This section describes the status of this document at
the time of its publication. Other documents may supersede this
document. A list of current W3C publications and the latest
revision of this technical report can be found in the W3C technical reports index at
http://www.w3.org/TR/.
This is a First Public Working Draft of "XML Signature
2.0".
At the time of this publication, the XML Security WG is also
producing "XML Signature Version 1.1". The most recent XML
Signature Recommendation is "XML Signature, Second
Edition".
This document is expected to be further updated based on
both Working Group input and public comments. The Working Group
anticipates to eventually publish a stabilized version of this
document as a W3C Recommendation.
This version of the XML Signature specification introduces a new,
simpler transform model. While this model is less generic than the one
in the 1.x versions of this specification, we anticipate gains in
terms of simplicity, lower attack surface, and streamability. We
appreciate early comments on this general approach.
This document was developed by the XML Security Working
Group.
Please send comments about this document to public-xmlsec-comments@w3.org
(with public
archive).
Publication as a Working Draft does not imply endorsement by the W3C
Membership. This is a draft document and may be updated,
replaced or obsoleted by other documents at any time. It is
inappropriate to cite this document as other than work in
progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent
Policy. W3C maintains a public list of any patent disclosures
made in connection with the deliverables of the group; that page also includes instructions for
disclosing a patent. An individual who has actual knowledge of a patent which the individual
believes contains Essential Claim(s)
must disclose the information in accordance with section 6 of the W3C
Patent Policy.
This document specifies XML syntax and processing rules
for creating and representing digital signatures. XML
Signatures can be applied to any digital content (data object),
including XML. An XML Signature may be applied to the content
of one or more resources. Enveloped or enveloping signatures are over
data within the same XML document as the signature; detached signatures are
over data external to the signature element. More
specifically, this specification defines an XML signature
element type and an XML signature application;
conformance requirements for each are specified by way of
schema definitions and prose respectively. This specification
also includes other useful types that identify methods for
referencing collections of resources, algorithms, and keying
and management information.
The XML Signature is a method of associating a key with
referenced data (octets); it does not normatively specify how
keys are associated with persons or institutions, nor the
meaning of the data being referenced and signed.
Consequently, while this specification is an important
component of secure XML applications, it itself is not
sufficient to address all application security/trust
concerns, particularly with respect to using signed XML (or
other data formats) as a basis of human-to-human
communication and agreement. Such an application must specify
additional key, algorithm, processing and rendering
requirements. For further information, please see 9 Security Considerations.
XML Signature 2.0 includes a new transform model designed
to address requirements including performance, simplicity and
streamability. This model is significantly different than in
XML Signature 1.x, see 10 Differences from
1.x version. XML Signature 2.0 is designed to be
backward compatible, however, enabling the XML Signature 1.x
model to be used where necessary. Details of this model are
documented in XML Signature, Second Edition.
For readability, brevity, and historic reasons this
document uses the term "signature" to generally refer to
digital authentication values of all types. Obviously, the
term is also strictly used to refer to authentication
values that are based on public keys and that provide
signer authentication. When specifically discussing
authentication values based on symmetric secret key codes
we use the terms authenticators or authentication codes.
(See 9.1 Check the Security
Model
This specification provides a normative XML Schema
[XML-schema].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this specification are to be interpreted
as described in RFC2119 [KEYWORDS]:
"they MUST only be used where it is actually required
for interoperation or to limit behavior which has potential
for causing harm (e.g., limiting retransmissions)"
Consequently, we use these capitalized key words to
unambiguously specify requirements over protocol and
application features and behavior that affect the
interoperability and security of implementations. These key
words are not used (capitalized) to describe XML grammar;
schema definitions unambiguously describe such requirements
and we wish to reserve the prominence of these terms for
the natural language descriptions of protocols and
features. For instance, an XML attribute might be described
as being "optional." Compliance with the Namespaces in XML
specification [XML-ns] is
described as "REQUIRED."
The design philosophy and requirements of this
specification are addressed in the XML-Signature
Requirements document [XML-Signature-RD].
This specification makes use of XML namespaces, and uses
Uniform Resource Identifiers [URI]
to identify resources, algorithms, and semantics.
