Default signature algorithm
The system applies a default algorithm for the generation of signatures. This applies in requests where it is not specified which algorithm we want to use for the signature. This situation is typical when we send, for example, a PDF file.
The system configuration in this aspect is as follows:
- Currently -> SHA1 Algorithm
- From 04/26/2023 -> SHA256
How to request a specific algorithm in the signature request
The <SignatureDigestAlgorithm> field must be added to the <OptionalInputs> field in the request that arrives at TX
The possible values are:
- md5
- sha1
- id_sha256
- id_sha384
- id_sha512
Example:
<OptionalInputs>
...
<SignatureDigestAlgorithm>id_sha256</SignatureDigestAlgorithm>
....
</OptionalInputs>
Requests that instead of a document provide an externally calculated HASH.
There are cases where the request does not contain the document to be signed but a HASH calculated externally to TrustedX. In this case the <Document> node contains a structure like this
<InputDocuments><DocumentHash>
<ns3:DigestMethod Algorithm=" urn:nist-gov:sha256 " xsi:type="ns3:DigestMethodType" xmlns:ns3=http://www.w3.org/2000/09/xmldsig#/>
<ns4:DigestValue xsi:type="ns4:DigestValueType" xmlns:ns4=http://www.w3.org/2000/09/xmldsig#>ZTgwZTYyZTQ2MTJmMjQ5NGE4OTAwY2QxZTJjZTA4ZjQwNjQwMjI0NTE1MzY4ZjYwNDVjOTU4YTM3MjFlZGY3MA==</ns4:DigestValue gestureValue>
</DocumentHash>
</InputDocuments>
In this case the value to indicate in <ds:DigestMethod> the Algorithm attribute that has been used, the values can be the following:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2001/04/xmldsig-more#md5
- urn:nist-gov:sha256
- urn:nist-gov:sha384
- urn:nist-gov:sha512
- http://www.w3.org/2001/04/xmlenc#sha256 (only for generating XMLDSig/XAdES signatures)
- http://www.w3.org/2001/04/xmldsig-more#sha384 (only for generating XMLDSig/XAdES signatures)
- http://www.w3.org/2001/04/xmlenc#sha512 (only for generating XMLDSig/XAdES signatures)
NOTE : In these cases, it is necessary to ensure that the combination between SignatureDigestAlgorithm and the calculated HASH must be consistent or the system will not sign.