Add signer role only when one is given

signature.go

@@ -311,9 +311,6 @@ func (s *Signature) buildQualifyingProperties() error {
 					},
 				},
 				PolicyIdentifier: s.xadesPolicyIdentifier(),
-				SignerRole: &SignerRole{
-					ClaimedRoles: &Roles{ClaimedRole: []string{s.opts.xades.Role.String()}},
-				},
 			},
 			DataObjectProperties: &DataObjectFormat{
 				ObjectReference: "#" + s.referenceID,
@@ -329,6 +326,13 @@ func (s *Signature) buildQualifyingProperties() error {
 			},
 		},
 	}
+
+	if s.opts.xades.Role != "" {
+		qp.SignedProperties.SignatureProperties.SignerRole = &SignerRole{
+			ClaimedRoles: &Roles{ClaimedRole: []string{s.opts.xades.Role.String()}},
+		}
+	}
+
 	s.Object = &Object{
 		QualifyingProperties: qp,
 	}

signature_test.go

@@ -80,6 +80,29 @@ func TestSignature(t *testing.T) {
 		// we can safely compare the final signature here.
 		assert.Contains(t, signature.Value.Value, "r1GyPRqPZN3LXZ7SKpENUtI7dSXA83aIlza7fG2c1XGnHOK4HNweEDifqg65owS6TYLn7eZtiUXMHN49CUnZ7YDo9O")
 	})
+
+	t.Run("should not set a signer role when not provided", func(t *testing.T) {
+		xades := xadesConfig()
+		xades.Role = ""
+		signature, err := xmldsig.Sign(data,
+			xmldsig.WithCertificate(certificate),
+			xmldsig.WithXAdES(xades),
+		)
+		assert.Nil(t, err)
+		assert.Nil(t, signature.Object.QualifyingProperties.SignedProperties.SignatureProperties.SignerRole)
+	})
+
+	t.Run("should set a signer role when provided", func(t *testing.T) {
+		signature, err := xmldsig.Sign(data,
+			xmldsig.WithCertificate(certificate),
+			xmldsig.WithXAdES(xadesConfig()),
+		)
+		assert.Nil(t, err)
+		assert.Equal(t,
+			"third party",
+			signature.Object.QualifyingProperties.SignedProperties.
+				SignatureProperties.SignerRole.ClaimedRoles.ClaimedRole[0])
+	})
 }
 
 func xadesConfig() *xmldsig.XAdESConfig {