XML Signatures

www.altova.com Expand/Collapse All Print this Topic Previous Page Up One Level Next page

Home >  Command Line Interface (CLI) > Options >

XML Signatures

Click to expand/collapseabsolute-reference-uri

--absolute-reference-uri = true|false

Specifies whether the URI of the signed document is to be read as absolute (true) or relative (false). Default is false.

Note:   Boolean option values are set to true if the option is specified without a value.


Click to expand/collapsecertname, certificate-name

--certname, --certificate-name = VALUE

The name of the certificate used for signing.



This is the Subject name of a certificate from the selected --certificate-store.


Example to list the certificates (under PowerShell)

% ls cert://CurrentUser/My

PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint Subject

---------- -------

C9DF64BB0AAF5FA73474D78B7CCFFC37C95BFC6C CN=certificate1

... CN=...


Example: --certificate-name==certificate1




--certname specifies the file name of a PEM encoded X.509v3 certificate with the private key. Such files usually have the extension .pem.


Example: --certificate-name==/path/to/certificate1.pem


Click to expand/collapsecertstore, certificate-store

--certstore, --certificate-store = VALUE

The location where the the certificate specified with --certificate-name is stored.



The name of a certificate store under cert://CurrentUser. The available certificate stores can be listed (under PowerShell) by using % ls cert://CurrentUser/. Certificates would then be listed as follows:


Name : TrustedPublisher

Name : ClientAuthIssuer

Name : Root

Name : UserDS

Name : CA

Name : ACRS


Name : AuthRoot

Name : MSIEHistoryJournal

Name : TrustedPeople

Name : MyCertStore

Name : Local NonRemovable Certificates

Name : SmartCardRoot

Name : Trust

Name : Disallowed


Example: --certificate-store==MyCertStore




The --certstore option is currently not supported.

Click to expand/collapsedigest, digest-method

--digest, --digest-method = sha1|sha256|sha384|sha512|base64

The algorithm that is used to compute the digest value over the input XML file. Available values are: sha1|sha256|sha384|sha512|base64.


Click to expand/collapsehmackey, hmac-secret-key

--hmackey, --hmac-secret-key = VALUE

The HMAC shared secret key; must have a minimum length of six characters.


Example: --hmackey=secretpassword


Click to expand/collapsehmaclen, hmac-output-length

--hmaclen, --hmac-output-length = LENGTH

Truncates the output of the HMAC algorithm to length bits. If specified, this value must be

a multiple of 8
larger than 80
larger than half of the underlying hash algorithm's output length


Click to expand/collapsekeyinfo, append-keyinfo

--keyinfo, --append-keyinfo = true|false

Specifies whether to include the KeyInfo element in the signature or not. The default is false.


Click to expand/collapsesigc14nmeth, signature-canonicalization-method

--sigc14nmeth, --signature-canonicalization-method = VALUE

Specifies the canonicalization algorithm to apply to the SignedInfo element. The value must be one of:




Click to expand/collapsesigmeth, signature-method

--sigmeth, --signature-method = VALUE

Specifies the algorithm to use for generating the signature.


When a certificate is used

If a certificate is specified, then SignatureMethod is optional and the value for this parameter is derived from the certificate. If specified, it must match the algorithm used by the certificate. Example: rsa-sha256.


When --hmac-secret-key is used

When HMACSecretKey is used, then SignatureMethod is mandatory. The value must be one of the supported HMAC algorithms:

hmac-sha1 (discouraged by the specification)


Example: hmac-sha256



Click to expand/collapsesigtype, signature-type

--sigtype, --signature-type = detached | enveloping | enveloped

Specifies the type of signature to be generated.


Click to expand/collapsetransforms

--transforms = VALUE

Specifies the XML Signature transformations applied to the input document. The supported values are:


REC-xml-c14n-20010315 for Canonical XML 1.0 (omit comments)
xml-c14n11 for Canonical XML 1.1 (omit comments)
xml-exc-c14n# for Exclusive XML Canonicalization 1.0 (omit comments)
REC-xml-c14n-20010315#WithComments for Canonical XML 1.0 (with comments)
xml-c14n11#WithComments for Canonical XML 1.1 (with comments)
xml-exc-c14n#WithComments for Exclusive XML Canonicalization 1.0 (with comments)
strip-whitespaces Altova extension


Example: --transforms=xml-c14n11


Note: This option can be specified multiple times. If specified multiple times, then the order of specification is significant. The first specified transformation receives the input document. The last specified transformation is used immediately before calculation of the digest value.



Click to expand/collapsewrite-default-attributes

--write-default-attributes = true|false

Specifies whether to include default attribute values from the DTD in the signed document.



© 2019 Altova GmbH