Electronic signature
An electronic signature is generated by the algorithm GOST R 34.10-2012 (256 and 512 bits) according to the XMLDSig standard. The Signature section, which contains the XMLDSig-generated EP, is placed in the SgntrSt section inside the SplmtryData section, which is designed to accommodate arbitrary data. Each Signature section contains a link to the section to be signed (s) inside the xml document. The message must be fully signed, including the section
<SplmtryData>
<Envlp>
<SgntrSt>
</SgntrSt>
</Envlp>
</SplmtryData>
General recommendations for generating an XMLDSig signature:
1) You can use a certified combination of the cryptographic provider CryptoPro CSP and the API from Java to it CryptoPro JavaCSP, but you must specify JavaCSP in your software
2)You can use CryptoPro JCP 2.0. There is .jar with examples: samples.jar samples-sources.jar including xmlSign in its distribution.
When you sign with two keys, you should sign only the data. When you sign with the second signature, the first signature is not signed
To avoid the "UnrecoverableKeyException: Get Key failed" error, you need to transfer the keys and certificate from the * .pfx repository to the HDImageStore repository (this will be a folder with 6 * .key files), which Java distinguishes with installed CryptoPro (more details https://www.cryptopro.ru/forum2/default.aspx?g=posts&t=8271)
Examples of implementation and signed documents: https://github.com/Host-to-Host-Instructions/iso20022-signature
Signature Formation Example
<CstmrCdtTrfInitn>
...
<SplmtryData>
<Envlp>
<SgntrSt>
<Signature хmlns="http://www.w3.org/2000/09/xmldsig#">
{ЭП #1 …}
</Signature>
<Signature хmlns="http://www.w3.org/2000/09/xmldsig#">
{ЭП #2 …}
</Signature>
</SgntrSt>
</Envlp>
</SplmtryData>
</CstmrCdtTrfInitn>
Example request summary extract with signature
<?xml version="1.0" encoding="UTF-8"?>
<p:Document xmlns:p="urn:iso:std:iso:20022:tech:xsd:camt.060.001.03" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:iso:std:iso:20022:tech:xsd:camt.060.001.03">
<p:AcctRptgReq>
<p:GrpHdr>
<p:MsgId>MSG_20170830_test_55</p:MsgId>
<p:CreDtTm>2017-05-26T12:00:00</p:CreDtTm>
</p:GrpHdr>
<p:RptgReq>
<p:Id>REQ_20170830_test_55</p:Id>
<p:ReqdMsgNmId>HMQSTASCF</p:ReqdMsgNmId>
<p:Acct>
<p:Id>
<p:Othr>
<p:Id>40702810200000000083</p:Id>
</p:Othr>
</p:Id>
</p:Acct>
<p:AcctOwnr>
<p:Pty>
<p:Nm>ООО "Тест Альфа-Линк"</p:Nm>
</p:Pty>
</p:AcctOwnr>
<p:RptgPrd>
<p:FrToDt>
<p:FrDt>2017-02-23</p:FrDt>
<p:ToDt>2017-02-23</p:ToDt>
</p:FrToDt>
<p:FrToTm>
<p:FrTm>00:00:00</p:FrTm>
<p:ToTm>24:00:00</p:ToTm>
</p:FrToTm>
<p:Tp>ALLL</p:Tp>
</p:RptgPrd>
</p:RptgReq>
<p:RptgReq>
<p:Id>REQ_20170830_test_56</p:Id>
<p:ReqdMsgNmId>HMQSTASCF</p:ReqdMsgNmId>
<p:Acct>
<p:Id>
<p:Othr>
<p:Id>40702810100000000921</p:Id>
</p:Othr>
</p:Id>
</p:Acct>
<p:AcctOwnr>
<p:Pty>
<p:Nm>ООО "Тест Альфа-Линк"</p:Nm>
</p:Pty>
</p:AcctOwnr>
<p:RptgPrd>
<p:FrToDt>
<p:FrDt>2017-02-23</p:FrDt>
<p:ToDt>2017-02-23</p:ToDt>
</p:FrToDt>
<p:FrToTm>
<p:FrTm>00:00:00</p:FrTm>
<p:ToTm>24:00:00</p:ToTm>
</p:FrToTm>
<p:Tp>ALLL</p:Tp>
</p:RptgPrd>
</p:RptgReq>
<p:SplmtryData>
<p:Envlp>
<SgntrSt>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sigID1">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256"/>