Implementations of this specification MUST use the
following XML namespace URIs:
| URI |
namespace prefix |
XML internal entity |
http://www.w3.org/2000/09/xmldsig# |
default namespace, ds:,
dsig: |
<!ENTITY dsig
"http://www.w3.org/2000/09/xmldsig#"> |
http://www.w3.org/2009/xmldsig11# |
dsig11: |
<!ENTITY dsig11
"http://www.w3.org/2009/xmldsig11#"> |
http://www.w3.org/2008/xmlsec/experimental# |
dsig2: |
<!ENTITY dsig2
"http://www.w3.org/2008/xmlsec/experimental#"> |
| Editorial
note |
|
The Namespace
URI for dsig2, listed as
http://www.w3.org/2008/xmlsec/experimental#, is subject to
change. |
While implementations MUST support XML and XML
namespaces, and while use of the above namespace URIs is
REQUIRED, the namespace prefixes and entity declarations
given are merely editorial conventions used in this
document. Their use by implementations is OPTIONAL.
These namespace URIs are also used as the prefix for
algorithm identifiers that are under control of this
specification. For resources not under the control of this
specification, we use the designated Uniform Resource Names
[URN] or Uniform Resource
Identifiers [URI] defined by the
relevant normative external specification.
For instance:
-
SignatureProperties is identified and
defined by the disg: namespace
http://www.w3.org/2000/09/xmldsig#SignatureProperties
-
ECKeyValue is identified and defined by
the dsig11: namespace
http://www.w3.org/2009/xmldsig11#ECKeyValue
-
XSLT is identified and defined by an external URI
http://www.w3.org/TR/1999/REC-xslt-19991116
-
SHA1 is identified via this specification's
namespace and defined via a normative reference
http://www.w3.org/2001/04/xmlenc#sha256
FIPS PUB 180-3. Secure Hash Standard. U.S.
Department of Commerce/National Institute of Standards
and Technology.
-
Selection is identified and defined by
the dsig2: namespace
http://www.w3.org/2008/xmlsec/experimental#Selection
The http://www.w3.org/2000/09/xmldsig#
(dsig:) namespace was introduced in the first
edition of this specification, and
http://www.w3.org/2009/xmldsig11#
(dsig11:) namespace was introduced in 1.1.
This version does not coin any new elements or algorithm
identifiers in that namespace; instead, the
dsig2: namespace is used.
No provision is made for an explicit version number in
this syntax. If a future version of this specification
requires explicit versioning of the document format, a
different namespace will be used.
The contributions of the following Working Group members
to this specification are gratefully acknowledged:
-
Mark Bartel, Adobe, was Accelio (Author)
-
John Boyer, IBM (Author)
-
Mariano P. Consens, University of Waterloo
-
John Cowan, Reuters Health
-
Donald Eastlake 3rd, Motorola (Chair,
Author/Editor)
-
Barb Fox, Microsoft (Author)
-
Christian Geuer-Pollmann, University Siegen
-
Tom Gindin, IBM
-
Phillip Hallam-Baker, VeriSign Inc
-
Richard Himes, US Courts
-
Merlin Hughes, Baltimore
-
Gregor Karlinger, IAIK TU Graz
-
Brian LaMacchia, Microsoft (Author)
-
Peter Lipp, IAIK TU Graz
-
Joseph Reagle, NYU, was W3C (Chair,
Author/Editor)
-
Ed Simon, XMLsec (Author)
-
David Solo, Citigroup (Author/Editor)
-
Petteri Stenius, Capslock
-
Raghavan Srinivas, Sun
-
Kent Tamura, IBM
-
Winchel Todd Vincent III, GSU
-
Carl Wallace, Corsec Security, Inc.
-
Greg Whitehead, Signio Inc.
As are the Last Call comments from the following:
The following members of the XML Security Specification
Maintenance Working Group contributed to the second
edition:
-
Juan Carlos Cruellas, Universitat Politècnica de
Catalunya
-
Pratik Datta, Oracle Corporation
-
Phillip Hallam-Baker, VeriSign, Inc.
