dp:verify()

Namespace declaration

xmlns:dp="http://www.datapower.com/extensions"

Parameters

algorithm

The xs:string that identifies the signature algorithm and must take one of the following values.

• http://www.w3.org/2000/09/xmldsig#dsa-sha1
• http://www.w3.org/2000/09/xmldsig#rsa-pss
• http://www.w3.org/2000/09/xmldsig#rsa-sha1
• http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
• http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224
• http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
• http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
• http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
• http://www.w3.org/2001/04/xmldsig-more#rsa-md5
• http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
• http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
• http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
• http://www.w3.org/2001/04/xmldsig-more#rsa-sha512

hash

The xs:string that identifies the locally calculated hash of the <SignedInfo> element of the XML signature.

value

The xs:string that is derived from the contents of the <Signature Value> element of the XML signature and contains the digital signature to be verified.

certificate

The xs:string that identifies the X.509 certificate that contains the public key of the XML signatory. The target certificate can be identified in any of the following ways.

• name:cert

  name:

  Indicates the literal prefix for a certificate alias.

  cert

  Specifies the name of an X.509 cryptographic certificate alias.

• cert:base64Cert

  cert:

  Indicates the literal prefix for a base-64 encoded certificate.

  base64Cert

  Specifies that the target certificate is base-64 encoded.

• ski:certSKI

  ski:

  Indicates the literal prefix for a certificate where the Subject Key Identifier (SKI) is used as the identifier.

  certSKI

  Specifies that the target certificate is the base-64 encoding of the SKI.

• issuerserial:serial

  issuerserial:

  Indicates the literal prefix for a certificate where the issuer serial number and DN is used as the identifier.

  serial

  Specifies the issuer serial number as a decimal integer and the issuer DN; for example, 0,CN=Harold, O=Acme, L=Someplace, ST=MA, C=US. The function uses this value to search the management store for a matching certificate. The issuer DN must be in LDAP format. Autodetection of the DN format is deprecated in this release. When the auto-detection option is removed in a future release, you cannot look up certificates by specifying the issuer DN in non-LDAP format.

• thumbprintsha1:sha1string

  thumbprintsha1:

  Indicates the literal prefix for a certificate with a base-64 encoded SHA-1 hash.

  sha1string

  Specifies a base-64 encoded SHA-1 hash of a certificate. The function uses this value to search the management store for the SHA-1 hash of a matching certificate.

• pkcs7:base64Cert

  pkcs7:

  Indicates the literal prefix for a certificate that is identified as the first certificate in an unordered collection of certificates.

  base64Cert

  Specifies a string of base-64 encoded ASN.1 objects with multiple certificates. The function uses the first certificate that it finds in the string.

• pkipath:base64cert

  pkipath:

  Indicates the literal prefix for a certificate that is identified as the last certificate in an ordered collection of certificates.

  base64cert

  Specifies a string of base-64 encoded ASN.1 objects with multiple certificates. The function uses the last certificate that it finds in the string.

Guidelines

Verifies a digital signature as specified in W3C Recommendation 12 February 2002, IETF RFC 3275 XML - Signature Syntax and Processing.

The extension passes all arguments as XPath expressions.

Results

An empty xs:string if signature verification succeeds; otherwise, returns an error string.