xmldsig

package module
v0.15.0
Published: Jun 23, 2026 License: Apache-2.0 Imports: 26 Imported by: 15

README

XML DSig

Partial implementation of the XML DSig and XAdES standards for Go. Accepts certificates in .p12/.pfx format and generates signatures typically used with UBL invoice documents or similar local standards.


Available settings

The library supports multiple configuration options. It's possible to specify options such as:

  • whether to attach the QualifyingProperties element (XAdES) or not (plain XML DSig without XAdES)
  • what canonicalizers to use
  • what hashes to use
  • whether to include reference to KeyInfo in SignedInfo (some APIs require it, some don't)
  • whether to include the public key value (RSA or ECDSA) in KeyInfo (some APIs require it, some don't)

These options are passed to the library by creating structs of type xmldsig.XMLDSigConfig and xmldsig.XAdESConfig, and passing them to xmldsig.WithXMLDSigConfig and xmldsig.WithXAdES respectively. Settings in these structs will override default settings.

For convenience, there are predefined option builders:

  • facturae.XMLDSigConfig() and facturae.XAdESConfig() for Spanish FacturaE
  • ksef.XAdESConfig() for Polish KSeF (no need to override XMLDSig defaults)

Example of a fully custom configuration, overriding all defaults:

xmlConfig := xmldsig.XMLDSigConfig{
	DataCanonicalizer:            dsig.MakeC14N10RecCanonicalizer(), // Canonicalize the XML that is signed
	DataHash:                     crypto.SHA512,                     // Hash algorithm for the signed XML
	SignedInfoCanonicalizer:      dsig.MakeC14N10RecCanonicalizer(), // Canonicalization algorithm for SignedInfo
	SignedInfoHash:               crypto.SHA256,                     // Hash algorithm for SignedInfo
	IncludeKeyValue:              false,                             // Whether to include the public key in KeyInfo
	ReferenceKeyInfoInSignedInfo: true,                              // Whether SignedInfo should reference KeyInfo
	KeyInfoCanonicalizer:         dsig.MakeC14N10RecCanonicalizer(),
	KeyInfoHash:                  crypto.SHA512,
}

xadesConfig := xmldsig.XAdESConfig{
	TimestampFormatter:            customTimestampFormatter,          // Timestamp formatter for SigningTime
	IssuerSerializer:              nil,                               // Serializer for issuer names, nil for default
	SignedPropertiesCanonicalizer: dsig.MakeC14N10RecCanonicalizer(),
	SignedPropertiesHash:          crypto.SHA512,
	SigningCertificateHash:        crypto.SHA512,
}

signature, err := xmldsig.Sign(data,
	xmldsig.WithCertificate(cert),
	xmldsig.WithXMLDSigConfig(xmlConfig),
	xmldsig.WithXAdES(&xadesConfig),
)

Example of a custom timestamp formatter:

func customTimestampFormatter(t time.Time) string {
	return t.UTC().Format("2006-01-02T15:04:05.0000000+00:00")
}

Usage Example

This example shows how to sign a document using the XAdES standard with the Polish KSeF predefined settings. In KSeF, a signed XML document is used when logging in to the API.

type AuthTokenRequest struct {
	XMLName           xml.Name           `xml:"AuthTokenRequest"`
	XMLNamespace      string             `xml:"xmlns,attr"`
	XSI               string             `xml:"xmlns:xsi,attr"`
	XSD               string             `xml:"xmlns:xsd,attr"`
	Challenge         string             `xml:"Challenge"`
	ContextIdentifier *ContextIdentifier `xml:"ContextIdentifier"`
	Signature         *xmldsig.Signature `xml:"ds:Signature,omitempty"` // Add signature object!
}

func main() {
	authTokenRequest := &AuthTokenRequest{
		// ... fill in the rest of the fields as needed ...
	}

	data, err := xml.Marshal(authTokenRequest)
	if err != nil {
		log.Fatal(err)
	}
	cert, err := xmldsig.LoadCertificate("./invopop.p12", "invopop")
	if err != nil {
		log.Fatal(err)
	}
	// Sign the marshalled document and attach the resulting ds:Signature element
	authTokenRequest.Signature, err = xmldsig.Sign(data,
		xmldsig.WithCertificate(cert),
		xmldsig.WithXAdES(ksef.XAdESConfig()),
	)
	if err != nil {
		log.Fatal(err)
	}

	// Now output the signed document
	out, err := xml.Marshal(authTokenRequest)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(out))
}

This example shows how to sign a document using the XAdES standard with Spanish FacturaE predefined settings. Note that this system requires additional configuration parameters to generate additional elements in the signature.

type SampleDoc struct {
	XMLName       xml.Name `xml:"test:SampleDoc"`
	TestNamespace string   `xml:"xmlns:test,attr"`
	Title         string
	Signature     *xmldsig.Signature `xml:"ds:Signature,omitempty"` // Add signature object!
}

func main() {
	doc := &SampleDoc{
		TestNamespace: "http://invopop.com/xml/test",
		Title:         "This is a test",
	}
	// Using XAdES FacturaE example policy config
	facturaeConfig := facturae.XAdESConfig(xmldsig.XAdESConfig{
		Role:        xmldsig.XAdESSignerRole("third party"),
		Description: "test",
		Policy: &xmldsig.XAdESPolicyConfig{
			URL:         "http://www.facturae.es/politica_de_firma_formato_facturae/politica_de_firma_formato_facturae_v3_1.pdf",
			Description: "Política de Firma FacturaE v3.1",
			Algorithm:   "http://www.w3.org/2000/09/xmldsig#sha1",
			Hash:        "Ohixl6upD6av8N7pEvDABhEL6hM=",
		},
	})
	data, err := xml.Marshal(doc)
	if err != nil {
		log.Fatal(err)
	}
	cert, err := xmldsig.LoadCertificate("./invopop.p12", "invopop")
	if err != nil {
		log.Fatal(err)
	}
	// Sign with the FacturaE XMLDSig defaults plus the XAdES policy configured above
	doc.Signature, err = xmldsig.Sign(data,
		xmldsig.WithCertificate(cert),
		xmldsig.WithXMLDSigConfig(facturae.XMLDSigConfig()),
		xmldsig.WithXAdES(&facturaeConfig),
	)
	if err != nil {
		log.Fatal(err)
	}

	// Now output the signed document
	out, err := xml.Marshal(doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(out))
}

Support is also included for using a Time Stamp Authority (TSA). Simply add the following to the Sign options with the URL of the service you want to use:

xmldsig.WithTimestamp(xmldsig.TimestampFreeTSA) // uses https://freetsa.org/tsr

Using this option requires XAdES support to be enabled (by calling WithXAdES), as the timestamp is added to QualifyingProperties > UnsignedProperties > SignatureTimestamp.

Certificates

Signing and certificates can be overwhelming. OpenSSL is the tool to use for inspecting what you actually have, and this page has a useful set of commands: https://www.sslshopper.com/article-most-common-openssl-commands.html

This library requires certificates in PKCS12 DER format (.pfx or .p12 extension). If you don't have one, use the OpenSSL tools to convert between X509 (.pem) format and PKCS12.

The order of certificates is important: the main (signing) certificate must come first. You can check the order using the following command:

openssl pkcs12 -info -in keyStore.p12

It might be a good idea to try exporting and re-creating your existing PKCS12 files if in doubt. First extract to pem:

openssl pkcs12 -in invopop.p12 -out invopop.pem -nodes

Split the resulting .pem file into multiple parts for the key, certificate, and CA certificate(s) using your text editor. Then rebuild:

openssl pkcs12 -export -out invopop.p12 -inkey invopop.key -in invopop.crt -certfile invopop.ca

Changes

Add information about canonicalization method to SignedInfo

Before this change, the library was performing canonicalization on the signed data and SignedProperties elements, but was not adding appropriate Transform elements, describing the canonicalization method, to the SignedInfo element.

Updated methods

  • FacturaE-specific options that were previously hardcoded have moved to API-specific configuration, so xmldsig.WithXAdES must now be called as xmldsig.WithXAdES(facturae.XAdESConfig(...)).

This project is developed and maintained under the Apache 2.0 Open Source license by Invopop.

Copyright 2021-2023 Invopop Ltd.

Documentation

Overview

Package xmldsig helps generate XML files with digital signatures.

Index

Constants

const (
	NamespaceXAdES  = "http://uri.etsi.org/01903/v1.3.2#"
	NamespaceDSig   = "http://www.w3.org/2000/09/xmldsig#"
	NamespaceDSig11 = "http://www.w3.org/2009/xmldsig11#"
)

Namespaces used in XML-DSig and XAdES.

const (
	XMLNS = "xmlns"
	XAdES = "xades"
	DSig  = "ds"
)

XML namespace prefixes.

const (
	ReferenceTypeObject  = "http://www.w3.org/2000/09/xmldsig#Object"
	XpathFilterAlgorithm = "http://www.w3.org/TR/1999/REC-xpath-19991116"
)

Reference type URIs.

const (
	AlgDSigRSASHA224     = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"
	AlgDSigRSASHA256     = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
	AlgDSigRSASHA384     = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
	AlgDSigRSASHA512     = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
	AlgDSigRSASHA512_224 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512/224"
	AlgDSigRSASHA512_256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512/256"
	AlgDSigECDSASHA224   = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"
	AlgDSigECDSASHA256   = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
	AlgDSigECDSASHA384   = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"
	AlgDSigECDSASHA512   = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
)

Supported signing algorithms URIs.

const (
	TimestampFreeTSA = "https://freetsa.org/tsr"
)

List of free TSA servers: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710

Variables

var ErrNotFound = errors.New("not found")

ErrNotFound is returned when a matching certificate was not found.

Functions

func NakedPEM

func NakedPEM(cert *x509.Certificate) string

NakedPEM converts an x509-formatted certificate to the PEM format without the headers, useful for including in the XML document.

func PEMCertificate

func PEMCertificate(cert *x509.Certificate) []byte

PEMCertificate provides the complete PEM version of the certificate.

func PEMPrivateECDSAKey added in v0.13.0

func PEMPrivateECDSAKey(key *ecdsa.PrivateKey) []byte

PEMPrivateECDSAKey issues a PEM string with the ECDSA Key.

func PEMPrivateRSAKey

func PEMPrivateRSAKey(key *rsa.PrivateKey) []byte

PEMPrivateRSAKey issues a PEM string with the RSA Key.

Types

type AlgorithmMethod

type AlgorithmMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
	XPath     string `xml:"ds:XPath,omitempty"`
}

AlgorithmMethod contains URL identifier of the signing algorithm (e.g. RSA-SHA256)

type Cert added in v0.12.0

type Cert struct {
	CertDigest   *CertDigest   `xml:"xades:CertDigest"`
	IssuerSerial *IssuerSerial `xml:"xades:IssuerSerial"`
}

Cert encapsulates digest and issuer information for the signing certificate.

type CertDigest added in v0.12.0

type CertDigest struct {
	DigestMethod *AlgorithmMethod `xml:"ds:DigestMethod"`
	DigestValue  string           `xml:"ds:DigestValue"`
}

CertDigest contains the digest method and value for the signing certificate.

type Certificate

type Certificate struct {
	CaChain []*x509.Certificate
	// contains filtered or unexported fields
}

Certificate stores information about a signing Certificate which can be used to sign a facturae XML

func LoadCertificate

func LoadCertificate(path, password string) (*Certificate, error)

LoadCertificate creates a new Certificate instance from a PKCS12 file at the given path with the given password

func LoadCertificateFromBytes added in v0.12.0

func LoadCertificateFromBytes(data []byte, password string) (*Certificate, error)

LoadCertificateFromBytes creates a new Certificate instance from a PKCS12 certificate given as bytes, with the given password

func NewCertificate added in v0.15.0

func NewCertificate(cert *x509.Certificate, key crypto.Signer) (*Certificate, error)

NewCertificate creates a Certificate from a parsed x509.Certificate and a crypto.Signer

func (*Certificate) Fingerprint

func (cert *Certificate) Fingerprint(hash crypto.Hash) (string, error)

Fingerprint returns the requested hash of the certificate's DER bytes.

func (*Certificate) Issuer

func (cert *Certificate) Issuer() string

Issuer returns a description of the certificate issuer

func (*Certificate) NakedPEM

func (cert *Certificate) NakedPEM() string

NakedPEM will return the public certificate encoded in base64 PEM (without markers like "-----BEGIN CERTIFICATE-----")

func (*Certificate) PEM

func (cert *Certificate) PEM() []byte

PEM provides the PEM representation of the certificate.

func (*Certificate) PrivateKey

func (cert *Certificate) PrivateKey() []byte

PrivateKey provides the private key in PEM format for both RSA and ECDSA keys.

func (*Certificate) PrivateKeyInfo

func (cert *Certificate) PrivateKeyInfo() *PrivateKeyInfo

PrivateKeyInfo exposes public components of the configured private key that may be embedded in ds:KeyInfo blocks for interoperability.

func (*Certificate) PublicKeyAlgorithm added in v0.12.0

func (cert *Certificate) PublicKeyAlgorithm() x509.PublicKeyAlgorithm

PublicKeyAlgorithm exposes the public key algorithm of the certificate.

func (*Certificate) SerialNumber

func (cert *Certificate) SerialNumber() string

SerialNumber returns the serial number of the certificate

func (*Certificate) Sign

func (cert *Certificate) Sign(data string, hash crypto.Hash, ecdsaFormatDER bool) (string, error)

Sign hashes the provided data with the requested hash algorithm and signs the digest using the configured private key. For ECDSA keys, ecdsaFormatDER controls whether the signature is returned in the concatenated r||s format (W3C XML DSig standard, false) or in raw DER encoding (required by ZATCA, true).
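An added example (standard library only, not the library's own code) of the two ECDSA encodings the Sign method distinguishes: the DER SEQUENCE that ZATCA expects and the fixed-width r||s form the W3C ecdsa-* SignatureMethods require. The function names derToRS, rsToDER, verifyRS and signBoth are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// ecdsaSig mirrors the ASN.1 SEQUENCE { r INTEGER, s INTEGER } that
// crypto/ecdsa emits from SignASN1 (the "raw DER" form the page mentions).
type ecdsaSig struct {
	R, S *big.Int
}

// derToRS converts a DER-encoded ECDSA signature into the fixed-width
// r||s form used by the XML DSig ecdsa-* SignatureMethods: each integer
// is left-padded with zeros to the curve's byte length.
func derToRS(der []byte, curve elliptic.Curve) ([]byte, error) {
	var sig ecdsaSig
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after ECDSA signature")
	}
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 {
		return nil, errors.New("r and s must be positive")
	}
	n := (curve.Params().BitSize + 7) / 8
	if sig.R.BitLen() > n*8 || sig.S.BitLen() > n*8 {
		return nil, errors.New("r or s exceeds curve size")
	}
	out := make([]byte, 2*n)
	sig.R.FillBytes(out[:n])
	sig.S.FillBytes(out[n:])
	return out, nil
}

// rsToDER is the inverse: split a fixed-width r||s blob back into DER.
func rsToDER(rs []byte, curve elliptic.Curve) ([]byte, error) {
	n := (curve.Params().BitSize + 7) / 8
	if len(rs) != 2*n {
		return nil, fmt.Errorf("expected %d bytes of r||s, got %d", 2*n, len(rs))
	}
	r := new(big.Int).SetBytes(rs[:n])
	s := new(big.Int).SetBytes(rs[n:])
	return asn1.Marshal(ecdsaSig{R: r, S: s})
}

// verifyRS checks a fixed-width r||s signature over an already-hashed digest.
func verifyRS(pub *ecdsa.PublicKey, digest, rs []byte) bool {
	n := (pub.Curve.Params().BitSize + 7) / 8
	if len(rs) != 2*n {
		return false
	}
	r := new(big.Int).SetBytes(rs[:n])
	s := new(big.Int).SetBytes(rs[n:])
	return ecdsa.Verify(pub, digest, r, s)
}

// signBoth signs data with SHA-256 and returns the same signature in both
// encodings so the two can be compared side by side.
func signBoth(key *ecdsa.PrivateKey, data []byte) (der, rs []byte, err error) {
	digest := sha256.Sum256(data)
	der, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, nil, err
	}
	rs, err = derToRS(der, key.Curve)
	return der, rs, err
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	data := []byte("<SignedInfo/>") // constructed sample input
	der, rs, err := signBoth(key, data)
	if err != nil {
		panic(err)
	}
	digest := sha256.Sum256(data)
	fmt.Println("DER  (ZATCA):   ", base64.StdEncoding.EncodeToString(der), ecdsa.VerifyASN1(&key.PublicKey, digest[:], der))
	fmt.Println("r||s (XML DSig):", base64.StdEncoding.EncodeToString(rs), verifyRS(&key.PublicKey, digest[:], rs))
}
```

Both encodings verify against the same key; a verifier that receives the wrong one will reject a perfectly good signature, which is the interoperability trap the ecdsaFormatDER switch exists for.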

func (*Certificate) SubjectSerialNumber added in v0.13.0

func (cert *Certificate) SubjectSerialNumber() string

SubjectSerialNumber returns the serialNumber attribute from the certificate's Subject Distinguished Name (OID 2.5.4.5). This is typically used to carry national identifiers such as "TINPL-…", "PNOPL-…", "PESEL-…", or "NIP-…" in Polish qualified certificates.

func (*Certificate) TLSAuthConfig

func (cert *Certificate) TLSAuthConfig() (*tls.Config, error)

TLSAuthConfig prepares TLS authentication connection details ready to use with HTTP servers that require them in addition to the signatures of the XML-DSig signed payload.

type ClaimedRoles added in v0.12.0

type ClaimedRoles struct {
	ClaimedRole []string `xml:"xades:ClaimedRole"`
}

ClaimedRoles holds one or more claimed role declarations.

type DataObjectFormat

type DataObjectFormat struct {
	ObjectReference  string            `xml:"ObjectReference,attr"`
	Description      string            `xml:"xades:Description,omitempty"`
	ObjectIdentifier *ObjectIdentifier `xml:"xades:ObjectIdentifier,omitempty"`
	MimeType         string            `xml:"xades:MimeType,omitempty"`
	Encoding         string            `xml:"xades:Encoding,omitempty"`
}

DataObjectFormat describes the xades:DataObjectFormat element.

type ECKeyValue added in v0.12.0

type ECKeyValue struct {
	XMLName xml.Name `xml:"dsig11:ECKeyValue"`

	NamedCurve NamedCurve `xml:"dsig11:NamedCurve"`
	PublicKey  string     `xml:"dsig11:PublicKey"`
}

type Identifier

type Identifier struct {
	Qualifier string `xml:"Qualifier,attr,omitempty"`
	Value     string `xml:",chardata"`
}

Identifier is reused by multiple elements to represent string content with an optional qualifier attribute.

type IssuerSerial

type IssuerSerial struct {
	X509IssuerName   string `xml:"ds:X509IssuerName"`
	X509SerialNumber string `xml:"ds:X509SerialNumber"`
}

IssuerSerial wraps issuer and serial number statements for a certificate.

type KeyAlgorithm added in v0.12.0

type KeyAlgorithm string

KeyAlgorithm describes the public key algorithm exposed via PrivateKeyInfo.

const (
	KeyAlgorithmUnknown KeyAlgorithm = ""
	KeyAlgorithmRSA     KeyAlgorithm = "RSA"
	KeyAlgorithmECDSA   KeyAlgorithm = "ECDSA"
)

type KeyInfo

type KeyInfo struct {
	XMLName xml.Name `xml:"ds:KeyInfo"`
	ID      string   `xml:"Id,attr"`

	DSig11Namespace string `xml:"xmlns:dsig11,attr,omitempty"`

	X509Data *X509Data `xml:"ds:X509Data,omitempty"`
	KeyValue *KeyValue `xml:"ds:KeyValue,omitempty"` // optional, some APIs require it
}

KeyInfo contains the public key and certificate information

type KeyValue

type KeyValue struct {
	// RSA (XMLDSIG 1.0)
	RSA *RSAKeyValue `xml:"ds:RSAKeyValue,omitempty"`

	// EC (XMLDSIG 1.1)
	EC *ECKeyValue `xml:"dsig11:ECKeyValue,omitempty"`
}

KeyValue contains the public key (optional, only specific APIs require it)

type NamedCurve added in v0.12.0

type NamedCurve struct {
	URI string `xml:"URI,attr"`
}

type Namespaces

type Namespaces map[string]string

Namespaces defines special functionality for dealing with namespaces

func (Namespaces) Add

func (ns Namespaces) Add(name, url string) Namespaces

Add will add the namespace and return a new instance of the map without modifying the original.

type Object

type Object struct {
	QualifyingProperties *QualifyingProperties `xml:"xades:QualifyingProperties"`
}

Object wraps the XAdES qualifying properties

type ObjectIdentifier

type ObjectIdentifier struct {
	Identifier  Identifier `xml:"xades:Identifier"`
	Description string     `xml:"xades:Description,omitempty"`
}

ObjectIdentifier configures xades:ObjectIdentifier element content.

type Option

type Option func(o *options) error

Option function to be used for defining startup options

func WithCertificate

func WithCertificate(cert *Certificate) Option

WithCertificate sets the Certificate used for signing; load it first with LoadCertificate, LoadCertificateFromBytes, or NewCertificate.

func WithCurrentTime

func WithCurrentTime(fn func() time.Time) Option

WithCurrentTime allows a callback to be provided in order to use a different signing time source. This is especially useful for testing. The default is `time.Now().UTC()`.

func WithDocID

func WithDocID(id string) Option

WithDocID assigns a document ID to the signatures

func WithNamespace

func WithNamespace(name, url string) Option

WithNamespace is used to define all the namespaces that must be included in canonicalization processes. DSig requires each segment that is used in a hash to reference all previously defined namespaces, even if they are not used inside the current segment.

func WithTimestamp

func WithTimestamp(url string) Option

WithTimestamp will add an official timestamp to the signature.

func WithXAdESConfig added in v0.13.0

func WithXAdESConfig(opts XAdESConfig) Option

WithXAdESConfig enables XAdES support with the given config. Pass a zero-value XAdESConfig to use default XAdES settings.

func WithXMLDSigConfig added in v0.12.0

func WithXMLDSigConfig(opts XMLDSigConfig) Option

WithXMLDSigConfig allows passing custom options overriding default XMLDSig settings.

type PolicyIdentifier

type PolicyIdentifier struct {
	SignaturePolicyID *PolicySignaturePolicyID `xml:"xades:SignaturePolicyId"`
}

PolicyIdentifier represents xades:SignaturePolicyIdentifier > xades:SignaturePolicyId.

type PolicySigPolicyHash added in v0.12.0

type PolicySigPolicyHash struct {
	DigestMethod *AlgorithmMethod `xml:"ds:DigestMethod,omitempty"`
	DigestValue  string           `xml:"ds:DigestValue,omitempty"`
}

PolicySigPolicyHash carries information about the policy hash.

type PolicySigPolicyID added in v0.12.0

type PolicySigPolicyID struct {
	Identifier  Identifier `xml:"xades:Identifier"`
	Description string     `xml:"xades:Description,omitempty"`
}

PolicySigPolicyID wraps identifier and description fields.

type PolicySignaturePolicyID added in v0.12.0

type PolicySignaturePolicyID struct {
	SigPolicyID         PolicySigPolicyID    `xml:"xades:SigPolicyId"`
	SigPolicyHash       *PolicySigPolicyHash `xml:"xades:SigPolicyHash,omitempty"`
	SigPolicyQualifiers *SigPolicyQualifiers `xml:"xades:SigPolicyQualifiers,omitempty"`
}

PolicySignaturePolicyID contains the policy identifier and optional hash data.

type PrivateKeyInfo

type PrivateKeyInfo struct {
	Algorithm KeyAlgorithm

	// RSA fields
	Modulus  string
	Exponent string

	// ECDSA fields
	CurveURI  string
	PublicKey string
}

PrivateKeyInfo contains public information extracted from the private key. Values are base64-encoded to match XML-DSig expectations when embedding ds:KeyInfo payloads.

type QualifyingProperties

type QualifyingProperties struct {
	XAdESNamespace string `xml:"xmlns:xades,attr,omitempty"`
	ID             string `xml:"Id,attr"`
	Target         string `xml:"Target,attr"`

	SignedProperties   *SignedProperties   `xml:"xades:SignedProperties"`
	UnsignedProperties *UnsignedProperties `xml:"xades:UnsignedProperties,omitempty"`
}

QualifyingProperties contains XAdES-specific signature data. XAdES-specific namespace is required, so we use `xades` prefix.

type RSAKeyValue added in v0.12.0

type RSAKeyValue struct {
	XMLName xml.Name `xml:"ds:RSAKeyValue"`

	Modulus  string `xml:"ds:Modulus,omitempty"`
	Exponent string `xml:"ds:Exponent,omitempty"`
}

type Reference

type Reference struct {
	ID   string `xml:"Id,attr,omitempty"`
	Type string `xml:"Type,attr,omitempty"`
	URI  string `xml:"URI,attr"`

	Transforms   *Transforms      `xml:"ds:Transforms,omitempty"`
	DigestMethod *AlgorithmMethod `xml:"ds:DigestMethod"`
	DigestValue  string           `xml:"ds:DigestValue"`
}

Reference contains information about the document part that is signed. Note that there may be multiple references in a signature: in XAdES, one reference is for the outermost XML element, and another reference is for XAdES-specific data (xades:SignedProperties).

type SigPolicyQualifier added in v0.14.0

type SigPolicyQualifier struct {
	SPURI string `xml:"xades:SPURI"`
}

SigPolicyQualifier contains a single policy qualifier (e.g. SPURI).

type SigPolicyQualifiers added in v0.14.0

type SigPolicyQualifiers struct {
	SigPolicyQualifier []SigPolicyQualifier `xml:"xades:SigPolicyQualifier"`
}

SigPolicyQualifiers holds policy qualifier elements such as SPURI.

type Signature

type Signature struct {
	DSigNamespace string   `xml:"xmlns:ds,attr,omitempty"`
	ID            string   `xml:"Id,attr"`
	XMLName       xml.Name `xml:"ds:Signature"`

	SignedInfo *SignedInfo `xml:"ds:SignedInfo"`
	Value      *Value      `xml:"ds:SignatureValue"`
	KeyInfo    *KeyInfo    `xml:"ds:KeyInfo"`
	Object     *Object     `xml:"ds:Object,omitempty"`
	// contains filtered or unexported fields
}

Signature contains the complete signature to be added to the document.

func Sign

func Sign(data []byte, opts ...Option) (*Signature, error)

Sign signs the provided data using the given options and returns the resulting Signature.

type SignedDataObjectProperties added in v0.12.0

type SignedDataObjectProperties struct {
	DataObjectFormat *DataObjectFormat `xml:"xades:DataObjectFormat"`
}

SignedDataObjectProperties describes signed objects such as the main document body.

type SignedInfo

type SignedInfo struct {
	XMLName xml.Name `xml:"ds:SignedInfo"`
	ID      string   `xml:"Id,attr,omitempty"`

	CanonicalizationMethod *AlgorithmMethod `xml:"ds:CanonicalizationMethod"`
	SignatureMethod        *AlgorithmMethod `xml:"ds:SignatureMethod"`
	Reference              []*Reference     `xml:"ds:Reference"`
}

SignedInfo contains the info that will be signed by the certificate.

type SignedProperties

type SignedProperties struct {
	XMLName                    xml.Name                    `xml:"xades:SignedProperties"`
	ID                         string                      `xml:"Id,attr"`
	SignedSignatureProperties  *SignedSignatureProperties  `xml:"xades:SignedSignatureProperties"`
	SignedDataObjectProperties *SignedDataObjectProperties `xml:"xades:SignedDataObjectProperties,omitempty"`
}

SignedProperties represents the root xades:SignedProperties element.

type SignedSignatureProperties

type SignedSignatureProperties struct {
	SigningTime               string              `xml:"xades:SigningTime"`
	SigningCertificate        *SigningCertificate `xml:"xades:SigningCertificate"`
	SignaturePolicyIdentifier *PolicyIdentifier   `xml:"xades:SignaturePolicyIdentifier,omitempty"`
	SignerRole                *SignerRole         `xml:"xades:SignerRole,omitempty"`
}

SignedSignatureProperties contains signer-specific statements such as SigningTime and SigningCertificate.

type SignerRole

type SignerRole struct {
	ClaimedRoles *ClaimedRoles `xml:"xades:ClaimedRoles"`
}

SignerRole enumerates claimed signer roles.

type SigningCertificate

type SigningCertificate struct {
	Cert []*Cert `xml:"xades:Cert"`
}

SigningCertificate encloses certificate details required by XAdES.

type Timestamp

type Timestamp struct {
	CanonicalizationMethod *AlgorithmMethod `xml:"ds:CanonicalizationMethod"`
	EncapsulatedTimeStamp  string           `xml:"xades:EncapsulatedTimeStamp"`
}

Timestamp contains authentication data for a timestamp.

type TimestampSignatureValue

type TimestampSignatureValue struct {
	XMLName   xml.Name
	Namespace string `xml:"xmlns:ds,attr"`
	ID        string `xml:"Id,attr"`
	Value     string `xml:",chardata"`
}

TimestampSignatureValue is the value of the signature timestamp.

type Transforms

type Transforms struct {
	Transform []*AlgorithmMethod `xml:"ds:Transform"`
}

Transforms contains a list of transforms to apply to the document before signing, as URL identifiers - usually includes canonicalization and hash algorithms.

type UnsignedProperties

type UnsignedProperties struct {
	SignatureTimestamp *Timestamp `xml:"xades:UnsignedSignatureProperties>xades:SignatureTimestamp"`
}

UnsignedProperties contains signature data not included in the SignedInfo (e.g. verified timestamp)

type Value

type Value struct {
	ID    string `xml:"Id,attr,omitempty"`
	Value string `xml:",chardata"`
}

Value contains the signature itself (base64-encoded)

type X509Data

type X509Data struct {
	X509Certificate []string `xml:"ds:X509Certificate"`
}

X509Data contains the certificate chain

type XAdESConfig

type XAdESConfig struct {
	// Configuration for XAdES always present fields
	TimestampFormatter            func(time.Time) string
	IssuerSerializer              func(pkix.RDNSequence) string
	SigningCertificateHash        crypto.Hash
	SignedPropertiesCanonicalizer dsig.Canonicalizer
	SignedPropertiesHash          crypto.Hash

	// XAdES-specific optional XML fields
	Role             XAdESSignerRole
	Description      string
	DataObjectFormat *DataObjectFormat
	Policy           *XAdESPolicyConfig
	IncludeCaChain   bool

	// When true, digests in XAdES elements are hex-encoded
	// before base64: base64(hex(hash)) instead of base64(hash).
	HexEncodeDigests bool
	// When true, the signing certificate digest is computed
	// over the base64 PEM text instead of the raw DER bytes.
	HashPEMText bool
	// SignedPropertiesSerializer, when set, produces the exact bytes of
	// <xades:SignedProperties> that are hashed, replacing the default
	// canonicalization.
	SignedPropertiesSerializer func([]byte) ([]byte, error)
}

XAdESConfig configures the XAdES-specific properties.
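An added example (standard library only, not the library's own code) of how the HexEncodeDigests and HashPEMText switches change the xades:CertDigest value. The certificate is a throwaway self-signed one generated in memory, SHA-256 is the constructed hash choice, and the names digestMode, certDigest, nakedPEM, selfSignedDER and allVariants are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// digestMode mirrors the two XAdESConfig switches described on the page.
type digestMode struct {
	HexEncodeDigests bool // base64(hex(hash)) instead of base64(hash)
	HashPEMText      bool // hash the base64 PEM body instead of the DER bytes
}

// nakedPEM is the "NakedPEM" shape from the page: base64 of DER, no markers.
func nakedPEM(der []byte) string {
	return base64.StdEncoding.EncodeToString(der)
}

// certDigest computes the xades:CertDigest DigestValue for a certificate
// under a given mode. Only SHA-256 is wired in here (constructed choice).
func certDigest(der []byte, mode digestMode) string {
	input := der
	if mode.HashPEMText {
		input = []byte(nakedPEM(der))
	}
	sum := sha256.Sum256(input)
	if mode.HexEncodeDigests {
		return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(sum[:])))
	}
	return base64.StdEncoding.EncodeToString(sum[:])
}

// selfSignedDER builds a throwaway self-signed certificate in memory so the
// example runs offline (it stands in for the .p12 the library would load).
func selfSignedDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-signer"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// allVariants returns the four possible DigestValues so a verifier can spot
// which profile a peer is using when a signature "fails" on the cert digest.
func allVariants(der []byte) map[string]string {
	out := map[string]string{}
	for _, hx := range []bool{false, true} {
		for _, pem := range []bool{false, true} {
			name := fmt.Sprintf("hex=%v pem=%v", hx, pem)
			out[name] = certDigest(der, digestMode{HexEncodeDigests: hx, HashPEMText: pem})
		}
	}
	return out
}

func main() {
	der, err := selfSignedDER()
	if err != nil {
		panic(err)
	}
	for name, v := range allVariants(der) {
		fmt.Printf("%-20s %s\n", name, v)
	}
}
```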

type XAdESPolicyConfig

type XAdESPolicyConfig struct {
	URL         string `json:"url"`                   // URL to the policy definition; also used as SPURI qualifier when Identifier is set
	Identifier  string `json:"identifier,omitempty"`  // OID/URN identifier (when set, used as the policy identifier instead of URL)
	Description string `json:"description,omitempty"` // Optional human description
	Algorithm   string `json:"algorithm"`             // eg. SHA1 or SHA256
	Hash        string `json:"hash"`                  // Base64 encoded hash (usually provided with policy)
}

XAdESPolicyConfig provides a convenient way to specify what policy details to add to the XAdES signature.

type XAdESSignerRole

type XAdESSignerRole string

XAdESSignerRole defines the accepted signer roles for XAdES signatures.

func (XAdESSignerRole) String

func (r XAdESSignerRole) String() string

String converts the XAdES role into a string.

type XMLDSigConfig added in v0.12.0

type XMLDSigConfig struct {
	DataCanonicalizer            dsig.Canonicalizer
	DataHash                     crypto.Hash
	IncludeKeyValue              bool
	ReferenceKeyInfoInSignedInfo bool
	KeyInfoHash                  crypto.Hash
	KeyInfoCanonicalizer         dsig.Canonicalizer
	SignedInfoCanonicalizer      dsig.Canonicalizer
	SignedInfoHash               crypto.Hash
	// ECDSAFormatDER returns ECDSA signatures as raw DER (ZATCA) instead of the W3C-standard r||s form.
	ECDSAFormatDER                    bool
	OmitDocumentReferenceType         bool
	OmitDataCanonicalizationTransform bool
	DocumentTransforms                []*AlgorithmMethod
	PreHashTransforms                 func([]byte) ([]byte, error)
}

XMLDSigConfig configures canonicalization, hashing, and KeyInfo handling for raw XML DSig signatures.

Directories

Path        Synopsis
profiles
  verifactu Package verifactu provides XMLDSig and XAdES configuration for Spain's VERI*FACTU invoicing system.