-
Frederick Hirsch, Nokia, (Chair, Editor)
-
Konrad Lanz, Applied Information processing and
Kommunications (IAIK)
-
Hal Lockhart, BEA Systems, Inc.
-
Robert Miller, MITRE Corporation
-
Sean Mullan, Sun Microsystems, Inc.
-
Bruce Rich, IBM Corporation
-
Thomas Roessler, W3C/ERCIM, (Staff contact,
Editor)
-
Ed Simon, W3C Invited Expert
-
Greg Whitehead, HP
Contributions for version 1.1 were received from the
members of the XML Security Working Group:
This section provides an overview and examples of XML
digital signature syntax. The specific processing is given in
3 Processing Rules
(section 3). The formal syntax is found in 4 Core Signature Syntax(section
4) and 5 Additional
Signature Syntax (section 5).
In this section, an informal representation and examples
are used to describe the structure of the XML signature
syntax. This representation and examples may omit attributes,
details and potential features that are fully explained
later.
XML Signatures are applied to arbitrary digital content (data objects) via an
indirection. Data objects are digested, the resulting value
is placed in an element (with other information) and that
element is then digested and cryptographically signed. XML
digital signatures are represented by the
Signature element which has the following
structure (where "?" denotes zero or one occurrence; "+"
denotes one or more occurrences; and "*" denotes zero or more
occurrences):
<Signature ID?>
<SignedInfo>
<CanonicalizationMethod/>
<SignatureMethod/>
(<Reference URI? >
(<Transforms>)?
<DigestMethod>
<DigestValue>
</Reference>)+
</SignedInfo>
<SignatureValue>
(<KeyInfo>)?
(<Object ID?>)*
</Signature>
Signatures are related to data objects via "data selectors" which
usually consist of a URI [URI] and
some attributes.. Within an XML document, signatures are
related to local data objects via fragment identifiers. Such
local data can be included within an enveloping signature or can
enclose an enveloped signature. Detached signatures are
over external network resources or local data objects that
reside within the same XML document as sibling elements; in
this case, the signature is neither enveloping (signature is
parent) nor enveloped (signature is child). Since a
Signature element (and its Id
attribute value/name) may co-exist or be combined with other
elements (and their IDs) within a single XML document, care
should be taken in choosing names such that there are no
subsequent collisions that violate the ID uniqueness validity
constraint [XML].
The following example is a detached signature of the
content of the HTML4 in XML specification.
[s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
[s02] <SignedInfo>
[s03] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2009/WD-xml-c14n2-20091022/"/>
[s04] <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
[s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
[s06] <Transforms>
[s07] <Transform Algorithm="http://www.w3.org/2008/xmlsec/experimental#newTransformModel">
[s07a] <Selection type="http://www.w3.org/2008/xmlsec/experimental#xml" xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s07b] </Selection>
[s07c] <Canonicalization xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s07d] <Inclusive>false</Inclusive>
[s07e] </Canonicalization>
[s07f] </Transform>
[s08] </Transforms>
[s09] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
[s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
[s11] </Reference>
[s12] </SignedInfo>
[s13] <SignatureValue>...</SignatureValue>
[s14] <KeyInfo>
[s15a] <KeyValue>
[s15b] <DSAKeyValue>
[s15c] <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
[s15d] </DSAKeyValue>
[s15e] </KeyValue>
[s16] </KeyInfo>
[s17] </Signature>
[s02-12] The required
SignedInfo element is the information that is
actually signed. Core validation of
SignedInfo consists of two mandatory
processes: validation of the signature
over SignedInfo and validation of each Reference
digest within SignedInfo. Note that the
algorithms used in calculating the
SignatureValue are also included in the signed
information while the SignatureValue element
is outside SignedInfo.
[s03] The
CanonicalizationMethod is the algorithm that
is used to canonicalize the SignedInfo element
before it is digested as part of the signature operation.
Note that this example, and all examples in this
specification, are not in canonical form. The URI should be
Canonical XML 2.0 [XML-C14N20] (or a later version) and
all the parameters for Canonical XML 2.0 should be present
as subelements of this element.
