Is there a way to add QualifyingPropertiesReference with xades4j?


I need to add two QualifyingPropertiesReference nodes with given URI values into the Object element within an XAdES Signature.

I'm generating an XML Signature which requires passing a certificate via URL instead of attaching it in the KeyInfo element. For this, QualifyingPropertiesReference looks like a good fit; however, I could not find a way or an example in the wiki/tests that would add this element. Looking at the code, I found XmlQualifyingPropertiesReferenceType, but did not see it being used anywhere. My signing code:

import org.w3c.dom.Document;
import xades4j.production.*;              // XadesBesSigningProfile, BasicSignatureOptions, SigningCertificateMode, ...
import xades4j.properties.DataObjectDesc;

// keyingDP is a xades4j KeyingDataProvider supplying the signing key and certificate
XadesSigningProfile signingProfile = new XadesBesSigningProfile(keyingDP)
        .withBasicSignatureOptions(new BasicSignatureOptions()
                .includeSigningCertificate(SigningCertificateMode.NONE)); // keep the certificate out of KeyInfo
XadesSigner signer = signingProfile.newSigner();

Document doc = createDocument(xmlMessage);

// Reference "" covers the whole document; the enveloped transform excludes the Signature element itself
DataObjectDesc obj = new DataObjectReference("")
        .withTransform(new EnvelopedSignatureTransform());
SignedDataObjects dataObjects = new SignedDataObjects().withSignedDataObject(obj);

signer.sign(dataObjects, doc.getFirstChild()); // throws XAdES4jException on failure

Basically, I want this kind of Signature structure:

<Signature>
   ....
   <Object>
     <QualifyingPropertiesReference URI="some_url"/>
     <QualifyingPropertiesReference URI="some_url2"/>
     <QualifyingProperties>
        ....
   </Object>
</Signature>

If there's no way, would adding them to the doc manually make the Signature invalid? Are <Object> contents used for hashing?


Solution

xades4j doesn't support QualifyingPropertiesReference for two main reasons: 1) no real use cases for it; 2) XAdES Baseline profiles do not allow it (section 6.1 of the baseline profiles spec).

That said, I'm not sure your use case is one for QualifyingPropertiesReference. This element is just a means of pointing to another XML resource where the qualifying properties are present. Maybe you misunderstood it. I don't think it has anything to do with certificates or how to obtain them.

It is OK that a signature doesn't include the certificates needed for validation. In this case the verifier is expected to know how to obtain them. Another option is to add "application-specific" data to the signature, where you pass the URL.
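The answer's first option (the signature omits the certificate and the verifier already knows how to get it) can be shown on the xades4j verification side. The following is an added example, not code from the question or from xades4j itself. It assumes xades4j 2.x, where a signature produced with SigningCertificateMode.NONE carries no certificate in KeyInfo and the verifier hands the CertificateValidationProvider an X509CertSelector built from the signature's SigningCertificate property (issuer and serial); the class names OutOfBandCertVerifier and LocalStoreValidationProvider and the file paths are placeholders chosen for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;
import xades4j.verification.SignatureSpecificVerificationOptions;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
import xades4j.verification.XadesVerifier;

// Added example (not from the question or from xades4j): verify a signature that
// carries no certificate in KeyInfo by resolving the signer's certificate from a
// local trusted store held by the verifier.
public final class OutOfBandCertVerifier {

    /** Matches the selector xades4j builds for the signer against a fixed set of trusted certificates. */
    static final class LocalStoreValidationProvider implements CertificateValidationProvider {
        private final List<X509Certificate> trusted;

        LocalStoreValidationProvider(Collection<X509Certificate> trusted) {
            this.trusted = List.copyOf(trusted);
        }

        @Override
        public ValidationData validate(X509CertSelector certSelector, Date validationDate,
                                       Collection<X509Certificate> otherCerts)
                throws CertificateValidationException {
            // otherCerts (anything found inside the signature) is deliberately ignored:
            // only certificates from the local store are accepted as the signer.
            for (X509Certificate cert : trusted) {
                if (!certSelector.match(cert)) {
                    continue;
                }
                try {
                    cert.checkValidity(validationDate);
                } catch (CertificateException e) {
                    throw new CertificateValidationException(cert, "certificate not valid at " + validationDate);
                }
                return new ValidationData(List.of(cert));
            }
            throw new CertificateValidationException(null, "no trusted certificate matches the signer");
        }
    }

    /** Loads certificates from a directory; assumed layout is one DER or PEM certificate per file. */
    static List<X509Certificate> loadCertificates(Path dir) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (var paths = Files.list(dir)) {
            for (Path p : (Iterable<Path>) paths::iterator) {
                try (InputStream in = Files.newInputStream(p)) {
                    certs.add((X509Certificate) cf.generateCertificate(in));
                }
            }
        }
        return certs;
    }

    /** Parses the signed document and verifies its single ds:Signature with the given provider. */
    static XAdESVerificationResult verify(Path signedXml, CertificateValidationProvider provider) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD processing
        Document doc = dbf.newDocumentBuilder().parse(signedXml.toFile());
        NodeList sigs = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one ds:Signature, found " + sigs.getLength());
        }
        XadesVerifier verifier = new XadesVerificationProfile(provider).newVerifier();
        return verifier.verify((Element) sigs.item(0), new SignatureSpecificVerificationOptions());
    }

    public static void main(String[] args) throws Exception {
        Path signedXml = Path.of(args[0]);   // placeholder: the signed document, e.g. signed-message.xml
        Path trustedDir = Path.of(args[1]);  // placeholder: directory of trusted signer certificates
        XAdESVerificationResult result =
                verify(signedXml, new LocalStoreValidationProvider(loadCertificates(trustedDir)));
        System.out.println("form: " + result.getSignatureForm());
        System.out.println("signer: " + result.getValidationCertificate().getSubjectX500Principal());
    }
}
```

The provider never trusts certificates that travel inside the signature; the signer is accepted only if a certificate in the verifier's own store matches the selector and is valid at the signing time xades4j passes in, which is what "the verifier is expected to know how to obtain them" amounts to in practice.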