The xmlsignature-sign | xsign command takes an XML document as input and creates an XML signature output document using the specified signing options.
raptorxmlxbrl xmlsignature-sign [options] --output=File --signature-type=Value --signature-canonicalization-method=Value --certname=Value|hmackey=Value InputFile
•The InputFile argument is the XML document to sign.
•The --output option specifies the location of the document that contains the XML signature.
Example
Example of the xmlsignature-sign command:
•raptorxmlxbrl xsign --output=c:\SignedFile.xml --signature-type=enveloped --signature-canonicalization-method=xml-c14n11 --hmackey=secretpassword c:\SomeUnsigned.xml
RaptorXMLXBRL (and RaptorXMLXBRLServer for administration commands) on Windows
raptorxmlxbrl (and raptorxmlxbrlserver for administration commands) on Windows and Unix (Linux, Mac)
* Note that lowercase (raptorxmlxbrl and raptorxmlxbrlserver) works on all platforms (Windows, Linux, and Mac), while upper-lower (RaptorXMLXBRL) works only on Windows and Mac.
* Use forward slashes on Linux and Mac, backslashes on Windows.
On Windows systems: When spaces or special characters occur in strings (for example in file or folder names, or company, person or product names), use quotes: for example, "My File". Note, however, that a backslash followed by a double-quotation mark (for example, "C:\My directory\") might not be read correctly. This is because the backslash character is also used to indicate the start of an escape sequence, and the escape sequence \" stands for the double-quotation mark character. If you want to escape this sequence of characters, use a preceding backslash, like this: \\". To summarize: If you need to write a file path that contains spaces or an end backslash, write it like this: "C:\My Directory\\".
Options
Options are listed in short form (if available) and long form. You can use one or two dashes for both short and long forms. An option may or may not take a value. If it takes a value, it is written like this: --option=value. Values can be specified without quotes except in two cases: (i) when the value string contains spaces, or (ii) when explicitly stated in the description of the option that quotes are required. If an option takes a Boolean value and no value is specified, then the option's default value is TRUE. Use the --h, --help option to display information about the command.
--output = FILE
The URL of the output document that is created with the new XML signature.
--verbose = true|false
A value of true enables output of additional information during validation. Default value is false.
Note: Boolean option values are set to true if the option is specified without a value.
--absolute-reference-uri = true|false
Specifies whether the URI of the signed document is to be read as absolute (true) or relative (false). Default is false.
Note: Boolean option values are set to true if the option is specified without a value.
--certname, --certificate-name = VALUE
The name of the certificate used for signing.
Windows
This is the Subject name of a certificate from the selected --certificate-store.
Example to list the certificates (under PowerShell)
% ls cert://CurrentUser/My
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
C9DF64BB0AAF5FA73474D78B7CCFFC37C95BFC6C CN=certificate1
... CN=...
Example: --certificate-name=certificate1
Linux/MacOS
--certname specifies the file name of a PEM encoded X.509v3 certificate with the private key. Such files usually have the extension .pem.
Example: --certificate-name=/path/to/certificate1.pem
--certstore, --certificate-store = VALUE
The location where the certificate specified with --certificate-name is stored.
Windows
The name of a certificate store under cert://CurrentUser. The available certificate stores can be listed (under PowerShell) by using % ls cert://CurrentUser/. The stores are then listed as follows:
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Root
Name : UserDS
Name : CA
Name : ACRS
Name : REQUEST
Name : AuthRoot
Name : MSIEHistoryJournal
Name : TrustedPeople
Name : MyCertStore
Name : Local NonRemovable Certificates
Name : SmartCardRoot
Name : Trust
Name : Disallowed
Example: --certificate-store=MyCertStore
Linux/MacOS
The --certstore option is currently not supported.
--digest, --digest-method = sha1|sha256|sha384|sha512
The algorithm that is used to compute the digest value over the input XML file. Available values are: sha1|sha256|sha384|sha512.
--hmackey, --hmac-secret-key = VALUE
The HMAC shared secret key; must have a minimum length of six characters.
Example: --hmackey=secretpassword
--hmaclen, --hmac-output-length = LENGTH
Truncates the output of the HMAC algorithm to length bits. If specified, this value must be
•a multiple of 8
•larger than 80
•larger than half of the underlying hash algorithm's output length
--keyinfo, --append-keyinfo = true|false
Specifies whether to include the KeyInfo element in the signature or not. The default is false.
--sigc14nmeth, --signature-canonicalization-method = VALUE
Specifies the canonicalization algorithm to apply to the SignedInfo element. The value must be one of:
•REC-xml-c14n-20010315
•xml-c14n11
•xml-exc-c14n#
--sigmeth, --signature-method = VALUE
Specifies the algorithm to use for generating the signature.
When a certificate is used
If a certificate is specified, then SignatureMethod is optional and the value for this parameter is derived from the certificate. If specified, it must match the algorithm used by the certificate. Example: rsa-sha256.
When --hmac-secret-key is used
When HMACSecretKey is used, then SignatureMethod is mandatory. The value must be one of the supported HMAC algorithms:
•hmac-sha256
•hmac-sha384
•hmac-sha512
•hmac-sha1 (discouraged by the specification)
Example: hmac-sha256
--sigtype, --signature-type = detached | enveloping | enveloped
Specifies the type of signature to be generated.
--transforms = VALUE
Specifies the XML Signature transformations applied to the input document. The supported values are:
•REC-xml-c14n-20010315 for Canonical XML 1.0 (omit comments)
•xml-c14n11 for Canonical XML 1.1 (omit comments)
•xml-exc-c14n# for Exclusive XML Canonicalization 1.0 (omit comments)
•REC-xml-c14n-20010315#WithComments for Canonical XML 1.0 (with comments)
•xml-c14n11#WithComments for Canonical XML 1.1 (with comments)
•xml-exc-c14n#WithComments for Exclusive XML Canonicalization 1.0 (with comments)
•base64
•strip-whitespaces (Altova extension)
Example: --transforms=xml-c14n11
Note: This option can be specified multiple times. If specified multiple times, then the order of specification is significant. The first specified transformation receives the input document. The last specified transformation is used immediately before calculation of the digest value.
--write-default-attributes = true|false
Specifies whether to include default attribute values from the DTD in the signed document.
--help
Displays help text for the command. For example, valany --h. (Alternatively the help command can be used with an argument. For example: help valany.)
--version
Displays the version of RaptorXML+XBRL Server. If used with a command, place --version before the command.
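The rules stated above for --hmackey, --hmaclen and --signature-method can be checked before the command is run. The following is an added example, not Altova code: the function names check_hmac_options and build_sign_argv are hypothetical, and the hash output lengths are the standard ones for SHA-1, SHA-256, SHA-384 and SHA-512.

```python
# Added example (not Altova code): checks the HMAC option rules stated on this
# page, then builds the argument list for `raptorxmlxbrl xmlsignature-sign`.
HASH_BITS = {"hmac-sha1": 160, "hmac-sha256": 256,
             "hmac-sha384": 384, "hmac-sha512": 512}
C14N_METHODS = {"REC-xml-c14n-20010315", "xml-c14n11", "xml-exc-c14n#"}
SIG_TYPES = {"detached", "enveloping", "enveloped"}


def check_hmac_options(hmackey, sigmeth=None, hmaclen=None):
    """Return a list of rule violations; an empty list means the options pass."""
    problems = []
    if len(hmackey) < 6:
        problems.append("--hmackey must be at least six characters")
    if sigmeth is None:
        problems.append("--signature-method is mandatory with --hmackey")
    elif sigmeth not in HASH_BITS:
        problems.append(f"unsupported HMAC algorithm: {sigmeth}")
    elif hmaclen is not None:
        if hmaclen % 8:
            problems.append("--hmaclen must be a multiple of 8")
        if hmaclen <= 80:
            problems.append("--hmaclen must be larger than 80")
        if hmaclen <= HASH_BITS[sigmeth] // 2:
            problems.append("--hmaclen must be larger than half the hash output")
    return problems


def build_sign_argv(infile, outfile, sigtype, c14n, hmackey, sigmeth, hmaclen=None):
    """Validate, then return argv (hypothetical helper) for subprocess.run()."""
    problems = check_hmac_options(hmackey, sigmeth, hmaclen)
    if sigtype not in SIG_TYPES:
        problems.append(f"unknown --signature-type: {sigtype}")
    if c14n not in C14N_METHODS:
        problems.append(f"unknown canonicalization method: {c14n}")
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["raptorxmlxbrl", "xmlsignature-sign", f"--output={outfile}",
            f"--signature-type={sigtype}",
            f"--signature-canonicalization-method={c14n}",
            f"--signature-method={sigmeth}", f"--hmackey={hmackey}"]
    if hmaclen is not None:
        argv.append(f"--hmaclen={hmaclen}")
    return argv + [infile]


if __name__ == "__main__":
    # Constructed sample values, mirroring the page's own example command.
    print(build_sign_argv(r"c:\SomeUnsigned.xml", r"c:\SignedFile.xml", "enveloped",
                          "xml-c14n11", "secretpassword", "hmac-sha256", 136))
```

With hmac-sha256 the smallest truncation length that passes all three rules is 136 bits, since 128 is exactly half of the 256-bit output and the rule requires more than half.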