Sign with the originator private RSA or DSA key, and verify with trusted X509 certificates

Use this method if the sender of the XML document attaches an X509 certificate that was itself signed by another, trusted X509 certificate.

Only the originator can sign a message with this key pair: signing requires the private key, and every other peer only needs the corresponding public key (carried in the certificate) and never has access to the private key.

How to sign

  1. Create an RSA or DSA key with the constructor of the CryptoKey class.
  2. Load the RSA or DSA private key into the CryptoKey object.
  3. Create an X509 certificate with the constructor of the CryptoX509 class.
  4. Load the X509 certificate associated with the RSA or DSA private key into the CryptoX509 object.
  5. Create a blank signature with the constructor of the Signature class.
  6. Assign the CryptoKey object to the Signature object.
  7. Assign the CryptoX509 object to the Signature object.
  8. Create one or more references to be signed.
  9. Compute the signature.
  10. Retrieve the XML signature document from the Signature object.

How to verify

  1. Create an X509 certificate with the constructor of the CryptoX509 class.
  2. Load the X509 certificate that was used to sign the originator's X509 certificate into the CryptoX509 object.
  3. Add that X509 certificate as a trusted certificate to the application.
  4. Create a signature with the constructor of the Signature class from the XML signature node obtained after the compute operation above.
  5. Verify the signature validity.

Note: Points 1 to 3 can be omitted if the entry xml.application.calist has been set in the FGLPROFILE file with the trusted certificate.
Note: There is no key nor certificate to set in the Signature object during verification; the key and the originator certificate are taken from the signature itself and the certificate is checked against the trusted list.
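The two procedures above, written out as one added Genero BDL example (this is not code from the Genero documentation). It assumes the originator's private key and certificate are in the files originator.pem and originator.crt, that the trusted CA certificate is configured through xml.application.calist in FGLPROFILE (so verification steps 1 to 3 are skipped), and that the method names and URIs used here match the xml.* API; check them against your API reference before use.

```4gl
IMPORT xml

-- Constructed sample document to sign (not real business data).
FUNCTION build_sample_document() RETURNS xml.DomDocument
  DEFINE doc xml.DomDocument
  LET doc = xml.DomDocument.CreateDocument("order")
  CALL doc.getDocumentElement().setAttribute("amount", "125.00")
  RETURN doc
END FUNCTION

-- Originator side: steps 1 to 10 of "How to sign".
FUNCTION sign_document(doc xml.DomDocument) RETURNS xml.DomDocument
  DEFINE key xml.CryptoKey
  DEFINE cert xml.CryptoX509
  DEFINE sig xml.Signature
  DEFINE refId INTEGER
  -- Steps 1-2: RSA-SHA256 key object, private key loaded from PEM (assumed file name)
  LET key = xml.CryptoKey.Create("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
  CALL key.loadPEM("originator.pem")
  -- Steps 3-4: the certificate that matches that private key (assumed file name)
  LET cert = xml.CryptoX509.Create()
  CALL cert.loadPEM("originator.crt")
  -- Steps 5-7: blank signature, then attach key and certificate
  LET sig = xml.Signature.Create()
  CALL sig.setKey(key)
  CALL sig.setCertificate(cert)
  -- Step 8: one reference over the whole document (URI "") with a SHA-256 digest,
  -- plus the enveloped-signature transform so the signature element is excluded
  LET refId = sig.createReference("", "http://www.w3.org/2001/04/xmlenc#sha256")
  CALL sig.appendReferenceTransformation(refId, "http://www.w3.org/2000/09/xmldsig#enveloped-signature")
  -- Steps 9-10: compute and retrieve the XML signature document
  CALL sig.compute(doc)
  RETURN sig.getDocument()
END FUNCTION

-- Receiver side: steps 4 and 5 of "How to verify". No key or certificate is set here;
-- the originator certificate inside the signature is checked against the trusted CA list.
FUNCTION verify_document(doc xml.DomDocument, sigDoc xml.DomDocument) RETURNS BOOLEAN
  DEFINE sig xml.Signature
  TRY
    LET sig = xml.Signature.CreateFromNode(sigDoc.getDocumentElement())
    RETURN sig.verify(doc)
  CATCH
    -- Any parsing, certificate-chain or digest failure is treated as "not verified"
    DISPLAY "Signature verification failed: ", err_get(status)
    RETURN FALSE
  END TRY
END FUNCTION
```

A verification failure is deliberately not distinguished by cause in the return value; the message from err_get(status) tells you whether the chain, the digest or the signature value was rejected.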