Re: Digitally signing XML files

Roedy Green <my_email_is_posted_on_my_website@xxxxxxxxxxxxxx> writes:

I wonder if there is a standard way to digitally sign XML files.

There is, W3C has a specification for XML Signatures, see
<http://www.w3.org/TR/xmldsig-core/>. Apache has a Java
implementation as a part of the XML-Security project.

1. where do you put the signature, the public key? Can you tack them
on the end, embed them in special tags?

You put in a new element called Signature. This contains references
to the signed parts of the document and digests for each, as well as
the computed signature value. It can also contain information on the
key used, either by including the public key or a reference to it.

2. what do you sign, the encoded bytes or the chars?

Crypto algorithms typically require their input to be bytes, so that's
what you need to produce.

3. how do you deal with transient white space that might disappear if
someone tidied the file.

4. how do you deal with platform-specific new line chars? do you
treat them as if nl, do you transform the document first, do you
preserve them?

5. what about lead trail space on fields. It this removed first?

These are easiest to answer with a single word: canonicalization.
There are a couple of W3C-specified canonicalization algorithms (see,
e.g., <http://www.w3.org/TR/2001/REC-xml-c14n-20010315>). Such an
algorithm takes XML and attempts to remove any incidentals so that the
same output is produced even after some reasonable XML processing.

To go to specifics, canonicalization does not permit you to alter
whitespace content of an XML document, so your point 3 would create a
different document, I cannot find anything that says newlines are
converted to any other form, and in point 5, if by "field" you mean
element content or attribute value, all whitespace is retained.

--
Jaakko Kangasharju, Helsinki Institute for Information Technology
You don't have to be crazy to work here...and it doesn't help either
.

Relevant Pages

  • Re: How to verify CA for a X.509 certificate
    ... There has been a lot of work done around X509 for the 2.0 release of the framework. ... Both XML Encryption and XML Digital Signatures have ... >>> The article DOES check if the public key is in the store, ... >>> to use it to explicitly verify the signature on the cert. ...
    (microsoft.public.dotnet.security)
  • Re: Digitally signing XML files
    ... PrivateKey privateKey, boolean debug) throws WSSecurityException ... //Add SecurityHelper.class header to the SOAP message if it does ... Append the signature element to proper location before signing ... // SOAP XML document, the SOAP body is referenced as a URI ...
    (comp.lang.java.programmer)
  • Re: Reading a C struct in java
    ... what are the uses of a data format canonicalization? ... of XML data. ... two XML streams that differ only in ... In order that my signature could remain valid if the XML body were removed from one envelope and inserted in another for onward processing, clever things have to be done with namespace declarations in the envelope that are used in the body. ...
    (comp.lang.java.programmer)
  • XmlDSig trouble
    ... I'll start with a xml snippet of a signature: ... a customer wants to sign xml that is to be validated ... The problem is related to the first reference in the SignedInfo with ... Transform it with Enveloped Signature ...
    (microsoft.public.dotnet.security)
  • Manually computing sha1 digest of reference containing base64 encoded string and comparing it to dig
    ... The XML has two nodes one which has public part which is not encrypted ... Once I compute the signature I append the signature node to XMLDoc and ... Issue is user says that the digest information of the referenced data ... //Load the node in XMLDoc ...
    (microsoft.public.dotnet.security)