Please refer to the errata for this document, which may include some normative corrections.
The English version of this specification is the only normative version. Non-normative translations may also be available.
Copyright © 2013 The IETF Trust & W3C ® ( MIT , ERCIM , Keio , Beihang ), All Rights Reserved. W3C liability , trademark and document use rules apply.
This document specifies XML digital signature processing rules and syntax. XML Signatures provide integrity , message authentication , and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.
Note : On 23 April 2013, the reference to the "Additional XML Security URIs" RFC was updated. The Director previously authorized the publication knowing that the reference would be updated in a near future.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
At
the
time
of
this
publication,
This
document
has
been
reviewed
by
W3C
Members,
by
software
developers,
and
by
other
W3C
groups
and
interested
parties,
and
is
endorsed
by
the
most
recent
Director
as
a
W3C
Recommendation
of
XML
Signature
1
Recommendation.
It
is
a
stable
document
and
may
be
used
as
reference
material
or
cited
from
another
document.
W3C
's
role
in
making
the
10
June
2008
XML
Signature
(Second
Edition)
Recommendation
.
The
most
recent
publication
of
this
draft
is
to
draw
attention
to
the
LC
draft
specification
and
to
promote
its
widespread
deployment.
This
enhances
the
functionality
and
interoperability
of
18
October
2012
.
Changes
since
that
LC
publication
include
the
following:
Web.
Please
review
the
differences
between
the
previous
Last
Call
Working
Draft
and
this
Proposed
Recomendation
The
original
version
,
and
the
differences
between
of
this
specification
was
produced
by
the
previous
IETF/
W3C
XML
Signature
Recommendation
and
this
Proposed
Recommendation
Working
Group
;
A
detailed
explanation
of
changes
since
the
last
Recommendation
is
also
available
[
XMLDSIG-CORE1-CHGS
Interoperability
Report
].
shows
at
least
10
implementations
with
at
least
two
interoperable
implementations
over
every
feature.
The
previous
Last
Call
working
draft
followed
Candidate
Recommendation
since
a
feature
Second
Edition
was
removed
due
to
lack
of
implementation,
results
of
a
PAG
recommendation
were
included
in
produced
by
the
specification,
additional
W3C
XML
Security
Specifications
Maintenance
Working
Group
,
adding
Canonical
XML
1.1
as
a
required
canonicalization
algorithm
identifiers
were
added
based
on
review
during
implementation,
and
clarifications
resulted
from
implementation
experience.
This
Last
Call
resulted
in
an
additional
clarification,
but
with
no
objection
to
the
incorporating
known
errata.
A
detailed
list
of
Second
Edition
changes
resulting
in
Last
Call.
is
available
as
is
a
Second
Edition
implementation
report
demonstrating
four
or
more
implementations
of
all
new
features.
Conformance-affecting changes of XML Signature 1.1 against this previous recommendation mainly affect the set of mandatory to implement cryptographic algorithms, including Elliptic Curve DSA (and mark-up for corresponding key material), and additional hash algorithms. A detailed explanation of changes since the last Recommendation are available [ XMLDSIG-CORE1-CHGS ]. Changes are also described in a diff document showing changes since the Second Edition , as well as a diff document showing changes since the previous PR draft .
Please refer to the implementation report for version 1.1 of this specification for additional details about the implementation status of features added in this revision.
This
document
was
published
by
the
XML
Security
Working
Group
as
a
Proposed
Recommendation.
This
document
is
intended
to
become
a
W3C
Recommendation.
The
W3C
Membership
and
other
interested
parties
are
invited
If
you
wish
to
review
the
document
and
send
make
comments
regarding
this
document,
please
send
them
to
[email protected]
(
subscribe
,
archives
)
through
25
February
2013.
Advisory
Committee
Representatives
should
consult
their
WBS
questionnaires
.
Note
that
substantive
technical
).
All
comments
were
expected
during
the
Last
Call
review
period
that
ended
08
November
2012.
Please
see
the
Working
Group's
implementation
report
.
Publication
as
a
Proposed
Recommendation
does
not
imply
endorsement
by
the
W3C
Membership.
This
is
a
draft
document
and
may
be
updated,
replaced
or
obsoleted
by
other
documents
at
any
time.
It
is
inappropriate
to
cite
this
document
as
other
than
work
in
progress.
are
welcome.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy . W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .
Additional information related to the IPR status of XML Signature 1.1 is available.
ds:CryptoBinary
Simple
Type
Signature
element
SignatureValue
Element
SignedInfo
Element
KeyInfo
Element
KeyName
Element
KeyValue
Element
RetrievalMethod
Element
X509Data
Element
PGPData
Element
SPKIData
Element
MgmtData
Element
EncryptedKey
and
DerivedKey
Elements
DEREncodedKeyValue
Element
KeyInfoReference
Element
Object
Element
This document specifies XML syntax and processing rules for creating and representing digital signatures. XML Signatures can be applied to any digital content (data object) , including XML. An XML Signature may be applied to the content of one or more resources. Enveloped or enveloping signatures are over data within the same XML document as the signature; detached signatures are over data external to the signature element. More specifically, this specification defines an XML signature element type and an XML signature application ; conformance requirements for each are specified by way of schema definitions and prose respectively. This specification also includes other useful types that identify methods for referencing collections of resources, algorithms, and keying and management information.
The XML Signature is a method of associating a key with referenced data (octets); it does not normatively specify how keys are associated with persons or institutions, nor the meaning of the data being referenced and signed. Consequently, while this specification is an important component of secure XML applications, it itself is not sufficient to address all application security/trust concerns, particularly with respect to using signed XML (or other data formats) as a basis of human-to-human communication and agreement. Such an application must specify additional key, algorithm, processing and rendering requirements. For further information, please see see section 8. Security Considerations .
The Working Group encourages implementers and developers to read XML Signature Best Practices [ XMLDSIG-BESTPRACTICES ]. It contains a number of best practices related to the use of XML Signature, including implementation considerations and practical ways of improving security.
For readability, brevity, and historic reasons this document uses the term "signature" to generally refer to digital authentication values of all types. Obviously, the term is also strictly used to refer to authentication values that are based on public keys and that provide signer authentication. When specifically discussing authentication values based on symmetric secret key codes we use the terms authenticators or authentication codes. (See section 8.2 Check the Security Model .)
This specification provides a normative XML Schema [ XMLSCHEMA-1 ], [ XMLSCHEMA-2 ]. The full normative grammar is defined by the XSD schema and the normative text in this specification. The standalone XSD schema file is authoritative in case there is any disagreement between it and the XSD schema portions in this specification.
The
key
words
"
must
MUST
",
"
must
not
MUST
NOT
",
"
required
REQUIRED
",
"
shall
SHALL
",
"
shall
not
SHALL
NOT
",
"
should
SHOULD
",
"
should
not
SHOULD
NOT
",
"
recommended
RECOMMENDED
",
"
may
MAY
",
and
"
optional
OPTIONAL
"
in
this
specification
are
to
be
interpreted
as
described
in
[
RFC2119
].
"They
mustMUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"
Consequently,
we
use
these
capitalized
key
words
to
unambiguously
specify
requirements
over
protocol
and
application
features
and
behavior
that
affect
the
interoperability
and
security
of
implementations.
These
key
words
are
not
used
(capitalized)
to
describe
XML
grammar;
schema
definitions
unambiguously
describe
such
requirements
and
we
wish
to
reserve
the
prominence
of
these
terms
for
the
natural
language
descriptions
of
protocols
and
features.
For
instance,
an
XML
attribute
might
be
described
as
being
"optional."
Compliance
with
the
Namespaces
in
XML
specification
[
XML-NAMES
]
is
described
as
"
required
REQUIRED
."
This document specifies optional and mandatory to support algorithms, providing references for these algorithms. This means that a conformant implementation should for given inputs be able to produce outputs for those algorithms that interoperate as specified in the referenced specification. A conformant implementation may use any technique to achieve the results as-if it were implemented according to the referenced specification, but is not required to follow detailed implementation techniques of that specification.
The design philosophy and requirements of this specification are addressed in the original XML-Signature Requirements document [ XMLDSIG-REQUIREMENTS ] and the XML Security 1.1 Requirements document [ XMLSEC11-REQS ].
This specification makes use of XML namespaces, and uses Uniform Resource Identifiers [ URI ] to identify resources, algorithms, and semantics.
Implementations
of
this
specification
must
MUST
use
the
following
XML
namespace
URIs:
URI | namespace prefix | XML internal entity |
---|---|---|
http://www.w3.org/2000/09/xmldsig#
|
default
namespace
,
ds:
,
dsig:
|
<!ENTITY
dsig
"http://www.w3.org/2000/09/xmldsig#">
|
http://www.w3.org/2009/xmldsig11#
|
dsig11:
|
<!ENTITY
dsig11
"http://www.w3.org/2009/xmldsig11#">
|
While
implementations
must
MUST
support
XML
and
XML
namespaces,
and
while
use
of
the
above
namespace
URIs
is
required
REQUIRED
,
the
namespace
prefixes
and
entity
declarations
given
are
merely
editorial
conventions
used
in
this
document.
Their
use
by
implementations
is
optional
OPTIONAL
.
These namespace URIs are also used as the prefix for algorithm identifiers that are under control of this specification. For resources not under the control of this specification, we use the designated Uniform Resource Names [ URN ], [ RFC3406 ] or Uniform Resource Identifiers [ URI ] defined by the relevant normative external specification.
The
http://www.w3.org/2000/09/xmldsig#
(
dsig:
)
namespace
was
introduced
in
the
first
edition
of
this
specification.
This
version
does
not
coin
any
new
elements
or
algorithm
identifiers
in
that
namespace;
instead,
the
http://www.w3.org/2009/xmldsig11#
(
dsig11:
)
namespace
is
used.
This
specification
uses
algorithm
identifiers
in
the
namespace
http://www.w3.org/2001/04/xmldsig-more#
that
were
originally
coined
in
[
RFC4051
RFC6931
].
RFC
4051
6931
associates
these
identifiers
with
specific
algorithms.
Implementations
of
this
specification
must
MUST
be
fully
interoperable
with
the
algorithms
specified
in
[
RFC4051
RFC6931
],
but
may
MAY
compute
the
requisite
values
through
any
technique
that
leads
to
the
same
output.
Examples of items in various namespaces include:
SignatureProperties
is
identified
and
defined
by
the
disg:
namespace
http://www.w3.org/2000/09/xmldsig#SignatureProperties
ECKeyValue
is
identified
and
defined
by
the
dsig11:
namespace
http://www.w3.org/2009/xmldsig11#ECKeyValue
http://www.w3.org/TR/1999/REC-xslt-19991116
No provision is made for an explicit version number in this syntax. If a future version of this specification requires explicit versioning of the document format, a different namespace will be used.
The contributions of the members of the XML Signature Working Group to the first edition specification are gratefully acknowledged: Mark Bartel, Adobe, was Accelio (Author); John Boyer, IBM (Author); Mariano P. Consens, University of Waterloo; John Cowan, Reuters Health; Donald Eastlake 3rd, Motorola (Chair, Author/Editor); Barb Fox, Microsoft (Author); Christian Geuer-Pollmann, University Siegen; Tom Gindin, IBM; Phillip Hallam-Baker, VeriSign Inc; Richard Himes, US Courts; Merlin Hughes, Baltimore; Gregor Karlinger, IAIK TU Graz; Brian LaMacchia, Microsoft (Author); Peter Lipp, IAIK TU Graz; Joseph Reagle, NYU, was W3C (Chair, Author/Editor); Ed Simon, XMLsec (Author); David Solo, Citigroup (Author/Editor); Petteri Stenius, Capslock; Raghavan Srinivas, Sun; Kent Tamura, IBM; Winchel Todd Vincent III, GSU; Carl Wallace, Corsec Security, Inc.; Greg Whitehead, Signio Inc.
As are the first edition Last Call comments from the following:
The following members of the XML Security Specification Maintenance Working Group contributed to the second edition: Juan Carlos Cruellas, Universitat Politècnica de Catalunya; Pratik Datta, Oracle Corporation; Phillip Hallam-Baker, VeriSign, Inc.; Frederick Hirsch, Nokia, (Chair, Editor); Konrad Lanz, Applied Information processing and Kommunications (IAIK); Hal Lockhart, BEA Systems, Inc.; Robert Miller, MITRE Corporation; Sean Mullan, Sun Microsystems, Inc.; Bruce Rich, IBM Corporation; Thomas Roessler, W3C / ERCIM , (Staff contact, Editor); Ed Simon, W3C Invited Expert; Greg Whitehead, HP.
Contributions for version 1.1 were received from the members of the XML Security Working Group: Scott Cantor, Juan Carlos Cruellas, Pratik Datta, Gerald Edgar, Ken Graf, Phillip Hallam-Baker, Brad Hill, Frederick Hirsch (Chair, Editor), Brian LaMacchia, Konrad Lanz, Hal Lockhart, Cynthia Martin, Rob Miller, Sean Mullan, Shivaram Mysore, Magnus Nyström, Bruce Rich, Thomas Roessler (Staff contact, Editor), Ed Simon, Chris Solc, John Wray, Kelvin Yiu (Editor).
The Working Group thanks Makoto Murata for assistance with the RELAX NG schemas.
This section provides an overview and examples of XML digital signature syntax. The specific processing is given in section 3. Processing Rules . The formal syntax is found in section 4. Core Signature Syntax and section 5. Additional Signature Syntax .
In this section, an informal representation and examples are used to describe the structure of the XML signature syntax. This representation and examples may omit attributes, details and potential features that are fully explained later.
XML
Signatures
are
applied
to
arbitrary
digital
content
(data
objects)
via
an
indirection.
Data
objects
are
digested,
the
resulting
value
is
placed
in
an
element
(with
other
information)
and
that
element
is
then
digested
and
cryptographically
signed.
XML
digital
signatures
are
represented
by
the
Signature
element
which
has
the
following
structure
(where
"?"
denotes
zero
or
one
occurrence;
"+"
denotes
one
or
more
occurrences;
and
"*"
denotes
zero
or
more
occurrences):
<Signature ID?> <SignedInfo> <CanonicalizationMethod /> <SignatureMethod /> (<Reference URI? > (<Transforms>)? <DigestMethod> <DigestValue> </Reference>)+ </SignedInfo> <SignatureValue> (<KeyInfo>)? (<Object ID?>)* </Signature>
Signatures
are
related
to
data
objects
via
URIs
[
URI
].
Within
an
XML
document,
signatures
are
related
to
local
data
objects
via
fragment
identifiers.
Such
local
data
can
be
included
within
an
enveloping
signature
or
can
enclose
an
enveloped
signature.
Detached
signatures
are
over
external
network
resources
or
local
data
objects
that
reside
within
the
same
XML
document
as
sibling
elements;
in
this
case,
the
signature
is
neither
enveloping
(signature
is
parent)
nor
enveloped
(signature
is
child).
Since
a
Signature
element
(and
its
Id
attribute
value/name)
may
co-exist
or
be
combined
with
other
elements
(and
their
IDs)
within
a
single
XML
document,
care
should
be
taken
in
choosing
names
such
that
there
are
no
subsequent
collisions
that
violate
the
ID
uniqueness
validity
constraint
[
XML10
].
Signature
,
SignedInfo
,
Methods
,
and
Reference
s)
The following example is a detached signature of the content of the HTML4 in XML specification.
[s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#"> [s02] <SignedInfo> [s03] <CanonicalizationMethod Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [s04] <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> [s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s06] <Transforms> [s07] <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [s08] </Transforms> [s09] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> [s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue> [s11] </Reference> [s12] </SignedInfo> [s13] <SignatureValue>...</SignatureValue> [s14] <KeyInfo> [s15a] <KeyValue> [s15b] <DSAKeyValue> [s15c] <P>...</P><Q>...</Q><G>...</G><Y>...</Y> [s15d] </DSAKeyValue> [s15e] </KeyValue> [s16] </KeyInfo> [s17] </ Signature >
[s02-12]
The
required
SignedInfo
element
is
the
information
that
is
actually
signed.
Core
validation
of
SignedInfo
consists
of
two
mandatory
processes:
validation
of
the
signature
over
SignedInfo
and
validation
of
each
Reference
digest
within
SignedInfo
.
Note
that
the
algorithms
used
in
calculating
the
SignatureValue
are
also
included
in
the
signed
information
while
the
SignatureValue
element
is
outside
SignedInfo
.
[s03]
The
CanonicalizationMethod
is
the
algorithm
that
is
used
to
canonicalize
the
SignedInfo
element
before
it
is
digested
as
part
of
the
signature
operation.
Note
that
this
example
is
not
in
canonical
form.
(None
of
the
examples
in
this
specification
are
in
canonical
form.)
[s04]
The
SignatureMethod
is
the
algorithm
that
is
used
to
convert
the
canonicalized
SignedInfo
into
the
SignatureValue
.
It
is
a
combination
of
a
digest
algorithm
and
a
key
dependent
algorithm
and
possibly
other
algorithms
such
as
padding,
for
example
RSA-SHA1.
The
algorithm
names
are
signed
to
resist
attacks
based
on
substituting
a
weaker
algorithm.
To
promote
application
interoperability
we
specify
a
set
of
signature
algorithms
that
must
MUST
be
implemented,
though
their
use
is
at
the
discretion
of
the
signature
creator.
We
specify
additional
algorithms
as
recommended
RECOMMENDED
or
optional
OPTIONAL
for
implementation;
the
design
also
permits
arbitrary
user
specified
algorithms.
[s05-11]
Each
Reference
element
includes
the
digest
method
and
resulting
digest
value
calculated
over
the
identified
data
object.
