Default signature algorithm

The system applies a default algorithm for the generation of signatures. This applies in requests where it is not specified which algorithm we want to use for the signature. This situation is typical when we send, for example, a PDF file.

The system configuration in this aspect is as follows:

  • Currently -> SHA1 Algorithm
  • From 04/26/2023 -> SHA256

How to request a specific algorithm in the signature request

The <SignatureDigestAlgorithm> field must be added to the <OptionalInputs> field in the request that arrives at TX

The possible values are:

  • md5
  • sha1
  • id_sha256
  • id_sha384
  • id_sha512

Example:

<OptionalInputs>

...

<SignatureDigestAlgorithm>id_sha256</SignatureDigestAlgorithm>

....

</OptionalInputs>

Requests that instead of a document provide an externally calculated HASH.

There are cases where the request does not contain the document to be signed but a HASH calculated externally to TrustedX. In this case the <Document> node contains a structure like this

<InputDocuments><DocumentHash>

<ns3:DigestMethod Algorithm=" urn:nist-gov:sha256 " xsi:type="ns3:DigestMethodType" xmlns:ns3=http://www.w3.org/2000/09/xmldsig#/>

<ns4:DigestValue xsi:type="ns4:DigestValueType" xmlns:ns4=http://www.w3.org/2000/09/xmldsig#>ZTgwZTYyZTQ2MTJmMjQ5NGE4OTAwY2QxZTJjZTA4ZjQwNjQwMjI0NTE1MzY4ZjYwNDVjOTU4YTM3MjFlZGY3MA==</ns4:DigestValue>

</DocumentHash>

</InputDocuments>

In this case the value that must be indicated in <ds:DigestMethod> the Algorithm attribute that has been used, the values can be the following:

  • http://www.w3.org/2000/09/xmldsig#sha1
  • http://www.w3.org/2001/04/xmldsig-more#md5
  • urn:nist-gov:sha256
  • urn:nist-gov:sha384
  • urn:nist-gov:sha512
  • http://www.w3.org/2001/04/xmlenc#sha256 (only for generating XMLDSig/XAdES signatures)
  • http://www.w3.org/2001/04/xmldsig-more#sha384 (only for generating XMLDSig/XAdES signatures)
  • http://www.w3.org/2001/04/xmlenc#sha512 (only for generating XMLDSig/XAdES signatures)

NOTE : In these cases, it is necessary to ensure that the combination between SignatureDigestAlgorithm and the calculated HASH must be consistent or the system will not sign.