Sign with the originator's private RSA or DSA key, and verify with an X509 certificate retrieval method and trusted X509 certificates

Use this method when the sender of the XML document adds an X509 RetrievalMethod pointing to its own certificate, and that certificate was issued (signed) by another X509 certificate that the receiver trusts.

Only the originator can sign a message with this specific key pair: any other peer verifies with the corresponding public key, taken from the originator's certificate, and never has access to the private key. Trust in that certificate comes from its chain to a trusted certificate, not from the URL it is retrieved from.

How to sign

  1. Create an RSA or DSA key with the constructor of the CryptoKey class.
  2. Load the RSA or DSA private key into the CryptoKey object.
  3. Create an X509 certificate with the constructor of the CryptoX509 class.
  4. Set the RetrievalMethod feature on the CryptoX509 object to the URL where the XML form of the originator's X509 certificate is available.
  5. Create a blank signature with the constructor of the Signature class.
  6. Assign the CryptoKey object to the Signature object.
  7. Assign the CryptoX509 object to the Signature object.
  8. Create one or more references to be signed.
  9. Compute the signature.
  10. Retrieve the XML signature document from the Signature object.

How to verify

  1. Create an X509 certificate with the constructor of the CryptoX509 class.
  2. Load the X509 certificate that was used to sign the originator's X509 certificate (the issuer certificate) into the CryptoX509 object.
  3. Add this X509 certificate as a trusted certificate to the application.
  4. Create a signature with the constructor of the Signature class, from the XML Signature node found in the document produced by the compute operation above.
  5. Verify the signature validity.
Note:

Steps 1 to 3 can be omitted if the entry xml.application.calist has been set in the FGLPROFILE file with the trusted certificate.

Note:

There is no key or certificate to set in the Signature object during verification: the originator's certificate is obtained through the RetrievalMethod carried in the signature, and verification succeeds only if that certificate chains to a trusted certificate and the signature value checks against its public key.
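The two procedures above, signing and verification, as an added Genero BDL example that is not part of this page or of the Four Js documentation. It assumes an RSA private key in originator-key.pem, the issuer certificate in issuer-cert.pem, a document order.xml to sign, http://example.com/originator-cert.xml as the published XML form of the originator's certificate, the RSA-SHA256 algorithm URL, and the class method xml.Signature.RegisterTrustedCertificate() for step 3 of verification; the file names, the URL and that method name are assumptions to check against the reference of the Genero version in use.

```4gl
IMPORT xml

-- Constructed example; file names, URLs and the trusted-certificate
-- registration method are assumptions, not taken from the page.

-- Signing: steps 1 to 10 of "How to sign".
FUNCTION sign_document(inFile STRING, outFile STRING)
  DEFINE key xml.CryptoKey
  DEFINE cert xml.CryptoX509
  DEFINE sig xml.Signature
  DEFINE doc, sigDoc xml.DomDocument
  DEFINE ind INTEGER

  -- Steps 1-2: RSA key object for RSA-SHA256, private key loaded from PEM
  LET key = xml.CryptoKey.Create("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
  CALL key.loadPEM("originator-key.pem")

  -- Steps 3-4: certificate object that only carries the RetrievalMethod,
  -- so the signature points to where the certificate can be fetched
  -- instead of embedding it
  LET cert = xml.CryptoX509.Create()
  CALL cert.setFeature("RetrievalMethod", "http://example.com/originator-cert.xml")

  -- Steps 5-7: blank signature, then key and certificate assigned to it
  LET sig = xml.Signature.Create()
  CALL sig.setKey(key)
  CALL sig.setCertificate(cert)

  -- Step 8: one reference covering the whole document (URI ""), with the
  -- enveloped-signature transform so the Signature element itself is
  -- excluded from the digested content
  LET ind = sig.createReference("", "http://www.w3.org/2001/04/xmlenc#sha256")
  CALL sig.createTransform(ind, "http://www.w3.org/2000/09/xmldsig#enveloped-signature")

  -- Steps 9-10: compute over the document root and save the resulting
  -- XML signature document
  LET doc = xml.DomDocument.Create()
  CALL doc.load(inFile)
  CALL sig.compute(doc.getDocumentElement())
  LET sigDoc = sig.getDocument()
  CALL sigDoc.save(outFile)
END FUNCTION

-- Verification: steps 1 to 5 of "How to verify".
FUNCTION verify_document(signedFile STRING) RETURNS BOOLEAN
  DEFINE issuer xml.CryptoX509
  DEFINE doc xml.DomDocument
  DEFINE sigList xml.DomNodeList
  DEFINE sigNode xml.DomNode
  DEFINE sig xml.Signature

  -- Steps 1-3: trust the certificate that signed the originator's
  -- certificate, not the originator's certificate itself. These three
  -- lines can be dropped when xml.application.calist in FGLPROFILE
  -- already names the trusted certificate.
  LET issuer = xml.CryptoX509.Create()
  CALL issuer.loadPEM("issuer-cert.pem")
  CALL xml.Signature.RegisterTrustedCertificate(issuer)  -- assumed method name

  -- Step 4: rebuild the Signature object from the dsig:Signature node
  LET doc = xml.DomDocument.Create()
  CALL doc.load(signedFile)
  LET sigList = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature")
  IF sigList.getCount() == 0 THEN
    DISPLAY "No Signature element found in ", signedFile
    RETURN FALSE
  END IF
  LET sigNode = sigList.getItem(1)
  LET sig = xml.Signature.CreateFromNode(sigNode)

  -- Step 5: no key or certificate is set here. The certificate is fetched
  -- through the RetrievalMethod and must chain to a trusted certificate;
  -- a missing, untrusted or mismatching certificate raises an error, as
  -- does a tampered document.
  TRY
    CALL sig.verify(doc.getDocumentElement())
    RETURN TRUE
  CATCH
    DISPLAY "Signature verification failed, status ", STATUS
    RETURN FALSE
  END TRY
END FUNCTION

MAIN
  CALL sign_document("order.xml", "order-signed.xml")
  IF verify_document("order-signed.xml") THEN
    DISPLAY "Signature valid and originator certificate trusted"
  END IF
END MAIN
```

The point to keep in mind when reading the verifier half: the RetrievalMethod URL is chosen by the signer and is fetched by the verifier, so it is untrusted input. What makes the result trustworthy is that the fetched certificate must chain to the issuer certificate registered in step 3 (or listed in xml.application.calist); a verification that passes without such a trusted certificate configured would only prove that some key signed the document, not whose.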