<ds:DigestValue>Xv/EW5v1khoK3nKbs3GVK5JtFW6Ij4sl7i17Vk+zkhA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>dPJn/pPMbY3If7iThchSUnhLiCv40FMiOkxxBtQ3gKtCAi2xvHq0u17xsLCQr5nVW13PG02+8SsKF0ohqv+gug==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIJAzCCCLCgAwIBAgIRBTd/twDprFm+QYXHcVcbqLQwCgYIKoUDBwEBAwIwggELMRgwFgYFKoUDZAESDTEwMjc3MDAwNjczMjgxGjAYBggqhQMDgQMBARIMMDA3NzI4MTY4OTcxMQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxKjAoBgNVBAkMIdCj0LsuINCa0LDQu9Cw0L3Rh9C10LLRgdC60LDRjyAyNzEPMA0GA1UECwwG0KPQmNCRMSEwHwYDVQQKDBjQkNCeINCQ0JvQrNCk0JAt0JHQkNCd0JoxNTAzBgNVBAMMLNCi0JXQodCiINCj0KYgMi4wINCQ0J4gItCQ0JvQrNCk0JAt0JHQkNCd0JoiMB4XDTIxMDMxMjEwNTgwNloXDTIyMDYxMjExMDgwNlowggH5MTIwMAYDVQQqDCnQodC10YDRgtC40YTQuNC60LDRgiDQodC+0YLRgNGD0LTQvdC40LrQsDEZMBcGA1UEBAwQ0KLQtdGB0YLQvtCy0YvQuTFJMEcGA1UECQxAMTA3MDc4LCDQsy4g0JzQvtGB0LrQstCwLCDRg9C7LiDQmtCw0LvQsNC90YfQtdCy0YHQutCw0Y8sINC0LiAyNzEaMBgGCCqFAwOBAwEBEgwwMDc3MjgxNjg5NzExGDAWBgUqhQNkARINMTAyNzcwMDA2NzMyODE0MDIGA1UEDAwr0JDRgNGF0LjRgtC10LrRgtC+0YAg0L3QsNC/0YDQsNCy0LvQtdC90LjRjzEmMCQGCSqGSIb3DQEJARYXdmJ1cm1pc3Ryb3ZAYWxmYWJhbmsucnUxCzAJBgNVBAYTAlJVMRUwEwYDVQQIDAzQnNC+0YHQutCy0LAxFTATBgNVBAcMDNCc0L7RgdC60LLQsDEjMCEGA1UECgwa0JDQniAi0JDQu9GM0YTQsC3QkdCw0L3QuiIxUDBOBgNVBAsMR9CU0LjRgNC10LrRhtC40Y8g0YDQsNC30YDQsNCx0L7RgtC60Lgg0YbQuNGE0YDQvtCy0YvRhSDRgdC10YDQstC40YHQvtCyMRcwFQYDVQQDDA4xdHJ1c3Rjb3JlLTI1NjBmMB8GCCqFAwcBAQEBMBMGByqFAwICJAAGCCqFAwcBAQICA0MABEA8fBN/QZKE4T03YEHTMTldxRHPF/SdYGSPFEmUMGlrEuLFycdkDBxSFTaFfewyYVTDpJ53/1JGp60sKVFvyvIxo4IE9DCCBPAwDgYDVR0PAQH/BAQDAgOoMB8GCSsGAQQBgjcVBwQSMBAGCCqFAwICLgAIAgEBAgEAMB0GA1UdDgQWBBSXVVvUtLRiPz8231/48DKMZsLbVDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwJwYJKwYBBAGCNxUKBBowGDAKBggrBgEFBQcDAjAKBggrBgEFBQcDBDBxBggrBgEFBQcBAQRlMGMwYQYIKwYBBQUHMAKGVWh0dHA6Ly90ZXN0LXVjMi5tb3Njb3cuYWxmYWludHJhLm5ldC9haWEvNmYwYjBkNTI1ZDE5YTc0OGJlMDUxODkzOTdkODA5NTU3ZDM4OGNhMi5jcnQwHQYDVR0gBBYwFDAIBgYqhQNkcQEwCAYGKoUDZHECMIIBQwYFKoUDZHAEggE4MIIBNAw00KHQmtCX0JggItCa0YDQuNC/0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gNC4wKQxa0J/QkNCaICLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMi4wDE/QodC10YDRgtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI0LTMwMTAg0L7RgiAzMC4xMi4yMDE2DE/QodC10YDRgtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTI5ODMg0L7RgiAxOC4xMS4yMDE2MD8GBSqFA2RvBDYMNNCh0JrQl9CYICLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDQuMCkwgb0GA1UdHwSBtTCBsjBboFmgV4ZVaHR0cDovL3Rlc3QtdWMyLm1vc2Nvdy5hbGZhaW50cmEubmV0L2NkcC82ZjBiMGQ1MjVkMTlhNzQ4YmUwNTE4OTM5N2Q4MDk1NTdkMzg4Y2EyLmNybDBToFGgT4ZNaHR0cDovL2NhLmFsZmFpbnRyYS5uZXQvY2VydGRhdGEvNmYwYjBkNTI1ZDE5YTc0OGJlMDUxODkzOTdkODA5NTU3ZDM4OGNhMi5jcmwwggFNBgNVHSMEggFEMIIBQIAUbwsNUl0Zp0i+BRiTl9gJVX04jKKhggETpIIBDzCCAQsxGDAWBgUqhQNkARINMTAyNzcwMDA2NzMyODEaMBgGCCqFAwOBAwEBEgwwMDc3MjgxNjg5NzExCzAJBgNVBAYTAlJVMRgwFgYDVQQIDA83NyDQnNC+0YHQutCy0LAxFTATBgNVBAcMDNCc0L7RgdC60LLQsDEqMCgGA1UECQwh0KPQuy4g0JrQsNC70LDQvdGH0LXQstGB0LrQsNGPIDI3MQ8wDQYDVQQLDAbQo9CY0JExITAfBgNVBAoMGNCQ0J4g0JDQm9Cs0KTQkC3QkdCQ0J3QmjE1MDMGA1UEAwws0KLQldCh0KIg0KPQpiAyLjAg0JDQniAi0JDQm9Cs0KTQkC3QkdCQ0J3QmiKCEQWXkJ8A26z9j0tjSIs3FfK5MCsGA1UdEAQkMCKADzIwMjEwMzEyMTA1ODA1WoEPMjAyMjA2MTIxMDU4MDVaMAoGCCqFAwcBAQMCA0EAHvrxKAto/T3htcx89MTL17HjVlLFJMt1rjCg2lg1jhUof6rY4FVArNEOsIRWxhwG8hV8j3rhl15wvpTgmOTvLg==</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
</SgntrSt>
</p:Envlp>
</p:SplmtryData>
</p:AcctRptgReq>
</p:Document>