Question:
When we receive the xades-file as part of the signing, we would like to test if it contains the correct document… (to verify that either us or signicat have not made any error)
How can this be done?
Answer:
I’m assuming here that this is for Signicat Enterprise.
In that case it depends on configuration, but in general, the original document can be found in the LTV-SDO, or XAdES as you say. Look for the ltv:OriginalDocument element and base64 decode its contents.
PS. If your packaging options are set up to use detached mode - which is advantageous if you are signing many and/or large documents - then the LTV-SDO will only contain a digest of the original document.
There’s also a ltv:DocumentDigest element in the XAdES, which is a hash of the original document conforming to the W3C recommendations (specifically the SHA256 algorithm, identified by the alg attribute on the element) which could be used for programmatic comparison with a corresponding hash of the document generated on your end.
This post has been migrated from the previous community