dp:verify()
Verifies a digital signature.
Namespace declaration
xmlns:dp="http://www.datapower.com/extensions"
Syntax
dp:verify(signAlgorithm, signedInfoHash, signValue, cert)
Parameters
- signAlgorithm
  The xs:string that identifies the signature algorithm. It must take one of the following values:
  - http://www.w3.org/2000/09/xmldsig#dsa-sha1
  - http://www.w3.org/2000/09/xmldsig#rsa-sha1
  - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
  - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
  - http://www.w3.org/2001/04/xmldsig-more#rsa-md5
  - http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160
- signedInfoHash
  The xs:string that contains the locally calculated hash of the <SignedInfo> element of the XML signature.
- signValue
  The xs:string that is derived from the contents of the <SignatureValue> element of the XML signature and contains the digital signature to be verified.
- cert
  The xs:string that identifies the X.509 certificate that contains the public key of the XML signatory. The target certificate can be identified in any of the following ways.
  name:cert
  - name: Indicates the literal prefix for a certificate alias.
  - cert Specifies the name of an X.509 cryptographic certificate alias.
  cert:base64Cert
  - cert: Indicates the literal prefix for a base-64 encoded certificate.
  - base64Cert Specifies that the target certificate is base-64 encoded.
  ski:certSKI
  - ski: Indicates the literal prefix for a certificate where the Subject Key Identifier (SKI) is used as the identifier.
  - certSKI Specifies the base-64 encoding of the SKI of the target certificate.
  issuerserial:serial
  - issuerserial: Indicates the literal prefix for a certificate where the issuer serial number and issuer DN are used as the identifier.
  - serial Specifies the issuer serial number as a decimal integer followed by the issuer DN; for example, 0,CN=Harold, O=Acme, L=Someplace, ST=MA, C=US. The function uses this value to search the management store for a matching certificate. The issuer DN must be in LDAP format. Autodetection of the DN format is deprecated in this release. When the auto-detection option is removed in a future release, you cannot look up certificates by specifying the issuer DN in non-LDAP format.
  thumbprintsha1:sha1string
  - thumbprintsha1: Indicates the literal prefix for a certificate identified by the base-64 encoded SHA-1 hash of the certificate.
  - sha1string Specifies a base-64 encoded SHA-1 hash of a certificate. The function uses this value to search the management store for a certificate with a matching SHA-1 hash.
  pkcs7:base64Cert
  - pkcs7: Indicates the literal prefix for a certificate that is identified as the first certificate in an unordered collection of certificates.
  - base64Cert Specifies a string of base-64 encoded ASN.1 objects that contains multiple certificates. The function uses the first certificate that it finds in the string.
  pkipath:base64cert
  - pkipath: Indicates the literal prefix for a certificate that is identified as the last certificate in an ordered collection of certificates.
  - base64cert Specifies a string of base-64 encoded ASN.1 objects that contains multiple certificates. The function uses the last certificate that it finds in the string.
Guidelines
Verifies a digital signature as specified in XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002 (also published as IETF RFC 3275).
The extension passes all arguments as XPath expressions.
Results
An empty xs:string if signature verification succeeds; otherwise, an error string.
Example
…
<xsl:variable name="verify-result"
select='dp:verify($sigmech,$signedinfo-hash,$sigvalue,$certid)'/>
…
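A fuller stylesheet built around the call above, written here as an added example; it is not code from the IBM DataPower documentation or firmware. It derives all four arguments from a ds:Signature element, selects the cert identifier form (name:, ski:, issuerserial: or cert:) from whatever ds:KeyInfo carries, and branches on the result convention described under Results, where an empty string means success. The canonicalization and hash extension calls dp:exc-c14n() and dp:hash() and their argument order, the hash-algorithm URIs passed to dp:hash(), and the fallback alias name SigningCert are assumptions; confirm them against your firmware's extension function reference and your own crypto object names before use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not IBM's code. Calls and names marked "assumed" must be checked. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp ds">

  <xsl:output method="xml"/>

  <!-- Report on every Signature element found in the input document. -->
  <xsl:template match="/">
    <verification>
      <xsl:for-each select="//ds:Signature">
        <xsl:call-template name="verify-one"/>
      </xsl:for-each>
    </verification>
  </xsl:template>

  <xsl:template name="verify-one">
    <!-- Argument 1: the SignatureMethod URI, passed to dp:verify() unchanged. -->
    <xsl:variable name="sigmech" select="string(ds:SignedInfo/ds:SignatureMethod/@Algorithm)"/>

    <!-- The digest used for signedInfoHash must match the SignatureMethod. Only the
         SHA-family methods are mapped; rsa-md5 and rsa-ripemd160 leave this empty and
         are reported as unsupported below. The hash URIs are assumed values for dp:hash(). -->
    <xsl:variable name="hashalg">
      <xsl:choose>
        <xsl:when test="$sigmech = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'">http://www.w3.org/2001/04/xmlenc#sha256</xsl:when>
        <xsl:when test="$sigmech = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'">http://www.w3.org/2001/04/xmldsig-more#sha384</xsl:when>
        <xsl:when test="$sigmech = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'">http://www.w3.org/2001/04/xmlenc#sha512</xsl:when>
        <xsl:when test="$sigmech = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' or
                        $sigmech = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'">http://www.w3.org/2000/09/xmldsig#sha1</xsl:when>
      </xsl:choose>
    </xsl:variable>

    <!-- Argument 4: choose the cert identifier form from KeyInfo. Forms that look the
         certificate up in the appliance's own store (name:, ski:, issuerserial:) are
         preferred; cert: trusts whatever certificate the message itself carries. -->
    <xsl:variable name="ws" select="'&#10;&#13;&#9; '"/>
    <xsl:variable name="certid">
      <xsl:choose>
        <xsl:when test="ds:KeyInfo/ds:KeyName">
          <xsl:value-of select="concat('name:', normalize-space(ds:KeyInfo/ds:KeyName))"/>
        </xsl:when>
        <xsl:when test="ds:KeyInfo/ds:X509Data/ds:X509SKI">
          <xsl:value-of select="concat('ski:', translate(ds:KeyInfo/ds:X509Data/ds:X509SKI, $ws, ''))"/>
        </xsl:when>
        <xsl:when test="ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial">
          <!-- decimal serial number, then the issuer DN in LDAP (RFC 2253) form -->
          <xsl:value-of select="concat('issuerserial:',
              normalize-space(ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial/ds:X509SerialNumber), ',',
              normalize-space(ds:KeyInfo/ds:X509Data/ds:X509IssuerSerial/ds:X509IssuerName))"/>
        </xsl:when>
        <xsl:when test="ds:KeyInfo/ds:X509Data/ds:X509Certificate">
          <xsl:value-of select="concat('cert:', translate(ds:KeyInfo/ds:X509Data/ds:X509Certificate, $ws, ''))"/>
        </xsl:when>
        <!-- assumed alias name of a certificate object in the appliance store -->
        <xsl:otherwise>name:SigningCert</xsl:otherwise>
      </xsl:choose>
    </xsl:variable>

    <xsl:choose>
      <xsl:when test="string($hashalg) = ''">
        <signature status="error" reason="unsupported SignatureMethod">
          <xsl:value-of select="$sigmech"/>
        </signature>
      </xsl:when>
      <xsl:otherwise>
        <!-- Argument 2: canonicalize SignedInfo, then digest the canonical bytes.
             dp:exc-c14n() is assumed here; use the method named in CanonicalizationMethod. -->
        <xsl:variable name="signedinfo-hash"
            select="dp:hash(string($hashalg), dp:exc-c14n(ds:SignedInfo))"/>
        <!-- Argument 3: the base-64 SignatureValue with all whitespace removed. -->
        <xsl:variable name="sigvalue" select="translate(ds:SignatureValue, $ws, '')"/>

        <xsl:variable name="verify-result"
            select="dp:verify($sigmech, $signedinfo-hash, $sigvalue, string($certid))"/>

        <!-- An empty result means the signature verified; anything else is the error text. -->
        <xsl:choose>
          <xsl:when test="string($verify-result) = ''">
            <signature status="ok"><xsl:value-of select="$certid"/></signature>
          </xsl:when>
          <xsl:otherwise>
            <signature status="error"><xsl:value-of select="$verify-result"/></signature>
          </xsl:otherwise>
        </xsl:choose>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

Two design points are worth noting. First, the hash passed as signedInfoHash must be computed with the digest that the SignatureMethod implies, over the canonical form of <SignedInfo>; a digest of the raw serialized element, or one computed with a different algorithm, makes dp:verify() fail even for a good signature. Second, a successful result only proves that the signature matches the certificate you named: with the cert: form the certificate comes from the message, so the caller still has to establish that this certificate chains to a trusted issuer, whereas the name:, ski:, issuerserial: and thumbprintsha1: forms resolve against certificates already held in the appliance store.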