What Is XML Signature Syntax and Processing?

SOAP Web Service Tutorials - Herong's Tutorial Examples - Version 5.02, by Dr. Herong Yang

SOAP Web Service Tutorials - Herong's Tutorial Examples

∟What Is XML Signature Syntax and Processing?

This section describes the XML Signature Syntax and Processing specification developed by W3C that specifies XML digital signature processing rules and syntax.

What is "XML Signature Syntax and Processing"? XML Signature Syntax and Processing is a specification developed by W3C that specifies XML digital signature processing rules and syntax. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.

The XML syntax defined by the XML Signature Syntax and Processing specification is relatively simple. Here is the structure of an XML signature example:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

 <SignedInfo>
  <CanonicalizationMethod Algorithm="..."/>
  <SignatureMethod Algorithm="..."/>

  <Reference URI="...">
   <Transforms>
    <Transform Algorithm="..."/>
   </Transforms>
   <DigestMethod Algorithm="..."/>
   <DigestValue>...</DigestValue>
  </Reference>

 </SignedInfo>

 <SignatureValue>...</SignatureValue>

 <KeyInfo>...</KeyInfo>

</Signature>

Notice that how the XML signature information is divided into 3 sub elements:

1. "Signature/SignedInfo" sub element contains information about what data is actually signed. It has several important sub elements and attributes:

The attribute "CanonicalizationMethod[@Algorithm]" indicates what algorithm is used to serialize the data.
The attribute "SignatureMethod[@Algorithm]" indicates what algorithm is used to generated the signature.
The attribute "Reference[@URI]" indicates where the data is located. It could be a fully qualified address pointing to an extenal data location like "http://herongyang.com/Service/Hello_WSDL_11_SOAP.wsdl", or a fragment identifier pointing to a local XML element ID like "#CreateTimeStamp".
The sub element "Reference/Transforms" contains information on any transformations that are performed on the data before generating the signature.
The attribute "Reference/DigestMethod[@Algorithm]" indicates what algorithm is used to generated the digest, which is encrypted to produce the signature.
The sub element "Reference/DigestValue" contains the actual digest generated from the data in Base64 format, which is not really needed.

2. "Signature/SignatureValue" sub element contains the actual signature in Base64 format.

3. "Signature/KeyInfo" sub element contains information about the public key that is needed for the receiver to validate the signature. It may have the following options:

Provide the actual public key in the sub element.
Provide an X.509 certificate of the public key in the sub element.
Provide the reference to where the public key's X.509 certificate of the public is located in the XML document.
Provide an identifier of the public key's X.509 certificate, so the receiver can find it somewhere else.

"XML Signature Syntax and Processing" specification can be used together with "WS-Security X.509 Certificate Token Profile" to protect the SOAP message integrity by signing a single or multiple parts of the SOAP message.

For more information on "XML Signature Syntax and Processing", see the full specification at http://www.w3.org/TR/xmldsig-core/.

Last update: 2014.

Table of Contents

About This Book

Introduction to Web Service

Introduction to SOAP (Simple Object Access Protocol)

SOAP Message Structure

SOAP Message Transmission and Processing

SOAP Data Model

SOAP Encoding

SOAP RPC Presentation

SOAP Properties Model