It
also
may
include
transformations
that
produced
the
input
to
the
digest
operation.
A
data
object
is
signed
by
computing
its
digest
value
and
a
signature
over
that
value.
The
signature
is
later
checked
via
reference
and
signature
validation
.
[s14-16]
KeyInfo
indicates
the
key
to
be
used
to
validate
the
signature.
Possible
forms
for
identification
include
certificates,
key
names,
and
key
agreement
algorithms
and
information
--
we
define
only
a
few.
KeyInfo
is
optional
for
two
reasons.
First,
the
signer
may
not
wish
to
reveal
key
information
to
all
document
processing
parties.
Second,
the
information
may
be
known
within
the
application's
context
and
need
not
be
represented
explicitly.
Since
KeyInfo
is
outside
of
SignedInfo
,
if
the
signer
wishes
to
bind
the
keying
information
to
the
signature,
a
Reference
can
easily
identify
and
include
the
KeyInfo
as
part
of
the
signature.
Use
of
KeyInfo
is
optional,
however
note
that
senders
and
receivers
must
agree
on
how
it
will
be
used
through
a
mechanism
out
of
scope
for
this
specification.
Reference
[s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s06] <Transforms> [s07] <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [s08] </Transforms> [s09] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> [s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue> [ s11 ] </ Reference >
[s05]
The
optional
URI
attribute
of
Reference
identifies
the
data
object
to
be
signed.
This
attribute
may
be
omitted
on
at
most
one
Reference
in
a
Signature
.
(This
limitation
is
imposed
in
order
to
ensure
that
references
and
objects
may
be
matched
unambiguously.)
[s05-08]
This
identification,
along
with
the
transforms,
is
a
description
provided
by
the
signer
on
how
they
obtained
the
signed
data
object
in
the
form
it
was
digested
(i.e.
the
digested
content).
The
verifier
may
obtain
the
digested
content
in
another
method
so
long
as
the
digest
verifies.
In
particular,
the
verifier
may
obtain
the
content
from
a
different
location
such
as
a
local
store
than
that
specified
in
the
URI
.
[s06-08]
Transforms
is
an
optional
ordered
list
of
processing
steps
that
were
applied
to
the
resource's
content
before
it
was
digested.
Transforms
can
include
operations
such
as
canonicalization,
encoding/decoding
(including
compression/inflation),
XSLT,
XPath,
XML
schema
validation,
or
XInclude.
XPath
transforms
permit
the
signer
to
derive
an
XML
document
that
omits
portions
of
the
source
document.
Consequently
those
excluded
portions
can
change
without
affecting
signature
validity.
For
example,
if
the
resource
being
signed
encloses
the
signature
itself,
such
a
transform
must
be
used
to
exclude
the
signature
value
from
its
own
computation.
If
no
Transforms
element
is
present,
the
resource's
content
is
digested
directly.
While
the
Working
Group
has
specified
mandatory
(and
optional)
canonicalization
and
decoding
algorithms,
user
specified
transforms
are
permitted.
[s09-10]
DigestMethod
is
the
algorithm
applied
to
the
data
after
Transforms
is
applied
(if
specified)
to
yield
the
DigestValue
.
The
signing
of
the
DigestValue
is
what
binds
the
content
of
a
resource
to
the
signer's
key.
Object
and
SignatureProperty
)
This
specification
does
not
address
mechanisms
for
making
statements
or
assertions.
Instead,
this
document
defines
what
it
means
for
something
to
be
signed
by
an
XML
Signature
(
integrity
,
message
authentication
,
and/or
signer
authentication
).
Applications
that
wish
to
represent
other
semantics
must
rely
upon
other
technologies,
such
as
[
XML10
],
[
RDF-PRIMER
].
For
instance,
an
application
might
use
a
foo:assuredby
attribute
within
its
own
markup
to
reference
a
Signature
element.
Consequently,
it's
the
application
that
must
understand
and
know
how
to
make
trust
decisions
given
the
validity
of
the
signature
and
the
meaning
of
assuredby
syntax.
We
also
define
a
SignatureProperties
element
type
for
the
inclusion
of
assertions
about
the
signature
itself
(e.g.,
signature
semantics,
the
time
of
signing
or
the
serial
number
of
hardware
used
in
cryptographic
processes).
Such
assertions
may
be
signed
by
including
a
Reference
for
the
SignatureProperties
in
SignedInfo
.
While
the
signing
application
should
be
very
careful
about
what
it
signs
(it
should
understand
what
is
in
the
SignatureProperty
)
a
receiving
application
has
no
obligation
to
understand
that
semantic
(though
its
parent
trust
engine
may
wish
to).
Any
content
about
the
signature
generation
may
be
located
within
the
SignatureProperty
element.
The
mandatory
Target
attribute
references
the
Signature
element
to
which
the
property
applies.
Consider
the
preceding
example
with
an
additional
reference
to
a
local
Object
that
includes
a
SignatureProperty
element.
(Such
a
signature
would
not
only
be
detached
[p02]
but
enveloping
[p03]
.)
[ ] <Signature Id="MySecondSignature" ...> [p01] <SignedInfo> [ ] ... [p02] <Reference URI="http://www.w3.org/TR/xml-stylesheet/"> [ ] ... [p03] <Reference URI="#AMadeUpTimeStamp" [p04] Type="http://www.w3.org/2000/09/xmldsig#SignatureProperties"> [p05] <Transforms> [p06] <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [p07] </Transforms> [p08] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> [p09] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue> [p10] </Reference> [p11] </SignedInfo> [p12] ... [p13] <Object> [p14] <SignatureProperties> [p15] <SignatureProperty Id="AMadeUpTimeStamp" Target="#MySecondSignature"> [p16] <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt"> [p17] <date>19990914</date> [p18] <time>14:34:34:34</time> [p19] </timestamp> [p20] </SignatureProperty> [p21] </SignatureProperties> [p22] </Object> [ p23 ]</ Signature >
[p04]
The
optional
Type
attribute
of
Reference
provides
information
about
the
resource
identified
by
the
URI
.
In
particular,
it
can
indicate
that
it
is
an
Object
,
SignatureProperty
,
or
Manifest
element.
This
can
be
used
by
applications
to
initiate
special
processing
of
some
Reference
elements.
References
to
an
XML
data
element
within
an
Object
element
should
SHOULD
identify
the
actual
element
pointed
to.
Where
the
element
content
is
not
XML
(perhaps
it
is
binary
or
encoded
data)
the
reference
should
identify
the
Object
and
the
Reference
Type
,
if
given,
should
SHOULD
indicate
Object
.
Note
that
Type
is
advisory
and
no
action
based
on
it
or
checking
of
its
correctness
is
required
by
core
behavior.
[p13]
Object
is
an
optional
element
for
including
data
objects
within
the
signature
element
or
elsewhere.
The
Object
can
be
optionally
typed
and/or
encoded.
[p14-21]
Signature
properties,
such
as
time
of
signing,
can
be
optionally
signed
by
identifying
them
from
within
a
Reference
.
(These
properties
are
traditionally
called
signature
"attributes"
although
that
term
has
no
relationship
to
the
XML
term
"attribute".)
Object
and
Manifest
)
The
Manifest
element
is
provided
to
meet
additional
requirements
not
directly
addressed
by
the
mandatory
parts
of
this
specification.
Two
requirements
and
the
way
the
Manifest
satisfies
them
follow.
First,
applications
frequently
need
to
efficiently
sign
multiple
data
objects
even
where
the
signature
operation
itself
is
an
expensive
public
key
signature.
This
requirement
can
be
met
by
including
multiple
Reference
elements
within
SignedInfo
since
the
inclusion
of
each
digest
secures
the
data
digested.
However,
some
applications
may
not
want
the
core
validation
behavior
associated
with
this
approach
because
it
requires
every
Reference
within
SignedInfo
to
undergo
reference
validation
--
the
DigestValue
elements
are
checked.
These
applications
may
wish
to
reserve
reference
validation
decision
logic
to
themselves.
For
example,
an
application
might
receive
a
signature
valid
SignedInfo
element
that
includes
three
Reference
elements.
If
a
single
Reference
fails
(the
identified
data
object
when
digested
does
not
yield
the
specified
DigestValue
)
the
signature
would
fail
core
validation
.
However,
the
application
may
wish
to
treat
the
signature
over
the
two
valid
Reference
elements
as
valid
or
take
different
actions
depending
on
which
fails.
To
accomplish
this,
SignedInfo
would
reference
a
Manifest
element
that
contains
one
or
more
Reference
elements
(with
the
same
structure
as
those
in
SignedInfo
).
Then,
reference
validation
of
the
Manifest
is
under
application
control.
Second,
consider
an
application
where
many
signatures
(using
different
keys)
are
applied
to
a
large
number
of
documents.
An
inefficient
solution
is
to
have
a
separate
signature
(per
key)
repeatedly
applied
to
a
large
SignedInfo
element
(with
many
Reference
s);
this
is
wasteful
and
redundant.
A
more
efficient
solution
is
to
include
many
references
in
a
single
Manifest
that
is
then
referenced
from
multiple
Signature
elements.
The
example
below
includes
a
Reference
that
signs
a
Manifest
found
within
the
Object
element.
[ ] ... [m01] <Reference URI="#MyFirstManifest" [m02] Type="http://www.w3.org/2000/09/xmldsig#Manifest"> [m03] <Transforms> [m04] <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> [m05] </Transforms> [m06] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> [m07] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...=</DigestValue> [m08] </Reference> [ ] ... [m09] <Object> [m10] <Manifest Id="MyFirstManifest"> [m11] <Reference> [m12] ... [m13] </Reference> [m14] <Reference> [m15] ... [m16] </Reference> [m17] </Manifest> [ m18 ] </ Object >
The sections below describe the operations to be performed as part of signature generation and validation.
The
required
REQUIRED
steps
include
the
generation
of
Reference
elements
and
the
SignatureValue
over
SignedInfo
.
For each data object being signed:
Transforms
,
as
determined
by
the
application,
to
the
data
object.
Reference
element,
including
the
(optional)
identification
of
the
data
object,
any
(optional)
transform
elements,
the
digest
algorithm
and
the
DigestValue
.
(Note,
it
is
the
canonical
form
of
these
references
that
are
signed
in
section
3.1.2
Signature
Generation
and
validated
in
section
3.2.1
Reference
Validation
.)
Transform
elements
is
a
node-set.
We
RECOMMEND
that,
when
generating
signatures,
signature
applications
do
not
rely
on
this
default
behavior,
but
explicitly
identify
the
transformation
that
is
applied
to
perform
this
mapping.
In
cases
in
which
inclusive
canonicalization
is
desired,
we
RECOMMEND
that
Canonical
XML
1.1
[
XML-C14N11
]
be
used.
SignedInfo
element
with
SignatureMethod
,
CanonicalizationMethod
and
Reference
(s).
SignatureValue
over
SignedInfo
based
on
algorithms
specified
in
SignedInfo
.
Signature
element
that
includes
SignedInfo
,
Object
(s)
(if
desired,
encoding
may
be
different
than
that
used
for
signing),
KeyInfo
(if
required),
and
SignatureValue
.
Note,
if
the
Signature
includes
same-document
references,
[
XML10
]
or
[
XMLSCHEMA-1
],
[
XMLSCHEMA-2
]
validation
of
the
document
might
introduce
changes
that
break
the
signature.
Consequently,
applications
should
be
careful
to
consistently
process
the
document
or
refrain
from
using
external
contributions
(e.g.,
defaults
and
entities).
The
required
REQUIRED
steps
of
core
validation
include
(1)
reference
validation
,
the
verification
of
the
digest
contained
in
each
Reference
in
SignedInfo
,
and
(2)
the
cryptographic
signature
validation
of
the
signature
calculated
over
SignedInfo
.
Note, there may be valid signatures that some signature applications are unable to validate. Reasons for this include failure to implement optional parts of this specification, inability or unwillingness to execute specified algorithms, or inability or unwillingness to dereference specified URIs (some URI schemes may cause undesirable side effects), etc.
Comparison of each value in reference and signature validation is over the numeric (e.g., integer) or decoded octet sequence of the value. Different implementations may produce different encoded digest and signature values when processing the same resources because of variances in their encoding, such as accidental white space. But if one uses numeric or octet comparison (choose one) on both the stated and computed values these problems are eliminated.
SignedInfo
element
based
on
the
CanonicalizationMethod
in
SignedInfo
.
Reference
in
SignedInfo
:
URI
and
execute
Transforms
provided
by
the
signer
in
the
Reference
element,
or
it
may
obtain
the
content
through
other
means
such
as
a
local
cache.)
DigestMethod
specified
in
its
Reference
specification.
DigestValue
in
the
SignedInfo
Reference
;
if
there
is
any
mismatch,
validation
fails.
Note,
SignedInfo
is
canonicalized
in
step
1.
The
application
must
ensure
that
the
CanonicalizationMethod
has
no
dangerous
side
effects,
such
as
rewriting
URIs,
(see
note
on
Canonicalization
Method
)
and
that
it
Sees
What
is
Signed
,
which
is
the
canonical
form.
Note,
After
a
Signature
element
has
been
created
in
Signature
Generation
for
a
signature
with
a
same
document
reference,
an
implementation
can
serialize
the
XML
content
with
variations
in
that
serialization.
This
means
that
Reference
Validation
needs
to
canonicalize
the
XML
document
before
digesting
in
step
1
to
avoid
issues
related
to
variations
in
serialization.
KeyInfo
or
from
an
external
source.
SignatureMethod
using
the
CanonicalizationMethod
and
use
the result
(and
previously
obtained
KeyInfo
)
to
confirm
the
SignatureValue
over
the
SignedInfo
element.
Note,
KeyInfo
(or
some
transformed
version
thereof)
may
be
signed
via
a
Reference
element.
Transformation
and
validation
of
this
reference
(3.2.1)
is
orthogonal
to
Signature
Validation
which
uses
the
KeyInfo
as
parsed.
Additionally,
the
SignatureMethod
URI
may
have
been
altered
by
the
canonicalization
of
SignedInfo
(e.g.,
absolutization
of
relative
URIs)
and
it
is
the
canonical
form
that
must
MUST
be
used.
However,
the
required
canonicalization
[
XML-C14N
]
of
this
specification
does
not
change
URIs.
The general structure of an XML signature is described in section 2. Signature Overview and Examples . This section provides detailed syntax of the core signature features. Features described in this section are mandatory to implement unless otherwise indicated. The syntax is defined via an [ XMLSCHEMA-1 ][ XMLSCHEMA-2 ] with the following XML preamble, declaration, and internal entity.
Schema Definition :
<? xml version = "1.0" encoding = "utf-8" ?> <!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN" [ <!ATTLIST schema xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#"> <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'> <!ENTITY % p ''> <!ENTITY % s ''> ]> <schema xmlns = "http://www.w3.org/2001/XMLSchema" xmlns:ds = "http://www.w3.org/2000/09/xmldsig#" targetNamespace = "http://www.w3.org/2000/09/xmldsig#" version = "0.1" elementFormDefault = "qualified" >
Additional
markup
defined
in
version
1.1
of
this
specification
uses
the
dsig11:
namespace.
The
syntax
is
defined
in
an
XML
schema
with
the
following
preamble:
Schema Definition :
<? xml version = "1.0" encoding = "utf-8" ?> <!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN" [ <!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'> <!ENTITY dsig11 'http://www.w3.org/2009/xmldsig11#'> <!ENTITY % p ''> <!ENTITY % s ''> ]> <schema xmlns = "http://www.w3.org/2001/XMLSchema" xmlns:ds = "http://www.w3.org/2000/09/xmldsig#" xmlns:dsig11 = "http://www.w3.org/2009/xmldsig11#" targetNamespace = "http://www.w3.org/2009/xmldsig11#" version = "0.1" elementFormDefault = "qualified" >
ds:CryptoBinary
Simple
Type
This
specification
defines
the
ds:CryptoBinary
simple
type
for
representing
arbitrary-length
integers
(e.g.
"bignums")
in
XML
as
octet
strings.
The
integer
value
is
first
converted
to
a
"big
endian"
bitstring.
The
bitstring
is
then
padded
with
leading
zero
bits
so
that
the
total
number
of
bits
==
0
mod
8
(so
that
there
are
an
integral
number
of
octets).
If
the
bitstring
contains
entire
leading
octets
that
are
zero,
these
are
removed
(so
the
high-order
octet
is
always
non-zero).
This
octet
string
is
then
base64
[
RFC2045
]
encoded.
(The
conversion
from
integer
to
octet
string
is
equivalent
to
IEEE
1363's
I2OSP
[
IEEE1363
]
with
minimal
length).
This
type
is
used
by
"bignum"
values
such
as
RSAKeyValue
and
DSAKeyValue
.
If
a
value
can
be
of
type
base64Binary
or
ds:CryptoBinary
they
are
defined
as
base64Binary
.
For
example,
if
the
signature
algorithm
is
RSA
or
DSA
then
SignatureValue
represents
a
bignum
and
could
be
ds:CryptoBinary
.
However,
if
HMAC-SHA1
is
the
signature
algorithm
then
SignatureValue
could
have
leading
zero
octets
that
must
be
preserved.
Thus
SignatureValue
is
generically
defined
as
of
type
base64Binary
.
Schema Definition :
<simpleType name = "CryptoBinary" > <restriction base = "base64Binary" /> </simpleType>
Signature
element
The
Signature
element
is
the
root
element
of
an
XML
Signature.
