Use this method if the sender of the XML document adds an X509 RetrievalMethod pointing to an originator certificate that was itself signed by another, trusted X509 certificate.
Only the originator can sign a message with this specific key pair. Any other peer needs the corresponding public key and does not have access to the private key.
How to sign
1. Create an RSA or DSA key with the constructor of the CryptoKey class.
2. Load the RSA or DSA private key into the CryptoKey object.
3. Create an X509 certificate with the constructor of the CryptoX509 class.
4. Set the RetrievalMethod feature on the CryptoX509 object with the URL where the XML form of the originator X509 certificate is available.
5. Create a blank signature with the constructor of the Signature class.
6. Assign the CryptoKey object to the Signature object.
7. Assign the CryptoX509 object to the Signature object.
8. Create one or more references to be signed.
9. Compute the signature.
10. Retrieve the XML signature document from the Signature object.
How to verify
1. Create an X509 certificate with the constructor of the CryptoX509 class.
2. Load the X509 certificate that was used to sign the originator X509 certificate into the CryptoX509 object.
3. Add the X509 certificate as a trusted certificate to the application.
4. Create a signature with the constructor of the Signature class from the XML signature node obtained after the compute operation above.
5. Verify the signature validity.
Note: Steps 1 - 3 can be omitted if the entry xml.application.calist has been set in the FGLPROFILE file with the trusted certificate.
Note: There is no key or certificate to set in the Signature object during validation.
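The two procedures above, signing and verifying, carried through in one Genero BDL program. This is an added example, not code from the Four Js documentation. The xml.CryptoKey, xml.CryptoX509 and xml.Signature method names are used as the editor recalls them from the Genero xml API and should be checked against the reference for your version; the file names, the retrieval URL, the sample document and the RegisterTrustedCertificate call used for step 3 of the verification are assumptions.

```genero
-- Added example (not from the Four Js documentation). Method names follow the
-- Genero xml.* classes as recalled; file names, URLs and the trusted-certificate
-- registration call are assumptions to be checked against your Genero version.
IMPORT xml

MAIN
    DEFINE doc, sigDoc xml.DomDocument
    DEFINE ok INTEGER

    -- Constructed sample document to be signed.
    LET doc = xml.DomDocument.Create()
    CALL doc.loadFromString("<order><id>42</id><amount>100.00</amount></order>")

    -- Originator side: private key, originator certificate and the URL where the
    -- XML form of that certificate is published (all assumed values).
    LET sigDoc = sign_document(doc, "originator_private.pem", "originator.pem",
                               "https://example.invalid/certs/originator.xml")

    -- Verifier side: only the certificate that signed the originator certificate
    -- is needed locally; the originator certificate is fetched via RetrievalMethod.
    LET ok = verify_document(doc, sigDoc, "trusted_issuer.pem")
    DISPLAY "signature valid: ", ok
END MAIN

-- Steps 1-10 of "How to sign". Returns the XML signature document.
FUNCTION sign_document(doc, privKeyFile, certFile, retrievalUrl)
    DEFINE doc xml.DomDocument
    DEFINE privKeyFile, certFile, retrievalUrl STRING
    DEFINE key xml.CryptoKey
    DEFINE cert xml.CryptoX509
    DEFINE sig xml.Signature
    DEFINE idx INTEGER

    -- Steps 1-2: RSA key object, private half loaded from PEM (assumed file).
    LET key = xml.CryptoKey.Create("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    CALL key.loadPEM(privKeyFile)

    -- Steps 3-4: originator certificate with the RetrievalMethod feature set to
    -- the URL where the XML form of the certificate is available.
    LET cert = xml.CryptoX509.Create("http://www.w3.org/2000/09/xmldsig#X509Data")
    CALL cert.loadPEM(certFile)
    CALL cert.setFeature("RetrievalMethod", retrievalUrl)

    -- Steps 5-7: blank signature, then key and certificate assigned to it.
    LET sig = xml.Signature.Create()
    CALL sig.setKey(key)
    CALL sig.setCertificate(cert)

    -- Step 8: one reference covering the whole document (URI "") with SHA-256.
    LET idx = sig.createReference("", "http://www.w3.org/2001/04/xmlenc#sha256")

    -- Steps 9-10: compute and return the ds:Signature document.
    CALL sig.compute(doc)
    RETURN sig.getDocument()
END FUNCTION

-- Steps 1-5 of "How to verify". Returns TRUE when the signature is valid.
FUNCTION verify_document(doc, sigDoc, issuerCertFile)
    DEFINE doc, sigDoc xml.DomDocument
    DEFINE issuerCertFile STRING
    DEFINE issuer xml.CryptoX509
    DEFINE sig xml.Signature

    -- Steps 1-3: the certificate that signed the originator certificate becomes
    -- a trusted certificate. Skip these when xml.application.calist is set in
    -- FGLPROFILE. RegisterTrustedCertificate is the assumed name of the call.
    LET issuer = xml.CryptoX509.Create("http://www.w3.org/2000/09/xmldsig#X509Data")
    CALL issuer.loadPEM(issuerCertFile)
    CALL xml.Signature.RegisterTrustedCertificate(issuer)

    -- Step 4: build the Signature from the ds:Signature node. No key and no
    -- certificate are set here: both come from the signature itself, and the
    -- originator certificate is retrieved through its RetrievalMethod URL.
    LET sig = xml.Signature.CreateFromNode(sigDoc.getDocumentElement())

    -- Step 5: verify. Fails if a digest does not match, if the signature value
    -- is wrong, or if the retrieved certificate does not chain to a trusted one.
    TRY
        CALL sig.verify(doc)
        RETURN TRUE
    CATCH
        DISPLAY "verification failed: ", err_get(STATUS)
        RETURN FALSE
    END TRY
END FUNCTION
```

The point worth keeping in mind on the verifying side is where trust comes from: the originator certificate is fetched from whatever URL the signer placed in the RetrievalMethod, so it is accepted only because it is signed by the certificate registered in steps 1-3 (or listed in xml.application.calist), not because of where it was downloaded from.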