Sign with the originator private RSA or DSA key, and verify with an X509 certificate retrieval method and trusted X509 certificates
Use this when the sender of the XML document adds an X509 retrieval method (a URL pointing to the originator X509 certificate), and that certificate has itself been signed by another X509 certificate that the verifier trusts.
Only the originator can sign a message with this specific key pair, because only the originator holds the private key. Any other peer needs only the corresponding public key, obtained through the retrieval method, and never has access to the private key. Because the retrieval URL is chosen by the sender, the retrieved certificate must not be trusted on its own: it is accepted only if it was signed by a certificate the verifier has registered as trusted.
How to sign
- Create an RSA or DSA key with the constructor of the CryptoKey class.
- Load the RSA or DSA private key into the CryptoKey object.
- Create an X509 certificate with the constructor of the CryptoX509 class.
- Set the RetrievalMethod feature on the CryptoX509 object with the URL where the XML form of the originator X509 certificate is available to the verifier.
- Create a blank signature with the constructor of the Signature class.
- Assign the CryptoKey object to the Signature object.
- Assign the CryptoX509 object to the Signature object.
- Create one or more references to be signed.
- Compute the signature.
- Retrieve the XML signature document from the Signature object.
How to verify
- Create an X509 certificate with the constructor of the CryptoX509 class.
- Load the X509 certificate that was used to sign the originator X509 certificate into the CryptoX509 object.
- Add that X509 certificate as a trusted certificate to the application.
- Create a signature with the constructor of the Signature class from an XML signature node, obtained from the document produced by the compute operation above.
- Verify the signature validity.
Note:
The first three verification steps (create, load and trust the CA certificate) can be omitted if the entry xml.application.calist
has been set in the FGLPROFILE file with the trusted
certificate.
Note:
There is no key or certificate to set in the Signature object during verification. The originator certificate is fetched through the RetrievalMethod URL carried in the signature and is accepted only if it was signed by one of the trusted certificates.
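The two procedures above (signing with the originator private key and an X509 retrieval method, then verifying against a trusted CA certificate) as one added Genero BDL example. This is not code from the original page or from the Genero product: method names follow the xml.CryptoKey, xml.CryptoX509 and xml.Signature classes as the steps describe them, but the file paths, the retrieval URL, the enveloped-signature transform and the addTrustedCertificate() call are assumptions made for illustration and must be checked against the API reference of the Genero version in use.

```genero
IMPORT xml

# Added example, not part of the original page. Paths, the retrieval URL
# and addTrustedCertificate() are assumptions; check them against the
# Genero xml.* class reference before use.
MAIN
  DEFINE sigDoc xml.DomDocument
  LET sigDoc = signDocument("invoice.xml")          -- assumed input file
  IF sigDoc IS NOT NULL THEN
     IF verifyDocument(sigDoc) THEN
        DISPLAY "Signature valid: originator certificate chains to a trusted CA"
     ELSE
        DISPLAY "Signature verification FAILED"
     END IF
  END IF
END MAIN

# Sign: the private key stays on the originator side; the verifier only
# learns where to fetch the originator certificate (RetrievalMethod).
FUNCTION signDocument(path STRING) RETURNS xml.DomDocument
  DEFINE doc  xml.DomDocument
  DEFINE key  xml.CryptoKey
  DEFINE cert xml.CryptoX509
  DEFINE sig  xml.Signature
  DEFINE idx  INTEGER
  TRY
    LET doc = xml.DomDocument.Create()
    CALL doc.load(path)
    -- Steps 1-2: RSA signing key loaded from the originator private key (assumed path)
    LET key = xml.CryptoKey.Create("http://www.w3.org/2000/09/xmldsig#rsa-sha1")
    CALL key.loadPEM("originator-private-key.pem")
    -- Steps 3-4: certificate object carrying only the retrieval URL (assumed URL)
    LET cert = xml.CryptoX509.Create()
    CALL cert.setFeature("RetrievalMethod", "https://example.com/certs/originator.xml")
    -- Steps 5-7: blank signature, then attach key and certificate
    LET sig = xml.Signature.Create()
    CALL sig.setKey(key)
    CALL sig.setCertificate(cert)
    -- Step 8: one reference covering the whole document (enveloped signature, assumed transform)
    CALL sig.createReference("", "http://www.w3.org/2000/09/xmldsig#enveloped-signature") RETURNING idx
    -- Steps 9-10: compute and return the XML signature document
    CALL sig.compute(doc)
    RETURN sig.getDocument()
  CATCH
    DISPLAY "Signing failed, STATUS=", STATUS
    RETURN NULL
  END TRY
END FUNCTION

# Verify: nothing is set in the Signature object. Trust comes only from the
# CA certificate registered here (or from xml.application.calist in FGLPROFILE).
FUNCTION verifyDocument(sigDoc xml.DomDocument) RETURNS BOOLEAN
  DEFINE ca  xml.CryptoX509
  DEFINE sig xml.Signature
  DEFINE ok  BOOLEAN
  TRY
    -- Steps 1-3: load the certificate that signed the originator certificate and
    -- make it trusted. Skip these three lines when FGLPROFILE already names it.
    -- Never register the originator's own certificate here: that would let any
    -- sender pass verification by pointing RetrievalMethod at its own certificate.
    LET ca = xml.CryptoX509.Create()
    CALL ca.loadPEM("trusted-ca.pem")          -- assumed path
    CALL ca.addTrustedCertificate()            -- assumed method name
    -- Step 4: rebuild the Signature from the ds:Signature node of the signed document
    LET sig = xml.Signature.CreateFromNode(sigDoc.getDocumentElement())
    -- Step 5: verify; the originator certificate is fetched via RetrievalMethod
    -- and must chain to a trusted certificate (verify() assumed to return TRUE on success)
    LET ok = sig.verify(sigDoc)
    RETURN ok
  CATCH
    DISPLAY "Verification error, STATUS=", STATUS
    RETURN FALSE
  END TRY
END FUNCTION
```

In a real deployment the RetrievalMethod URL should be served over HTTPS from a host the verifier controls or expects, and the verifier should treat a failed chain check as a hard rejection rather than falling back to the embedded certificate.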