To sign .xml files with Signum, use the third-party XMLSecTool script to generate the signatures; the signing key is reached through the Keyfactor Signum PKCS#11 provider configured below.
Prerequisites
- Signum Linux Agent installed.
- Download xmlsectool.
- XML file to sign.
Set up XMLSec Tool
Unzip the archive:
unzip xmlsectool-#.#.#-bin.zip
Set the JAVA_HOME environment variable:
export JAVA_HOME="/usr/lib/jvm/open-jdk"
Create Configuration File
Create a configuration file /etc/keyfactor/signumpkcs11.cfg with the following properties:
name = SignumPKCS11
library = /usr/lib/libsignumpkcs11.so
description = Keyfactor PKCS#11 interface for SmartCard
List Key Objects
Use keytool to list the keys from the Keyfactor Signum PKCS#11 provider:
keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/signumpkcs11.cfg
Keystore type: PKCS11
Keystore provider: SunPKCS11-SignumPKCS11
Your keystore contains 4 entries
170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
DE0BB605AC697DF1A99A3C675BC03DF0B83F49D0 - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 88:A0:C7:2B:6B:F6:3B:61:4C:4D:49:AB:CD:2F:C7:6A:B2:4F:50:63:27:B1:74:15:87:34:72:54:69:54:F1:A4
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89
Sign
Use the following command, passing the key alias exactly as shown in the keytool listing (it contains spaces, so keep it quoted), to sign the .xml file:
./xmlsectool.sh --sign --pkcs11Config /etc/keyfactor/signumpkcs11.cfg --keyAlias "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate" --keyPassword NONE --inFile sample.xml --outFile sample.xml.signed
INFO XMLSecTool - Reading XML document from file 'sample.xml'
INFO XMLSecTool - XML document parsed and is well-formed.
INFO XMLSecTool - XML document successfully signed
INFO XMLSecTool - XML document written to file xmlsectool-3.0.0/sample.xml.signed
Verify
Use the following command to verify the signature:
./xmlsectool.sh --verifySignature --pkcs11Config /etc/keyfactor/signumpkcs11.cfg --keyAlias "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate" --keyPassword NONE --inFile sample.xml.signed
INFO XMLSecTool - Reading XML document from file 'sample.xml.signed'
INFO XMLSecTool - XML document parsed and is well-formed.
INFO XMLSecTool - XML document signature verified.
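As an added example, not taken from the Keyfactor documentation or from the xmlsectool project: a small POSIX shell wrapper around the steps above that pulls the key aliases out of the keytool listing instead of hand-copying them, records the certificate fingerprint for the alias in use so it can be checked against the expected signing certificate, and only treats a file as signed when the verify step reports success. The XMLSECTOOL and SIGNUM_PKCS11_CFG variables and the function names are assumptions; the sample listing is a constructed excerpt of the output shown above.

```shell
# Added example; not from the Keyfactor docs or the xmlsectool project. Assumptions:
# xmlsectool.sh location in XMLSECTOOL, config path in SIGNUM_PKCS11_CFG, function names.
CFG="${SIGNUM_PKCS11_CFG:-/etc/keyfactor/signumpkcs11.cfg}"
XMLSECTOOL="${XMLSECTOOL:-./xmlsectool.sh}"

# Same keytool invocation as the page; its output feeds the two parsers below.
list_keys() {
  keytool -list -storetype PKCS11 -storepass NONE \
    -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$CFG"
}

# stdin: keytool output. stdout: one "<SHA-1> - Certificate" alias per line, which is
# exactly the --keyAlias string xmlsectool expects (it contains spaces, so always quote it).
signum_key_aliases() {
  sed -n 's/^\([0-9A-Fa-f]\{40\} - Certificate\), PrivateKeyEntry,.*$/\1/p'
}

# stdin: keytool output, $1: alias. stdout: that entry's SHA-256 certificate fingerprint,
# so the signing certificate can be compared with an expected value, not trusted by alias.
fingerprint_for_alias() {
  awk -v a="$1" 'index($0, a) == 1 { found = 1; next }
    found && /Certificate fingerprint \(SHA-256\):/ { sub(/.*: /, ""); print; exit }'
}

# $1: xmlsectool log text. Succeeds only if the verification line from the page is present.
verified_ok() {
  case "$1" in *"XML document signature verified."*) return 0 ;; *) return 1 ;; esac
}

# $1: alias, $2: input XML, $3: output path. Signs, then returns failure unless the output
# verifies. Usage: sign_and_verify "$alias" sample.xml sample.xml.signed
sign_and_verify() {
  "$XMLSECTOOL" --sign --pkcs11Config "$CFG" --keyAlias "$1" \
    --keyPassword NONE --inFile "$2" --outFile "$3" || return 1
  log="$("$XMLSECTOOL" --verifySignature --pkcs11Config "$CFG" --keyAlias "$1" \
    --keyPassword NONE --inFile "$3" 2>&1)" || true
  printf '%s\n' "$log" >&2
  verified_ok "$log" || { echo "signature on $3 did not verify; do not release it" >&2; return 1; }
}

# Constructed excerpt (two of the four entries) of the keytool listing on the page, for offline tests.
SAMPLE_KEYTOOL_OUTPUT=$(cat <<'EOF'
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89
EOF
)
```

On a host with the agent installed, `list_keys | signum_key_aliases` gives the aliases to choose from, and `list_keys | fingerprint_for_alias "$alias"` gives the fingerprint to compare with the certificate you expect to be signing with.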