dp:sign()

Generates a digital signature.

Namespace declaration

xmlns:dp="http://www.datapower.com/extensions"

Syntax

dp:sign(mechanism, hash, key)

Parameters

mechanism
The xs:string that identifies the algorithm used to generate the digital signature. The mechanism must be one of the following algorithm URIs.
  • http://www.w3.org/2000/09/xmldsig#dsa-sha1
  • http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
  • http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160
  • http://www.w3.org/2001/04/xmldsig-more#rsa-md5
hash
The xs:string that specifies the hash of the <SignedInfo> element.
key
The xs:string that identifies the private key that signs the hash parameter to produce the digital signature.
The key parameter can take one of the following forms.
  • name:key
    name:
    Indicates the required literal prefix for a cryptographic key that is identified by object name.
    key
    Specifies the name of a cryptographic key alias.
  • cert:base64Cert
    cert:
    Indicates the required literal prefix for a base-64 encoded certificate.
    base64Cert
    Specifies the base-64 encoded target certificate.
  • ski:certSKI
    ski:
    Indicates the required literal prefix for a certificate that is identified by Subject Key Identifier (SKI).
    certSKI
    Specifies the base-64 encoding of the SKI of the target certificate.
  • issuerserial:serial
    issuerserial:
    Indicates the required literal prefix for a certificate that is identified by issuer serial number and Distinguished Name (DN).
    serial
    Specifies the issuer serial number as a decimal integer, followed by a comma and the issuer DN; for example, 0,CN=Harold, O=Acme, L=Someplace, ST=MA, C=US. The function uses the serial value to search the management store for a matching certificate. The issuer DN must be in LDAP format. Auto-detection of the DN format is deprecated in this release; when the auto-detection option is removed in a future release, certificates can no longer be looked up by an issuer DN in non-LDAP format.
  • thumbprintsha1:sha1string
    thumbprintsha1:
    Indicates the required literal prefix for a certificate that is identified by the base-64 encoded SHA-1 hash (thumbprint) of the certificate.
    sha1string
    Specifies a base-64 encoded SHA-1 hash of a certificate. The function uses this value to search the management store for the SHA-1 hash of a matching certificate.
All forms, except the name:key form, refer to certificates in identification credentials. The identification credentials configuration obtains the private key for the specified certificate.
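
A pre-check for the mechanism and key arguments described above, as an added Python example that is not part of this reference or of the DataPower product: it accepts only the mechanism URIs listed on this page, reports the MD5 and SHA-1 mechanisms as not strong, and parses each key form so that a malformed identifier is caught in the stylesheet before dp:sign() is called. The LDAP DN check is a simplification (escaped commas are not handled) and all sample values are constructed.

```python
import base64
import re

# Mechanism URIs dp:sign() accepts (from this reference). Only SHA-2 RSA counts as strong: MD5 and SHA-1 are obsolete for signatures, RIPEMD-160 is legacy.
MECHANISMS = {
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5",
}
STRONG = {m for m in MECHANISMS if m.endswith(("sha256", "sha384", "sha512"))}
KEY_PREFIXES = ("name", "cert", "ski", "issuerserial", "thumbprintsha1")
# Simplified LDAP DN shape: comma-separated attr=value pairs (escaped commas not handled).
LDAP_DN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9.-]*=[^,]+)*$")

def mechanism_is_strong(mechanism):
    """True for SHA-2 RSA mechanisms; ValueError for a URI dp:sign() does not accept."""
    if mechanism not in MECHANISMS:
        raise ValueError(f"unsupported signature mechanism: {mechanism}")
    return mechanism in STRONG

def parse_key_id(key):
    """Split a key argument into (prefix, value), validating the value for that prefix."""
    prefix, sep, value = key.partition(":")
    if not sep or prefix not in KEY_PREFIXES or not value:
        raise ValueError(f"key must be <prefix>:<value> with prefix in {KEY_PREFIXES}")
    if prefix in ("cert", "ski", "thumbprintsha1"):
        decoded = base64.b64decode(value, validate=True)  # binascii.Error (a ValueError) on bad input
        if prefix == "thumbprintsha1" and len(decoded) != 20:
            raise ValueError("thumbprintsha1: decoded value must be a 20-byte SHA-1 hash")
    elif prefix == "issuerserial":
        serial, sep2, dn = value.partition(",")  # the DN itself contains commas, so split once
        if not sep2 or not serial.strip().isdigit():
            raise ValueError("issuerserial: expected <decimal serial>,<issuer DN>")
        if not LDAP_DN.match(dn.strip()):
            raise ValueError("issuerserial: issuer DN must be in LDAP format")
        return prefix, (int(serial), dn.strip())
    return prefix, value

def key_id_error(key):
    """Return the validation error for key, or None when it is well-formed."""
    try:
        parse_key_id(key)
    except ValueError as exc:
        return str(exc)
    return None
```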

Guidelines

The extension passes all arguments as XPath expressions.

Results

An xs:string that contains the digital signature.

Example

…
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <xsl:copy-of select="$signedinfo-subtree"/>
  <SignatureValue>
    <xsl:value-of select="dp:sign($sigmech,$signedinfo-hash,$keyid)"/>
  </SignatureValue>
  <xsl:if test='$certid!=""'>
    <KeyInfo><X509Data><X509Certificate>
    <xsl:value-of select="dp:base64-cert($certid)"/>
    </X509Certificate></X509Data></KeyInfo>
  </xsl:if>
</Signature>
…