Implementation
must
MUST
generate
laxly
schema
valid
[
XMLSCHEMA-1
][
XMLSCHEMA-2
]
Signature
elements
as
specified
by
the
following
schema:
Schema Definition :
<element name = "Signature" type = "ds:SignatureType" /> <complexType name = "SignatureType" > <sequence> <element ref = "ds:SignedInfo" /> <element ref = "ds:SignatureValue" /> <element ref = "ds:KeyInfo" minOccurs = "0" /> <element ref = "ds:Object" minOccurs = "0" maxOccurs = "unbounded" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
SignatureValue
Element
The
SignatureValue
element
contains
the
actual
value
of
the
digital
signature;
it
is
always
encoded
using
base64
[
RFC2045
].
Schema Definition :
<element name = "SignatureValue" type = "ds:SignatureValueType" /> <complexType name = "SignatureValueType" > <simpleContent> <extension base = "base64Binary" > <attribute name = "Id" type = "ID" use = "optional" /> </extension> </simpleContent> </complexType>
SignedInfo
Element
The
structure
of
SignedInfo
includes
the
canonicalization
algorithm,
a
signature
algorithm,
and
one
or
more
references.
The
SignedInfo
element
may
contain
an
optional
ID
attribute
that
will
allow
it
to
be
referenced
by
other
signatures
and
objects.
SignedInfo
does
not
include
explicit
signature
or
digest
properties
(such
as
calculation
time,
cryptographic
device
serial
number,
etc.).
If
an
application
needs
to
associate
properties
with
the
signature
or
digest,
it
may
include
such
information
in
a
SignatureProperties
element
within
an
Object
element.
Schema Definition :
<element name = "SignedInfo" type = "ds:SignedInfoType" /> <complexType name = "SignedInfoType" > <sequence> <element ref = "ds:CanonicalizationMethod" /> <element ref = "ds:SignatureMethod" /> <element ref = "ds:Reference" maxOccurs = "unbounded" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
CanonicalizationMethod
Element
CanonicalizationMethod
is
a
required
element
that
specifies
the
canonicalization
algorithm
applied
to
the
SignedInfo
element
prior
to
performing
signature
calculations.
This
element
uses
the
general
structure
for
algorithms
described
in
section
6.1
Algorithm
Identifiers
and
Implementation
Requirements
.
Implementations
must
MUST
support
the
required
REQUIRED
canonicalization
algorithms
.
Alternatives
to
the
required
REQUIRED
canonicalization
algorithms
(section
6.5),
such
as
Canonical
XML
with
Comments
(section
6.5.1)
or
a
minimal
canonicalization
(such
as
CRLF
and
charset
normalization)
,
may
be
explicitly
specified
but
are
not
required
NOT
REQUIRED
.
Consequently,
their
use
may
not
interoperate
with
other
applications
that
do
not
support
the
specified
algorithm
(see
XML
Canonicalization
and
Syntax
Constraint
Considerations
,
section
7).
Security
issues
may
also
arise
in
the
treatment
of
entity
processing
and
comments
if
non-XML
aware
canonicalization
algorithms
are
not
properly
constrained
(see
section
8.1.2:
Only
What
is
"Seen"
Should
be
Signed
).
The
way
in
which
the
SignedInfo
element
is
presented
to
the
canonicalization
method
is
dependent
on
that
method.
The
following
applies
to
algorithms
which
process
XML
as
nodes
or
characters:
SignedInfo
and
currently
indicating
the
SignedInfo
,
its
descendants,
and
the
attribute
and
namespace
nodes
of
SignedInfo
and
its
descendant
elements.
SignedInfo
element,
from
the
first
character
to
the
last
character
of
the
XML
representation,
inclusive.
This
includes
the
entire
text
of
the
start
and
end
tags
of
the
SignedInfo
element
as
well
as
all
descendant
markup
and
character
data
(i.e.,
the
text
)
between
those
tags.
Use
of
text
based
canonicalization
of
SignedInfo
is
We
recommend
applications
that
implement
a
text-based
instead
of
XML-based
canonicalization
--
such
as
resource
constrained
apps
--
generate
canonicalized
XML
as
their
output
serialization
so
as
to
mitigate
interoperability
and
security
concerns.
For
instance,
such
an
implementation
should
SHOULD
(at
least)
generate
standalone
XML
instances
[
XML10
].
Note
:
The
signature
application
must
exercise
great
care
in
accepting
and
executing
an
arbitrary
CanonicalizationMethod
.
For
example,
the
canonicalization
method
could
rewrite
the
URIs
of
the
Reference
s
being
validated.
Or,
the
method
could
massively
transform
SignedInfo
so
that
validation
would
always
succeed
(i.e.,
converting
it
to
a
trivial
signature
with
a
known
key
over
trivial
data).
Since
CanonicalizationMethod
is
inside
SignedInfo
,
in
the
resulting
canonical
form
it
could
erase
itself
from
SignedInfo
or
modify
the
SignedInfo
element
so
that
it
appears
that
a
different
canonicalization
function
was
used!
Thus
a
Signature
which
appears
to
authenticate
the
desired
data
with
the
desired
key,
DigestMethod
,
and
SignatureMethod
,
can
be
meaningless
if
a
capricious
CanonicalizationMethod
is
used.
Schema Definition :
<element name = "CanonicalizationMethod" type = "ds:CanonicalizationMethodType" /> <complexType name = "CanonicalizationMethodType" mixed = "true" > <sequence> <any namespace = "##any" minOccurs = "0" maxOccurs = "unbounded" /> <!-- (0,unbounded) elements from (1,1) namespace --> </sequence> <attribute name = "Algorithm" type = "anyURI" use = "required" /> </complexType>
SignatureMethod
Element
SignatureMethod
is
a
required
element
that
specifies
the
algorithm
used
for
signature
generation
and
validation.
This
algorithm
identifies
all
cryptographic
functions
involved
in
the
signature
operation
(e.g.
hashing,
public
key
algorithms,
MACs,
padding,
etc.).
This
element
uses
the
general
structure
here
for
algorithms
described
in
section
6.1
Algorithm
Identifiers
and
Implementation
Requirements
.
While
there
is
a
single
identifier,
that
identifier
may
specify
a
format
containing
multiple
distinct
signature
values.
Schema Definition :
<element name = "SignatureMethod" type = "ds:SignatureMethodType" /> <complexType name = "SignatureMethodType" mixed = "true" > <sequence> <element name = "HMACOutputLength" minOccurs = "0" type = "ds:HMACOutputLengthType" /> <any namespace = "##other" minOccurs = "0" maxOccurs = "unbounded" /> <!-- (0,unbounded) elements from (1,1) external namespace --> </sequence> <attribute name = "Algorithm" type = "anyURI" use = "required" /> </complexType>
The
ds:HMACOutputLength
parameter
is
used
for
HMAC
[
HMAC
]
algorithms.
The
parameter
specifies
a
truncation
length
in
bits.
If
this
parameter
is
trusted
without
further
verification,
then
this
can
lead
to
a
security
bypass
[
CVE-2009-0217
].
Signatures
must
MUST
be
deemed
invalid
if
the
truncation
length
is
below
the
larger
of
(a)
half
the
underlying
hash
algorithm's
output
length,
and
(b)
80
bits.
Note
that
some
implementations
are
known
to
not
accept
truncation
lengths
that
are
lower
than
the
underlying
hash
algorithm's
output
length.
Reference
Element
Reference
is
an
element
that
may
occur
one
or
more
times.
It
specifies
a
digest
algorithm
and
digest
value,
and
optionally
an
identifier
of
the
object
being
signed,
the
type
of
the
object,
and/or
a
list
of
transforms
to
be
applied
prior
to
digesting.
The
identification
(URI)
and
transforms
describe
how
the
digested
content
(i.e.,
the
input
to
the
digest
method)
was
created.
The
Type
attribute
facilitates
the
processing
of
referenced
data.
For
example,
while
this
specification
makes
no
requirements
over
external
data,
an
application
may
wish
to
signal
that
the
referent
is
a
Manifest
.
An
optional
ID
attribute
permits
a
Reference
to
be
referenced
from
elsewhere.
Schema Definition :
<element name = "Reference" type = "ds:ReferenceType" /> <complexType name = "ReferenceType" > <sequence> <element ref = "ds:Transforms" minOccurs = "0" /> <element ref = "ds:DigestMethod" /> <element ref = "ds:DigestValue" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> <attribute name = "URI" type = "anyURI" use = "optional" /> <attribute name = "Type" type = "anyURI" use = "optional" /> </complexType>
URI
Attribute
The
URI
attribute
identifies
a
data
object
using
a
URI-Reference
[
URI
].
The
mapping
from
this
attribute's
value
to
a
URI
reference
must
MUST
be
performed
as
specified
in
section
3.2.17
of
[
XMLSCHEMA-2
].
Additionally:
Some
existing
implementations
are
known
to
verify
the
value
of
the
URI
attribute
against
the
grammar
in
[
URI
].
It
is
therefore
safest
to
perform
any
necessary
escaping
while
generating
the
URI
attribute.
We
RECOMMEND
XML
Signature
applications
be
able
to
dereference
URIs
in
the
HTTP
scheme.
Dereferencing
a
URI
in
the
HTTP
scheme
must
MUST
comply
with
the
Status
Code
Definitions
of
[
HTTP11
]
(e.g.,
302,
305
and
307
redirects
are
followed
to
obtain
the
entity-body
of
a
200
status
code
response).
Applications
should
also
be
cognizant
of
the
fact
that
protocol
parameter
and
state
information,
(such
as
HTTP
cookies,
HTML
device
profiles
or
content
negotiation),
may
affect
the
content
yielded
by
dereferencing
a
URI.
If a resource is identified by more than one URI, the most specific should be used (e.g. http://www.w3.org/2000/06/interop-pressrelease.html.en instead of http://www.w3.org/2000/06/interop-pressrelease). (See section 3.2 Core Validation for further information on reference processing.)
If
the
URI
attribute
is
omitted
altogether,
the
receiving
application
is
expected
to
know
the
identity
of
the
object.
For
example,
a
lightweight
data
protocol
might
omit
this
attribute
given
the
identity
of
the
object
is
part
of
the
application
context.
This
attribute
may
be
omitted
from
at
most
one
Reference
in
any
particular
SignedInfo
,
or
Manifest
.
The
optional
Type
attribute
contains
information
about
the
type
of
object
being
signed
after
all
ds:Reference
transforms
have
been
applied.
This
is
represented
as
a
URI.
For
example:
Type=
"http://www.w3.org/2000/09/xmldsig#Object"
Type=
"http://www.w3.org/2000/09/xmldsig#Manifest"
The
Type
attribute
applies
to
the
item
being
pointed
at,
not
its
contents.
For
example,
a
reference
that
results
in
the
digesting
of
an
Object
element
containing
a
SignatureProperties
element
is
still
of
type
#Object
.
The
Type
attribute
is
advisory.
No
validation
of
the
type
information
is
required
by
this
specification.
Note
:
XPath
is
recommended
RECOMMENDED
.
Signature
applications
need
not
conform
to
[
XPATH
]
specification
in
order
to
conform
to
this
specification.
However,
the
XPath
data
model,
definitions
(e.g.,
node-sets
)
and
syntax
is
used
within
this
document
in
order
to
describe
functionality
for
those
that
want
to
process
XML-as-XML
(instead
of
octets)
as
part
of
signature
generation.
For
those
that
want
to
use
these
features,
a
conformant
[
XPATH
]
implementation
is
one
way
to
implement
these
features,
but
it
is
not
required.
Such
applications
could
use
a
sufficiently
functional
replacement
to
a
node-set
and
implement
only
those
XPath
expression
behaviors
required
REQUIRED
by
this
specification.
However,
for
simplicity
we
generally
will
use
XPath
terminology
without
including
this
qualification
on
every
point.
Requirements
over
"XPath
node-sets"
can
include
a
node-set
functional
equivalent.
Requirements
over
XPath
processing
can
include
application
behaviors
that
are
equivalent
to
the
corresponding
XPath
behavior.
The data-type of the result of URI dereferencing or subsequent Transforms is either an octet stream or an XPath node-set.
The
Transforms
specified
in
this
document
are
defined
with
respect
to
the
input
they
require.
The
following
is
the
default
signature
application
behavior:
Users
may
specify
alternative
transforms
that
override
these
defaults
in
transitions
between
transforms
that
expect
different
inputs.
The
final
octet
stream
contains
the
data
octets
being
secured.
The
digest
algorithm
specified
by
DigestMethod
is
then
applied
to
these
data
octets,
resulting
in
the
DigestValue
.
Note: The section 3.1.1 Reference Generation includes further restrictions on the reliance upon defined default transformations when applications generate signatures.
In this specification, a 'same-document' reference is defined as a URI-Reference that consists of a hash sign ('#') followed by a fragment or alternatively consists of an empty URI [ URI ].
Unless
the
URI-Reference
is
such
a
'same-document'
reference
,
the
result
of
dereferencing
the
URI-Reference
must
MUST
be
an
octet
stream.
In
particular,
an
XML
document
identified
by
URI
is
not
parsed
by
the
signature
application
unless
the
URI
is
a
same-document
reference
or
unless
a
transform
that
requires
XML
parsing
is
applied.
(See
Transforms
(section
4.4.3.4).)
When
a
fragment
is
preceded
by
an
absolute
or
relative
URI
in
the
URI-Reference,
the
meaning
of
the
fragment
is
defined
by
the
resource's
MIME
type
[
RFC2045
].
Even
for
XML
documents,
URI
dereferencing
(including
the
fragment
processing)
might
be
done
for
the
signature
application
by
a
proxy.
Therefore,
reference
validation
might
fail
if
fragment
processing
is
not
performed
in
a
standard
way
(as
defined
in
the
following
section
for
same-document
references).
Consequently,
we
RECOMMEND
in
this
case
that
the
URI
attribute
not
include
fragment
identifiers
and
that
such
processing
be
specified
as
an
additional
XPath
Transform
or
XPath
Filter
2
Transform
[
XMLDSIG-XPATH-FILTER2
].
When
a
fragment
is
not
preceded
by
a
URI
in
the
URI-Reference,
XML
Signature
applications
must
MUST
support
the
null
URI
and
shortname
XPointer
[
XPTR-FRAMEWORK
].
We
RECOMMEND
support
for
the
same-document
XPointers
'
#xpointer(/)
'
and
'
#xpointer(id('ID'))
'
if
the
application
also
intends
to
support
any
canonicalization
that
preserves
comments.
(Otherwise
URI="#foo"
will
automatically
remove
comments
before
the
canonicalization
can
even
be
invoked
due
to
the
processing
defined
in
Same-Document
URI-References
(section
4.4.3.3).)
All
other
support
for
XPointers
is
optional
OPTIONAL
,
especially
all
support
for
shortname
and
other
XPointers
in
external
resources
since
the
application
may
not
have
control
over
how
the
fragment
is
generated
(leading
to
interoperability
problems
and
validation
failures).
'
#xpointer(/)
'
must
MUST
be
interpreted
to
identify
the
root
node
[
XPATH
]
of
the
document
that
contains
the
URI
attribute.
'
#xpointer(id('
ID
'))
'
must
MUST
be
interpreted
to
identify
the
element
node
identified
by
'
#element(
ID
)
'
[
XPTR-ELEMENT
]
when
evaluated
with
respect
to
the
document
that
contains
the
URI
attribute.
The
original
edition
of
this
specification
[
XMLDSIG-CORE
]
referenced
the
XPointer
Candidate
Recommendation
[
XPTR-XPOINTER-CR2001
]
and
some
implementations
support
it
optionally.
That
Candidate
Recommendation
has
been
superseded
by
the
[
XPTR-FRAMEWORK
],
[
XPTR-XMLNS
]
and
[
XPTR-ELEMENT
]
Recommendations,
and
--
at
the
time
of
this
edition
--
the
[
XPTR-XPOINTER
]
Working
Draft.
Therefore,
the
use
of
the
xpointer()
scheme
[
XPTR-XPOINTER
]
beyond
the
usage
discussed
in
this
section
is
discouraged.
The following examples demonstrate what the URI attribute identifies and how it is dereferenced:
URI="http://example.com/bar.xml"
URI="http://example.com/bar.xml#chapter1"
URI=""
URI="#chapter1"
Dereferencing
a
same-document
reference
must
MUST
result
in
an
XPath
node-set
suitable
for
use
by
Canonical
XML
[
XML-C14N
].
Specifically,
dereferencing
a
null
URI
(
URI=""
)
must
MUST
result
in
an
XPath
node-set
that
includes
every
non-comment
node
of
the
XML
document
containing
the
URI
attribute.
In
a
fragment
URI,
the
characters
after
the
number
sign
('#')
character
conform
to
the
XPointer
syntax
[
XPTR-FRAMEWORK
].
When
processing
an
XPointer,
the
application
must
MUST
behave
as
if
the
XPointer
was
evaluated
with
respect
to
the
XML
document
containing
the
URI
attribute
.
The
application
must
MUST
behave
as
if
the
result
of
XPointer
processing
[
XPTR-FRAMEWORK
]
were
a
node-set
derived
from
the
resultant
subresource
as
follows:
The second to last replacement is necessary because XPointer typically indicates a subtree of an XML document's parse tree using just the element node at the root of the subtree, whereas Canonical XML treats a node-set as a set of nodes in which absence of descendant nodes results in absence of their representative text from the canonical form.
The
last
step
is
performed
for
null
URIs
and
shortname
XPointers
.
It
is
necessary
because
when
[
XML-C14N
]
or
[
XML-C14N11
]
is
passed
a
node-set,
it
processes
the
node-set
as
is:
with
or
without
comments.