[s04] The SignatureMethod is
the algorithm that is used to convert the canonicalized
SignedInfo into the
SignatureValue. It is a combination of a
digest algorithm and a key dependent algorithm and possibly
other algorithms such as padding, for example RSA-SHA1. The
algorithm names are signed to resist attacks based on
substituting a weaker algorithm. To promote application
interoperability we specify a set of signature algorithms
that MUST be implemented, though their use is at the
discretion of the signature creator. We specify additional
algorithms as RECOMMENDED or OPTIONAL for implementation;
the design also permits arbitrary user specified
algorithms.
[s05-11] Each Reference
element includes the digest method and resulting digest
value calculated over the identified data object. Each
reference object has two parts - a Selection
element to choose the data object to be signed, and a
Canonicalization element to convert the data
object to a canonicalized octet stream. Signature 2.0 does
not use the concept of transforms, but the syntax still
uses a Transforms element so that an Signature
1.x implementation can gracefully ignore 2.0 signature, by
giving an "unrecognized transform" error message. A data
object is signed by computing its digest value of that
octet stream and then a signature over that value. The
signature is later checked via reference and signature
validation.
[s14-16] KeyInfo indicates the
key to be used to validate the signature. Possible forms
for identification include certificates, key names, and key
agreement algorithms and information -- we define only a
few. KeyInfo is optional for two reasons.
First, the signer may not wish to reveal key information to
all document processing parties. Second, the information
may be known within the application's context and need not
be represented explicitly. Since KeyInfo is
outside of SignedInfo, if the signer wishes to
bind the keying information to the signature, a
Reference can easily identify and include the
KeyInfo as part of the signature.
[s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
[s06] <Transforms>
[s07] <Transform Algorithm="http://www.w3.org/2008/xmlsec/experimental#newTransformModel">
[s07a] <Selection type="http://www.w3.org/2008/xmlsec/experimental#xml" xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s07b] </Selection>
[s07c] <Canonicalization xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s07d] <Inclusive>false</Inclusive>
[s07e] </Canonicalization>
[s07f] </Transform>
[s08] </Transforms>
[s09] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
[s10] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
[s11] </Reference>
[s05] The optional URI
attribute of Reference identifies the data
object to be signed. This attribute may be omitted on at
most one Reference in a
Signature. (This limitation is imposed in
order to ensure that references and objects may be
matched unambiguously.)
[s07a-s07c] The Selection
element identifies the data object to be signed. This
specification only defines two types "xml" and "binary",
but user specified types are also allowed. For example a
new type "database-rows" can be defined to select rows
from the database for signing. Usually a URI and a few
other bits of information is used to identify the data
object, but the URI is not required, for example the
"xml" type can identify a local document subset by using
an XPath.
Although the URI attribute is part of
the Reference, it can be considered as
logically part of the Selection and the
URI is dereferenced in the context of the other
Selection elements.
[s07d-s07f] The
Canonicalization element provides the
mechanism to convert the data object into a canonicalized
octet stream. This specification only addresses
canonicalization for xml data. Other forms of
canonicalization can be defined - e.g. a scheme for
signing mime attachments, can define a canonicalization
for mime headers and data. The output of the
canonicalization is digested.
[s09-10] DigestMethod is the algorithm
applied to the data after canonicalization is applied (if
specified) to yield the DigestValue. The
signing of the DigestValue is what binds a
resources content to the signer's key.
This specification does not address mechanisms for
making statements or assertions. Instead, this document
defines what it means for something to be signed by an XML
Signature (integrity,
message
authentication, and/or signer authentication).
Applications that wish to represent other semantics must
rely upon other technologies, such as [XML], [RDF]. For
instance, an application might use a
foo:assuredby attribute within its own markup
to reference a Signature element.
Consequently, it's the application that must understand and
know how to make trust decisions given the validity of the
signature and the meaning of assuredby syntax.
