Understanding XML Digital Signature Elements
To have a better understanding of different elements and nodes that constitute XML digital signatures, look at Figure 2, which contains just the naked elements without any data.
Figure 2 XML digital signature elements.
Each signed resource (the transmitted XML document, in this case) that the signature authenticates has to be enclosed within the <Reference> elements. Because one signature may be applied to sign multiple resources, it is common to find several <Reference>...</Reference> nodes within a single signature.
Each <Reference> node contains the following:
A reference URI to the signed resource that the signature attests (optional).
The URI for the signed resource is optional because there will be many cases in which digital signatures are sent along with the document, so providing this URI might not be necessary. (See the "Detached Signatures" bullet in the next section.
An ordered list of transformations applied to the original document before it was digested (optional).
<Transforms> <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> </Transforms>
For additional security, the sender might apply one or more transformations over the original data before signing the same. These transforms, as well as the order in which they were applied, must be communicated to the receiver so that he is aware of them.
The digest algorithm that was applied on the signed resource, to generate the digest (mandatory).
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
The actual digest value, which was generated by applying the digest algorithm over the signed resource (mandatory).
In the earlier section on XMLDSig terminology, you learned that the digest value and the method used for transforming the digest become integral parts of XML digital signatures. <DigestMethod> and <DigestValue> elements precisely contain this data. Note that both are mandatory elements per the specifications.
The mandatory SignedInfo element is the one that contains all required information regarding the signed resource. It includes the following:
The canonicalization algorithm applied to the signed resource(s)
As discussed previously, to address the variations arising due to textual representations, the signed resources must be canonicalized before they are signed. Please note that the same algorithm is used to canonicalize multiple resources specified in the <Reference> elements.
The algorithm that is used for digital signature generation and validation is
This algorithm combines a digest algorithm and a key-based algorithm. It is applied over the canonicalized SignedInfo to calculate the digital signature. Although the signing methodology is inside the <SignedInfo> element, the actual signature (in <SignatureValue> element) itself is outside this element.
The XML DSig specifications include a set of recommended signature algorithms.
One or more <Reference> elements (discussed earlier)
This mandatory element carries the value of the digital signature, calculated by applying the signature algorithm over the SignedInfo.
The optional KeyInfo element carries references to the public key of the sender, which can then be used by the receiver to validate the digital signature and resources. It is optional because it is unnecessary to send the public key with each and every signed document the sender is transmitting to the same receiver.
KeyInfo typically contains public keys, key names, certificates, and other public key management information. (I will discuss the XML public key infrastructure in a separate article later in this series.) Take a look at Figure 3.
Figure 3 XML digital signature KeyInfo elements.
KeyInfo includes the following:
A string value that represents a specific key pair
The key itself
Depending upon the type of key (RSA, DSA, and so on), the KeyValue element can define itself further, as follows:
<KeyInfo> <KeyValue> <RSAKeyValue> <Modules>y32K..4NE=</Modules> <Exponent>Aw==</Exponent> </RSAKeyValue> </KeyValue> </KeyInfo>
The Signature element is the root element of all standard XML Digital Signatures. It encloses all the three main elements (discussed earlier):