Only
when
it
is
called
with
an
octet
stream
does
it
invoke
its
own
XPath
expressions
(default
or
without
comments).
Therefore
to
retain
the
default
behavior
of
stripping
comments
when
passed
a
node-set,
they
are
removed
in
the
last
step
if
the
URI
is
not
a
scheme-based
XPointer.
To
retain
comments
while
selecting
an
element
by
an
identifier
ID
,
use
the
following
scheme-based
XPointer:
URI='#xpointer(id('
ID
'))'
.
To
retain
comments
while
selecting
the
entire
document,
use
the
following
scheme-based
XPointer:
URI='#xpointer(/)'
.
The interpretation of these XPointers is defined in The Reference Processing Model (section 4.4.3.2).
Transforms
Element
The
optional
Transforms
element
contains
an
ordered
list
of
Transform
elements;
these
describe
how
the
signer
obtained
the
data
object
that
was
digested.
The
output
of
each
Transform
serves
as
input
to
the
next
Transform
.
The
input
to
the
first
Transform
is
the
result
of
dereferencing
the
URI
attribute
of
the
Reference
element.
The
output
from
the
last
Transform
is
the
input
for
the
DigestMethod
algorithm.
When
transforms
are
applied
the
signer
is
not
signing
the
native
(original)
document
but
the
resulting
(transformed)
document.
(See
Only
What
is
Signed
is
Secure
(section
8.1.1).)
Each
Transform
consists
of
an
Algorithm
attribute
and
content
parameters,
if
any,
appropriate
for
the
given
algorithm.
The
Algorithm
attribute
value
specifies
the
name
of
the
algorithm
to
be
performed,
and
the
Transform
content
provides
additional
data
to
govern
the
algorithm's
processing
of
the
transform
input.
(See
section
6.1
Algorithm
Identifiers
and
Implementation
Requirements
)
As described in The Reference Processing Model (section 4.4.3.2), some transforms take an XPath node-set as input, while others require an octet stream. If the actual input matches the input needs of the transform, then the transform operates on the unaltered input. If the transform input requirement differs from the format of the actual input, then the input must be converted.
Some
Transform
s
may
require
explicit
MIME
type,
charset
(IANA
registered
"character
set"),
or
other
such
information
concerning
the
data
they
are
receiving
from
an
earlier
Transform
or
the
source
data,
although
no
Transform
algorithm
specified
in
this
document
needs
such
explicit
information.
Such
data
characteristics
are
provided
as
parameters
to
the
Transform
algorithm
and
should
be
described
in
the
specification
for
the
algorithm.
Examples
of
transforms
include
but
are
not
limited
to
base64
decoding
[
RFC2045
],
canonicalization
[
XML-C14N
],
XPath
filtering
[
XPATH
],
and
XSLT
[
XSLT
].
The
generic
definition
of
the
Transform
element
also
allows
application-specific
transform
algorithms.
For
example,
the
transform
could
be
a
decompression
routine
given
by
a
Java
class
appearing
as
a
base64
encoded
parameter
to
a
Java
Transform
algorithm.
However,
applications
should
refrain
from
using
application-specific
transforms
if
they
wish
their
signatures
to
be
verifiable
outside
of
their
application
domain.
Transform
Algorithms
(section
6.6)
defines
the
list
of
standard
transformations.
Schema Definition :
<element name = "Transforms" type = "ds:TransformsType" /> <complexType name = "TransformsType" > <sequence> <element ref = "ds:Transform" maxOccurs = "unbounded" /> </sequence> </complexType> <element name = "Transform" type = "ds:TransformType" /> <complexType name = "TransformType" mixed = "true" > <choice minOccurs = "0" maxOccurs = "unbounded" > <any namespace = "##other" processContents = "lax" /> <!-- (1,1) elements from (0,unbounded) namespaces --> <element name = "XPath" type = "string" /> </choice> <attribute name = "Algorithm" type = "anyURI" use = "required" /> </complexType>
DigestMethod
Element
DigestMethod
is
a
required
element
that
identifies
the
digest
algorithm
to
be
applied
to
the
signed
object.
This
element
uses
the
general
structure
here
for
algorithms
specified
in
section
6.1
Algorithm
Identifiers
and
Implementation
Requirements
.
If the result of the URI dereference and application of Transforms is an XPath node-set (or sufficiently functional replacement implemented by the application) then it must be converted as described in section 4.4.3.2 The Reference Processing Model . If the result of URI dereference and application of transforms is an octet stream, then no conversion occurs (comments might be present if the Canonical XML with Comments was specified in the Transforms). The digest algorithm is applied to the data octets of the resulting octet stream.
Schema Definition :
<element name = "DigestMethod" type = "ds:DigestMethodType" /> <complexType name = "DigestMethodType" mixed = "true" > <sequence> <any namespace = "##other" processContents = "lax" minOccurs = "0" maxOccurs = "unbounded" /> </sequence> <attribute name = "Algorithm" type = "anyURI" use = "required" /> </complexType>
DigestValue
Element
DigestValue is an element that contains the encoded value of the digest. The digest is always encoded using base64 [ RFC2045 ].
Schema Definition :
<element name = "DigestValue" type = "ds:DigestValueType" /> <simpleType name = "DigestValueType" > <restriction base = "base64Binary" /> </simpleType>
KeyInfo
Element
KeyInfo
is
an
optional
element
that
enables
the
recipient(s)
to
obtain
the
key
needed
to
validate
the
signature.
KeyInfo
may
contain
keys,
names,
certificates
and
other
public
key
management
information,
such
as
in-band
key
distribution
or
key
agreement
data.
This
specification
defines
a
few
simple
types
but
applications
may
extend
those
types
or
all
together
replace
them
with
their
own
key
identification
and
exchange
semantics
using
the
XML
namespace
facility
[
XML-NAMES
].
However,
questions
of
trust
of
such
key
information
(e.g.,
its
authenticity
or
strength)
are
out
of
scope
of
this
specification
and
left
to
the
application.
Details
of
the
structure
and
usage
of
element
children
of
KeyInfo
other
than
simple
types
described
in
this
specification
are
out
of
scope.
For
example,
the
definition
of
PKI
certificate
contents,
certificate
ordering,
certificate
revocation
and
CRL
management
are
out
of
scope.
If
KeyInfo
is
omitted,
the
recipient
is
expected
to
be
able
to
identify
the
key
based
on
application
context.
Multiple
declarations
within
KeyInfo
refer
to
the
same
key.
While
applications
may
define
and
use
any
mechanism
they
choose
through
inclusion
of
elements
from
a
different
namespace,
compliant
versions
must
MUST
implement
KeyValue
(
section
4.5.2
The
KeyValue
Element
)
and
should
SHOULD
implement
KeyInfoReference
(
section
4.5.10
The
KeyInfoReference
Element
).
KeyInfoReference
is
preferred
over
use
of
RetrievalMethod
as
it
avoids
use
of
Transform
child
elements
that
introduce
security
risk
and
implementation
challenges.
Support
for
other
children
of
KeyInfo
is
optional
OPTIONAL
.
The
schema
specification
of
many
of
KeyInfo
's
children
(e.g.,
PGPData
,
SPKIData
,
X509Data
)
permit
their
content
to
be
extended/complemented
with
elements
from
another
namespace.
This
may
be
done
only
if
it
is
safe
to
ignore
these
extension
elements
while
claiming
support
for
the
types
defined
in
this
specification.
Otherwise,
external
elements,
including
alternative
structures
to
those
defined
by
this
specification,
must
MUST
be
a
child
of
KeyInfo
.
For
example,
should
a
complete
XML-PGP
standard
be
defined,
its
root
element
must
MUST
be
a
child
of
KeyInfo
.
(Of
course,
new
structures
from
external
namespaces
can
incorporate
elements
from
the
dsig:
namespace
via
features
of
the
type
definition
language.
For
instance,
they
can
create
a
schema
that
permits,
includes,
imports,
or
derives
new
types
based
on
dsig:
elements.)
The
following
list
summarizes
the
KeyInfo
types
that
are
allocated
an
identifier
in
the
dsig:
namespace;
these
can
be
used
within
the
RetrievalMethod
Type
attribute
to
describe
a
remote
KeyInfo
structure.
The
following
list
summarizes
the
additional
KeyInfo
types
that
are
allocated
an
identifier
in
the
dsig11:
namespace.
In addition to the types above for which we define an XML structure, we specify one additional type to indicate a binary (ASN.1 DER) X.509 Certificate .
Schema Definition :
<element name = "KeyInfo" type = "ds:KeyInfoType" /> <complexType name = "KeyInfoType" mixed = "true" > <choice maxOccurs = "unbounded" > <element ref = "ds:KeyName" /> <element ref = "ds:KeyValue" /> <element ref = "ds:RetrievalMethod" /> <element ref = "ds:X509Data" /> <element ref = "ds:PGPData" /> <element ref = "ds:SPKIData" /> <element ref = "ds:MgmtData" /> <!-- <element ref="dsig11:DEREncodedKeyValue"/> --> <!-- DEREncodedKeyValue (XMLDsig 1.1) will use the any element --> <!-- <element ref="dsig11:KeyInfoReference"/> --> <!-- KeyInfoReference (XMLDsig 1.1) will use the any element --> <!-- <element ref="xenc:EncryptedKey"/> --> <!-- EncryptedKey (XMLEnc) will use the any element --> <!-- <element ref="xenc:Agreement"/> --> <!-- Agreement (XMLEnc) will use the any element --> <any processContents = "lax" namespace = "##other" /> <!-- (1,1) elements from (0,unbounded) namespaces --> </choice> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
KeyName
Element
The
KeyName
element
contains
a
string
value
(in
which
white
space
is
significant)
which
may
be
used
by
the
signer
to
communicate
a
key
identifier
to
the
recipient.
Typically,
KeyName
contains
an
identifier
related
to
the
key
pair
used
to
sign
the
message,
but
it
may
contain
other
protocol-related
information
that
indirectly
identifies
a
key
pair.
(Common
uses
of
KeyName
include
simple
string
names
for
keys,
a
key
index,
a
distinguished
name
(DN),
an
email
address,
etc.)
Schema Definition :
<element name = "KeyName" type = "string" />
KeyValue
Element
The
KeyValue
element
contains
a
single
public
key
that
may
be
useful
in
validating
the
signature.
Structured
formats
for
defining
DSA
(
required
REQUIRED
),
RSA
(
required
REQUIRED
)
and
ECDSA
(
required
REQUIRED
)
public
keys
are
defined
in
section
6.4
Signature
Algorithms
.
The
KeyValue
element
may
include
externally
defined
public
keys
values
represented
as
PCDATA
or
element
types
from
an
external
namespace.
Schema Definition :
<element name = "KeyValue" type = "ds:KeyValueType" /> <complexType name = "KeyValueType" mixed = "true" > <choice> <element ref = "ds:DSAKeyValue" /> <element ref = "ds:RSAKeyValue" /> <!-- <element ref="dsig11:ECKeyValue"/> --> <!-- ECC keys (XMLDsig 1.1) will use the any element --> <any namespace = "##other" processContents = "lax" /> </choice> </complexType>
DSAKeyValue
Element
Type="
http://www.w3.org/2000/09/xmldsig#DSAKeyValue
"
(this
can
be
used
within
a
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
DSA keys and the DSA signature algorithm are specified in [ FIPS-186-3 ]. DSA public key values can have the following fields:
P
Q
G
Y
J
seed
pgenCounter
Parameter
J
is
available
for
inclusion
solely
for
efficiency
as
it
is
calculatable
from
P
and
Q
.
Parameters
seed
and
pgenCounter
are
used
in
the
DSA
prime
number
generation
algorithm
specified
in
[
FIPS-186-3
].
As
such,
they
are
optional
but
must
either
both
be
present
or
both
be
absent.
This
prime
generation
algorithm
is
designed
to
provide
assurance
that
a
weak
prime
is
not
being
used
and
it
yields
a
P
and
Q
value.
Parameters
P
,
Q
,
and
G
can
be
public
and
common
to
a
group
of
users.
They
might
be
known
from
application
context.
As
such,
they
are
optional
but
P
and
Q
must
either
both
appear
or
both
be
absent.
If
all
of
P
,
Q
,
seed
,
and
pgenCounter
are
present,
implementations
are
not
required
to
check
if
they
are
consistent
and
are
free
to
use
either
P
and
Q
or
seed
and
pgenCounter
.
All
parameters
are
encoded
as
base64
[
RFC2045
]
values.
Arbitrary-length
integers
(e.g.
"bignums"
such
as
RSA
moduli)
are
represented
in
XML
as
octet
strings
as
defined
by
the
ds:CryptoBinary
type
.
Schema Definition :
<element name = "DSAKeyValue" type = "ds:DSAKeyValueType" /> <complexType name = "DSAKeyValueType" > <sequence> <sequence minOccurs = "0" > <element name = "P" type = "ds:CryptoBinary" /> <element name = "Q" type = "ds:CryptoBinary" /> </sequence> <element name = "G" type = "ds:CryptoBinary" minOccurs = "0" /> <element name = "Y" type = "ds:CryptoBinary" /> <element name = "J" type = "ds:CryptoBinary" minOccurs = "0" /> <sequence minOccurs = "0" > <element name = "Seed" type = "ds:CryptoBinary" /> <element name = "PgenCounter" type = "ds:CryptoBinary" /> </sequence> </sequence> </complexType>
RSAKeyValue
Element
Type="
http://www.w3.org/2000/09/xmldsig#RSAKeyValue
"
(this
can
be
used
within
a
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
RSA
key
values
have
two
fields:
Modulus
and
Exponent
.
<RSAKeyValue> <Modulus>xA7SEU+e0yQH5rm9kbCDN9o3aPIo7HbP7tX6WOocLZAtNfyxSZDU16ksL6W jubafOqNEpcwR3RdFsT7bCqnXPBe5ELh5u4VEy19MzxkXRgrMvavzyBpVRgBUwUlV 5foK5hhmbktQhyNdy/6LpQRhDUDsTvK+g9Ucj47es9AQJ3U= </Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue>
Arbitrary-length
integers
(e.g.
"bignums"
such
as
RSA
moduli)
are
represented
in
XML
as
octet
strings
as
defined
by
the
ds:CryptoBinary
type
.
Schema Definition :
<element name = "RSAKeyValue" type = "ds:RSAKeyValueType" /> <complexType name = "RSAKeyValueType" > <sequence> <element name = "Modulus" type = "ds:CryptoBinary" /> <element name = "Exponent" type = "ds:CryptoBinary" /> </sequence> </complexType>
ECKeyValue
Element
Type="
http://www.w3.org/2009/xmldsig11#ECKeyValue
"
(this
can
be
used
within
a
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
The
ECKeyValue
element
is
defined
in
the
http://www.w3.org/2009/xmldsig11#
namespace.
EC
public
key
values
consists
of
two
sub
components:
Domain
parameters
and
PublicKey
.
<ECKeyValue xmlns="http://www.w3.org/2009/xmldsig11#"> <NamedCurve URI="urn:oid:1.2.840.10045.3.1.7" /> <PublicKey> vWccUP6Jp3pcaMCGIcAh3YOev4gaa2ukOANC7Ufg Cf8KDO7AtTOsGJK7/TA8IC3vZoCy9I5oPjRhyTBulBnj7Y </PublicKey> </ECKeyValue>
Note
-
A
line
break
has
been
added
to
the
PublicKey
content
to
preserve
printed
page
width.
Domain
parameters
can
be
encoded
explicitly
using
the
dsig11:ECParameters
element
or
by
reference
using
the
dsig11:NamedCurve
element.
A
named
curve
is
specified
through
the
URI
attribute.
For
named
curves
that
are
identified
by
OIDs,
such
as
those
defined
in
[
RFC3279
]
and
[
RFC4055
],
the
OID
should
SHOULD
be
encoded
according
to
[
URN-OID
].
Conformant
applications
must
MUST
support
the
dsig11:NamedCurve
element
and
the
256-bit
prime
field
curve
as
identified
by
the
OID
1.2.840.10045.3.1.7
.
The
PublicKey
element
contains
a
Base64
encoding
of
a
binary
representation
of
the
x
and
y
coordinates
of
the
point.
Its
value
is
computed
as
follows:
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <element name = "ECKeyValue" type = "dsig11:ECKeyValueType" /> <complexType name = "ECKeyValueType" > <sequence> <choice> <element name = "ECParameters" type = "dsig11:ECParametersType" /> <element name = "NamedCurve" type = "dsig11:NamedCurveType" /> </choice> <element name = "PublicKey" type = "dsig11:ECPointType" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> </complexType> <complexType name = "NamedCurveType" > <attribute name = "URI" type = "anyURI" use = "required" /> </complexType> <simpleType name = "ECPointType" > <restriction base = "ds:CryptoBinary" /> </simpleType>
The
ECParameters
element
consists
of
the
following
subelements.
Note
these
definitions
are
based
on
the
those
described
in
[
RFC3279
].
FieldID
element
identifies
the
finite
field
over
which
the
elliptic
curve
is
defined.
Additional
details
on
the
structures
for
defining
prime
and
characteristic
two
fields
is
provided
below.
dsig11:Curve
element
specifies
the
coefficients
a
and
b
of
the
elliptic
curve
E.
Each
coefficient
is
first
converted
from
a
field
element
to
an
octet
string
as
specified
in
section
6.2
of
[
ECC-ALGS
],
then
the
resultant
octet
string
is
encoded
in
base64.
Base
element
specifies
the
base
point
P
on
the
elliptic
curve.
The
base
point
is
represented
as
a
value
of
type
ECPointType
.