We also define a SignatureProperties element
type for the inclusion of assertions about the signature
itself (e.g., signature semantics, the time of signing or
the serial number of hardware used in cryptographic
processes). Such assertions may be signed by including a
Reference for the
SignatureProperties in
SignedInfo. While the signing application
should be very careful about what it signs (it should
understand what is in the SignatureProperty) a
receiving application has no obligation to understand that
semantic (though its parent trust engine may wish to). Any
content about the signature generation may be located
within the SignatureProperty element. The
mandatory Target attribute references the
Signature element to which the property
applies.
Consider the preceding example with an additional
reference to a local Object that includes a
SignatureProperty element. (Such a signature
would not only be detached [p02]
but enveloping
[p03].)
[ ] <Signature Id="MySecondSignature" ...>
[p01] <SignedInfo>
[ ] ...
[p02] <Reference>
[ ] ...
[ ] </Reference>
[p03] <Reference URI="#AMadeUpTimeStamp">
[p04]
[p05] <Transforms>
[s06] <Transform Algorithm="http://www.w3.org/2008/xmlsec/experimental#newTransformModel">
[s06a] <Selection type="http://www.w3.org/2008/xmlsec/experimental#xml" xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s06b] </Selection>
[s06c] <Canonicalization xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s06d] <Inclusive>false</Inclusive>
[s06e] </Canonicalization>
[p06f] </Transform>
[p07] </Transforms>
[p08] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
[p09] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...</DigestValue>
[p10] </Reference>
[p11] </SignedInfo>
[p12] ...
[p13] <Object>
[p14] <SignatureProperties>
[p15] <SignatureProperty Id="AMadeUpTimeStamp" Target="#MySecondSignature">
[p16] <timestamp xmlns="http://www.ietf.org/rfcXXXX.txt">
[p17] <date>19990914</date>
[p18] <time>14:34:34:34</time>
[p19] </timestamp>
[p20] </SignatureProperty>
[p21] </SignatureProperties>
[p22] </Object>
[p23]</Signature>
[p13] Object is an optional
element for including data objects within the signature
element or elsewhere. The Object can be
optionally typed and/or encoded.
[p14-21] Signature properties, such as time
of signing, can be optionally signed by identifying them
from within a Reference. (These properties are
traditionally called signature "attributes" although that
term has no relationship to the XML term "attribute".)
The Manifest element is provided to meet
additional requirements not directly addressed by the
mandatory parts of this specification. Two requirements and
the way the Manifest satisfies them
follow.
First, applications frequently need to efficiently sign
multiple data objects even where the signature operation
itself is an expensive public key signature. This
requirement can be met by including multiple
Reference elements within
SignedInfo since the inclusion of each digest
secures the data digested. However, some applications may
not want the core
validation behavior associated with this approach
because it requires every Reference within
SignedInfo to undergo reference validation -- the
DigestValue elements are checked. These
applications may wish to reserve reference validation
decision logic to themselves. For example, an application
might receive a signature valid
SignedInfo element that includes three
Reference elements. If a single
Reference fails (the identified data object
when digested does not yield the specified
DigestValue) the signature would fail
core validation.
However, the application may wish to treat the signature
over the two valid Reference elements as valid
or take different actions depending on which fails.
To accomplish this, SignedInfo would reference
a Manifest element that contains one or more
Reference elements (with the same structure as
those in SignedInfo). Then, reference
validation of the Manifest is under
application control.
Second, consider an application where many signatures
(using different keys) are applied to a large number of
documents. An inefficient solution is to have a separate
signature (per key) repeatedly applied to a large
SignedInfo element (with many
References); this is wasteful and redundant. A
more efficient solution is to include many references in a
single Manifest that is then referenced from
multiple Signature elements.
The example below includes a Reference that
signs a Manifest found within the
Object element.
[ ] ...
[m01] <Reference URI="#MyFirstManifest"
[m02] Type="http://www.w3.org/2000/09/xmldsig#Manifest">
[m03] <Transforms>
[m04] <Transform Algorithm="http://www.w3.org/2008/xmlsec/experimental#newTransformModel">
[s04a] <Selection type="http://www.w3.org/2008/xmlsec/experimental#xml" xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s04b] </Selection>
[s04c] <Canonicalization xmlns="http://www.w3.org/2008/xmlsec/experimental#">
[s04d] <Inclusive>false</Inclusive>
[s04e] </Canonicalization>
[p04f] </Transform>
[m05] </Transforms>
[m06] <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
[m07] <DigestValue>dGhpcyBpcyBub3QgYSBzaWduYXR1cmUK...=</DigestValue>
[m08] </Reference>
[ ] ...
