XML digital signatures (DSig) overview
Added by IBM on October 10, 2012 | Version 1 (Original)
XML DSig (Digital Signature) is a standard published by the W3C that defines a common way of creating a signature in an XML document. This standard defines how to express the signature within an XML syntax, and how to determine what portions of the XML document are signed.
The XML DSig standard provides a set of rules that determine what content needs to be signed. For instance, it includes a series of filters that let you include or exclude different parts of the XML document from the signature. The standard also determines how those instructions should be added to the document itself. For instance, both the filters and the actual signature must be stored within the XML document.
Signing is handled by an external engine. The XML DSig rules are followed to determine exactly what should be signed (for instance, all elements on page one and two of the form) and then a signature engine, such as Generic RSA, Microsoft™ CryptoAPI or Netscape Security Services, is used to create the actual signature. Once created, that signature is then stored in the document in the way outlined by the XML DSig standard.
There are four main sections to an XML DSig:
- SignedInfo – contains the filter information such as the canonicalization method, the signature algorithm and the references describing which form sections are included in or excluded from the signature.
- SignatureValue – contains the signature hash for signed portions of the form. The SignatureValue remains empty until the form is signed.
- KeyInfo – contains information about the signing certificate. The KeyInfo remains empty until the form is signed.
- Object – contains additional signature metadata, storing information such as timestamp and signature format.
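As an added illustration of the four sections above (example code, not IBM's own), the following Python builds a ds:Signature over a constructed two-page form, referencing each page by id, and then verifies it so that a page altered after signing is detected. Because it uses only the standard library, HMAC-SHA256 (a SignatureMethod the XML DSig specification defines) stands in for the RSA engine the text describes, the stdlib C14N 2.0 stands in for the W3C C14N 1.1 method named in SignedInfo, and the key `SECRET`, the ids `page1`/`page2`, the KeyName `demo-key` and the timestamp are all assumptions.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
# Constructed two-page form standing in for an XFDL document; each page has an
# id so a ds:Reference can name it (the text's "page one and two").
FORM_XML = ('<form><page id="page1"><field name="name">Ada</field></page>'
            '<page id="page2"><field name="amount">100</field></page></form>')
SECRET = b"constructed-demo-key"  # hypothetical shared HMAC key

def c14n(elem):
    """Canonical bytes of one element (stdlib C14N 2.0 stands in for the W3C C14N 1.1 named below)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign_form(form, key):
    """Append a ds:Signature with its four sections to the form root."""
    sig = ET.SubElement(form, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")  # 1. what is signed, and how
    ET.SubElement(info, f"{{{DS}}}CanonicalizationMethod", Algorithm="http://www.w3.org/2006/12/xml-c14n11")
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for page in list(form.iter("page")):  # one Reference per signed page
        ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + page.get("id"))
        ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64_sha256(c14n(page))
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()  # 2. SignatureValue over SignedInfo
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = "demo-key"  # 3. KeyInfo
    ET.SubElement(ET.SubElement(sig, f"{{{DS}}}Object"), "timestamp").text = "2012-10-10T00:00:00Z"  # 4. Object
    return sig

def verify_form(form, key):
    """Recompute every DigestValue and the SignatureValue; False on any mismatch."""
    info = form.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if info is None:
        return False
    for ref in info.findall(f"{{{DS}}}Reference"):
        target = form.find(f".//*[@id='{ref.get('URI')[1:]}']")
        if target is None or b64_sha256(c14n(target)) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False  # a referenced page was altered or removed after signing
    expected = hmac.new(key, c14n(info), hashlib.sha256).digest()
    actual = base64.b64decode(form.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue") or "")
    return hmac.compare_digest(expected, actual)

def demo():
    form = ET.fromstring(FORM_XML)  # sign the constructed form, then alter one field and re-verify
    sign_form(form, SECRET)
    before = verify_form(form, SECRET)
    form.find(".//field[@name='amount']").text = "100000"  # tamper after signing
    return before, verify_form(form, SECRET)
```

Run `demo()` to see the pair `(True, False)`: the signature verifies on the untouched form and fails once a signed page has been modified.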
The XML DSig created and described below is a very basic model that is bound to a button and signs the entire form. This is only one of many possible digital signatures.
Once the XML DSig is created, the signature instance must be bound to something for it to work. In this example, the signature is bound to an XForms button.
The example below shows an XML DSig Generic RSA signature and XForms button in a form.