Order
element
specifies
the
order
n
of
the
base
point
and
is
encoded
as
a
positiveInteger.
Cofactor
element
is
an
optional
element
that
specifies
the
integer
h
=
#E(Fq)/n.
The
cofactor
is
not
required
to
support
ECDSA,
except
in
parameter
validation.
The
cofactor
dsig11:ValidationData
element
is
an
optional
element
that
specifies
the
hash
algorithm
used
to
generate
the
elliptic
curve
E
and
the
base
point
G
verifiably
at
random.
It
also
specifies
the
seed
that
was
used
to
generate
the
curve
and
the
base
point.
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <complexType name = "ECParametersType" > <sequence> <element name = "FieldID" type = "dsig11:FieldIDType" /> <element name = "Curve" type = "dsig11:CurveType" /> <element name = "Base" type = "dsig11:ECPointType" /> <element name = "Order" type = "ds:CryptoBinary" /> <element name = "CoFactor" type = "integer" minOccurs = "0" /> <element name = "ValidationData" type = "dsig11:ECValidationDataType" minOccurs = "0" /> </sequence> </complexType> <complexType name = "FieldIDType" > <choice> <element ref = "dsig11:Prime" /> <element ref = "dsig11:TnB" /> <element ref = "dsig11:PnB" /> <element ref = "dsig11:GnB" /> <any namespace = "##other" processContents = "lax" /> </choice> </complexType> <complexType name = "CurveType" > <sequence> <element name = "A" type = "ds:CryptoBinary" /> <element name = "B" type = "ds:CryptoBinary" /> </sequence> </complexType> <complexType name = "ECValidationDataType" > <sequence> <element name = "seed" type = "ds:CryptoBinary" /> </sequence> <attribute name = "hashAlgorithm" type = "anyURI" use = "required" /> </complexType>
Prime
fields
are
described
by
a
single
subelement
P
,
which
represents
the
field
size
in
bits.
It
is
encoded
as
a
positiveInteger.
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <element name = "Prime" type = "dsig11:PrimeFieldParamsType" /> <complexType name = "PrimeFieldParamsType" > <sequence> <element name = "P" type = "ds:CryptoBinary" /> </sequence> </complexType>
Structures are defined for three types of characteristic two fields: gaussian normal basis, pentanomial basis and trinomial basis.
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <element name = "GnB" type = "dsig11:CharTwoFieldParamsType" /> <complexType name = "CharTwoFieldParamsType" > <sequence> <element name = "M" type = "positiveInteger" /> </sequence> </complexType> <element name = "TnB" type = "dsig11:TnBFieldParamsType" /> <complexType name = "TnBFieldParamsType" > <complexContent> <extension base = "dsig11:CharTwoFieldParamsType" > <sequence> <element name = "K" type = "positiveInteger" /> </sequence> </extension> </complexContent> </complexType> <element name = "PnB" type = "dsig11:PnBFieldParamsType" /> <complexType name = "PnBFieldParamsType" > <complexContent> <extension base = "dsig11:CharTwoFieldParamsType" > <sequence> <element name = "K1" type = "positiveInteger" /> <element name = "K2" type = "positiveInteger" /> <element name = "K3" type = "positiveInteger" /> </sequence> </extension> </complexContent> </complexType>
Implementations that need to support the [ RFC4050 ] format for ECDSA keys can avoid known interoperability problems with that specification by adhering to the following profile:
ECDSAKeyValue
element
against
the
[
RFC4050
]
schema.
XML
schema
validators
may
not
support
integer
types
with
decimal
data
exceeding
18
decimal
digits.
[
XMLSCHEMA-1
][
XMLSCHEMA-2
].
NamedCurve
element.
urn:oid:1.2.840.10045.3.1.7
.
The
following
is
an
example
of
a
ECDSAKeyValue
element
that
meets
the
profile
described
in
this
section.
<ECDSAKeyValue xmlns="http://www.w3.org/2001/04/xmldsig-more#"> <DomainParameters> <NamedCurve URN="urn:oid:1.2.840.10045.3.1.7" /> </DomainParameters> <PublicKey> <X Value="5851106065380174439324917904648283332 0204931884267326155134056258624064349885" /> <Y Value="1024033521368277752409102672177795083 59028642524881540878079119895764161434936" /> </PublicKey> </ECDSAKeyValue>
Note
-
A
line
break
has
been
added
to
the
X
and
Y
Value
attribute
values
to
preserve
printed
page
width.
RetrievalMethod
Element
A
RetrievalMethod
element
within
KeyInfo
is
used
to
convey
a
reference
to
KeyInfo
information
that
is
stored
at
another
location.
For
example,
several
signatures
in
a
document
might
use
a
key
verified
by
an
X.509v3
certificate
chain
appearing
once
in
the
document
or
remotely
outside
the
document;
each
signature's
KeyInfo
can
reference
this
chain
using
a
single
RetrievalMethod
element
instead
of
including
the
entire
chain
with
a
sequence
of
X509Certificate
elements.
RetrievalMethod
uses
the
same
syntax
and
dereferencing
behavior
as
the
Reference
URI
attribute
(
section
4.4.3.1
The
URI
Attribute
)
and
the
Reference
Processing
Model
except
that
there
are
no
DigestMethod
or
DigestValue
child
elements
and
presence
of
the
URI
attribute
is
mandatory.
Type
is
an
optional
identifier
for
the
type
of
data
retrieved
after
all
transforms
have
been
applied.
The
result
of
dereferencing
a
RetrievalMethod
Reference
for
all
KeyInfo
types
defined
by
this
specification
(
section
4.5
The
KeyInfo
Element
)
with
a
corresponding
XML
structure
is
an
XML
element
or
document
with
that
element
as
the
root.
The
rawX509Certificate
KeyInfo
(for
which
there
is
no
XML
structure)
returns
a
binary
X509
certificate.
Note
that
when
referencing
one
of
the
defined
KeyInfo
types
within
the
same
document,
or
some
remote
documents,
at
least
one
Transform
is
required
to
turn
an
ID-based
reference
to
a
KeyInfo
element
into
a
child
element
located
inside
it.
This
is
due
to
the
lack
of
an
XML
ID
attribute
on
the
defined
KeyInfo
types.
In
such
cases,
use
of
KeyInfoReference
is
encouraged
instead,
see
section
4.5.10
The
KeyInfoReference
Element
.
Note:
The
KeyInfoReference
element
is
preferred
over
use
of
RetrievalMethod
as
it
avoids
use
of
Transform
child
elements
that
introduce
security
risk
and
implementation
challenges.
Schema Definition :
<element name = "RetrievalMethod" type = "ds:RetrievalMethodType" /> <complexType name = "RetrievalMethodType" > <sequence> <element ref = "ds:Transforms" minOccurs = "0" /> </sequence> <attribute name = "URI" type = "anyURI" /> <attribute name = "Type" type = "anyURI" use = "optional" /> </complexType>
Note:
The
schema
for
the
URI
attribute
of
RetrievalMethod
erroneously
omitted
the
attribute:
use="required"
.
However,
this
error
only
results
in
a
more
lax
schema
which
permits
all
valid
RetrievalMethod
elements.
Because
the
existing
schema
is
embedded
in
many
applications,
which
may
include
the
schema
in
their
signatures,
the
schema
has
not
been
corrected
to
be
more
restrictive.
X509Data
Element
Type="
http://www.w3.org/2000/09/xmldsig#X509Data
"
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
An
X509Data
element
within
KeyInfo
contains
one
or
more
identifiers
of
keys
or
X509
certificates
(or
certificates'
identifiers
or
a
revocation
list).
The
content
of
X509Data
is
at
least
one
element,
from
the
following
set
of
element
types;
any
of
these
may
appear
together
or
more
than
once
iff
(if
and
only
if)
each
instance
describes
or
is
related
to
the
same
certificate:
X509IssuerSerial
element,
which
contains
an
X.509
issuer
distinguished
name/serial
number
pair.
The
distinguished
name
X509SubjectName
element,
which
contains
an
X.509
subject
distinguished
name
that
X509SKI
element,
which
contains
the
base64
encoded
plain
(i.e.
non-DER-encoded)
value
of
a
X509
V.3
SubjectKeyIdentifier
extension,
X509Certificate
element,
which
contains
a
base64-encoded
[
X509V3
]
certificate,
and
X509CRL
element,
which
contains
a
base64-encoded
certificate
revocation
list
(CRL)
[
X509V3
].
dsig11:X509Digest
element
contains
a
base64-encoded
digest
of
a
certificate.
The
digest
algorithm
URI
is
identified
with
a
required
Algorithm
attribute.
The
input
to
the
digest
Any
X509IssuerSerial
,
X509SKI
,
X509SubjectName
,
and
dsig11:X509Digest
elements
that
appear
must
MUST
refer
to
the
certificate
or
certificates
containing
the
validation
key.
All
such
elements
that
refer
to
a
particular
individual
certificate
must
MUST
be
grouped
inside
a
single
X509Data
element
and
if
the
certificate
to
which
they
refer
appears,
it
must
MUST
also
be
in
that
X509Data
element.
Any
X509IssuerSerial
,
X509SKI
,
X509SubjectName
,
and
dsig11:X509Digest
elements
that
relate
to
the
same
key
but
different
certificates
must
MUST
be
grouped
within
a
single
KeyInfo
but
may
MAY
occur
in
multiple
X509Data
elements.
Note
that
if
X509Data
child
elements
are
used
to
identify
a
trusted
certificate
(rather
than
solely
as
an
untrusted
hint
supplemented
by
validation
by
policy),
the
complete
set
of
such
elements
that
are
intended
to
identify
a
certificate
should
SHOULD
be
integrity
protected,
typically
by
signing
an
entire
X509Data
or
KeyInfo
element.
All
certificates
appearing
in
an
X509Data
element
must
MUST
relate
to
the
validation
key
by
either
containing
it
or
being
part
of
a
certification
chain
that
terminates
in
a
certificate
containing
the
validation
key.
No ordering is implied by the above constraints. The comments in the following instance demonstrate these constraints:
<KeyInfo> <X509Data> <!-- two pointers to certificate-A --> <X509IssuerSerial> <X509IssuerName> CN=TAMURA Kent, OU=TRL, O=IBM, L=Yamato-shi, ST=Kanagawa, C=JP </X509IssuerName> <X509SerialNumber>12345678</X509SerialNumber> </X509IssuerSerial> <X509SKI>31d97bd7</X509SKI> </X509Data> <X509Data><!-- single pointer to certificate-B --> <X509SubjectName>Subject of Certificate B</X509SubjectName> </X509Data> <X509Data> <!-- certificate chain --> <!--Signer cert, issuer CN=arbolCA,OU=FVT,O=IBM,C=US, serial 4--> <X509Certificate>MIICXTCCA..</X509Certificate> <!-- Intermediate cert subject CN=arbolCA,OU=FVT,O=IBM,C=US issuer CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US --> <X509Certificate>MIICPzCCA...</X509Certificate> <!-- Root cert subject CN=tootiseCA,OU=FVT,O=Bridgepoint,C=US --> <X509Certificate>MIICSTCCA...</X509Certificate> </X509Data> </KeyInfo>
Note,
there
is
no
direct
provision
for
a
PKCS#7
encoded
"bag"
of
certificates
or
CRLs.
However,
a
set
of
certificates
and
CRLs
can
occur
within
an
X509Data
element
and
multiple
X509Data
elements
can
occur
in
a
KeyInfo
.
Whenever
multiple
certificates
occur
in
an
X509Data
element,
at
least
one
such
certificate
must
contain
the
public
key
which
verifies
the
signature.
While
in
principle
many
certificate
encodings
are
possible,
it
is
recommended
RECOMMENDED
that
certificates
appearing
in
an
X509Certificate
element
be
limited
to
an
encoding
of
BER
or
its
DER
subset,
allowing
that
within
the
certificate
other
content
may
be
present.
The
use
of
other
encodings
may
lead
to
interoperability
issues.
In
any
case,
XML
Signature
implementations
should
not
SHOULD
NOT
alter
or
re-encode
certificates,
as
doing
so
could
invalidate
their
signatures.
The
X509IssuerSerial
element
has
been
deprecated
in
favor
of
the
newly-introduced
dsig11:X509Digest
element.
The
XML
Schema
type
of
the
serial
number
was
defined
to
be
an
integer,
and
XML
Schema
validators
may
not
support
integer
types
with
decimal
data
exceeding
18
decimal
digits
[
XMLSCHEMA-2
].
This
has
proven
insufficient,
because
many
Certificate
Authorities
issue
certificates
with
large,
random
serial
numbers
that
exceed
this
limit.
As
a
result,
deployments
that
do
make
use
of
this
element
should
take
care
if
schema
validation
is
involved.
New
deployments
should
SHOULD
avoid
use
of
the
element.
To
encode
a
distinguished
name
(
X509IssuerSerial
,
X509SubjectName
,
and
KeyName
if
appropriate),
the
encoding
rules
in
section
2
of
RFC
4514
[
LDAP-DN
]
should
SHOULD
be
applied,
except
that
the
character
escaping
rules
in
section
2.4
of
RFC
4514
[
LDAP-DN
]
may
MAY
be
augmented
as
follows:
Since an XML document logically consists of characters, not octets, the resulting Unicode string is finally encoded according to the character encoding used for producing the physical representation of the XML document.
Schema Definition :
<element name = "X509Data" type = "ds:X509DataType" /> <complexType name = "X509DataType" > <sequence maxOccurs = "unbounded" > <choice> <element name = "X509IssuerSerial" type = "ds:X509IssuerSerialType" /> <element name = "X509SKI" type = "base64Binary" /> <element name = "X509SubjectName" type = "string" /> <element name = "X509Certificate" type = "base64Binary" /> <element name = "X509CRL" type = "base64Binary" /> <!-- <element ref="dsig11:X509Digest"/> --> <!-- The X509Digest element (XMLDSig 1.1) will use the any element --> <any namespace = "##other" processContents = "lax" /> </choice> </sequence> </complexType> <complexType name = "X509IssuerSerialType" > <sequence> <element name = "X509IssuerName" type = "string" /> <element name = "X509SerialNumber" type = "integer" /> </sequence> </complexType> <!-- Note, this schema permits X509Data to be empty; this is precluded by the text in <a href="#sec-KeyInfo" class="sectionRef"></a> which states that at least one element from the dsig namespace should be present in the PGP, SPKI, and X509 structures. This is easily expressed for the other key types, but not for X509Data because of its rich structure. --> <!-- targetNameSpace="http://www.w3.org/2009/xmldsig11#" --> <element name = "X509Digest" type = "dsig11:X509DigestType" /> <complexType name = "X509DigestType" > <simpleContent> <extension base = "base64Binary" > <attribute name = "Algorithm" type = "anyURI" use = "required" /> </extension> </simpleContent> </complexType>
PGPData
Element
Type="
http://www.w3.org/2000/09/xmldsig#PGPData
"
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
The
PGPData
element
within
KeyInfo
is
used
to
convey
information
related
to
PGP
public
key
pairs
and
signatures
on
such
keys.
The
PGPKeyID
's
value
is
a
base64Binary
sequence
containing
a
standard
PGP
public
key
identifier
as
defined
in
[
PGP
]
section
11.2].
The
PGPKeyPacket
contains
a
base64-encoded
Key
Material
Packet
as
defined
in
[
PGP
]
section
5.5].
These
children
element
types
can
be
complemented/extended
by
siblings
from
an
external
namespace
within
PGPData
,
or
PGPData
can
be
replaced
all
together
with
an
alternative
PGP
XML
structure
as
a
child
of
KeyInfo
.
PGPData
must
contain
one
PGPKeyID
and/or
one
PGPKeyPacket
and
0
or
more
elements
from
an
external
namespace.
Schema Definition :
<element name = "PGPData" type = "ds:PGPDataType" /> <complexType name = "PGPDataType" > <choice> <sequence> <element name = "PGPKeyID" type = "base64Binary" /> <element name = "PGPKeyPacket" type = "base64Binary" minOccurs = "0" /> <any namespace = "##other" processContents = "lax" minOccurs = "0" maxOccurs = "unbounded" /> </sequence> <sequence> <element name = "PGPKeyPacket" type = "base64Binary" /> <any namespace = "##other" processContents = "lax" minOccurs = "0" maxOccurs = "unbounded" /> </sequence> </choice> </complexType>
SPKIData
Element
Type="
http://www.w3.org/2000/09/xmldsig#SPKIData
"
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
The
SPKIData
element
within
KeyInfo
is
used
to
convey
information
related
to
SPKI
public
key
pairs,
certificates
and
other
SPKI
data.
SPKISexp
is
the
base64
encoding
of
a
SPKI
canonical
S-expression.
SPKIData
must
have
at
least
one
SPKISexp
;
SPKISexp
can
be
complemented/extended
by
siblings
from
an
external
namespace
within
SPKIData
,
or
SPKIData
can
be
entirely
replaced
with
an
alternative
SPKI
XML
structure
as
a
child
of
KeyInfo
.
Schema Definition :
<element name = "SPKIData" type = "ds:SPKIDataType" /> <complexType name = "SPKIDataType" > <sequence maxOccurs = "unbounded" > <element name = "SPKISexp" type = "base64Binary" /> <any namespace = "##other" processContents = "lax" minOccurs = "0" /> </sequence> </complexType>
MgmtData
Element
Type="
http://www.w3.org/2000/09/xmldsig#MgmtData
"
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
MgmtData
element
within
KeyInfo
is
a
string
value
used
to
convey
in-band
key
distribution
or
agreement
data.
However,
use
of
this
element
is
KeyInfo
types
for
conveying
key
information.
