XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.
XML Signatures can be Enveloped, Enveloping or Detached.
Enveloped XML signature is when the signature element resides within the root element of the document that contains or refers to the data to be signed.
Enveloping XML signature is when the data to be signed resides or is referenced inside the signature element itself.
Detached XML signature is when the XML data to be signed and the signature are two separate documents.
A Signature in general contains the following elements:
- Signature - Root Element.
- SignedInfo - Contains information on what elements should be signed and how they should be signed.
- CanonicalizationMethod - Defines the canonicalization algorithm to be used before calculating the signature of the SignedInfo element.
- SignatureMethod - Defines the Signature Method that should be used to sign the SignedInfo Element.
- Reference - Points to the external document or the internal parts of the document that should be signed.
- Transforms - Contains various transformations that are to be performed on the data to be signed before calculating the digest.
- DigestMethod - Contains the digest algorithm that should be used to calculate the digest of the output of the transformations.
- DigestValue - Contains the value of the digest calculated using the algorithm specified in the DigestMethod element.
- SignatureValue - Contains the output after calculating the signature of the whole SignedInfo element after canonicalizing it using the algorithm specified in the CanonicalizationMethod element.
Example of an Enveloped Signature.
<?xml version="1.0" encoding="ISO-8859-1"?>
<Document>
<Pan>1234</Pan>
<Name>Qwerty</Name>
<MobileNo>12335566</MobileNo>
<Income-Salary>23000</Income-Salary>
<Income-Other>12000</Income-Other>
<TotalAmount>5000</TotalAmount>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="text"/>
<xsl:template match="/">
Pan : <xsl:copy-of select="//Pan"/>
MobileNo : <xsl:copy-of select="//MobileNo"/>
TotalAmount : <xsl:copy-of select="//TotalAmount"/>
</xsl:template>
</xsl:stylesheet>
</Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>q5RNFTQLSOlNs2GHe+35UsT2aVMMXpsHNDR1LkjuxuQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>QW/kE0WFj6kfJvY4+xrLzn+uRgmPvTrWEP66he0JH7WtCqmWX1CbDhb2dUQj4nhzpG0KJMZzvV/2
Qsrh5kiE40s6IOHIFtlM33LxRTo3bF/lo5kHb0m1GZtY7HQXN0P1cQUw9+BeyI7rFz75flVGLlkv
erjENwxwCD+5DQ+VipY=
</SignatureValue>
</Signature>
</Document>
As the element list and the example above show, the Signature element includes a Transforms element in which a list of transformations is specified. A transformation defines how the data should be extracted and converted before the digest is calculated; the output of the (last) Transform is the input to the digest operation.
XML Signatures have been the subject of legal disputes. When a human (as opposed to a machine) signs an XML document, the data to be signed is required to be transformed first using XSLT
(see the above example). If there is more than one transformation, the XSLT transformation should be the last one. This satisfies the "What You See Is What You Sign" property and the signature is thus legally valid.
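As an added example (not code from the original page), the following stdlib-only Python walks through the Reference processing of the signature above: the enveloped-signature transform removes the Signature element, the XSLT transform produces the text that is digested, and SHA-256 of that text gives the DigestValue. The XSLT step is a minimal interpreter that supports only the copy-of / text-output subset this stylesheet uses (a real verifier uses a full XSLT engine), the sample document is a constructed copy of the page's example with the SignatureValue omitted, and is_covered is a helper written here to show which fields the digest actually protects; canonicalization and the signature over SignedInfo are left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
XSL = "{http://www.w3.org/1999/XSL/Transform}"
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Constructed sample: the page's document and Reference transforms (SignatureValue omitted).
SIGNED_DOC = """<Document><Pan>1234</Pan><Name>Qwerty</Name><MobileNo>12335566</MobileNo>
<Income-Salary>23000</Income-Salary><Income-Other>12000</Income-Other><TotalAmount>5000</TotalAmount>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI=""><Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="text"/><xsl:template match="/">
Pan : <xsl:copy-of select="//Pan"/>
MobileNo : <xsl:copy-of select="//MobileNo"/>
TotalAmount : <xsl:copy-of select="//TotalAmount"/>
</xsl:template></xsl:stylesheet></Transform></Transforms></Reference></SignedInfo></Signature></Document>"""

def run_text_template(template, doc_root):
    """Evaluate only the XSLT subset the page's stylesheet uses: literal text plus
    <xsl:copy-of select="//Elem"/> with text output; anything else is rejected."""
    def literal(s):  # XSLT drops whitespace-only text nodes from the stylesheet
        return s if s and s.strip() else ""
    out = [literal(template.text)]
    for step in template:
        select = step.get("select", "")
        if step.tag != XSL + "copy-of" or not select.startswith("//") or "/" in select[2:]:
            raise ValueError("unsupported XSLT construct: %s %s" % (step.tag, select))
        out.extend("".join(n.itertext()) for n in doc_root.iter(select[2:]))
        out.append(literal(step.tail))
    return "".join(out)

def reference_digest(signed_xml):
    """Apply the Reference's transform chain; return (digest input, base64 DigestValue)."""
    root = ET.fromstring(signed_xml)
    sig = root.find(DSIG + "Signature")
    xslt = sig.find(".//%sTransform[@Algorithm='%s']/%sstylesheet" % (DSIG, XSLT_ALG, XSL))
    root.remove(sig)  # 1st Transform: enveloped-signature drops the Signature element
    text = run_text_template(xslt.find(XSL + "template[@match='/']"), root)  # 2nd: XSLT
    return text, base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

def is_covered(signed_xml, element, new_value):
    """True if editing `element` changes the DigestValue, i.e. the Reference protects it."""
    root = ET.fromstring(signed_xml)
    root.find(element).text = new_value
    tampered = ET.tostring(root, encoding="unicode")
    return reference_digest(tampered)[1] != reference_digest(signed_xml)[1]
```

Running is_covered on Name or Income-Salary returns False while Pan returns True: only what the final XSLT transform outputs is protected by the digest, which is exactly why the verifier (and the human signer) must know what the transform chain keeps.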