- From: Meiko Jensen <Meiko.Jensen@ruhr-uni-bochum.de>
- Date: 10 Sep 2010 12:20:16 +0200
- To: "XMLSec WG Public List" <public-xmlsec@w3.org>
- Message-ID: <4C8A0660.2030707@ruhr-uni-bochum.de>
I drafted two examples of how an XML Signature in 2.0 mode may actually look. These are a bit overloaded since they contain some optional parameters (e.g. for canonicalization), and since I did it rather sketchily I would not guarantee it to be complete or even correct in any way. However, it's some base we can work on.

I'd really like to have these reviewed/reproduced by others, to verify they would have done it identically or identify the points of ambiguity.

This should close my Action-664 for now.

best regards
Meiko

--
Dipl.-Inf. Meiko Jensen
Chair for Network and Data Security
Horst Görtz Institute for IT-Security
Ruhr University Bochum, Germany
_____________________________
Universitätsstr. 150, Geb. ID 2/411
D-44801 Bochum, Germany
Phone: +49 (0) 234 / 32-26796
Telefax: +49 (0) 234 / 32-14347
http://www.nds.rub.de
<!-- XPath-based referencing -->
<Document xmlns:some="http://some.namespace.com">
  <some:DataBlock1>
    <SomeData>12345...</SomeData>
    <NotToBeSigned>This text may change later-on!</NotToBeSigned>
    <!-- this is just a comment -->
  </some:DataBlock1>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2">
        <ExclusiveMode>true</ExclusiveMode>
        <InclusiveNamespace>some</InclusiveNamespace>
        <IgnoreComments>true</IgnoreComments>
        <TrimTextNodes>false</TrimTextNodes>
        <PrefixRewrite>none</PrefixRewrite>
        <SortAttributes>true</SortAttributes>
        <XmlAncestors>inherit</XmlAncestors>
        <QNameAware />
      </CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2010/xmldsig2#newTransformModel" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#">
            <dsig2:Selection type="http://www.w3.org/2010/xmldsig2#xml" URI="" >
              <dsig2:IncludedXPath>
                //some:DataBlock1
              </dsig2:IncludedXPath>
              <dsig2:ExcludedXPath>
                //some:DataBlock1/NotToBeSigned
              </dsig2:ExcludedXPath>
            </dsig2:Selection>
            <dsig2:Canonicalization>
              <ExclusiveMode>true</ExclusiveMode>
              <InclusiveNamespace />
              <IgnoreComments>true</IgnoreComments>
              <TrimTextNodes>true</TrimTextNodes>
              <PrefixRewrite>sequential</PrefixRewrite>
              <SortAttributes>true</SortAttributes>
              <XmlAncestors>inherit</XmlAncestors>
              <QNameAware />
            </dsig2:Canonicalization>
            <dsig2:Verification>
              <dsig2:DigestDataLength>62</dsig2:DigestDataLength>
            </dsig2:Verification>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>kdutrEsAEw56Sefgs34...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</Document>
<!-- ID-based referencing -->
<Document xmlns:some="http://some.namespace.com">
  <some:DataBlock1 unique:ID="mySignedData" xmlns:unique="http://namespace.for.unique.ids">
    <SomeData>12345...</SomeData>
    <NotToBeSigned>This text may change later-on!</NotToBeSigned>
    <!-- this is just a comment -->
  </some:DataBlock1>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2">
        <ExclusiveMode>true</ExclusiveMode>
        <InclusiveNamespace>some</InclusiveNamespace>
        <IgnoreComments>true</IgnoreComments>
        <TrimTextNodes>false</TrimTextNodes>
        <PrefixRewrite>none</PrefixRewrite>
        <SortAttributes>true</SortAttributes>
        <XmlAncestors>inherit</XmlAncestors>
        <QNameAware />
      </CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2010/xmldsig2#newTransformModel" xmlns:dsig2="http://www.w3.org/2010/xmldsig2#">
            <dsig2:Selection type="http://www.w3.org/2010/xmldsig2#xml" URI="#mySignedData" >
              <dsig2:ExcludedXPath>
                //some:DataBlock1/NotToBeSigned
              </dsig2:ExcludedXPath>
            </dsig2:Selection>
            <dsig2:Canonicalization>
              <ExclusiveMode>true</ExclusiveMode>
              <InclusiveNamespace />
              <IgnoreComments>false</IgnoreComments>
              <TrimTextNodes>true</TrimTextNodes>
              <PrefixRewrite>sequential</PrefixRewrite>
              <SortAttributes>true</SortAttributes>
              <XmlAncestors>inherit</XmlAncestors>
              <QNameAware />
            </dsig2:Canonicalization>
            <dsig2:Verification>
              <dsig2:DigestDataLength>198</dsig2:DigestDataLength>
              <dsig2:PositionAssertion>/Document[1]/*[local-name()="DataBlock1" and namespace-uri()="http://some.namespace.com"][1]</dsig2:PositionAssertion>
              <dsig2:IDAttributes>
                <dsig2:QualifiedID name="ID" ns="http://namespace.for.unique.ids" />
              </dsig2:IDAttributes>
            </dsig2:Verification>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>kdutrEsAEw56Sefgs34...</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</Document>
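As an added illustration that is not part of Meiko's mail or of any XMLSec WG draft, the Python below shows how a verifier could act on the dsig2:IDAttributes and dsig2:PositionAssertion elements of the ID-based example: resolve the URI fragment only through the ID attribute the signature itself declares, require exactly one matching element, and compare where that element actually sits in the tree against the asserted location path. This is the defensive point of those two elements: a referenced block that has been duplicated or relocated no longer verifies. The embedded document is the page's ID-based example trimmed to the parts this check reads; the rule for deriving the path string from the tree is my assumption, not the specification's algorithm, and the two fixture functions build the relocated and duplicated variants in memory for the check to reject.

```python
import copy
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
DSIG2 = "http://www.w3.org/2010/xmldsig2#"

# Constructed input: the mail's ID-based example, trimmed to what this check reads.
SIGNED_DOC = """<Document xmlns:some="http://some.namespace.com">
  <some:DataBlock1 unique:ID="mySignedData" xmlns:unique="http://namespace.for.unique.ids">
    <SomeData>12345</SomeData>
  </some:DataBlock1>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2010/xmldsig2#newTransformModel"
                     xmlns:dsig2="http://www.w3.org/2010/xmldsig2#">
            <dsig2:Selection type="http://www.w3.org/2010/xmldsig2#xml" URI="#mySignedData"/>
            <dsig2:Verification>
              <dsig2:PositionAssertion>/Document[1]/*[local-name()="DataBlock1" and namespace-uri()="http://some.namespace.com"][1]</dsig2:PositionAssertion>
              <dsig2:IDAttributes>
                <dsig2:QualifiedID name="ID" ns="http://namespace.for.unique.ids"/>
              </dsig2:IDAttributes>
            </dsig2:Verification>
          </Transform>
        </Transforms>
      </Reference>
    </SignedInfo>
  </Signature>
</Document>"""


def parse_document(xml_text):
    return ET.fromstring(xml_text)


def _split_tag(tag):
    """Split an ElementTree '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _step(elem, parent):
    """One location step in the PositionAssertion notation (assumed derivation rule)."""
    ns, local = _split_tag(elem.tag)
    same_name = [elem] if parent is None else [c for c in parent if c.tag == elem.tag]
    idx = same_name.index(elem) + 1  # 1-based position among same-named siblings
    if ns:
        return f'*[local-name()="{local}" and namespace-uri()="{ns}"][{idx}]'
    return f"{local}[{idx}]"


def position_path(root, target):
    """Absolute path of target within root, in the PositionAssertion notation."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    steps, node = [], target
    while node is not None:
        steps.append(_step(node, parent_of.get(node)))
        node = parent_of.get(node)
    return "/" + "/".join(reversed(steps))


def resolve_by_declared_id(root, transform, ref_id):
    """Every element whose ID attribute, as declared by dsig2:QualifiedID, equals ref_id."""
    keys = []
    for q in transform.iter(f"{{{DSIG2}}}QualifiedID"):
        ns, name = q.get("ns"), q.get("name")
        keys.append(f"{{{ns}}}{name}" if ns else name)
    return [el for el in root.iter() if any(el.get(k) == ref_id for k in keys)]


def verify_position(root):
    """Check the referenced element is unique and sits where the PositionAssertion says."""
    transform = root.find(f".//{{{DSIG}}}Transform")
    uri = transform.find(f"{{{DSIG2}}}Selection").get("URI", "")
    if not uri.startswith("#"):
        return False, f"only same-document ID references are handled here, got {uri!r}"
    matches = resolve_by_declared_id(root, transform, uri[1:])
    if len(matches) != 1:
        return False, f"expected exactly one element with ID {uri[1:]!r}, found {len(matches)}"
    asserted = transform.findtext(f".//{{{DSIG2}}}PositionAssertion", "").strip()
    actual = position_path(root, matches[0])
    if actual != asserted:
        return False, f"position mismatch: asserted {asserted} but found {actual}"
    return True, actual


def move_signed_block_into_wrapper(root):
    """Test fixture: relocate the signed block under a new child of the root, ID unchanged."""
    block = root.find("{http://some.namespace.com}DataBlock1")
    root.remove(block)
    ET.SubElement(root, "Wrapper").append(block)
    return root


def duplicate_signed_block(root):
    """Test fixture: add a second element carrying the same declared ID."""
    root.append(copy.deepcopy(root.find("{http://some.namespace.com}DataBlock1")))
    return root


if __name__ == "__main__":
    print(verify_position(parse_document(SIGNED_DOC)))
    print(verify_position(move_signed_block_into_wrapper(parse_document(SIGNED_DOC))))
    print(verify_position(duplicate_signed_block(parse_document(SIGNED_DOC))))
```

The unmodified document passes, the relocated variant fails with a path mismatch, and the duplicated variant fails before the path is even compared because two elements carry the declared ID. Note that the check deliberately ignores any attribute not listed under dsig2:IDAttributes, so the verifier never has to guess which attributes are IDs from a DTD or schema.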
Received on Friday, 10 September 2010 10:20:44 UTC