dp:sign()

Generates a digital signature.

Namespace declaration

xmlns:dp="http://www.datapower.com/extensions"

Syntax

dp:sign(algorithm, hash, key)

Parameters

algorithm
The xs:string that identifies the algorithm that generates the digital signature. It must take one of the following values.
  • http://www.w3.org/2000/09/xmldsig#dsa-sha1
  • http://www.w3.org/2000/09/xmldsig#rsa-pss
  • http://www.w3.org/2000/09/xmldsig#rsa-sha1
  • http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1
  • http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224
  • http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256
  • http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384
  • http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512
  • http://www.w3.org/2001/04/xmldsig-more#rsa-md5
  • http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha384
  • http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
hash
The xs:string that specifies the hash of the <SignedInfo> element.
key
The xs:string that identifies the private key that encrypts the hash parameter to generate the digital signature. The target key can be identified in any of the following forms.
  • name:key
    name:
    Indicates the literal prefix for a certificate when the object name is used as the identifier.
    key
    Specifies the name of a cryptographic key alias.
  • cert:base64Cert
    cert:
    Indicates the literal prefix for a Base64 encoded certificate.
    base64Cert
    Specifies that the target certificate is Base64 encoded.
  • ski:certSKI
    ski:
    Indicates the literal prefix for a certificate when the Subject Key Identifier (SKI) is used as the identifier.
    certSKI
    Specifies that the target certificate is the Base64 encoding of the SKI.
  • issuerserial:serial
    issuerserial:
    Indicates the literal prefix for a certificate when the issuer serial number and DN are used as the identifier.
    serial
    Specifies the issuer serial number as a decimal integer followed by the issuer DN; for example, 0,CN=Harold, O=Acme, L=Someplace, ST=MA, C=US. The function uses the serial value to search the management store for a matching certificate. The issuer DN must be in LDAP format. Auto-detection of the DN format is deprecated in this release; when the auto-detection option is removed in a future release, certificates can no longer be looked up by specifying the issuer DN in non-LDAP format.
  • thumbprintsha1:sha1string
    thumbprintsha1:
    Indicates the literal prefix for a certificate with a Base64 encoded SHA-1 hash.
    sha1string
    Specifies a Base64 encoded SHA-1 hash of a certificate. The function uses this value to search the management store for the SHA-1 hash of a matching certificate.
All forms, except the name:key form, refer to certificates in a keystore. The keystore contains the private key for the specified certificate.

Guidelines

The extension passes all arguments as XPath expressions.

Results

An xs:string that contains a digital signature.

Example

⋯
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <xsl:copy-of select="$signedinfo-subtree"/>
  <SignatureValue>
    <xsl:value-of select="dp:sign($algorithm,$hash,$key)"/>
  </SignatureValue>
  <xsl:if test='$certid!=""'>
    <KeyInfo><X509Data><X509Certificate>
    <xsl:value-of select="dp:base64-cert($certid)"/>
    </X509Certificate></X509Data></KeyInfo>
  </xsl:if>
</Signature>
⋯
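A pre-check for the algorithm and key arguments described under Parameters, as an added Python example (not DataPower code): it keeps the algorithm allow-list and the five key prefixes exactly as listed on this page, validates the Base64 payloads and the issuerserial "serial,LDAP DN" layout, and flags the MD5 and SHA-1 based algorithms, which are assumed here to be unwanted for new signatures. The hash argument is not checked, since the page does not state its encoding.

```python
import base64
import binascii
import re

# Signature algorithm URIs accepted by dp:sign(), as listed on this page.
SIGN_ALGORITHMS = (
    {"http://www.w3.org/2000/09/xmldsig#" + s for s in ("dsa-sha1", "rsa-pss", "rsa-sha1")}
    | {"http://www.w3.org/2001/04/xmldsig-more#" + s for s in (
        "ecdsa-sha1", "ecdsa-sha224", "ecdsa-sha256", "ecdsa-sha384", "ecdsa-sha512",
        "rsa-md5", "rsa-ripemd160", "rsa-sha256", "rsa-sha384", "rsa-sha512")})
# Assumption: MD5 and SHA-1 are no longer acceptable digests for new signatures.
WEAK_ALGORITHMS = {a for a in SIGN_ALGORITHMS if a.endswith(("md5", "sha1"))}
_LDAP_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.]*=.+$")  # one RDN, e.g. CN=Harold

def _b64(value, expected_len=None):
    # Strict Base64 decode; optionally require a fixed decoded length.
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        raise ValueError(f"not valid Base64: {value!r}") from None
    if expected_len is not None and len(raw) != expected_len:
        raise ValueError(f"decoded {len(raw)} bytes, expected {expected_len}")
    return raw

def parse_key_ref(ref):
    """Split the key argument into its prefix and payload; returns a dict."""
    form, sep, value = ref.partition(":")
    if not sep or not value:
        raise ValueError(f"missing prefix or value in key reference {ref!r}")
    if form == "name":                      # key alias in the management store
        return {"form": form, "value": value}
    if form in ("cert", "ski", "thumbprintsha1"):   # Base64 payloads
        _b64(value, 20 if form == "thumbprintsha1" else None)  # SHA-1 is 20 bytes
        return {"form": form, "value": value}
    if form == "issuerserial":              # "<decimal serial>,<issuer DN in LDAP form>"
        serial, sep, dn = value.partition(",")
        if not sep or not serial.strip().isdigit():
            raise ValueError("issuerserial needs '<decimal serial>,<issuer DN>'")
        rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
        if not all(_LDAP_RDN.match(r) for r in rdns):      # rejects e.g. "/C=US/O=Acme"
            raise ValueError(f"issuer DN must be in LDAP format, got {dn!r}")
        return {"form": form, "serial": int(serial), "issuer_dn": ",".join(rdns)}
    raise ValueError(f"unknown key reference prefix {form!r}")

def check_sign_inputs(algorithm, key):
    """Validate the algorithm and key arguments of dp:sign(); returns (key_ref, warnings)."""
    if algorithm not in SIGN_ALGORITHMS:
        raise ValueError(f"algorithm not supported by dp:sign(): {algorithm}")
    warnings = []
    if algorithm in WEAK_ALGORITHMS:
        warnings.append(f"{algorithm.rsplit('#', 1)[1]} relies on a weak digest (MD5 or SHA-1)")
    return parse_key_ref(key), warnings
```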