Tessera Validator

Validate NATO Metadata Labels Against the Normative Standards

ADatP-4774 · ADatP-4778 · ADatP-5636 — upload labelled files and get a per-rule compliance report mapped to the specific spec section that defines each requirement.

The web interface accepts a batch of files, runs all applicable rules for the detected format and binding approach, and returns a per-file verdict — COMPLIANT or NON-COMPLIANT — with every finding linked to the normative requirement it maps to.

Tessera Validator results view showing 12 uploaded files, 11 compliant, 1 non-compliant, with per-file rule breakdown

What Gets Validated

80+ rules across four standards, covering structure, binding, and cryptography.

Label Structure ADatP-4774

Required XML elements, PolicyIdentifier, classification level and category values, originator, CreationDateTime format. Validated against both the XML schema and the normative SHALL/SHALL NOT requirements.

Metadata Binding ADatP-4778 / 4778.2

BDO structure, binding approach, JWS compact serialization format, protected header fields (alg, cty), payload decodability, granularity rules, XMP storage profile compliance. Catches bindings that are structurally valid but non-conformant with the normative profiles.

Cryptographic Verification ADatP-4778 Annex A/B

XML-DSIG digest and signature verification, algorithm compliance — MD5, SHA-1, DSA-SHA1, RSA-MD5 flagged as prohibited — KeyInfo requirements, and X.509 certificate chain validation against a user-provided trust anchor.

Core Metadata ADatP-5636

Required metadata elements, PointOfContact, Code, DCMIType, datetime format compliance. Validated against the NATO Core Metadata Specification normative requirements.

Supported File Formats

The validator detects the format and binding approach from the file itself and applies the rules appropriate for that combination.

  • OOXML.docx, .xlsx, .pptx with embedded BDO in customXml
  • XML BDO.bdo sidecar or detached binding files
  • JSON BDO.bdoj JWS-based binding objects
  • XMP-embedded — JPEG, TIFF, PNG, PDF, GIF with label in XMP metadata segment
  • EML — email messages with label in headers or body part
  • Sidecar & OPC containers — detached binding files and OPC-based archives

Command-Line Interface

The validator is also available as a CLI for scripting and CI pipelines. It accepts the same file formats and produces the same rule-mapped output in console, JSON, or HTML format.

Validate a batch of files
tessera validate *.docx samples/*.bdo
JSON output for pipeline integration
tessera validate file.docx --output json --output-file results.json
With trust anchor for certificate chain validation
tessera validate file.docx --trust-anchor root_ca.pem
List all 80+ rules
tessera list-rules

The CLI is included in the self-hosted deployment. Contact us if you need access to it on an isolated network.

Access

A hosted instance is available at validator.tessera-solutions.eu. Access is open to nationals from FMN Affiliate nations working with the NATO metadata labelling standards.

If you are working on an isolated or classified network where the hosted instance is not reachable, the validator can be deployed locally. Get in touch to discuss your situation.

Request access → Open validator ↗

Standards validated by Tessera Validator

ADatP-4774 ADatP-4778 ADatP-5636