Builds XML-DSig elements for the XAdES B-B sign flow.
The shape produced is the W3C XML Signature 1.1 envelope:

    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm=".../exc-c14n#"/>
        <ds:SignatureMethod Algorithm="..."/>
        <ds:Reference URI="...">
          <ds:Transforms>
            <ds:Transform Algorithm=".../enveloped-signature"/>
            <ds:Transform Algorithm=".../exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm=".../sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
        <ds:Reference Type="...SignedProperties" URI="#xades-...">
          <ds:Transforms>
            <ds:Transform Algorithm=".../exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm=".../sha256"/>
          <ds:DigestValue>...</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>...</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
          ...
        </ds:X509Data>
      </ds:KeyInfo>
      <ds:Object>
        <xades:QualifyingProperties .../>
      </ds:Object>
    </ds:Signature>

Builder functions emit raw binary XML. Exclusive C14N is applied during digest and signature computation, so attribute order and whitespace inside these strings are normalised away before any hash is taken.
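The following Python script is an added illustration of the data-reference digest the envelope above depends on; it is not part of this module or the SignCore project. It applies the Reference transforms in the order the builder describes (enveloped-signature, then canonicalisation) and hashes the result, so that attribute order, whitespace inside start tags and the contents of the enveloped ds:Signature do not affect the DigestValue, while a change to the signed content does. It uses the standard library's xml.etree.ElementTree.canonicalize, which implements C14N 2.0 rather than Exclusive C14N 1.0; the two agree on this flat, constructed invoice, but a verifier needs a real exc-c14n implementation. The invoice documents, transform labels and function names are all constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS_SIGNATURE = "{%s}Signature" % DS_NS

# Constructed sample: the same signed invoice serialised two ways. DOC_B
# reorders attributes, adds whitespace inside start tags and carries a
# different placeholder SignatureValue; none of that may change the
# data-reference digest once the enveloped-signature transform and
# canonicalisation have run.
DOC_A = (
    '<Invoice xmlns="urn:example:invoice" Id="inv-1" Currency="EUR">'
    "<Total>100.00</Total>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:SignatureValue>AAAA</ds:SignatureValue>"
    "</ds:Signature>"
    "</Invoice>"
)
DOC_B = (
    '<Invoice   Currency="EUR"  xmlns="urn:example:invoice" Id="inv-1" >'
    "<Total>100.00</Total>"
    '<ds:Signature   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" >'
    "<ds:SignatureValue>BBBB</ds:SignatureValue>"
    "</ds:Signature>"
    "</Invoice>"
)
# Constructed tampered copy: the signed content itself changes.
DOC_TAMPERED = DOC_A.replace("100.00", "900.00")

# Transform labels used by this example (constructed, not the W3C URIs the
# real builder emits).
ENVELOPED = "enveloped-signature"
EXC_C14N = "exc-c14n"
DATA_TRANSFORMS = [ENVELOPED, EXC_C14N]


def canonical_bytes(xml_text, transforms):
    """Apply the Reference transforms left-to-right and return the octets
    that feed DigestMethod. canonicalize() serialises in one pass, so the
    enveloped transform becomes an exclude_tags entry and the
    canonicalisation transform is implicit; any other label is rejected."""
    exclude = set()
    for t in transforms:
        if t == ENVELOPED:
            exclude.add(DS_SIGNATURE)
        elif t == EXC_C14N:
            continue
        else:
            raise ValueError(f"unsupported transform {t!r}")
    canon = ET.canonicalize(xml_text, with_comments=False, exclude_tags=exclude)
    return canon.encode("utf-8")


def digest_value(xml_text, transforms):
    """base64(SHA-256(canonical octets)): the text a <ds:DigestValue> carries."""
    raw = hashlib.sha256(canonical_bytes(xml_text, transforms)).digest()
    return base64.b64encode(raw).decode("ascii")


def raw_sha256(xml_text):
    """Hash of the un-canonicalised string, to show why c14n is required."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("DigestValue A:", digest_value(DOC_A, DATA_TRANSFORMS))
    print("A == B after transforms:",
          digest_value(DOC_A, DATA_TRANSFORMS) == digest_value(DOC_B, DATA_TRANSFORMS))
    print("A == tampered:",
          digest_value(DOC_A, DATA_TRANSFORMS) == digest_value(DOC_TAMPERED, DATA_TRANSFORMS))
    print("raw strings equal:", raw_sha256(DOC_A) == raw_sha256(DOC_B))
```

Without the enveloped transform the two documents digest differently, because the differing placeholder SignatureValue is then part of the hashed octets; that is why the data reference carries both transforms while the SignedProperties reference, which does not contain the signature, needs only canonicalisation.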
Functions
Map an XML Signature URI back to a JOSE alg atom. Inverse of
signature_method_uri/1.

Canonicalisation method URI for Exclusive XML C14N 1.0.

Digest method URI for SHA-256.

URI namespace for the XML Signature ds: prefix (W3C XMLDSig).

@spec random_id() :: String.t()
Helper: 8-byte hex random id suitable for XML Id attributes.

Build a <ds:Reference> element targeting a fragment of the
enveloping document. :transforms is a list of transform URIs
applied left-to-right; the typical XAdES B-B set is
[envelope, exc_c14n] for the data reference and [exc_c14n]
for the SignedProperties reference.

URI tag for the standard XAdES SignedProperties reference Type attribute.

Build the full <ds:Signature> envelope. Ready to splice into the
document at the chosen insertion point.

Args:
  signed_info_xml — the <ds:SignedInfo> block produced by signed_info/2. Used verbatim (after exc-c14n) so that the signature is computed over the same bytes the verifier sees.
  signature_value_b64 — base64 of the raw signature.
  x509_chain_b64 — list of base64-encoded DER certs. Leaf first.
  qualifying_properties_xml — the XAdES <xades:QualifyingProperties> element produced by SignCore.XML.XAdES.
  :signature_id — the Id attribute on <ds:Signature>. Required for XAdES-LT compatibility; v1 just emits a fresh one if not supplied.
Returns the XML Signature URI for a given JOSE alg atom.

    iex> SignCore.XML.Builder.signature_method_uri(:RS256)
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    iex> SignCore.XML.Builder.signature_method_uri(:PS256)
    "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"

Build a standalone <ds:SignatureValue> element with the ds
namespace declared inline. Used by the B-T attach path to compute
the canonical bytes of the signature-value element exactly the way
a verifier would re-derive them when extracting it from the signed
document.

value_b64 MUST be base64 already (RFC 4648). The caller is
responsible for producing it; this builder just wraps the bytes.
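The following Python script is an added illustration of why the standalone element must declare the ds namespace inline; it is a hypothetical re-implementation for demonstration, not this module's Elixir code. A verifier extracts ds:SignatureValue from the signed document and canonicalises just that element, and exclusive canonicalisation emits the ds declaration on the element itself because the prefix is visibly used there. A standalone element built with the same declaration therefore canonicalises to the same octets, which is what the B-T path needs before handing a hash to the timestamp authority. The signed document, the placeholder signature value and every function name are constructed; the stdlib canonicalize (C14N 2.0) stands in for exc-c14n 1.0.

```python
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the ds prefix when ElementTree re-serialises an extracted subtree.
ET.register_namespace("ds", DS_NS)

# Constructed signed document; the SignatureValue is a placeholder, not a
# real signature.
PLACEHOLDER_SIG_B64 = "cGxhY2Vob2xkZXI="
SIGNED_DOC = (
    '<Invoice xmlns="urn:example:invoice">'
    "<Total>100.00</Total>"
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig-1">'
    '<ds:SignedInfo><ds:CanonicalizationMethod '
    'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:SignedInfo>'
    f'<ds:SignatureValue Id="sig-1-value">{PLACEHOLDER_SIG_B64}</ds:SignatureValue>'
    "</ds:Signature>"
    "</Invoice>"
)


def signature_value_element(value_b64, id_attr=None):
    """Hypothetical counterpart of the standalone builder: the ds namespace
    is declared on the element itself, matching what canonicalisation emits
    for the element once it is extracted from the signed document."""
    id_part = f' Id="{id_attr}"' if id_attr else ""
    return f'<ds:SignatureValue xmlns:ds="{DS_NS}"{id_part}>{value_b64}</ds:SignatureValue>'


def canonical(xml_text):
    """Canonical octets (C14N 2.0 via the stdlib; stand-in for exc-c14n 1.0)."""
    return ET.canonicalize(xml_text, with_comments=False).encode("utf-8")


def canonical_from_signed_doc(doc):
    """The verifier's side: locate ds:SignatureValue inside the signed
    document and canonicalise only that element."""
    root = ET.fromstring(doc)
    el = root.find(f".//{{{DS_NS}}}SignatureValue")
    if el is None:
        raise ValueError("document carries no ds:SignatureValue")
    el.tail = None  # trailing whitespace belongs to the parent, not the element
    return canonical(ET.tostring(el, encoding="unicode"))


def timestamp_imprint(canonical_octets):
    """SHA-256 over the canonical element: the hash an RFC 3161 request
    would carry as its message imprint."""
    return hashlib.sha256(canonical_octets).hexdigest()


if __name__ == "__main__":
    built = canonical(signature_value_element(PLACEHOLDER_SIG_B64, "sig-1-value"))
    extracted = canonical_from_signed_doc(SIGNED_DOC)
    print(built.decode("utf-8"))
    print("builder bytes == verifier bytes:", built == extracted)
    print("imprint:", timestamp_imprint(built))
```

Note that the Id attribute is part of the canonical octets: building the standalone element without it, while the signed document carries one, produces a different imprint and a timestamp that no longer matches the signature.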
Build a <ds:SignedInfo> element wrapping the supplied
references. The :alg selects the <ds:SignatureMethod> URI.

Transform URI for the enveloped-signature rewrite.

URI namespace for the XAdES xades: prefix.