XML Signatures


absolute-reference-uri

--absolute-reference-uri = true|false

Specifies whether the URI of the signed document is to be read as absolute (true) or relative (false). Default is false.

Note:   Boolean option values are set to true if the option is specified without a value.

 

certname, certificate-name

--certname, --certificate-name = VALUE

The name of the certificate used for signing.

 

Windows

This is the Subject name of a certificate from the selected --certificate-store.

 

Example to list the certificates (under PowerShell)

% ls cert://CurrentUser/My

PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint Subject

---------- -------

C9DF64BB0AAF5FA73474D78B7CCFFC37C95BFC6C CN=certificate1

... CN=...

 

Example: --certificate-name=certificate1

 

 

Linux/MacOS

--certname specifies the file name of a PEM encoded X.509v3 certificate with the private key. Such files usually have the extension .pem.

 

Example: --certificate-name=/path/to/certificate1.pem

 

certstore, certificate-store

--certstore, --certificate-store = VALUE

The location where the certificate specified with --certificate-name is stored.

 

Windows

The name of a certificate store under cert://CurrentUser. The available certificate stores can be listed (under PowerShell) by using % ls cert://CurrentUser/. The stores are then listed as follows:

 

Name : TrustedPublisher

Name : ClientAuthIssuer

Name : Root

Name : UserDS

Name : CA

Name : ACRS

Name : REQUEST

Name : AuthRoot

Name : MSIEHistoryJournal

Name : TrustedPeople

Name : MyCertStore

Name : Local NonRemovable Certificates

Name : SmartCardRoot

Name : Trust

Name : Disallowed

 

Example: --certificate-store=MyCertStore

 

 

Linux/MacOS

The --certstore option is currently not supported.

digest, digest-method

--digest, --digest-method = sha1|sha256|sha384|sha512|base64

The algorithm used to compute the digest value over the input XML file. sha1 is deprecated for new signatures and should only be chosen when a consumer requires it; prefer sha256 or stronger.

 

hmackey, hmac-secret-key

--hmackey, --hmac-secret-key = VALUE

The HMAC shared secret key; must have a minimum length of six characters. Six characters is only the tool's lower bound: RFC 2104 recommends a key at least as long as the hash output (32 bytes for hmac-sha256), and the key should be randomly generated rather than a memorable password, because anyone who can guess it can forge signatures.

 

Example: --hmackey=secretpassword

 

hmaclen, hmac-output-length

--hmaclen, --hmac-output-length = LENGTH

Truncates the output of the HMAC algorithm to LENGTH bits; XML Signature truncation keeps the leftmost bits. If specified, this value must be

a multiple of 8
larger than 80
larger than half of the underlying hash algorithm's output length
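As an added illustration (not part of the Altova documentation or tool), the Python below applies the three constraints above and computes a truncated HMAC SignatureValue the way XML Signature truncation works (leftmost bits kept). The verifying side runs the same length check before comparing, because a verifier that honours a tiny HMACOutputLength supplied inside the signed document will accept forgeries; that was CVE-2009-0217 in several XML Security libraries. The sample SignedInfo bytes, the function names and the RFC 2104 key-length check are this example's own.

```python
import base64
import hashlib
import hmac

# Output size in bits of each hash behind the hmac-sha* signature methods.
HASH_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}

# Constructed stand-in for a canonicalized <SignedInfo>; the real input is the exact
# byte sequence produced by --signature-canonicalization-method.
SAMPLE_SIGNED_INFO = (
    b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256">'
    b'<HMACOutputLength>136</HMACOutputLength></SignatureMethod>'
    b'</SignedInfo>'
)


def check_hmac_output_length(length_bits, hash_name):
    """Apply the three constraints the page lists for --hmac-output-length.

    Returns None when the length is acceptable, otherwise the reason it is not.
    The boundaries follow the page's wording ("larger than").
    """
    full = HASH_BITS[hash_name]
    if length_bits % 8:
        return "must be a multiple of 8"
    if length_bits <= 80:
        return "must be larger than 80"
    if length_bits <= full // 2:
        return f"must be larger than half of the {hash_name} output ({full // 2} bits)"
    return None


def key_meets_rfc2104_recommendation(key, hash_name):
    """RFC 2104 recommends an HMAC key at least as long as the hash output."""
    return len(key) * 8 >= HASH_BITS[hash_name]


def hmac_mac(key, signed_info_c14n, hash_name, output_length_bits=None):
    """Raw HMAC over the canonicalized SignedInfo, truncated to the leftmost bits if asked."""
    if output_length_bits is not None:
        problem = check_hmac_output_length(output_length_bits, hash_name)
        if problem:
            raise ValueError(f"--hmac-output-length {output_length_bits}: {problem}")
    mac = hmac.new(key, signed_info_c14n, hash_name).digest()
    if output_length_bits is None:
        return mac
    return mac[: output_length_bits // 8]


def signature_value(key, signed_info_c14n, hash_name, output_length_bits=None):
    """Base64 text that goes into <SignatureValue>."""
    mac = hmac_mac(key, signed_info_c14n, hash_name, output_length_bits)
    return base64.b64encode(mac).decode("ascii")


def verify(key, signed_info_c14n, hash_name, signature_value_b64, output_length_bits=None):
    """Verifier side. Re-checks the claimed length before comparing, so a SignedInfo
    carrying a tiny HMACOutputLength cannot shrink the comparison to a few bits."""
    if output_length_bits is not None and check_hmac_output_length(output_length_bits, hash_name):
        return False
    expected = hmac_mac(key, signed_info_c14n, hash_name, output_length_bits)
    try:
        received = base64.b64decode(signature_value_b64, validate=True)
    except ValueError:
        return False
    # Constant-time comparison; a length mismatch also yields False.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"secretpassword"  # the page's example key; too short by RFC 2104's measure
    print("key meets RFC 2104 length:", key_meets_rfc2104_recommendation(key, "sha256"))
    sig = signature_value(key, SAMPLE_SIGNED_INFO, "sha256", 136)
    print("SignatureValue:", sig)
    print("verifies with 136-bit length:", verify(key, SAMPLE_SIGNED_INFO, "sha256", sig, 136))
    print("verifies with 8-bit length:", verify(key, SAMPLE_SIGNED_INFO, "sha256", sig, 8))
```

The verifier-side rejection is the security-relevant half: the length a document claims for itself is attacker-controlled until the signature is checked, so it must satisfy the same minimums before it is allowed to shorten the comparison.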

 

keyinfo, append-keyinfo

--keyinfo, --append-keyinfo = true|false

Specifies whether to include the KeyInfo element in the signature. The default is false. With a certificate, KeyInfo carries the signing certificate so that the verifier can locate the key; the verifier must still validate that certificate against its own trust anchors rather than trust it because it travels with the signature. Without KeyInfo, the verifier has to obtain the key out of band.

 

sigc14nmeth, signature-canonicalization-method

--sigc14nmeth, --signature-canonicalization-method = VALUE

Specifies the canonicalization algorithm to apply to the SignedInfo element. The value must be one of:

 

REC-xml-c14n-20010315
xml-c14n11
xml-exc-c14n#

 

sigmeth, signature-method

--sigmeth, --signature-method = VALUE

Specifies the algorithm to use for generating the signature.

 

When a certificate is used

If a certificate is specified, then SignatureMethod is optional and the value for this parameter is derived from the certificate. If specified, it must match the algorithm used by the certificate. Example: rsa-sha256.

 

When --hmac-secret-key is used

When HMACSecretKey is used, then SignatureMethod is mandatory. The value must be one of the supported HMAC algorithms:

hmac-sha256
hmac-sha384
hmac-sha512
hmac-sha1 (discouraged by the specification)

 

Example: hmac-sha256

 

 

sigtype, signature-type

--sigtype, --signature-type = detached | enveloping | enveloped

Specifies the type of signature to be generated: detached (the Signature is written separately from the signed data and references it by URI), enveloping (the signed data is carried inside the Signature element as an Object), or enveloped (the Signature element is inserted into the signed document itself).

 

transforms

--transforms = VALUE

Specifies the XML Signature transformations applied to the input document. The supported values are:

 

REC-xml-c14n-20010315 for Canonical XML 1.0 (omit comments)
xml-c14n11 for Canonical XML 1.1 (omit comments)
xml-exc-c14n# for Exclusive XML Canonicalization 1.0 (omit comments)
REC-xml-c14n-20010315#WithComments for Canonical XML 1.0 (with comments)
xml-c14n11#WithComments for Canonical XML 1.1 (with comments)
xml-exc-c14n#WithComments for Exclusive XML Canonicalization 1.0 (with comments)
base64
strip-whitespaces (Altova extension)

 

Example: --transforms=xml-c14n11

 

Note: This option can be specified multiple times. If specified multiple times, then the order of specification is significant. The first specified transformation receives the input document. The last specified transformation is used immediately before calculation of the digest value.
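As an added example (not part of the Altova page or tool), the Python below runs a chain of transform names in command-line order and computes the DigestValue over the last transform's output. The Python standard library implements only Canonical XML 2.0, so ET.canonicalize stands in for the C14N 1.0/1.1/exclusive variants listed above; the with/without comments distinction, the effect of strip-whitespaces (modelled here as dropping whitespace-only text, an assumption about the Altova extension) and the order dependence of base64 are what it shows. The document, the function names and the transform registry are constructed for this example.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample input. The padding whitespace and the comment are deliberate:
# they are what the canonicalization variants treat differently.
SAMPLE_XML = (
    b'<?xml version="1.0"?>\n'
    b'<order>  <item>widget</item>  <!-- internal note --></order>'
)
# The same document base64-encoded, as the "base64" transform expects to receive it.
SAMPLE_XML_B64 = base64.b64encode(SAMPLE_XML)


def _c14n(with_comments, strip_text=False):
    """Build a transform on top of the stdlib's C14N 2.0 writer.

    Stand-in for the page's C14N 1.0 / 1.1 / exclusive algorithms, which the
    standard library does not implement; namespace handling differs, the
    comment and whitespace behaviour shown here does not.
    """
    def run(data):
        text = ET.canonicalize(xml_data=data, with_comments=with_comments,
                               strip_text=strip_text)
        return text.encode("utf-8")
    return run


# Transform names as given on the command line, mapped to bytes -> bytes functions.
TRANSFORMS = {
    "REC-xml-c14n-20010315": _c14n(with_comments=False),
    "xml-c14n11": _c14n(with_comments=False),
    "xml-exc-c14n#": _c14n(with_comments=False),
    "REC-xml-c14n-20010315#WithComments": _c14n(with_comments=True),
    "xml-c14n11#WithComments": _c14n(with_comments=True),
    "xml-exc-c14n#WithComments": _c14n(with_comments=True),
    # Decodes base64 text into the bytes the next transform (or the digest) sees.
    "base64": lambda data: base64.b64decode(data, validate=True),
    # Assumption about the Altova extension: whitespace-only text is dropped.
    "strip-whitespaces": _c14n(with_comments=False, strip_text=True),
}

DIGESTS = ("sha1", "sha256", "sha384", "sha512")


def apply_transforms(data, transforms):
    """Run the transforms in the order given: the first receives the input
    document, the output of the last is what the digest is computed over."""
    for name in transforms:
        data = TRANSFORMS[name](data)
    return data


def digest_value(data, transforms, digest_method="sha256"):
    """Base64 DigestValue for the transform chain's output."""
    if digest_method not in DIGESTS:
        raise ValueError(f"unsupported digest method {digest_method!r}")
    digested = apply_transforms(data, transforms)
    return base64.b64encode(hashlib.new(digest_method, digested).digest()).decode("ascii")


if __name__ == "__main__":
    print("omit comments:   ", digest_value(SAMPLE_XML, ["xml-c14n11"]))
    print("with comments:   ", digest_value(SAMPLE_XML, ["xml-c14n11#WithComments"]))
    print("strip whitespace:", digest_value(SAMPLE_XML, ["strip-whitespaces"]))
    # Order matters: base64 must decode before canonicalization.
    print("base64 then c14n:", digest_value(SAMPLE_XML_B64, ["base64", "xml-c14n11"]))
    try:
        digest_value(SAMPLE_XML, ["xml-c14n11", "base64"])
    except ValueError as exc:  # binascii.Error is a ValueError
        print("c14n then base64 rejected:", exc)
```

Three different digests for the same file is the point: a verifier reproduces the DigestValue only if it applies exactly the same transforms in exactly the same order, so the chain chosen here is part of what the signature commits to.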

 

 

write-default-attributes

--write-default-attributes = true|false

Specifies whether to include default attribute values from the DTD in the signed document.

 

 


© 2019 Altova GmbH