereas with no transformation the same reordering changes the signed bytes (verification fails).
 
Note, however, that a default canonicalization is performed whenever the signature is enveloped (embedded). The XML data is therefore used exactly as saved on disk only when all three conditions hold: the signature is detached, None is selected, and the Strip Whitespace check box is unchecked.
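As an added illustration (not MapForce code or output) of how the transform choice decides which later edits still verify, the following Python script signs a constructed sample document under four settings and then re-verifies four edited copies of it. It assumes Python's standard-library C14N 2.0 canonicalizer as a stand-in for MapForce's canonicalization, a simple regular expression for "Strip Whitespace between XML elements", and HMAC-SHA256 keyed with the password for the password-based method described above; none of these are stated on this page to be what MapForce actually uses.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample: the document as signed, plus four edits made after signing.
ORIGINAL = b'<expenses id="q1" year="2019"><!-- draft --><item>12.50</item>\n</expenses>'
VARIANTS = {
    "comment changed": b'<expenses id="q1" year="2019"><!-- final --><item>12.50</item>\n</expenses>',
    "attributes reordered": b'<expenses year="2019" id="q1"><!-- draft --><item>12.50</item>\n</expenses>',
    "whitespace changed": b'<expenses id="q1" year="2019"><!-- draft --><item>12.50</item>\n\n   </expenses>',
    "value changed": b'<expenses id="q1" year="2019"><!-- draft --><item>99.99</item>\n</expenses>',
}
MODES = ("none", "none-strip", "c14n", "c14n-comments")


def transform(xml_bytes: bytes, mode: str) -> bytes:
    """Return the octets that are actually digested for a given transform setting."""
    if mode == "none":                 # raw bytes exactly as saved on disk
        return xml_bytes
    if mode == "none-strip":           # raw bytes, whitespace between elements removed (assumed model)
        return re.sub(rb">\s+<", b"><", xml_bytes)
    if mode == "c14n":                 # canonical XML (stdlib C14N 2.0), comments dropped
        return ET.canonicalize(xml_bytes.decode(), with_comments=False).encode()
    if mode == "c14n-comments":        # canonical XML, comments kept
        return ET.canonicalize(xml_bytes.decode(), with_comments=True).encode()
    raise ValueError(f"unknown mode {mode!r}")


def sign(xml_bytes: bytes, mode: str, password: str) -> str:
    """Password-based signature modelled as HMAC-SHA256 over the digest of the transformed data.
    The same password is needed to verify, so whoever can verify can also sign."""
    digest = hashlib.sha256(transform(xml_bytes, mode)).digest()
    return hmac.new(password.encode(), digest, hashlib.sha256).hexdigest()


def verify(xml_bytes: bytes, mode: str, password: str, signature: str) -> bool:
    return hmac.compare_digest(sign(xml_bytes, mode, password), signature)


def verification_matrix(password: str = "s3cret!") -> dict:
    """Sign ORIGINAL under each mode, then check whether each edited variant still verifies."""
    matrix = {}
    for mode in MODES:
        sig = sign(ORIGINAL, mode, password)
        assert verify(ORIGINAL, mode, password, sig)   # the unmodified document always verifies
        matrix[mode] = {name: verify(doc, mode, password, sig) for name, doc in VARIANTS.items()}
    return matrix


if __name__ == "__main__":
    for mode, row in verification_matrix().items():
        print(f"{mode:14}", {k: ("ok" if v else "FAIL") for k, v in row.items()})
```

Running the script prints one row per setting. Only the "value changed" edit fails under every setting; attribute order is normalized away by both canonicalization options, a comment edit only breaks the signature with "...with comments", and whitespace only stops mattering when Strip Whitespace is selected. Note also that `verify` simply recomputes `sign` with the same password, which is why storing the password in the MFD file hands signing capability to anyone holding that file.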

 

Signature Placement

The signature can be placed within the XML file or be created as a separate file. The following options are available:

 

Enveloped:
The signature element is created as the last child element of the root (document) element. Note: the associated XML Schema must contain the signature definition elements for the output XML to be valid. Please see the top of this section for more information.

 

Detached:
The XML signature is created as a separate file. In this case, you can specify the file extension of the signature file and whether the file name is created with: (i) the extension appended to the name of the XML file (for example, test.xml.xsig), or (ii) the extension replaces the XML extension of the XML file (for example, test.xsig). You can also specify whether, in the signature file, the reference to the XML file is a relative or an absolute path.

 

Note: XML signatures for XML Schema (.xsd) files and for XBRL files can only be created as external signature files. For WSDL files, signatures can either be created as external files or be enveloped in the WSDL file.

 

Note: If the XML signature is created as a separate file, the XML file and the signature file are associated with each other via a reference in the signature file. Consequently, when the signature is in an external file, verification must be done with the signature file active, not with the XML file active.
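To make the placement options concrete, here is an added Python example (not MapForce's code, and not its exact output format) that writes a detached signature file and an enveloped signature for a constructed sample document, then verifies both. It uses the XML-DSig element names and algorithm identifiers, Python's standard-library C14N 2.0 canonicalizer, and HMAC-SHA256 keyed with a password in place of a certificate-based SignatureMethod; the page does not state which canonicalization or signature algorithms MapForce uses, so treat those as assumptions. The file names test.xml and test.xml.xsig follow the "extension appended" naming described above.

```python
import base64
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"                       # stdlib canonicalizer (assumption)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"  # stands in for a certificate method
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SAMPLE = b'<expenses id="q1"><item>12.50</item></expenses>'        # constructed sample document


def ds(name):
    return f"{{{DS}}}{name}"

def c14n(elem):
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), with_comments=False).encode()

def digest_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_signature(uri, digest_value, password, enveloped):
    """ds:Signature whose SignatureValue is HMAC-SHA256(password, c14n(SignedInfo))."""
    sig = ET.Element(ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI=uri)
    if enveloped:  # tells the verifier to drop ds:Signature itself before digesting
        ET.SubElement(ET.SubElement(ref, ds("Transforms")), ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = digest_value
    mac = hmac.new(password.encode(), c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    return sig


def check(sig, referenced, password):
    """Both the Reference digest and the HMAC over SignedInfo must match."""
    si = sig.find(ds("SignedInfo"))
    digest_ok = si.findtext(f"{ds('Reference')}/{ds('DigestValue')}") == digest_b64(referenced)
    expected = hmac.new(password.encode(), c14n(si), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext(ds("SignatureValue")))
    return digest_ok and hmac.compare_digest(expected, actual)


def sign_detached(xml_path, sig_path, password, relative=True):
    """Detached: own file, Reference URI names the XML file; transform None digests raw bytes."""
    with open(xml_path, "rb") as f:
        data = f.read()
    uri = os.path.relpath(xml_path, os.path.dirname(sig_path)) if relative else os.path.abspath(xml_path)
    ET.ElementTree(build_signature(uri, digest_b64(data), password, False)).write(
        sig_path, xml_declaration=True, encoding="utf-8")


def verify_detached(sig_path, password):
    """Start from the signature file: a relative URI resolves against its directory."""
    sig = ET.parse(sig_path).getroot()
    uri = sig.find(f"{ds('SignedInfo')}/{ds('Reference')}").get("URI")
    data_path = uri if os.path.isabs(uri) else os.path.join(os.path.dirname(sig_path), uri)
    with open(data_path, "rb") as f:
        return check(sig, f.read(), password)


def sign_enveloped(xml_path, password):
    """Enveloped: digest the canonicalized document, append ds:Signature as last child of root."""
    tree = ET.parse(xml_path)
    root = tree.getroot()
    root.append(build_signature("", digest_b64(c14n(root)), password, True))  # URI="" = this document
    tree.write(xml_path, xml_declaration=True, encoding="utf-8")


def verify_enveloped(xml_path, password):
    root = ET.parse(xml_path).getroot()
    sig = root.find(ds("Signature"))
    root.remove(sig)  # enveloped-signature transform: digest the document without its signature
    return check(sig, c14n(root), password)


def demo(workdir=None):
    """Sign two copies of SAMPLE, verify, then edit the signed data and verify again."""
    workdir = workdir or tempfile.mkdtemp()
    pw = "s3cret!"
    detached_xml = os.path.join(workdir, "test.xml")
    enveloped_xml = os.path.join(workdir, "enveloped.xml")
    for p in (detached_xml, enveloped_xml):
        with open(p, "wb") as f:
            f.write(SAMPLE)
    sig_path = detached_xml + ".xsig"  # extension appended: test.xml.xsig (replacing would give test.xsig)
    sign_detached(detached_xml, sig_path, pw)
    sign_enveloped(enveloped_xml, pw)
    r = {"detached": verify_detached(sig_path, pw),
         "enveloped": verify_enveloped(enveloped_xml, pw),
         "detached, wrong password": verify_detached(sig_path, "wrong")}
    with open(detached_xml, "ab") as f:  # still well-formed XML, but the bytes changed
        f.write(b"\n")
    r["detached after edit"] = verify_detached(sig_path, pw)
    tree = ET.parse(enveloped_xml)
    tree.find("item").text = "99.99"
    tree.write(enveloped_xml)
    r["enveloped after edit"] = verify_enveloped(enveloped_xml, pw)
    return r
```

`verify_detached` starts from the signature file and resolves a relative Reference URI against that file's directory, which is exactly why verification of an external signature has to be run with the signature file active: the XML file carries no pointer back to its signature. `verify_enveloped` applies the enveloped-signature transform by removing ds:Signature before recomputing the digest, since the signature cannot cover its own value.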

 

Append KeyInfo

The Append Keyinfo option is available when the signature is certificate-based. It is unavailable if the signature is password-based.

 

If Append KeyInfo is checked, public-key information is placed inside the signature; otherwise no key information is included. The advantage of including it is that the verifier does not need separate access to the certificate (specifically its public key), since the key information is present in the signature itself. Note, however, that embedded key information only lets the verifier confirm that the signature is consistent with that key; it says nothing about whether the key belongs to the expected signer. A verifier must still check that the embedded certificate chains to a trusted issuer or matches a known certificate, otherwise anyone could re-sign the data with their own key and embed that key.

 

Invalid signature settings

MapForce cannot digitally sign an output if the signature settings are invalid. Signature settings are invalid if:

 

The selected certificate is not accessible or is not suitable for signing XML documents, or
no password is set, for example because the "Save password in MFD file" option is not checked.

 

When you click the Output button, MapForce prompts:

for the password with:

 

Please specify a password to sign the output of component "MarketingExpensesSigned"

 

for the certificate with:

 

Please choose the store containing the certificate you want to use to sign the output of component "MarketingExpensesSigned".

 

If no password or certificate is chosen, then the processing is either stopped, or continued without a signature. You can determine this behavior in the Component Settings dialog box via the "Stop processing" or "Continue without signature" radio buttons.

 

If the mapping is executed from the command line, no prompt dialog box appears. The mapping execution either stops with an error, or continues without signature.


© 2019 Altova GmbH