Schema Definition :
<element name = "MgmtData" type = "string" />
EncryptedKey
and
DerivedKey
Elements
<xenc:EncryptedKey>
and
<xenc:DerivedKey>
elements
defined
in
[
XMLENC-CORE1
]
as
children
of
ds:KeyInfo
can
be
used
to
convey
in-band
encrypted
or
derived
key
material.
In
particular,
the
xenc:DerivedKey
>
element
may
be
present
when
the
key
used
in
calculating
a
Message
Authentication
Code
is
derived
from
a
shared
secret.
DEREncodedKeyValue
Element
Type="
http://www.w3.org/2009/xmldsig11#DEREncodedKeyValue
"
(this
can
be
used
within
a
RetrievalMethod
or
Reference
element
to
identify
the
referent's
type)
The public key algorithm and value are DER-encoded in accordance with the value that would be used in the Subject Public Key Info field of an X.509 certificate, per section 4.1.2.7 of [ RFC5280 ]. The DER-encoded value is then base64-encoded.
For the key value types supported in this specification, refer to the following for normative references on the format of Subject Public Key Info and the relevant OID values that identify the key/algorithm type:
Specifications that define additional key types should provide such a normative reference for their own key types where possible.
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <element name = "DEREncodedKeyValue" type = "dsig11:DEREncodedKeyValueType" /> <complexType name = "DEREncodedKeyValueType" > <simpleContent> <extension base = "base64Binary" > <attribute name = "Id" type = "ID" use = "optional" /> </extension> </simpleContent> </complexType>
Historical
note:
The
DEREncodedKeyValue
element
was
added
to
XML
Signature
1.1
in
order
to
support
certain
interoperability
scenarios
where
at
least
one
of
signer
and/or
verifier
are
not
able
to
serialize
keys
in
the
XML
formats
described
in
section
4.5.2
The
KeyValue
Element
above.
The
KeyValue
element
is
to
be
used
for
"bare"
XML
key
representations
(not
XML
wrappings
around
other
binary
encodings
like
ASN.1
DER);
for
this
reason
the
DEREncodedKeyValue
element
is
not
a
child
of
KeyValue
.
The
DEREncodedKeyValue
element
is
also
not
a
child
of
the
X509Data
element,
as
the
keys
represented
by
DEREncodedKeyValue
may
not
have
X.509
certificates
associated
with
them
(a
requirement
for
X509Data
).
KeyInfoReference
Element
A
KeyInfoReference
element
within
KeyInfo
is
used
to
convey
a
reference
to
a
KeyInfo
element
at
another
location
in
the
same
or
different
document.
For
example,
several
signatures
in
a
document
might
use
a
key
verified
by
an
X.509v3
certificate
chain
appearing
once
in
the
document
or
remotely
outside
the
document;
each
signature's
KeyInfo
can
reference
this
chain
using
a
single
KeyInfoReference
element
instead
of
including
the
entire
chain
with
a
sequence
of
X509Certificate
elements
repeated
in
multiple
places.
KeyInfoReference
uses
the
same
syntax
and
dereferencing
behavior
as
Reference
's
URI
(
section
4.4.3.1
The
URI
Attribute
)
and
the
Reference
Processing
Model
(
section
4.4.3.2
The
Reference
Processing
Model
)
except
that
there
are
no
child
elements
and
the
presence
of
the
URI
attribute
is
mandatory.
The
result
of
dereferencing
a
KeyInfoReference
must
MUST
be
a
KeyInfo
element,
or
an
XML
document
with
a
KeyInfo
element
as
the
root.
Note:
The
KeyInfoReference
element
is
a
desirable
alternative
to
the
use
of
RetrievalMethod
when
the
data
being
referred
to
is
a
KeyInfo
element
and
the
use
of
RetrievalMethod
would
require
one
or
more
Transform
child
elements,
which
introduce
security
risk
and
implementation
challenges.
Schema Definition :
<!-- targetNamespace="http://www.w3.org/2009/xmldsig11#" --> <element name = "KeyInfoReference" type = "dsig11:KeyInfoReferenceType" /> <complexType name = "KeyInfoReferenceType" > <attribute name = "URI" type = "anyURI" use = "required" /> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
Object
Element
Type=
"http://www.w3.org/2000/09/xmldsig#Object"
(this
can
be
used
within
a
Reference
element
to
identify
the
referent's
type)
Object
is
an
optional
element
that
may
occur
one
or
more
times.
When
present,
this
element
may
contain
any
data.
The
Object
element
may
include
optional
MIME
type,
ID,
and
encoding
attributes.
The
Object
's
Encoding
attributed
may
be
used
to
provide
a
URI
that
identifies
the
method
by
which
the
object
is
encoded
(e.g.,
a
binary
file).
The
MimeType
attribute
is
an
optional
attribute
which
describes
the
data
within
the
Object
(independent
of
its
encoding).
This
is
a
string
with
values
defined
by
[
RFC2045
].
For
example,
if
the
Object
contains
base64
encoded
PNG
,
the
Encoding
may
be
specified
as
'http://www.w3.org/2000/09/xmldsig#base64'
and
the
MimeType
as
'image/png'.
This
attribute
is
purely
advisory;
no
validation
of
the
MimeType
information
is
required
by
this
specification.
Applications
which
require
normative
type
and
encoding
information
for
signature
validation
should
specify
Transforms
with
well
defined
resulting
types
and/or
encodings.
The
Object
's
Id
is
commonly
referenced
from
a
Reference
in
SignedInfo
,
or
Manifest
.
This
element
is
typically
used
for
enveloping
signatures
where
the
object
being
signed
is
to
be
included
in
the
signature
element.
The
digest
is
calculated
over
the
entire
Object
element
including
start
and
end
tags.
Note,
if
the
application
wishes
to
exclude
the
<Object>
tags
from
the
digest
calculation
the
Reference
must
identify
the
actual
data
object
(easy
for
XML
documents)
or
a
transform
must
be
used
to
remove
the
Object
tags
(likely
where
the
data
object
is
non-XML).
Exclusion
of
the
object
tags
may
be
desired
for
cases
where
one
wants
the
signature
to
remain
valid
if
the
data
object
is
moved
from
inside
a
signature
to
outside
the
signature
(or
vice
versa),
or
where
the
content
of
the
Object
is
an
encoding
of
an
original
binary
document
and
it
is
desired
to
extract
and
decode
so
as
to
sign
the
original
bitwise
representation.
Schema Definition :
<element name = "Object" type = "ds:ObjectType" /> <complexType name = "ObjectType" mixed = "true" > <sequence minOccurs = "0" maxOccurs = "unbounded" > <any namespace = "##any" processContents = "lax" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> <attribute name = "MimeType" type = "string" use = "optional" /> <attribute name = "Encoding" type = "anyURI" use = "optional" /> </complexType>
This
section
describes
the
optional
to
implement
Manifest
and
SignatureProperties
elements
and
describes
the
handling
of
XML
processing
instructions
and
comments.
With
respect
to
the
elements
Manifest
and
SignatureProperties
this
section
specifies
syntax
and
little
behavior
--
it
is
left
to
the
application.
These
elements
can
appear
anywhere
the
parent's
content
model
permits;
the
Signature
content
model
only
permits
them
within
Object
.
Manifest
Element
Type=
"http://www.w3.org/2000/09/xmldsig#Manifest"
(this
can
be
used
within
a
Reference
element
to
identify
the
referent's
type)
The
Manifest
element
provides
a
list
of
Reference
s.
The
difference
from
the
list
in
SignedInfo
is
that
it
is
application
defined
which,
if
any,
of
the
digests
are
actually
checked
against
the
objects
referenced
and
what
to
do
if
the
object
is
inaccessible
or
the
digest
compare
fails.
If
a
Manifest
is
pointed
to
from
SignedInfo
,
the
digest
over
the
Manifest
itself
will
be
checked
by
the
core
signature
validation
behavior.
The
digests
within
such
a
Manifest
are
checked
at
the
application's
discretion.
If
a
Manifest
is
referenced
from
another
Manifest
,
even
the
overall
digest
of
this
two
level
deep
Manifest
might
not
be
checked.
Schema Definition :
<element name = "Manifest" type = "ds:ManifestType" /> <complexType name = "ManifestType" > <sequence> <element ref = "ds:Reference" maxOccurs = "unbounded" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
SignatureProperties
Element
Type="
http://www.w3.org/2000/09/xmldsig#SignatureProperties
"
(this
can
be
used
within
a
Reference
element
to
identify
the
referent's
type)
Additional
information
items
concerning
the
generation
of
the
signature(s)
can
be
placed
in
a
SignatureProperty
element
(i.e.,
date/time
stamp
or
the
serial
number
of
cryptographic
hardware
used
in
signature
generation).
Schema Definition :
<element name = "SignatureProperties" type = "ds:SignaturePropertiesType" /> <complexType name = "SignaturePropertiesType" > <sequence> <element ref = "ds:SignatureProperty" maxOccurs = "unbounded" /> </sequence> <attribute name = "Id" type = "ID" use = "optional" /> </complexType> <element name = "SignatureProperty" type = "ds:SignaturePropertyType" /> <complexType name = "SignaturePropertyType" mixed = "true" > <choice maxOccurs = "unbounded" > <any namespace = "##other" processContents = "lax" /> <!-- (1,1) elements from (1,unbounded) namespaces --> </choice> <attribute name = "Target" type = "anyURI" use = "required" /> <attribute name = "Id" type = "ID" use = "optional" /> </complexType>
No XML processing instructions (PIs) are used by this specification.
Note
that
PIs
placed
inside
SignedInfo
by
an
application
will
be
signed
unless
the
CanonicalizationMethod
algorithm
discards
them.
(This
is
true
for
any
signed
XML
content.)
All
of
the
CanonicalizationMethod
s
identified
within
this
specification
retain
PIs.
When
a
PI
is
part
of
content
that
is
signed
(e.g.,
within
SignedInfo
or
referenced
XML
documents)
any
change
to
the
PI
will
obviously
result
in
a
signature
failure.
XML comments are not used by this specification.
Note
that
unless
CanonicalizationMethod
removes
comments
within
SignedInfo
or
any
other
referenced
XML
(which
[
XML-C14N
]
does),
they
will
be
signed.
Consequently,
if
they
are
retained,
a
change
to
the
comment
will
cause
a
signature
failure.
Similarly,
the
XML
signature
over
any
XML
data
will
be
sensitive
to
comment
changes
unless
a
comment-ignoring
canonicalization/transform
method,
such
as
the
Canonical
XML
[
XML-C14N
],
is
specified.
This
section
identifies
algorithms
used
with
the
XML
digital
signature
specification.
Entries
contain
the
identifier
to
be
used
in
Signature
elements,
a
reference
to
the
formal
specification,
and
definitions,
where
applicable,
for
the
representation
of
keys
and
the
results
of
cryptographic
operations.
Algorithms
are
identified
by
URIs
that
appear
as
an
attribute
to
the
element
that
identifies
the
algorithms'
role
(
DigestMethod
,
Transform
,
SignatureMethod
,
or
CanonicalizationMethod
).
All
algorithms
used
herein
take
parameters
but
in
many
cases
the
parameters
are
implicit.
For
example,
a
SignatureMethod
is
implicitly
given
two
parameters:
the
keying
info
and
the
output
of
CanonicalizationMethod
.
Explicit
additional
parameters
to
an
algorithm
appear
as
content
elements
within
the
algorithm
role
element.
Such
parameter
elements
have
a
descriptive
element
name,
which
is
frequently
algorithm
specific,
and
must
MUST
be
in
the
XML
Signature
namespace
or
an
algorithm
specific
namespace.
This specification defines a set of algorithms, their URIs, and requirements for implementation. Requirements are specified over implementation, not over requirements for signature use. Furthermore, the mechanism is extensible; alternative algorithms may be used by signature applications.
*note:
Note
that
the
same
URI
is
used
to
identify
base64
both
in
"encoding"
context
(e.g.
within
the
Object
element)
as
well
as
in
"transform"
context
(when
identifying
a
base64
transform).
**note:
The
Enveloped
Signature
transform
removes
the
Signature
element
from
the
calculation
of
the
signature
when
the
signature
is
within
the
content
that
it
is
being
signed.
This
may
MAY
be
implemented
via
the
XPath
specification
specified
in
6.6.4:
Enveloped
Signature
Transform
;
it
must
MUST
have
the
same
effect
as
that
specified
by
the
XPath
Transform.
When using transforms, we RECOMMEND selecting the least expressive choice that still accomplishes the needs of the use case at hand: Use of XPath filter 2.0 is recommended over use of XPath filter. Use of XPath filter is recommended over use of XSLT.
Note:
Implementation
requirements
for
the
XPath
transform
may
be
downgraded
to
optional
OPTIONAL
in
a
future
version
of
this
specification.
This
specification
defines
several
possible
digest
algorithms
for
the
DigestMethod
element,
including
required
REQUIRED
algorithm
SHA-256.
Use
of
SHA-256
is
strongly
recommended
over
SHA-1
because
recent
advances
in
cryptanalysis
(see
e.g.
[
SHA-1-Analysis
])
have
cast
doubt
on
the
long-term
collision
resistance
of
SHA-1.
Therefore,
SHA-1
support
is
required
REQUIRED
in
this
specification
only
for
backwards-compatibility
reasons.
Digest
algorithms
that
are
known
not
to
be
collision
resistant
should
not
SHOULD
NOT
be
used
in
DigestMethod
elements.
For
example,
the
MD5
message
digest
algorithm
should
not
SHOULD
NOT
be
used
as
specific
collisions
have
been
demonstrated
for
that
algorithm.
Note: Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [ SHA-1-Analysis ], [ SHA-1-Collisions ] ) have cast doubt on the long-term collision resistance of SHA-1.
The SHA-1 algorithm [ FIPS-186-3 ] takes no explicit parameters. An example of an SHA-1 DigestAlg element is:
<DigestMethod Algorithm = "http://www.w3.org/2000/09/xmldsig#sha1" />
A SHA-1 digest is a 160-bit string. The content of the DigestValue element shall be the base64 encoding of this bit string viewed as a 20-octet octet stream. For example, the DigestValue element for the message digest:
A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
from Appendix A of the SHA-1 standard would be:
<DigestValue> qZk+NkcGgWq6PiVxeFDCbJzQ2J0= </DigestValue>
The SHA-224 algorithm [ FIPS-180-3 ] takes no explicit parameters. A SHA-224 digest is a 224-bit string. The content of the DigestValue element shall be the base64 encoding of this bit string viewed as a 28-octet octet stream.
The SHA-256 algorithm [ FIPS-180-3 ] takes no explicit parameters. A SHA-256 digest is a 256-bit string. The content of the DigestValue element shall be the base64 encoding of this bit string viewed as a 32-octet octet stream.
The SHA-384 algorithm [ FIPS-180-3 ] takes no explicit parameters. A SHA-384 digest is a 384-bit string. The content of the DigestValue element shall be the base64 encoding of this bit string viewed as a 48-octet octet stream.
The SHA-512 algorithm [ FIPS-180-3 ] takes no explicit parameters. A SHA-512 digest is a 512-bit string. The content of the DigestValue element shall be the base64 encoding of this bit string viewed as a 64-octet octet stream.
MAC
algorithms
take
two
implicit
parameters,
their
keying
material
determined
from
KeyInfo
and
the
octet
stream
output
by
CanonicalizationMethod
.
MACs
and
signature
algorithms
are
syntactically
identical
but
a
MAC
implies
a
shared
secret
key.
The
HMAC
algorithm
(RFC2104
[
HMAC
])
takes
the
output
(truncation)
length
in
bits
as
a
parameter;
this
specification
REQUIRES
that
the
truncation
length
be
a
multiple
of
8
(i.e.
fall
on
a
byte
boundary)
because
Base64
encoding
operates
on
full
bytes.
If
the
truncation
parameter
is
not
specified
then
all
the
bits
of
the
hash
are
output.
Any
signature
with
a
truncation
length
that
is
less
than
half
the
output
length
of
the
underlying
hash
algorithm
must
MUST
be
deemed
invalid.
An
example
of
an
HMAC
SignatureMethod
element:
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"> <HMACOutputLength>128</HMACOutputLength> </SignatureMethod>
The
output
of
the
HMAC
algorithm
is
ultimately
the
output
(possibly
truncated)
of
the
chosen
digest
algorithm.
This
value
shall
be
base64
encoded
in
the
same
straightforward
fashion
as
the
output
of
the
digest
algorithms.
Example:
the
SignatureValue
element
for
the
HMAC-SHA1
digest
9294727A 3638BB1C 13F48EF8 158BFC9D
from the test vectors in [ HMAC ] would be
<SignatureValue> kpRyejY4uxwT9I74FYv8nQ== </SignatureValue>
Schema Definition :
<simpleType name = "HMACOutputLengthType" > <restriction base = "integer" /> </simpleType>
Signature
algorithms
take
two
implicit
parameters,
their
keying
material
determined
from
KeyInfo
and
the
octet
stream
output
by
CanonicalizationMethod
.
Signature
and
MAC
algorithms
are
syntactically
identical
but
a
signature
implies
public
key
cryptography.
The DSA family of algorithms is defined in FIPS 186-3 [ FIPS-186-3 ]. FIPS 186-3 defines DSA in terms of two security parameters L and N where L = |p|, N = |q|, p is the prime modulus, q is a prime divisor of (p-1). FIPS 186-3 defines four valid pairs of (L, N); they are: (1024, 160), (2048, 224), (2048, 256) and (3072, 256). The pair (1024, 160) corresponds to the algorithm DSAwithSHA1, which is identified in this specification by the URI http://www.w3.org/2000/09/xmldsig#dsa-sha1 . The pairs (2048, 256) and (3072, 256) correspond to the algorithm DSAwithSHA256, which is identified in this specification by the URI http://www.w3.org/2009/xmldsig11#dsa-sha256 . This specification does not use the (2048, 224) instance of DSA (which corresponds to DSAwithSHA224).
