XML Signature 2.0 examples (as of Sep 10th, 2010)

I drafted two examples of how an XML Signature in 2.0 mode may actually
look. They are a bit overloaded since they contain some optional
parameters (e.g. for canonicalization), and since I did them rather
sketchily I cannot guarantee that they are complete or even correct in any
way. However, they are a base we can work on.

I'd really like to have these reviewed/reproduced by others, to verify that
they would have done it identically, or to identify the points of ambiguity.

This should close my Action-664 for now.

best regards

Meiko


-- 
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security 
Horst Görtz Institute for IT-Security 
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. ID 2/411
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
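<!-- Example 1: XPath-based referencing.
     The Reference selects the DataBlock1 subtree by XPath (no ID attribute
     involved) and excludes its NotToBeSigned child from the digest input. -->
<Document xmlns:some="http://some.namespace.com">

  <some:DataBlock1>
    <SomeData>12345...</SomeData>
    <NotToBeSigned>This text may change later-on!</NotToBeSigned>
    <!-- this is just a comment -->
  </some:DataBlock1>

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>

      <!-- c14n 2.0 parameters applied to SignedInfo itself: comments are
           dropped, text nodes are kept untrimmed, prefixes are not rewritten
           and the "some" prefix is kept as an inclusive namespace -->
      <CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2">
        <ExclusiveMode>true</ExclusiveMode>
        <InclusiveNamespace>some</InclusiveNamespace>
        <IgnoreComments>true</IgnoreComments>
        <TrimTextNodes>false</TrimTextNodes>
        <PrefixRewrite>none</PrefixRewrite>
        <SortAttributes>true</SortAttributes>
        <XmlAncestors>inherit</XmlAncestors>
        <QNameAware />
      </CanonicalizationMethod>

      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2010/xmldsig2#newTransformModel" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#">

            <!-- URI="" means the enclosing document; the XPaths below choose
                 what part of it is digested -->
            <dsig2:Selection type="http://www.w3.org/2010/xmldsig2#xml" URI="" >
              <dsig2:IncludedXPath>
                //some:DataBlock1
              </dsig2:IncludedXPath>
              <dsig2:ExcludedXPath>
                //some:DataBlock1/NotToBeSigned
              </dsig2:ExcludedXPath>
            </dsig2:Selection>

            <!-- c14n 2.0 parameters for the selected subtree; note that these
                 differ from the SignedInfo ones (trimmed text, sequential
                 prefix rewriting, no inclusive namespace) -->
            <dsig2:Canonicalization>
              <ExclusiveMode>true</ExclusiveMode>
              <InclusiveNamespace />
              <IgnoreComments>true</IgnoreComments>
              <TrimTextNodes>true</TrimTextNodes>
              <PrefixRewrite>sequential</PrefixRewrite>
              <SortAttributes>true</SortAttributes>
              <XmlAncestors>inherit</XmlAncestors>
              <QNameAware />
            </dsig2:Canonicalization>

            <!-- Only the length of the digest input is asserted here. Unlike
                 the ID-based example there is no PositionAssertion, so a
                 verifier cannot confirm where the selected subtree sits in
                 the document; "//some:DataBlock1" matches that element at
                 any depth. -->
            <dsig2:Verification>
              <dsig2:DigestDataLength>62</dsig2:DigestDataLength>
            </dsig2:Verification>

          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>kdutrEsAEw56Sefgs34...</SignatureValue>
    <KeyInfo>
      <!-- key type matches the rsa-sha256 SignatureMethod above -->
      <KeyValue>
        <RSAKeyValue>
          <Modulus>...</Modulus><Exponent>...</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>

</Document>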






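<!-- Example 2: ID-based referencing.
     The Reference selects the DataBlock1 subtree through an ID attribute
     in a document-specific namespace, excludes its NotToBeSigned child, and
     additionally asserts the expected position of the signed subtree. -->
<Document xmlns:some="http://some.namespace.com">

  <some:DataBlock1 unique:ID="mySignedData" xmlns:unique="http://namespace.for.unique.ids">
    <SomeData>12345...</SomeData>
    <NotToBeSigned>This text may change later-on!</NotToBeSigned>
    <!-- this is just a comment -->
  </some:DataBlock1>

  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>

      <!-- c14n 2.0 parameters applied to SignedInfo itself: comments are
           dropped, text nodes are kept untrimmed, prefixes are not rewritten
           and the "some" prefix is kept as an inclusive namespace -->
      <CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2">
        <ExclusiveMode>true</ExclusiveMode>
        <InclusiveNamespace>some</InclusiveNamespace>
        <IgnoreComments>true</IgnoreComments>
        <TrimTextNodes>false</TrimTextNodes>
        <PrefixRewrite>none</PrefixRewrite>
        <SortAttributes>true</SortAttributes>
        <XmlAncestors>inherit</XmlAncestors>
        <QNameAware />
      </CanonicalizationMethod>

      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2010/xmldsig2#newTransformModel" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#">

            <!-- the fragment URI is resolved against the ID attribute
                 declared in IDAttributes below, not against a DTD/schema -->
            <dsig2:Selection type="http://www.w3.org/2010/xmldsig2#xml" URI="#mySignedData" >
              <dsig2:ExcludedXPath>
                //some:DataBlock1/NotToBeSigned
              </dsig2:ExcludedXPath>
            </dsig2:Selection>

            <!-- c14n 2.0 parameters for the selected subtree; comments are
                 kept here (IgnoreComments=false), so the comment inside
                 DataBlock1 is part of the digest input -->
            <dsig2:Canonicalization>
              <ExclusiveMode>true</ExclusiveMode>
              <InclusiveNamespace />
              <IgnoreComments>false</IgnoreComments>
              <TrimTextNodes>true</TrimTextNodes>
              <PrefixRewrite>sequential</PrefixRewrite>
              <SortAttributes>true</SortAttributes>
              <XmlAncestors>inherit</XmlAncestors>
              <QNameAware />
            </dsig2:Canonicalization>

            <!-- Verification data: expected digest-input length, the exact
                 location the referenced element must have in the document,
                 and which attribute (name + namespace) counts as its ID -->
            <dsig2:Verification>
              <dsig2:DigestDataLength>198</dsig2:DigestDataLength>
              <dsig2:PositionAssertion>/Document[1]/*[local-name()="DataBlock1" and namespace-uri()="http://some.namespace.com"][1]</dsig2:PositionAssertion>
              <dsig2:IDAttributes>
                <dsig2:QualifiedID name="ID" ns="http://namespace.for.unique.ids" />
              </dsig2:IDAttributes>
            </dsig2:Verification>

          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>kdutrEsAEw56Sefgs34...</SignatureValue>
    <KeyInfo>
      <!-- key type matches the rsa-sha256 SignatureMethod above -->
      <KeyValue>
        <RSAKeyValue>
          <Modulus>...</Modulus><Exponent>...</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>

</Document>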
