
XAdES Signer

Fully qualified class name: org.signserver.module.xades.signer.XAdESSigner

Overview

The XAdES Signer creates XML signatures according to the specified profile of XAdES.

The XAdES Signer was deprecated in SignServer 5.11 and replaced with the functionality in the AdES Signer.

Available Properties

Property

Description

CLAIMED_ROLE

(Optional) Specifies the claimed role to include in the signature. If the CLAIMED_ROLE_FROM_USERNAME property is also set, this value is used as a fallback when there is no user name provided in the request.

Default: no default claimed role defined.

CLAIMED_ROLE_FROM_USERNAME

(Optional) If set to true, the user name from the request (provided by an authorizer) is used as the value for the claimed role. If no user name is provided, the value set by CLAIMED_ROLE is used. If this property is set to true, CLAIMED_ROLE is not set, and the request does not contain a user name, the request results in an error.

Default: False.

COMMITMENT_TYPES

(Optional) Specifies the list of commitment types to be indicated in the signature. Multiple values can be given separated by ",". See Commitment Types for valid values. Optionally, the constant NONE can be used to explicitly state that no commitment types should be included. NONE can only be used alone.

Default: no commitment types are included.

INCLUDE_CERTIFICATE_LEVELS

Specifies the number of certificate levels to include in the document's KeyInfo (also see Common Properties). The minimum value is 1, which includes only the signer certificate. The value 2 includes the signer certificate and its issuer. To include all certificates, specify a value at least as large as the number of certificates in the certificate chain.

Default: 1.

SIGNATUREALGORITHM 

(Optional) Specifies the algorithm used to sign the data. The same set of algorithms as for the same property in XMLSigner is supported.

The default value depends on the signer’s private key:

  • SHA256withRSA for RSA keys

  • SHA256withECDSA for EC keys

TSA_DIGESTALGORITHM

(Optional) Specifies the algorithm for timestamp digests.

Default: SHA-256.

TSA_PASSWORD 

Specifies the login password used if the TSA uses HTTP Basic Auth.

TSA_URL

Specifies the URL of the Time-Stamping Authority. Required if XADESFORM=T and TSA_WORKER is not specified.

Cannot be set at the same time as TSA_WORKER.

TSA_USERNAME 

Specifies the login username used if the TSA uses HTTP Basic Auth.

TSA_WORKER

Specifies a worker ID or worker name for a time stamp signer. Required if XADESFORM=T and TSA_URL is not specified. This uses internal calls and can only be used for a time stamp authority running in the same SignServer instance.

Use this option instead of TSA_URL when using a time stamp signer running in the same SignServer instance to avoid thread deadlocks under high load. Cannot be set at the same time as TSA_URL.

XADESFORM

Specifies the profile of XAdES to use. Currently BES and T are supported.

Default: BES.

Commitment Types

Value 

Description

NONE 

Do not include any commitment type. This cannot be used in conjunction with the other constants below.

PROOF_OF_APPROVAL 

Indicates that the signer has approved the content of the signed data object.

PROOF_OF_CREATION 

Indicates that the signer has created the signed data object (but not necessarily approved, nor sent it).

PROOF_OF_DELIVERY

Indicates that the TSP providing that indication has delivered a signed data object in a local store accessible to the recipient of the signed data object.

PROOF_OF_ORIGIN

Indicates that the signer recognizes to have created, approved, and sent the signed data object.

PROOF_OF_RECEIPT

Indicates that the signer recognizes to have received the content of the signed data object.

PROOF_OF_SENDER

Indicates that the entity providing that indication has sent the signed data object (but not necessarily created it).
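The constraints stated in the property and commitment type descriptions above can be checked before a configuration is deployed. The following linter is an added example, not SignServer code: the function names are hypothetical, the sample input is constructed, and it assumes the properties are supplied as plain KEY=VALUE lines without any worker prefix.

```python
VALID_COMMITMENTS = {"NONE"} | {"PROOF_OF_" + s for s in (
    "APPROVAL", "CREATION", "DELIVERY", "ORIGIN", "RECEIPT", "SENDER")}

def parse_properties(text):
    """Parse KEY=VALUE lines; lines without '=' and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip().upper()] = value.strip()
    return props

def lint_xades(props):
    """Return a list of findings; an empty list means no rule on the page is violated."""
    findings = []
    form = props.get("XADESFORM", "BES")
    if form not in ("BES", "T"):
        findings.append("XADESFORM: only BES and T are supported")
    has_url, has_worker = bool(props.get("TSA_URL")), bool(props.get("TSA_WORKER"))
    if has_url and has_worker:
        findings.append("TSA_URL and TSA_WORKER cannot both be set")
    if form == "T" and not (has_url or has_worker):
        findings.append("XADESFORM=T requires TSA_URL or TSA_WORKER")
    types = [t.strip() for t in props.get("COMMITMENT_TYPES", "").split(",") if t.strip()]
    unknown = [t for t in types if t not in VALID_COMMITMENTS]
    if unknown:
        findings.append("COMMITMENT_TYPES: unknown value(s) " + ", ".join(unknown))
    if "NONE" in types and len(types) > 1:
        findings.append("COMMITMENT_TYPES: NONE can only be used alone")
    levels = props.get("INCLUDE_CERTIFICATE_LEVELS", "1")
    if not levels.isdigit() or int(levels) < 1:
        findings.append("INCLUDE_CERTIFICATE_LEVELS: minimum value is 1")
    from_user = props.get("CLAIMED_ROLE_FROM_USERNAME", "false").lower() == "true"
    if from_user and not props.get("CLAIMED_ROLE"):
        findings.append("CLAIMED_ROLE_FROM_USERNAME=true without CLAIMED_ROLE: errors if no user name")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """
XADESFORM=T
TSA_URL=https://tsa.example.com/tsa
TSA_WORKER=TimeStampSigner
COMMITMENT_TYPES=NONE, PROOF_OF_ORIGIN
INCLUDE_CERTIFICATE_LEVELS=0
CLAIMED_ROLE_FROM_USERNAME=true
"""

for finding in lint_xades(parse_properties(SAMPLE)):
    print("FINDING:", finding)
```

The sample deliberately violates four of the rules, so running the block prints four findings.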