DSA
takes
no
explicit
parameters;
an
example
of
a
DSA
SignatureMethod
element
is:
<SignatureMethod
Algorithm
=
"http://www.w3.org/2009/xmldsig11#dsa-sha256"
/>
The
output
of
the
DSA
algorithm
consists
of
a
pair
of
integers
usually
referred
by
the
pair
(r,
s).
The
signature
value
consists
of
the
base64
encoding
of
the
concatenation
of
two
octet-streams
that
respectively
result
from
the
octet-encoding
of
the
values
r
and
s
in
that
order.
Integer
to
octet-stream
conversion
must
be
done
according
to
the
I2OSP
operation
defined
in
the
RFC
3447
[
PKCS1
]
specification
with
a
l
parameter
equal
to
20.
For
example,
the
SignatureValue
element
for
a
DSA
signature
(
r
,
s
)
with
values
specified
in
hexadecimal:
r = 8BAC1AB6 6410435C B7181F95 B16AB97C 92B341C0
s = 41E2345F 1F56DF24 58F426D1 55B4BA2D B6DCD8C8
from the example in Appendix 5 of the DSS standard would be
<SignatureValue>
i6watmQQQ1y3GB+VsWq5fJKzQcBB4jRfH1bfJFj0JtFVtLotttzYyA== </SignatureValue>
Per FIPS 186-3 [ FIPS-186-3 ], the DSA security parameter L is defined to be 1024, 2048 or 3072 bits and the corresponding DSA q value is defined to be 160, 224/256 and 256 bits respectively.
NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [ SP800-57 ]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and 3072-bit keys are recommended for securing information beyond 2030. SP800-57 Part 1 states that DSA 1024-bit key sizes should not be used except to verify and honor signatures created using older legacy systems.
Since
XML
Signature
1.0
requires
implementations
to
support
DSA-based
digital
signatures,
this
XML
Signature
1.1
revision
allows
verifiers
to
verify
DSA
signatures
for
DSA
keys
of
1024
bits
in
order
to
validate
existing
signatures.
XML
Signature
1.1
implementations
may
MAY
but
are
not
required
NOT
REQUIRED
to
support
DSA-based
signature
generation.
Given
the
short
key
size
and
SP800-57
guidelines,
DSA
with
1024-bit
prime
moduli
should
not
SHOULD
NOT
be
used
to
create
signatures.
DSA
with
1024-bit
prime
moduli
may
MAY
be
used
to
verify
older
legacy
signatures,
with
an
understanding
of
the
associated
risks.
Important
older
signatures
should
SHOULD
be
re-signed
with
stronger
signatures.
The expression "RSA algorithm" as used in this specification refers to the RSASSA-PKCS1-v1_5 algorithm described in RFC 3447 [ PKCS1 ]. The RSA algorithm takes no explicit parameters. An example of an RSA SignatureMethod element is:
<SignatureMethod
Algorithm
=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"
/>
The
SignatureValue
content
for
an
RSA
signature
is
the
base64
[
RFC2045
]
encoding
of
the
octet
string
computed
as
per
RFC
3447
[
PKCS1
],
section
8.2.1:
Signature
generation
for
the
RSASSA-PKCS1-v1_5
signature
scheme].
Computation
of
the
signature
will
require
concatenation
of
the
hash
value
and
a
constant
string
determined
by
RFC
3447.
Signature
computation
and
verification
does
not
require
implementation
of
an
ASN.1
parser.
The resulting base64 [ RFC2045 ] string is the value of the child text node of the SignatureValue element, e.g.
<SignatureValue> IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4t0/gyTE96639In0FZFY2/rvP+/bMJ01EArmKZs R5VW3rwoPxw= </SignatureValue>
Note - A line break has been added to preserve printed page width.
NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [ SP800-57 ]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and 3072-bit keys are recommended for securing information beyond 2030.
All
conforming
implementations
of
XML
Signature
1.1
must
MUST
support
RSA
signature
generation
and
verification
with
public
keys
at
least
2048
bits
in
length.
RSA
public
keys
of
1024
bits
or
less
should
not
SHOULD
NOT
be
used
to
create
new
signatures
but
may
MAY
be
used
to
verify
signatures
created
by
older
legacy
systems.
XML
Signature
1.1
implementations
must
MUST
use
at
least
2048-bit
keys
for
creating
signatures,
and
should
SHOULD
use
at
least
3072-bit
keys
for
signatures
that
will
be
verified
beyond
2030.
The
ECDSA
algorithm
[
FIPS-186-3
]
takes
no
explicit
parameters.
An
example
of
a
ECDSA
SignatureMethod
element
is:
<SignatureMethod Algorithm = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" />
The
output
of
the
ECDSA
algorithm
consists
of
a
pair
of
integers
usually
referred
by
the
pair
(r,
s).
The
signature
value
consists
of
the
base64
encoding
of
the
concatenation
of
two
octet-streams
that
respectively
result
from
the
octet-encoding
of
the
values
r
and
s
in
that
order.
Integer
to
octet-stream
conversion
must
be
done
according
to
the
I2OSP
operation
defined
in
the
RFC
3447
[
PKCS1
]
specification
with
the
l
parameter
equal
to
the
size
of
the
base
point
order
of
the
curve
in
bytes
(e.g.
32
for
the
P-256
curve
and
66
for
the
P-521
curve).
This
specification
REQUIRES
implementations
to
implement
an
algorithm
that
leads
to
the
same
results
as
ECDSA
over
the
P-256
prime
curve
specified
in
Section
D.2.3
of
FIPS
186-3
[
FIPS-186-3
]
(and
using
the
SHA-256
hash
algorithm),
referred
to
as
the
ECDSAwithSHA256
signature
algorithm
[
ECC-ALGS
].
It
is
further
recommended
RECOMMENDED
that
implementations
also
implement
algorithms
that
lead
to
the
same
results
as
ECDSA
over
the
P-384
and
P-521
prime
curves;
these
curves
are
defined
in
Sections
D.2.4
and
D.2.5
of
FIPS
186-3,
respectively
[
ECC-ALGS
].
Note: As described in IETF RFC 6090, the Elliptic Curve DSA (ECDSA) and KT-I signature methods are mathematically and functionally equivalent for fields of characteristic greater than three. See IETF RFC 6090 Section 7.2 [ ECC-ALGS ].
If canonicalization is performed over octets, the canonicalization algorithms take two implicit parameters: the content and its charset. The charset is derived according to the rules of the transport protocols and media types (e.g, [ XML-MEDIA-TYPES ] defines the media types for XML). This information is necessary to correctly sign and verify documents and often requires careful server side configuration.
Various
canonicalization
algorithms
require
conversion
to
[
UTF-8
].
The
algorithms
below
understand
at
least
[
UTF-8
]
and
[
UTF-16
]
as
input
encodings.
We
RECOMMEND
that
externally
specified
algorithms
do
the
same.
Knowledge
of
other
encodings
is
optional
OPTIONAL
.
Various canonicalization algorithms transcode from a non-Unicode encoding to Unicode. The output of these algorithms will be in NFC [ NFC ]. This is because the XML processor used to prepare the XPath data model input is required (by the Data Model) to use Normalization Form C when converting an XML document to the UCS character domain from any encoding that is not UCS-based.
We RECOMMEND that externally specified canonicalization algorithms do the same. (Note, there can be ambiguities in converting existing charsets to Unicode, for an example see the XML Japanese Profile Note [ XML-Japanese ].)
This specification REQUIRES implementation of Canonical XML 1.0 [ XML-C14N ], Canonical XML 1.1 [ XML-C14N11 ]] and Exclusive XML Canonicalization [ XML-EXC-C14N ]. We RECOMMEND that applications that generate signatures choose Canonical XML 1.1 [ XML-C14N11 ] when inclusive canonicalization is desired.
Note : Canonical XML 1.0 [ XML-C14N ] and Canonical XML 1.1 [ XML-C14N11 ] specify a standard serialization of XML that, when applied to a subdocument, includes the subdocument's ancestor context including all of the namespace declarations and some attributes in the 'xml:' namespace. However, some applications require a method which, to the extent practical, excludes unused ancestor context from a canonicalized subdocument. The Exclusive XML Canonicalization Recommendation [ XML-EXC-C14N ] may be used to address requirements resulting from scenarios where a subdocument is moved between contexts.
An example of an XML canonicalization element is:
<CanonicalizationMethod Algorithm = "
http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
The normative specification of Canonical XML1.0 is [ XML-C14N ]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML is easily parameterized (via an additional URI) to omit or retain comments.
The normative specification of Canonical XML 1.1 is [ XML-C14N11 ]. The algorithm is capable of taking as input either an octet stream or an XPath node-set (or sufficiently functional alternative). The algorithm produces an octet stream as output. Canonical XML 1.1 is easily parameterized (via an additional URI) to omit or retain comments.
The normative specification of Exclusive XML Canonicalization 1.0 is [XML-EXC-C14N]].
Transform
Algorithms
A
Transform
algorithm
has
a
single
implicit
parameter:
an
octet
stream
from
the
Reference
or
the
output
of
an
earlier
Transform
.
For
implementation
requirements,
please
see
Algorithm
Identifiers
and
Implementation
Requirements
.
Application
developers
are
strongly
encouraged
to
support
all
transforms
that
are
listed
as
recommended
RECOMMENDED
unless
the
application
environment
has
resource
constraints
that
would
make
such
support
impractical.
Compliance
with
this
recommendation
will
maximize
application
interoperability
and
libraries
should
be
available
to
enable
support
of
these
transforms
in
applications
without
extensive
development.
Any
canonicalization
algorithm
that
can
be
used
for
CanonicalizationMethod
(such
as
those
in
Canonicalization
Algorithms
(section
6.5))
can
be
used
as
a
Transform
.
The
normative
specification
for
base64
decoding
transforms
is
[
RFC2045
].
The
base64
Transform
element
has
no
content.
The
input
is
decoded
by
the
algorithms.
This
transform
is
useful
if
an
application
needs
to
sign
the
raw
data
associated
with
the
encoded
content
of
an
element.
This
transform
accepts
either
an
octet-stream
or
a
node-set
as
input.
If
an
octet-string
is
given
as
input,
then
this
octet-stream
is
processed
directly.
If
an
XPath
node-set
(or
sufficiently
functional
alternative)
is
given
as
input,
then
it
is
converted
to
an
octet
stream
by
performing
operations
logically
equivalent
to
1)
applying
an
XPath
transform
with
expression
self::text()
,
then
2)
sorting
the
nodeset
by
document
order,
then
concatenating
the
string-value
of
each
of
the
nodes
into
one
long
string.
Thus,
if
an
XML
element
is
identified
by
a
shortname
XPointer
in
the
Reference
URI,
and
its
content
consists
solely
of
base64
encoded
character
data,
then
this
transform
automatically
strips
away
the
start
and
end
tags
of
the
identified
element
and
any
of
its
descendant
elements
as
well
as
any
descendant
comments
and
processing
instructions.
The
output
of
this
transform
is
an
octet
stream.
The
normative
specification
for
XPath
expression
evaluation
is
[
XPATH
].
The
XPath
expression
to
be
evaluated
appears
as
the
character
content
of
a
transform
parameter
child
element
named
XPath
.
The
input
required
by
this
transform
is
an
XPath
node-set
or
an
octet-stream.
Note
that
if
the
actual
input
is
an
XPath
node-set
resulting
from
a
null
URI
or
shortname
XPointer
dereference,
then
comment
nodes
will
have
been
omitted.
If
the
actual
input
is
an
octet
stream,
then
the
application
must
MUST
convert
the
octet
stream
to
an
XPath
node-set
suitable
for
use
by
Canonical
XML
with
Comments.
(A
subsequent
application
of
the
required
REQUIRED
Canonical
XML
algorithm
would
strip
away
these
comments.)
In
other
words,
the
input
node-set
should
be
equivalent
to
the
one
that
would
be
created
by
the
following
process:
(//.
|
//@*
|
//namespace::*)
The evaluation of this expression includes all of the document's nodes (including comments) in the node-set representing the octet stream.
The
transform
output
is
always
an
XPath
node-set.
The
XPath
expression
appearing
in
the
XPath
parameter
is
evaluated
once
for
each
node
in
the
input
node-set.
The
result
is
converted
to
a
boolean.
If
the
boolean
is
true,
then
the
node
is
included
in
the
output
node-set.
If
the
boolean
is
false,
then
the
node
is
omitted
from
the
output
node-set.
Note:
Even
if
the
input
node-set
has
had
comments
removed,
the
comment
nodes
still
exist
in
the
underlying
parse
tree
and
can
separate
text
nodes.
For
example,
the
markup
<e>Hello,
<!--
comment
-->world!</e>
contains
two
text
nodes.
Therefore,
the
expression
self::text()[string()="Hello,
world!"]
would
fail.
Should
this
problem
arise
in
the
application,
it
can
be
solved
by
either
canonicalizing
the
document
before
the
XPath
transform
to
physically
remove
the
comments
or
by
matching
the
node
based
on
the
parent
element's
string
value
(e.g.
by
using
the
expression
self::text()[string(parent::e)="Hello,
world!"]
).
The primary purpose of this transform is to ensure that only specifically defined changes to the input XML document are permitted after the signature is affixed. This is done by omitting precisely those nodes that are allowed to change once the signature is affixed, and including all other input nodes in the output. It is the responsibility of the XPath expression author to include all nodes whose change could affect the interpretation of the transform output in the application context.
Note that the XML-Signature XPath Filter 2.0 Recommendation [ XMLDSIG-XPATH-FILTER2 ] may be used for this purpose. That recommendation defines an XPath transform that permits the easy specification of subtree selection and omission that can be efficiently implemented.
An important scenario would be a document requiring two enveloped signatures. Each signature must omit itself from its own digest calculations, but it is also necessary to exclude the second signature element from the digest calculations of the first signature so that adding the second signature does not break the first signature.
The XPath transform establishes the following evaluation context for each node of the input node-set:
As
a
result
of
the
context
node
setting,
the
XPath
expressions
appearing
in
this
transform
will
be
quite
similar
to
those
used
in
used
in
[
XSLT
],
except
that
the
size
and
position
are
always
1
to
reflect
the
fact
that
the
transform
is
automatically
visiting
every
node
(in
XSLT,
one
recursively
calls
the
command
apply-templates
to
visit
the
nodes
of
the
input
tree).
The
function
here()
is
defined
as
follows:
The here function returns a node-set containing the attribute or processing instruction node or the parent element of the text node that directly bears the XPath expression. This expression results in an error if the containing XPath expression does not appear in the same XML document against which the XPath expression is being evaluated.
As
an
example,
consider
creating
an
enveloped
signature
(a
Signature
element
that
is
a
descendant
of
an
element
being
signed).
Although
the
signed
content
should
not
be
changed
after
signing,
the
elements
within
the
Signature
element
are
changing
(e.g.
the
digest
value
must
be
put
inside
the
DigestValue
and
the
SignatureValue
must
be
subsequently
calculated).
One
way
to
prevent
these
changes
from
invalidating
the
digest
value
in
DigestValue
is
to
add
an
XPath
Transform
that
omits
all
Signature
elements
and
their
descendants.
For
example,
<Document> ... <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> ... <Reference URI=""> <Transforms> <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <XPath xmlns:dsig="&dsig;"> not(ancestor-or-self::dsig:Signature) </XPath> </Transform> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue></DigestValue> </Reference> </SignedInfo> <SignatureValue></SignatureValue> </Signature> ... </Document>
Due
to
the
null
Reference
URI
in
this
example,
the
XPath
transform
input
node-set
contains
all
nodes
in
the
entire
parse
tree
starting
at
the
root
node
(except
the
comment
nodes).
For
each
node
in
this
node-set,
the
node
is
included
in
the
output
node-set
except
if
the
node
or
one
of
its
ancestors
has
a
tag
of
Signature
that
is
in
the
namespace
given
by
the
replacement
text
for
the
entity
&dsig;
.
A
more
elegant
solution
uses
the
here
function
to
omit
only
the
Signature
containing
the
XPath
Transform,
thus
allowing
enveloped
signatures
to
sign
other
signatures.
In
the
example
above,
use
the
XPath
element:
<XPath xmlns:dsig="&dsig;"> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature) </XPath>
Since
the
XPath
equality
operator
converts
node
sets
to
string
values
before
comparison,
we
must
instead
use
the
XPath
union
operator
(|).
For
each
node
of
the
document,
the
predicate
expression
is
true
if
and
only
if
the
node-set
containing
the
node
and
its
Signature
element
ancestors
does
not
include
the
enveloped
Signature
element
containing
the
XPath
expression
(the
union
does
not
produce
a
larger
set
if
the
enveloped
Signature
element
is
in
the
node-set
given
by
ancestor-or-self::Signature
).
An
enveloped
signature
transform
T
removes
the
whole
Signature
element
containing
T
from
the
digest
calculation
of
the
Reference
element
containing
T
.
The
entire
string
of
characters
used
by
an
XML
processor
to
match
the
Signature
with
the
XML
production
element
is
removed.
