The xmlsignature-sign | xsign command takes an XML document as input and creates an XML signature output document using the specified signing options.
raptorxml xmlsignature-sign [options] --output=File --signature-type=Value --signature-canonicalization-method=Value --certname=Value|hmackey=Value InputFile |
•The InputFile argument is the XML document to sign.
•The --output option specifies the location of the document that contains the XML signature.
Example
Example of the xmlsignature-sign command:
•raptorxml xsign --output=c:\SignedFile.xml --signature-type=enveloped --signature-canonicalization-method=xml-c14n11 --hmackey=secretpassword c:\SomeUnsigned.xml
RaptorXML (and RaptorXMLServer for administration commands) on Windows raptorxml (and raptorxmlserver for administration commands) on Windows and Unix (Linux, Mac) * Note that lowercase (raptorxml and raptorxmlserver) works on all platforms (Windows, Linux, and Mac), while upper-lower (RaptorXML) works only on Windows and Mac. * Use forward slashes on Linux and Mac, backslashes on Windows. |
On Windows systems: When spaces or special characters occur in strings (for example in file or folder names, or company, person or product names), use quotes: for example, "My File". Note, however, that a backslash followed by a double-quotation mark (for example, "C:\My directory\") might not be read correctly. This is because the backslash character is also used to indicate the start of an escape sequence, and the escape sequence \" stands for the double-quotation mark character. If you want to escape this sequence of characters, use a preceding backslash, like this: \\". To summarize: If you need to write a file path that contains spaces or an end backslash, write it like this: "C:\My Directory\\". |
Options
Options are listed in short form (if available) and long form. You can use one or two dashes for both short and long forms. An option may or may not take a value. If it takes a value, it is written like this: --option=value. Values can be specified without quotes except in two cases: (i) when the value string contains spaces, or (ii) when explicitly stated in the description of the option that quotes are required. If an option takes a Boolean value and no value is specified, then the option's default value is TRUE. Use the --h, --help option to display information about the command.
output = FILE The URL of the output document that is created with the new XML signature. |
--verbose = true|false A value of true enables output of additional information during validation. Default value is false. Note: Boolean option values are set to true if the option is specified without a value. |
|
--absolute-reference-uri = true|false Specifies whether the URI of the signed document is to be read as absolute (true) or relative (false). Default is false. Note: Boolean option values are set to true if the option is specified without a value. |
--certname, --certificate-name = VALUE The name of the certificate used for signing. Windows This is the Subject name of a certificate from the selected --certificate-store. Example to list the certificates (under PowerShell) % ls cert://CurrentUser/My PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My Thumbprint Subject ---------- ------- C9DF64BB0AAF5FA73474D78B7CCFFC37C95BFC6C CN=certificate1 ... CN=... Example: --certificate-name==certificate1 Linux/MacOS --certname specifies the file name of a PEM encoded X.509v3 certificate with the private key. Such files usually have the extension .pem. Example: --certificate-name==/path/to/certificate1.pem |
--certstore, --certificate-store = VALUE The location where the certificate specified with --certificate-name is stored. Windows The name of a certificate store under cert://CurrentUser. The available certificate stores can be listed (under PowerShell) by using % ls cert://CurrentUser/. Certificates would then be listed as follows: Name : TrustedPublisher Name : ClientAuthIssuer Name : Root Name : UserDS Name : CA Name : ACRS Name : REQUEST Name : AuthRoot Name : MSIEHistoryJournal Name : TrustedPeople Name : MyCertStore Name : Local NonRemovable Certificates Name : SmartCardRoot Name : Trust Name : Disallowed Example: --certificate-store==MyCertStore Linux/MacOS The --certstore option is currently not supported. |
--digest, --digest-method = sha1|sha256|sha384|sha512 The algorithm that is used to compute the digest value over the input XML file. Available values are: sha1|sha256|sha384|sha512. |
--hmackey, --hmac-secret-key = VALUE The HMAC shared secret key; must have a minimum length of six characters. Example: --hmackey=secretpassword |
--hmaclen, --hmac-output-length = LENGTH Truncates the output of the HMAC algorithm to length bits. If specified, this value must be •a multiple of 8 •larger than 80 •larger than half of the underlying hash algorithm's output length |
--keyinfo, --append-keyinfo = true|false Specifies whether to include the KeyInfo element in the signature or not. The default is false. |
--sigc14nmeth, --signature-canonicalization-method = VALUE Specifies the canonicalization algorithm to apply to the SignedInfo element. The value must be one of: •REC-xml-c14n-20010315 •xml-c14n11 •xml-exc-c14n# |
--sigmeth, --signature-method = VALUE Specifies the algorithm to use for generating the signature. When a certificate is usedIf a certificate is specified, then SignatureMethod is optional and the value for this parameter is derived from the certificate. If specified, it must match the algorithm used by the certificate. Example: rsa-sha256. When --hmac-secret-key is usedWhen HMACSecretKey is used, then SignatureMethod is mandatory. The value must be one of the supported HMAC algorithms: •hmac-sha256 •hmac-sha386 •hmac-sha512 •hmac-sha1 (discouraged by the specification) Example: hmac-sha256 |
--sigtype, --signature-type = detached | enveloping | enveloped Specifies the type of signature to be generated. |
--transforms = VALUE Specifies the XML Signature transformations applied to the input document. The supported values are: •REC-xml-c14n-20010315 for Canonical XML 1.0 (omit comments) •xml-c14n11 for Canonical XML 1.1 (omit comments) •xml-exc-c14n# for Exclusive XML Canonicalization 1.0 (omit comments) •REC-xml-c14n-20010315#WithComments for Canonical XML 1.0 (with comments) •xml-c14n11#WithComments for Canonical XML 1.1 (with comments) •xml-exc-c14n#WithComments for Exclusive XML Canonicalization 1.0 (with comments) •base64 •strip-whitespaces Altova extension Example: --transforms=xml-c14n11 Note: This option can be specified multiple times. If specified multiple times, then the order of specification is significant. The first specified transformation receives the input document. The last specified transformation is used immediately before calculation of the digest value. |
--write-default-attributes = true|false Specifies whether to include default attribute values from the DTD in the signed document. |
|
--help Displays help text for the command. For example, valany --h. (Alternatively the help command can be used with an argument. For example: help valany.) |
--version Displays the version of RaptorXML Server. If used with a command, place --version before the command. |
|