# `SignCore.XML.XAdES` [๐Ÿ”—](https://github.com/utaladriz/pkcs11ex/blob/v0.1.0/lib/sign_core/xml/xades.ex#L1) Builds the XAdES B-B `` block. Produces the canonical shape ETSI EN 319 132-1 prescribes for B-B: 2026-05-06T14:05:30Z ... ... The `` element is what the second `` in the signature points at. The verifier recomputes its exc-c14n digest and matches it against the reference's `` โ€” that's how the signature binds the claimed signing certificate, signing time, and any other signed properties to the rest of the signed data. ## v1 scope * `SigningCertificateV2` with `IssuerSerialV2` (XAdES EN 319 132-1). The older `SigningCertificate` / `IssuerSerial` (TS 101 903 v1.3.2) form is post-v1. * Only the leaf cert is digested into `SigningCertificateV2`. Including intermediates is allowed by spec but not required for B-B; each cert in the chain would otherwise become its own `` element. * `SigningTime` is the only signed-signature-property emitted besides `SigningCertificateV2`. `SignaturePolicyIdentifier`, `SignatureProductionPlaceV2`, and `SignerRoleV2` are post-v1. # `build_issuer_serial_v2_der` ```elixir @spec build_issuer_serial_v2_der(SignCore.X509.t()) :: {:ok, binary()} | {:error, term()} ``` Builds the DER-encoded `IssuerSerial` (RFC 5035 ยง4) octets for a `` element. Returns the raw DER โ€” the caller base64-encodes it for the XML element body. ## ASN.1 shape IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber } GeneralNames ::= SEQUENCE OF GeneralName GeneralName ::= CHOICE { ..., directoryName [4] Name, ... } Single-element `GeneralNames` containing a single `[4] EXPLICIT Name` is the canonical encoding for an X.509 issuer. # `qualifying_properties` ```elixir @spec qualifying_properties(keyword()) :: {:ok, String.t()} | {:error, term()} ``` Builds the full `` block ready for splicing into the `` element of a ``. Required: * `:signature_id` โ€” the `Id` of the parent ``. Used as the `Target` attribute (``). * `:signed_properties_id` โ€” the `Id` for ``. The data Reference's URI in the `` block must point at `#`. * `:leaf_cert` โ€” `SignCore.X509.t()` for the signing cert. Optional: * `:signing_time` โ€” `DateTime.t()`. Default `DateTime.utc_now/0`. # `splice_unsigned_properties` ```elixir @spec splice_unsigned_properties(String.t(), String.t()) :: {:ok, String.t()} | {:error, term()} ``` Splices an `` block into the `` produced by `qualifying_properties/1`. Inserts immediately before the `` closing tag. # `unsigned_signature_timestamp` ```elixir @spec unsigned_signature_timestamp(keyword()) :: {:ok, String.t()} | {:error, term()} ``` Builds the `` block carrying a `` (XAdES B-T per ETSI EN 319 132-1 ยง5.4.1). The TST is embedded base64-encoded as ``. ... Note: this returns just the `` block. Splice it inside the parent `` after ``. Required opts: * `:tst_der` โ€” RFC 3161 TimeStampToken DER (the `Pkcs11ex.Audit.Anchor.RFC3161.extract_token/1` output). * `:timestamp_id` โ€” `Id` attribute on the `` element. --- *Consult [api-reference.md](api-reference.md) for complete listing*