The
output
of
the
transform
is
equivalent
to
the
output
that
would
result
from
replacing
T
with
an
XPath
transform
containing
the
following
XPath
parameter
element:
<XPath xmlns:dsig="&dsig;"> count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) > count(ancestor-or-self::dsig:Signature) </XPath>
The
input
and
output
requirements
of
this
transform
are
identical
to
those
of
the
XPath
transform,
but
may
only
be
applied
to
a
node-set
from
its
parent
XML
document.
Note
that
it
is
not
necessary
to
use
an
XPath
expression
evaluator
to
create
this
transform.
However,
this
transform
must
MUST
produce
output
in
exactly
the
same
manner
as
the
XPath
transform
parameterized
by
the
XPath
expression
above.
The
normative
specification
for
XSL
Transformations
is
[
XSLT
].
Specification
of
a
namespace-qualified
stylesheet
element,
which
must
MUST
be
the
sole
child
of
the
Transform
element,
indicates
that
the
specified
style
sheet
should
be
used.
Whether
this
instantiates
in-line
processing
of
local
XSLT
declarations
within
the
resource
is
determined
by
the
XSLT
processing
model;
the
ordered
application
of
multiple
stylesheet
may
require
multiple
Transforms
.
No
special
provision
is
made
for
the
identification
of
a
remote
stylesheet
at
a
given
URI
because
it
can
be
communicated
via
an
xsl:include
or
xsl:import
within
the
stylesheet
child
of
the
Transform
.
This transform requires an octet stream as input.
The output of this transform is an octet stream. The processing rules for the XSL style sheet [ XSL10 ] or transform element are stated in the XSLT specification [ XSLT ].
We
RECOMMEND
that
XSLT
transform
authors
use
an
output
method
of
xml
for
XML
and
HTML.
As
XSLT
implementations
do
not
produce
consistent
serializations
of
their
output,
we
further
RECOMMEND
inserting
a
transform
after
the
XSLT
transform
to
canonicalize
the
output.
These
steps
will
help
to
ensure
interoperability
of
the
resulting
signatures
among
applications
that
support
the
XSLT
transform.
Note
that
if
the
output
is
actually
HTML,
then
the
result
of
these
steps
is
logically
equivalent
[
XHTML10
].
Digital signatures only work if the verification calculations are performed on exactly the same bits as the signing calculations. If the surface representation of the signed data can change between signing and verification, then some way to standardize the changeable aspect must be used before signing and verification. For example, even for simple ASCII text there are at least three widely used line ending sequences. If it is possible for signed text to be modified from one line ending convention to another between the time of signing and signature verification, then the line endings need to be canonicalized to a standard form before signing and verification or the signatures will break.
XML is subject to surface representation changes and to processing which discards some surface information. For this reason, XML digital signatures have a provision for indicating canonicalization methods in the signature so that a verifier can use the same canonicalization as the signer.
Throughout
this
specification
we
distinguish
between
the
canonicalization
of
a
Signature
element
and
other
signed
XML
data
objects.
It
is
possible
for
an
isolated
XML
document
to
be
treated
as
if
it
were
binary
data
so
that
no
changes
can
occur.
In
that
case,
the
digest
of
the
document
will
not
change
and
it
need
not
be
canonicalized
if
it
is
signed
and
verified
as
such.
However,
XML
that
is
read
and
processed
using
standard
XML
parsing
and
processing
techniques
is
frequently
changed
such
that
some
of
its
surface
representation
information
is
lost
or
modified.
In
particular,
this
will
occur
in
many
cases
for
the
Signature
and
enclosed
SignedInfo
elements
since
they,
and
possibly
an
encompassing
XML
document,
will
be
processed
as
XML.
Similarly,
these
considerations
apply
to
Manifest
,
Object
,
and
SignatureProperties
elements
if
those
elements
have
been
digested,
their
DigestValue
is
to
be
checked,
and
they
are
being
processed
as
XML.
The kinds of changes in XML that may need to be canonicalized can be divided into four categories. There are those related to the basic [ XML10 ], as described in 7.1 below. There are those related to [ DOM-LEVEL-1 ], [ SAX ], or similar processing as described in 7.2 below. Third, there is the possibility of coded character set conversion, such as between UTF-8 and UTF-16, both of which all [ XML10 ] compliant processors are required to support, which is described in the paragraph immediately below. And, fourth, there are changes that related to namespace declaration and XML namespace attribute context as described in 7.3 below.
Any
canonicalization
algorithm
should
yield
output
in
a
specific
fixed
coded
character
set.
All
canonicalization
algorithms
identified
in
this
document
use
UTF-8
(without
a
byte
order
mark
(BOM))
and
do
not
provide
character
normalization.
We
RECOMMEND
that
signature
applications
create
XML
content
(
Signature
elements
and
their
descendants/content)
in
Normalization
Form
C
[
NFC
]
and
check
that
any
XML
being
consumed
is
in
that
form
as
well;
(if
not,
signatures
may
consequently
fail
to
validate).
Additionally,
none
of
these
algorithms
provide
data
type
normalization.
Applications
that
normalize
data
types
in
varying
formats
(e.g.,
(true,
false)
or
(1,0))
may
not
be
able
to
validate
each
other's
signatures.
XML 1.0 [ XML10 ]] defines an interface where a conformant application reading XML is given certain information from that XML and not other information. In particular,
Note
that
items
(2),
(4),
and
(5.3)
depend
on
the
presence
of
a
schema,
DTD
or
similar
declarations.
The
Signature
element
type
is
laxly
schema
valid
[
XMLSCHEMA-1
][
XMLSCHEMA-2
],
consequently
external
XML
or
even
XML
within
the
same
document
as
the
signature
may
be
(only)
well-formed
or
from
another
namespace
(where
permitted
by
the
signature
schema);
the
noted
items
may
not
be
present.
Thus,
a
signature
with
such
content
will
only
be
verifiable
by
other
signature
applications
if
the
following
syntax
constraints
are
observed
when
generating
any
signed
material
including
the
SignedInfo
element:
In addition to the canonicalization and syntax constraints discussed above, many XML applications use the Document Object Model [ DOM-LEVEL-1 ] or the Simple API for XML [ SAX ]. DOM maps XML into a tree structure of nodes and typically assumes it will be used on an entire document with subsequent processing being done on this tree. SAX converts XML into a series of events such as a start tag, content, etc. In either case, many surface characteristics such as the ordering of attributes and insignificant white space within start/end tags is lost. In addition, namespace declarations are mapped over the nodes to which they apply, losing the namespace prefixes in the source text and, in most cases, losing where namespace declarations appeared in the original instance.
If
an
XML
Signature
is
to
be
produced
or
verified
on
a
system
using
the
DOM
or
SAX
processing,
a
canonical
method
is
needed
to
serialize
the
relevant
part
of
a
DOM
tree
or
sequence
of
SAX
events.
XML
canonicalization
specifications,
such
as
[
XML-C14N
],
are
based
only
on
information
which
is
preserved
by
DOM
and
SAX.
For
an
XML
Signature
to
be
verifiable
by
an
implementation
using
DOM
or
SAX,
not
only
must
the
XML
1.0
syntax
constraints
given
in
the
section
7.1
XML
1.0
Syntax
Constraints,
and
Canonicalization
be
followed
but
an
appropriate
XML
canonicalization
must
MUST
be
specified
so
that
the
verifier
can
re-serialize
DOM/SAX
mediated
input
into
the
same
octet
stream
that
was
signed.
In [ XPATH ] and consequently the Canonical XML data model an element has namespace nodes that correspond to those declarations within the element and its ancestors:
" Note: An element E has namespace nodes that represent its namespace declarations as well as any namespace declarations made by its ancestors that have not been overridden in E 's declarations, the default namespace if it is non-empty, and the declaration of the prefix
xml
." [ XML-C14N ]
When
serializing
a
Signature
element
or
signed
XML
data
that's
the
child
of
other
elements
using
these
data
models,
that
Signature
element
and
its
children
may
have
in-scope
namespaces
inherited
from
its
ancestral
context.
In
addition,
the
Canonical
XML
and
Canonical
XML
with
Comments
algorithms
define
special
treatment
for
attributes
in
the
XML
namespace,
which
can
cause
them
to
be
part
of
the
canonicalized
XML
even
if
they
were
outside
of
the
document
subset.
Simple
inheritable
attributes
(i.e.
attributes
that
have
a
value
that
requires
at
most
a
simple
redeclaration
such
as
xml:lang
and
xml:space
)
are
inherited
from
nearest
ancestor
in
which
they
are
declared
to
the
apex
node
of
canonicalized
XML
unless
they
are
already
declared
at
that
node.
This
may
frustrate
the
intent
of
the
signer
to
create
a
signature
in
one
context
which
remains
valid
in
another.
For
example,
given
a
signature
which
is
a
child
of
B
and
a
grandchild
of
A
:
<A xmlns:n1="http://foo.example"> <B xmlns:n2="http://bar.example"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> ... <Reference URI="#signme"/> ... </Signature> <C ID="signme" xmlns="http://baz.example" /> </B> </A>
when
either
the
element
B
or
the
signed
element
C
is
moved
into
a
[
SOAP12-PART1
]
envelope
for
transport:
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"> ... <SOAP:Body> <B xmlns:n2="http://bar.example"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> ... </Signature> <C ID="signme" xmlns="http://baz.example" /> </B> </SOAP:Body> </SOAP:Envelope>
The
canonical
form
of
the
signature
in
this
context
will
contain
new
namespace
declarations
from
the
SOAP:Envelope
context,
invalidating
the
signature.
Also,
the
canonical
form
will
lack
namespace
declarations
it
may
have
originally
had
from
element
A
's
context,
also
invalidating
the
signature.
To
avoid
these
problems,
the
application
may:
The XML Signature specification provides a very flexible digital signature mechanism. Implementers must give consideration to their application threat models and to the following factors. For additional security considerations in implementation and deployment of this specification, see [ XMLDSIG-BESTPRACTICES ].
A
requirement
of
this
specification
is
to
permit
signatures
to
"apply
to a
part
or
totality
of
a
XML
document."
(See
[
XMLDSIG-REQUIREMENTS
],
section
3.1.3].)
The
Transforms
mechanism
meets
this
requirement
by
permitting
one
to
sign
data
derived
from
processing
the
content
of
the
identified
resource.
For
instance,
applications
that
wish
to
sign
a
form,
but
permit
users
to
enter
limited
field
data
without
invalidating
a
previous
signature
on
the
form
might
use
[
XPATH
]
to
exclude
those
portions
the
user
needs
to
change.
Transforms
may
be
arbitrarily
specified
and
may
include
encoding
transforms,
canonicalization
instructions
or
even
XSLT
transformations.
Three
cautions
are
raised
with
respect
to
this
feature
in
the
following
sections.
Note, core validation behavior does not confirm that the signed data was obtained by applying each step of the indicated transforms. (Though it does check that the digest of the resulting content matches that specified in the signature.) For example, some applications may be satisfied with verifying an XML signature over a cached copy of already transformed data. Other applications might require that content be freshly dereferenced and transformed.
First, obviously, signatures over a transformed document do not secure any information discarded by transforms: only what is signed is secure.
Note
that
the
use
of
Canonical
XML
[
XML-C14N
]
ensures
that
all
internal
entities
and
XML
namespaces
are
expanded
within
the
content
being
signed.
All
entities
are
replaced
with
their
definitions
and
the
canonical
form
explicitly
represents
the
namespace
that
an
element
would
otherwise
inherit.
Applications
that
do
not
canonicalize
XML
content
(especially
the
SignedInfo
element)
should
not
SHOULD
NOT
use
internal
entities
and
should
SHOULD
represent
the
namespace
explicitly
within
the
content
being
signed
since
they
can
not
rely
upon
canonicalization
to
do
this
for
them.
Also,
users
concerned
with
the
integrity
of
the
element
type
definitions
associated
with
the
XML
instance
being
signed
may
wish
to
sign
those
definitions
as
well
(i.e.,
the
schema,
DTD,
or
natural
language
description
associated
with
the
namespace/identifier).
Second, an envelope containing signed information is not secured by the signature. For instance, when an encrypted envelope contains a signature, the signature does not protect the authenticity or integrity of unsigned envelope headers nor its ciphertext form, it only secures the plaintext actually signed.
Additionally, the signature secures any information introduced by the transform: only what is "seen" (that which is represented to the user via visual, auditory or other media) should be signed. If signing is intended to convey the judgment or consent of a user (an automated mechanism or person), then it is normally necessary to secure as exactly as practical the information that was presented to that user. Note that this can be accomplished by literally signing what was presented, such as the screen images shown a user. However, this may result in data which is difficult for subsequent software to manipulate. Instead, one can sign the data along with whatever filters, style sheets, client profile or other information that affects its presentation.
Just
as
a
user
should
only
sign
what
he
or
she
"sees,"
persons
and
automated
mechanism
that
trust
the
validity
of
a
transformed
document
on
the
basis
of
a
valid
signature
should
operate
over
the
data
that
was
transformed
(including
canonicalization)
and
signed,
not
the
original
pre-transformed
data.
This
recommendation
applies
to
transforms
specified
within
the
signature
as
well
as
those
included
as
part
of
the
document
itself.
For
instance,
if
an
XML
document
includes
an
embedded
style
sheet
[
XSLT
]
it
is
the
transformed
document
that
should
be
represented
to
the
user
and
signed.
To
meet
this
recommendation
where
a
document
references
an
external
style
sheet,
the
content
of
that
external
resource
should
also
be
signed
as
via
a
signature
Reference
otherwise
the
content
of
that
external
content
might
change
which
alters
the
resulting
document
without
invalidating
the
signature.
Some applications might operate over the original or intermediary data but should be extremely careful about potential weaknesses introduced between the original and transformed data. This is a trust decision about the character and meaning of the transforms that an application needs to make with caution. Consider a canonicalization algorithm that normalizes character case (lower to upper) or character composition ('e and accent' to 'accented-e'). An adversary could introduce changes that are normalized and consequently inconsequential to signature validity but material to a DOM processor. For instance, by changing the case of a character one might influence the result of an XPath selection. A serious risk is introduced if that change is normalized for signature validation but the processor operates over the original data and returns a different result than intended.
As a result:
This specification uses public key signatures and keyed hash authentication codes. These have substantially different security models. Furthermore, it permits user specified algorithms which may have other models.
With public key signatures, any number of parties can hold the public key and verify signatures while only the parties with the private key can create signatures. The number of holders of the private key should be minimized and preferably be one. Confidence by verifiers in the public key they are using and its binding to the entity or capabilities represented by the corresponding private key is an important issue, usually addressed by certificate or online authority systems.
Keyed hash authentication codes, based on secret keys, are typically much more efficient in terms of the computational effort required but have the characteristic that all verifiers need to have possession of the same key as the signer. Thus any verifier can forge signatures.
This specification permits user provided signature algorithms and keying information designators. Such user provided algorithms may have different security models. For example, methods involving biometrics usually depend on a physical characteristic of the authorized user that can not be changed the way public or secret keys can be and may have other security model differences.
The strength of a particular signature depends on all links in the security chain. This includes the signature and digest algorithms used, the strength of the key generation [ RANDOM ] and the size of the key, the security of key and certificate authentication and distribution mechanisms, certificate chain validation policy, protection of cryptographic processing from hostile observation and tampering, etc.
Care must be exercised by applications in executing the various algorithms that may be specified in an XML signature and in the processing of any "executable content" that might be provided to such algorithms as parameters, such as XSLT transforms. The algorithms specified in this document will usually be implemented via a trusted library but even there perverse parameters might cause unacceptable processing or memory demand. Even more care may be warranted with application defined algorithms.
The security of an overall system will also depend on the security and integrity of its operating procedures, its personnel, and on the administrative enforcement of those procedures. All the factors listed in this section are important to the overall security of a system; however, most are beyond the scope of this specification.
Implementations
should
not
SHOULD
NOT
provide
detailed
error
responses
related
to
security
algorithm
processing.
Error
messages
should
be
limited
to
a
generic
error
message
to
avoid
providing
information
to
a
potential
attacker
related
to
the
specifics
of
the
algorithm
implementation.
For
example,
if
an
error
occurs
in
signature
verification
processing
the
error
response
should
be
a
generic
message
providing
no
specifics
on
the
details
of
the
processing
error.
This section is non-normative.
Non-normative RELAX NG schema [ RELAXNG-SCHEMA ] information is available in a separate document [ XMLSEC-RELAXNG ].
Object
designates
a
specific
XML
element.
Occasionally
we
refer
to
a
data
object
as
a
document
or
as
a
resource
's
content
.
The
term
element
content
is
used
to
describe
the
data
between
XML
start
and
end
tags
[
XML10
].
The
term
XML
document
is
used
to
describe
data
objects
which
conform
to
the
XML
specification
[
XML10
].
Object
element
is
merely
one
type
of
digital
data
(or
document)
that
can
be
signed
via
a
Reference
.
Signature
element
type
and
its
children
(including
SignatureValue
)
and
the
specified
algorithms.
Signature
element,
and
can
be
identified
via
a
URI
or
transform.
Consequently,
the
signature
is
"detached"
from
the
content
it
signs.
This
definition
typically
applies
to
separate
data
objects,
but
it
also
includes
the
instance
where
the
Signature
and
data
object
reside
within
the
same
XML
document
but
are
sibling
elements.
Object
element
of
the
signature
itself.
The
Object
(or
its
content)
is
identified
via
a
Reference
(via
a
URI
fragment
identifier
or
transform).
SignatureValue
.
SignedInfo
reference
validation
.
Reference
,
matches
its
specified
DigestValue
.
SignatureValue
matches
the
result
of
processing
SignedInfo
with
CanonicalizationMethod
and
SignatureMethod
as
specified
in
Core
Validation
(section
3.2).
Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.