Questions tagged [xml-signature]

XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.

XML Signatures can be Enveloped, Enveloping or Detached.

An enveloped XML signature is one in which the Signature element is a child of the element (usually the document root) that contains the data being signed. The Reference normally uses URI="" together with the enveloped-signature transform, so that the digest covers the whole document except the Signature element itself.

An enveloping XML signature is one in which the signed data resides inside the Signature element (normally in an Object element) or is referenced from there.

A detached XML signature is one in which the signed data and the signature are separate documents, or sibling elements in the same document, with the Reference URI pointing at the data.

A Signature element generally contains the following elements:

  • Signature - Root element, in the namespace http://www.w3.org/2000/09/xmldsig#.
  • SignedInfo - Contains information on what is signed and how it is signed. Everything the signature protects is described here, and the SignatureValue is computed over this element alone.
  • CanonicalizationMethod - Defines the canonicalization algorithm applied to SignedInfo before the signature is calculated, so that insignificant serialization differences (whitespace inside tags, attribute order and the like) do not break verification.
  • SignatureMethod - Defines the signature algorithm (for example rsa-sha256) used to sign the canonicalized SignedInfo element.
  • Reference - Points to the external document or the part of the current document that is signed. SignedInfo may contain several References.
  • Transforms - Contains the transformations that are applied, in order, to the referenced data before the digest is calculated.
  • DigestMethod - Names the digest algorithm used on the output of the transformations.
  • DigestValue - Contains the Base64-encoded digest calculated with the algorithm specified in the DigestMethod element.
  • SignatureValue - Contains the Base64-encoded signature of the whole SignedInfo element, computed after canonicalizing it with the algorithm given in the CanonicalizationMethod element.
  • KeyInfo - Optional; carries the key, certificate or key name needed to verify the signature. A verifier must not trust a key merely because it appears here; the key has to be matched against a trust store or other out-of-band configuration.

Example of an enveloped signature. It uses the rsa-sha1 signature method, which is now considered weak; RFC 6931 defines identifiers such as http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 for current use.

<?xml version="1.0" encoding="ISO-8859-1"?>
<Document>
              <Pan>1234</Pan>
              <Name>Qwerty</Name>      
              <MobileNo>12335566</MobileNo>
              <Income-Salary>23000</Income-Salary>
              <Income-Other>12000</Income-Other>
              <TotalAmount>5000</TotalAmount>

              <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
               <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="">
                <Transforms>
                 <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                 <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
                    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
                    <xsl:output method="text"/>
                    <xsl:template match="/">
                    Pan : <xsl:copy-of select="//Pan"/>

                    MobileNo : <xsl:copy-of select="//MobileNo"/>

                    TotalAmount : <xsl:copy-of select="//TotalAmount"/>
                    </xsl:template>
                    </xsl:stylesheet>
                 </Transform>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                   <DigestValue>q5RNFTQLSOlNs2GHe+35UsT2aVMMXpsHNDR1LkjuxuQ=</DigestValue>
                </Reference>
                </SignedInfo>
                <SignatureValue>QW/kE0WFj6kfJvY4+xrLzn+uRgmPvTrWEP66he0JH7WtCqmWX1CbDhb2dUQj4nhzpG0KJMZzvV/2
                                Qsrh5kiE40s6IOHIFtlM33LxRTo3bF/lo5kHb0m1GZtY7HQXN0P1cQUw9+BeyI7rFz75flVGLlkv
                                 erjENwxwCD+5DQ+VipY=
                </SignatureValue>
                </Signature>

</Document>

As the element list and the example show, each Reference carries a Transforms element listing zero or more transformations. A transformation defines how the referenced data is extracted and converted before its digest is computed; the transforms are applied in order, and the output of the last one is the input to the digest operation. In the example, the enveloped-signature transform first removes the Signature element itself (otherwise the digest would have to cover the not-yet-computed SignatureValue), and an XSLT transform then renders selected fields as text. Verifiers should treat transforms with suspicion: XSLT and XPath transforms let whoever produced the document run arbitrary stylesheet logic on the verifier, so hardened implementations restrict them; the JDK's XML DSig provider, for example, rejects the XSLT transform when secure validation is enabled.

XML signatures have figured in legal disputes over what exactly a person signed. The XML Signature specification addresses this under the principle "only what is seen should be signed": when a human rather than a machine signs, the referenced data should be transformed (typically with XSLT, as in the example above) into the presentation the signer actually saw, and if several transforms are chained the presentation transform should be the last one, so that the digest is computed over the rendered view. Meeting this "what you see is what you sign" property helps a signature stand up as evidence, but whether it is legally binding depends on the applicable law, not on the XML Signature standard. Note also what the stylesheet in the example does to coverage: only Pan, MobileNo and TotalAmount survive it, so Name and the Income elements are not covered by the digest and can be altered without invalidating the signature. A verifier must therefore act only on the transformed view, not on fields the transform discarded.
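The sign-then-verify round trip described by the element list and the Transforms paragraph above, as an added example that is not part of the original tag wiki. It uses only the Python standard library: canonicalization is Canonical XML 2.0 (the stdlib's xml.etree.ElementTree.canonicalize) rather than the exclusive C14N of the page's example, and the signature method is HMAC-SHA256 so that no key pair or third-party library is needed. The sample document, the shared key and all helper names are constructed for this example. The verifier pins the algorithms, validates SignatureValue over the canonical SignedInfo, and only then checks that the single Reference really covers the whole document with nothing but the enveloped transform before recomputing the digest.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2006/12/xml-c14n2"          # Canonical XML 2.0 (stdlib)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

ET.register_namespace("ds", DSIG_NS)


def ds(local):
    """Clark-notation tag for an element in the XML Signature namespace."""
    return "{%s}%s" % (DSIG_NS, local)


def c14n(element):
    """Serialize an element and canonicalize it (C14N 2.0). Rewriting prefixes
    makes the bytes independent of which prefix was used for the ds: namespace."""
    raw = ET.tostring(element, encoding="unicode")
    return ET.canonicalize(raw, rewrite_prefixes=True).encode("utf-8")


def enveloped_transform(root):
    """Enveloped-signature transform: a copy of root without its ds:Signature child.
    ElementTree hangs the text following an element on .tail, so keep that text."""
    root = copy.deepcopy(root)
    children = list(root)
    for i, child in enumerate(children):
        if child.tag == ds("Signature"):
            if child.tail:
                if i == 0:
                    root.text = (root.text or "") + child.tail
                else:
                    children[i - 1].tail = (children[i - 1].tail or "") + child.tail
            root.remove(child)
            break
    return root


def sign_enveloped(xml_text, key):
    """Append an enveloped HMAC-SHA256 signature covering the whole document."""
    root = ET.fromstring(xml_text)
    digest = hashlib.sha256(c14n(enveloped_transform(root))).digest()

    sig = ET.Element(ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, ds("Reference"), URI="")   # URI="" = whole document
    transforms = ET.SubElement(ref, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
    ET.SubElement(ref, ds("DigestValue")).text = base64.b64encode(digest).decode()

    # The MAC covers SignedInfo only; the data is bound to it through DigestValue.
    mac = hmac.new(key, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, ds("SignatureValue")).text = base64.b64encode(mac).decode()
    root.append(sig)
    return ET.tostring(root, encoding="unicode")


def algorithm(parent, local):
    el = parent.find(ds(local))
    return None if el is None else el.get("Algorithm")


def verify_enveloped(xml_text, key):
    """True only if the document carries a valid enveloped signature over the
    whole document. The key comes from the caller's trust configuration; nothing
    inside the document (such as KeyInfo) is allowed to choose it."""
    root = ET.fromstring(xml_text)
    sig = root.find(ds("Signature"))
    si = None if sig is None else sig.find(ds("SignedInfo"))
    if si is None:
        return False
    # Pin algorithms before using them: SignedInfo is attacker-controlled until
    # the signature over it has been checked.
    if algorithm(si, "CanonicalizationMethod") != C14N2:
        return False
    if algorithm(si, "SignatureMethod") != HMAC_SHA256:
        return False
    try:
        actual = base64.b64decode(sig.findtext(ds("SignatureValue"), ""))
        expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, actual):
            return False
        # Reference validation: exactly one Reference, covering the whole document
        # with only the enveloped transform. A signature that verifies but covers
        # some other element is how signature-wrapping attacks succeed.
        refs = si.findall(ds("Reference"))
        if len(refs) != 1 or refs[0].get("URI") != "":
            return False
        ref = refs[0]
        transforms = [t.get("Algorithm") for t in ref.iter(ds("Transform"))]
        if transforms != [ENVELOPED] or algorithm(ref, "DigestMethod") != SHA256:
            return False
        digest = hashlib.sha256(c14n(enveloped_transform(root))).digest()
        stored = base64.b64decode(ref.findtext(ds("DigestValue"), ""))
    except ValueError:            # malformed Base64 (binascii.Error)
        return False
    return hmac.compare_digest(digest, stored)


# Constructed sample input and pre-shared key (assumptions, not from the page).
SAMPLE = """<Document>
  <Pan>1234</Pan>
  <Name>Qwerty</Name>
  <TotalAmount>5000</TotalAmount>
</Document>"""
KEY = b"constructed-demo-shared-secret"

if __name__ == "__main__":
    signed = sign_enveloped(SAMPLE, KEY)
    print(signed)
    print("intact:  ", verify_enveloped(signed, KEY))
    tampered = signed.replace("<TotalAmount>5000", "<TotalAmount>9999")
    print("tampered:", verify_enveloped(tampered, KEY))
```

The order of checks in verify_enveloped is deliberate: the algorithm identifiers are compared against fixed expectations before anything is computed with them, the MAC over SignedInfo is checked before any Reference is processed, and the Reference is required to be the single URI="" reference with only the enveloped transform, so a document that carries a perfectly valid signature over some unrelated element is still rejected.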

420 questions
10
votes
1 answer

How to verify digital XML signature

I want to verify that the document was not modified in any way. From a Java web service, I receive the following Soap response with a digital XML signature:
momo
10
votes
7 answers

How to verify a SAML signature for HTTP-redirect binding

I'm receiving a SAML request via HTTP-redirect binding the content of the SAML request look like this {"SigAlg"=>"http://www.w3.org/2000/09/xmldsig#rsa-sha1", …
Ratatouille
10
votes
4 answers

SignedXml checksignature returns false

I've looked at other posts on here regarding this issue and none of them seem to address my situation. I've been trying to verify a SAML assertion for the last week and I have 2 clients that have sent me SAML but I cannot verify it. The main process…
Jonathan S.
9
votes
1 answer

WCF Client - Specifying the signature algorithm for WS-Security Timestamp signature

I have a WCF client that is sending a message to a non-WCF service and that service is having problems handling the HMAC-SHA1 signature method used to sign the WS-Security Timestamp element. Ideally, we'd like to use the RSA-SHA1 signature method…
BearsEars
9
votes
1 answer

Malformed Reference Element

I am attempting to add References to my Security Header and am running into a fairly generic error: Malformed Reference Element I have tried the following with similar results: Referencing the element within the document by passing in the ID of…
Russ
9
votes
3 answers

XSLT transform in xmlSignature java?

I have an XML document. I am signing a part of the document using xmlsignature. Before finding digest, I want to apply XSLT transform. According to what I read, XSLT converts an XML document to another format(can be XML also). Now I am confused that,…
suraj
8
votes
8 answers

How to produce XML signature with no whitespaces and line-breaks in Java?

I work with the Brazilian "Nota Fiscal Eletronica" project, in which they define a standard way to sign XML documents. Recently, they started to require that there are absolutely no whitespaces between tags, including signature tags (*). We happen…
Jonathas Carrijo
8
votes
2 answers

Manual verification of XML Signature

I can successfully do manual reference validation (canonicalize every referenced element --> SHA1 --> Base64 --> check if it's the same of DigestValue content) but I fail with the verification of the SignatureValue. Here's the SignedInfo to…
Johnca
8
votes
0 answers

Spring SAML signature validation issue

I'm trying to use the Spring SAML sample app to connect to a Shibboleth IdP but have run into a signature validation issue that I haven't been able to resolve. When the sample app gets the response from the IdP, an exception is thrown with the…
Dan Ciarniello
8
votes
1 answer

OpenSAML (2.0) Signature validation not working

Problem: I am using OpenSAML to build a means of authenticating the SAML 2.0 response posted to our servers. I have got most of it working, with the ability to access the various aspects of the assertion. The only issue is that when I attempt to…
schlock
8
votes
1 answer

Xml signature is invalidated on adding a c14n exclusive transform

This is my code to generate xml signature : DOMSignContext dsc = new DOMSignContext (prk, xmldoc.getDocumentElement()); XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM"); DigestMethod digestMethod = …
Ashwin
8
votes
2 answers

XML Canonicalization algorithm gives two different results when called directly than when called as part of an xml digital signature?

I'm getting two different hashes of the same xml document when I directly canonicalize some xml than when I perform a digital signature on it which also performs the same canonicalization algorithm on the xml before hashing it? I worked out that…
Jon
7
votes
1 answer

Problem with conversion of org.dom4j.Document to org.w3c.dom.Document and XML Signature

I have some classes that already use DOM4J to read XML files and provide getter methods to the data. Now, I need to add the possibility of checking XML digital signatures. Using org.w3c.dom and following…
user635056
7
votes
1 answer

How to get WS-Security certificate to be accepted by Java application

So I've been struggling with WS-Security for some time now, slowly making progress. First let me briefly describe my setup. I have Java application running in a tomcat, which offers a webservice endpoint (using Spring). I want incoming messages to…
VHristov
7
votes
2 answers

Is there any reason to use CAdES over XAdES for advanced electronic signatures?

I haven't been able to find any reason of why should anyone prefer to implement a CAdES oriented electronic signature software solution over a XAdES oriented one. There are a lot more open libraries and implementation cases and examples of XAdES on…