XML Signature Xml Element Signed Canonicalization Document

Non User

Index: > A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Business

Home > XML Signature

First Prev [ 1 2 ] Next Last

XML Signature (also called "XMLDsig") is a W3C recommendation that defines an XML syntax for digital signatures. Functionally, it has much in common with PKCS#7 but is more extensible and geared towards signing XML documents. It is used by various Web technologies such as SOAP, SAML, and others.

XML signatures can be used to sign data–a resource–of any type, typically XML documents, but anything that is accessible via a URL can be signed. An XML signature used to sign a resource outside its containing XML document is called a detached signature; if it is used to sign some part of its containing document, it is called an enveloped signature; if it contains the signed data within itself it is called an enveloping signature.

1 Structure

An XML Signature consists of a Signature element in the http://www.w3.org/2000/09/xmldsig# namespace. The basic structure is as follows:

Signature SignedInfo SignatureMethod CanonicalizationMethod Reference Transforms DigestMethod DigestValue Reference ... SignatureValue KeyInfo Object

The SignedInfo element specifies what was signed and with what algorithms. The SignatureMethod and CanonicalizationMethod elements are used by the SignatureValue element and are included in SignedInfo to protect them from tampering. A list of Reference elements specify which resources have been signed, using URI references; this element also specifies any transforms to apply to the resource before applying the hash, the digest (hash) algorithm (in DigestMethod), and the result of applying it to the resource ( Base64-encoded in DigestValue).

The SignatureValue is the Base64-encoded value of the signature. This value is the signature (produced according to the specification of the SignatureMethod element) of the SignedInfo element after serializing it with the algorithm specified by the CanonicalizationMethod element (see below for more on canonicalization). The KeyInfo is an optional element that enables the recipients to obtain the key needed to validate the signature. Typically it can contain a set of X.509 certificates. If a KeyInfo element is not present, the recipient is expected to identify the key from context. The Object is an optional element used to hold the signed data in the case of an enveloping signature. 2 Validation and Security Considerations When validating a XML Signature, a procedure called Core Validation is followed. Reference Validation: Each Reference's digest is verified by retrieving the corresponding resource and applying any transforms and then the specified digest method to it. The result is compared to the recorded DigestValue; if they do not match, validation fails. Signature Validation: The SignedInfo element is serialized using the canonicalization method specified in CanonicalizationMethod, the key data is retrieved using KeyInfo or by other means, and the signature is verified using the method specified in SignatureMethod. This procedure establishes whether the resources were really signed by the alleged party. However, because of the extensibiliy of the canonicalization and transform methods, the verifying party must also make sure that what was actually signed or digested is really what was present in the original data, in other words, that the algorithms used there can be trusted not to change the meaning of the signed data. 3 XML Canonicalization The creation of XML Signatures is a bit more complex than the creation of an ordinary digital signature because a given XML Document (an "Infoset," in common usage among XML developers) may have more than one legal serialized representation. For example, whitespace inside an XML Element is not syntactically significant, so that is syntactically identical to . Since the digital signature is created by using an asymmetric key algorithm (typically RSA) to encrypt the results of running the serialized XML document through a Cryptographic hash function (typically SHA1), a single-byte difference would cause the digital signature to vary. To avoid this problem and guarantee that logically-identical XML documents give identical digital signatures, an XML canonicalization transform (frequently abbreviated C14n) is nearly always employed when signing XML documents (for signing the SignedInfo, a canonicalization is mandatory). These algorithms guarantee that logically-identical documents produce exactly identical serialized representations. Another complication arises because of the way that the default canonicalization algorithm handles namespace declarations; frequently a signed XML document needs to be embedded in another document; in this case the original canonicalization algorithm will not yield the same result as if the document is treated alone. For this reason, the so-called Exclusive Canonicalization, which serializes XML namespaceAn XML namespace is a W3C standard for providing uniquely named elements and attributes in an XML instance. An XML instance may contain element or attribute names from more than one XML vocabulary. If each vocabulary is given a namespace then the ambiguit declarations independently of the surrounding XML, was created. Politics Business Finance Topics: XML Signature Xml Element Signed Canonicalization Document... XMLXML eXtensible Markup Language is a W3C recommendation for creating special-purpose markup languages. It is a simplified subset of SGML, capable of describing many different kinds of data. Its primary purpose is to facilitate the sharing of structured tex XML-RPCXML-RPC is a remote procedure call protocol encoded in XML. It is a very simple protocol, defining only a handful of data types and commands, and the entire description can be printed on two pages of paper. This is in stark contrast to most RPC systems, w XML query languageXML Query (short: XQuery is a specification of the W3C. XML Query is a query language that makes it possible to extract information from an XML document. It is semantically similar to SQL. XML Query uses XPath 2. 0 syntax to address specific parts of an X XML transformation languageAn XML transformation language is a computer language designed specifically to transform an input XML document into an output XML document which satisfies some specific goal. There are two special cases of transformation: XML to XML : the output document XML pipelineIn computer science, an XML Pipeline is formed when XML (Extensible Markup Language) processes, sometimes called XML transformations, are connected together. For instance, given a two transformations T andT, the two can be connected together so that an in XML Schema DefinitionAn XML Schema Definition (XSD is an instance of a W3C XML Schema. An XSD defines a type of XML document in terms of constraints upon what elements and attributes may appear, their relationship to each other, what types of data may be in them, and other th XMLambda XML Script XML namespace XML Signature XML Data Binding XML editor XMLTerm XML schema XMLGUI Non User