The required SignedInfo element contains the information that is actually signed:. The required CanonicalizationMethod element defines the algorithm used to canonicalize the SignedInfo element before it is signed or validated.
Secure Xml: The New Syntax For Signatures And Encryption by Donald E. Eastlake
Canonicalization is the process of converting XML content to a canonical form, to take into account changes that can invalidate a signature over that data. Canonicalization is necessary due to the nature of XML and the way it is parsed by different processors and intermediaries, which can change the data such that the signature is no longer valid but the signed data is still logically equivalent. One or more Reference elements identify the data that is digested. Each Reference element identifies the data via a URI. In this example, the value of the URI is the empty String "" , which indicates the root of the document.
The optional Transforms element contains a list of one or more Transform elements, each of which describes a transformation algorithm used to transform the data before it is digested. In this example, there is one Transform element for the enveloped transform algorithm. The enveloped transform is required for enveloped signatures so that the signature element itself is removed before calculating the signature value.
Finally the required DigestValue element contains the actual baseencoded digested value.
What is XML Signature?
The required SignatureValue element contains the baseencoded signature value of the signature over the SignedInfo element. The optional KeyInfo element contains information about the key that is needed to validate the signature:. KeyInfo can contain various content such as X. The sample program will validate the signature in the file signature. An application obtains the default implementation for DocumentBuilderFactory by calling the following line of code:. Next, we use the factory to get an instance of a DocumentBuilder, which is used to parse the document:. We need to specify the Signature element that we want to validate, since there could be more than one in the document.
We use the DOM method Document. This returns a list of all Signature elements in the document. In this example, there is only one Signature element.
This process is called unmarshalling. We then invoke the unmarshalXMLSignature method of the factory to unmarshal an XMLSignature object, and pass it the validation context we created earlier:. Now we are ready to validate the signature. We do this by invoking the validate method on the XMLSignature object, and pass it the validation context as follows:. The validate method returns "true" if the signature validates successfully according to the core validation rules in the W3C XML Signature Recommendation, and false otherwise.
Alternatively, we could have passed a PublicKey as the first argument if we already knew what key is needed to validate the signature. However, we often don't know. It does not determine if the key is trusted. This is a very simple KeySelector implementation, designed for illustration rather than real-world usage.
The sample program will generate an enveloped signature of the document in the file envelope. An enveloped signature is a signature that is contained inside the content that it is signing. A basic knowledge of XML Signatures and their different components is helpful for understanding this section. We generate a public key pair.
Later in the example, we will use the private key to generate the signature. We create the key pair with a KeyPairGenerator. In practice, the private key is usually previously generated and stored in a KeyStore file with an associated public key certificate. We then invoke various factory methods to create the different parts of the XMLSignature object as shown below. We create a Reference object, passing to it the following:. A single Transform, the enveloped Transform, which is required for enveloped signatures so that the signature itself is removed before calculating the signature value.
Next, we create the SignedInfo object, which is the object that is actually signed, as shown below. When creating the SignedInfo, we pass as parameters:. Next, we create the optional KeyInfo object, which contains information that enables the recipient to find the key needed to validate the signature. In this example, we add a KeyValue object containing the public key.
About this task
Now we are ready to generate the signature, which we do by invoking the sign method on the XMLSignature object, and pass it the signing context as follows:. The resulting document now contains a signature, which has been inserted as the last child element of the root element. You can use the following code to print the resulting signed document to a file or standard output:.
The Object Element. The Manifest Element. The SignatureProperties Element. Comments and Processing Instructions. XML Signature Examples. Simple Protocol Example. Simple Document Example. More Complex Protocol Example. More Complex Form Example. Transforms and the Use of XPath. Dereferencing the URI.
The Data Pipeline. Transforms Element Syntax. Processing Rules.
Signature Generation. Signature Verification.
Welcome to Apache Santuario™
Security of Signatures. Check the Signature Security Model. Signature Strength. Algorithms and Executable Content Caution. Specific Assurance Syntax. Qualifying and Qualifying Reference Properties. Signed and Unsigned Properties. Basic Elements. The SigningTime Element. The SigningCertificate Element.
The SignaturePolicyIdentifier Element.