[m09] <Object>
[m10] <Manifest Id="MyFirstManifest">
[m11] <Reference>
[m12] ...
[m13] </Reference>
[m14] <Reference>
[m15] ...
[m16] </Reference>
[m17] </Manifest>
[m18] </Object>
The sections below describe the operations to be performed
as part of signature generation and validation.
The REQUIRED steps include the generation of
Reference elements and the
SignatureValue over
SignedInfo.
For each Reference:
-
Decide how to represent the data object as a
Selection.
-
Use the Canonicalization to convert
the data object into an octet stream. This is not
required for binary data.
-
Calculate the digest value over the resulting data
object.
-
Create a Reference element, including
the Selection element, Canonicalization element, the
digest algorithm and the DigestValue.
(Note, it is the canonical form of these references
that are signed in 3.1.2 and validated in 3.2.1
.)
XML data objects should be canonicalized using
Canonical XML 2.0 [XML-C14N20] or later.
-
Create SignedInfo element with
SignatureMethod,
CanonicalizationMethod and
Reference(s).
-
Canonicalize and then calculate the
SignatureValue over
SignedInfo based on algorithms specified
in SignedInfo.
-
Construct the Signature element that
includes SignedInfo,
Object(s) (if desired, encoding may be
different than that used for signing),
KeyInfo (if required), and
SignatureValue.
If the Signature includes same-document references,
[XML] or [XML-schema] validation of the
document might introduce changes that break the
signature. Consequently, applications should be careful
to consistently process the document or refrain from
using external contributions (e.g., defaults and
entities).
The REQUIRED steps of core validation include
-
establishing trust in the signing key mentioned in
the KeyInfo. (Note in some environments,
the signing key is implicitly known, and
KeyInfo is not used at all)
-
checking the Selection in each
Reference to see if the data object
matches with the expected data object.
-
cryptographic signature validation of
the signature calculated over
SignedInfo
-
reference validation,
compute and verify the digest contained in each
Reference in SignedInfo
These steps are present in ascending order of
complexity, which ensures that the verifier rejects invalid
signatures as quickly as possible.
Note, there may be valid signatures that some signature
applications are unable to validate. Reasons for this
include failure to implement optional parts of this
specification, inability or unwillingness to execute
specified algorithms, or inability or unwillingness to
dereference specified URIs (some URI schemes may cause
undesirable side effects), etc.
Comparison of values in reference and signature
validation are over the numeric (e.g., integer) or decoded
octet sequence of the value. Different implementations may
produce different encoded digest and signature values when
processing the same resources because of variances in their
encoding, such as accidental white space. But if one uses
numeric or octet comparison (choose one) on both the stated
and computed values these problems are eliminated.
-
Process the Selection of each
Reference to return a list of data
objects that are included in the signature. For
example each reference in a signature may point to a
different part of the same document. The signature
implementation should return all these parts
(possibly as DOM elements) to the calling
application, which should then compare against its
policy to make sure what was expected to be signed is
actually signed.
It is very important to check the selection
accurately - for example in a Web Services
scenario, if the reference is pointing to a
soap:Body, it is not sufficient to just check the
name of the "soap:Body" element, as it can lead to
wrapping attacks [McIntosh];Instead the application
should check if this soap:Body is in the correct
position, i.e. as a child of the top level
soap:Envelope.
-
Obtain the keying information from 4.5 KeyInfo Element or from
an external source.
-
Canonicalize the SignedInfo element
based on the CanonicalizationMethod
(which must be C14N 2.0 [XML-C14N20]) in
SignedInfo.
-
Use the algorithm from the
SignatureMethod and the key obtained
from KeyInfo to verify the
SignatureValue over the canonicalized
octets.
Note, 4.5 KeyInfo
Element (or some transformed version thereof) may
be signed via a Reference element.
Transformation and validation of this reference (3.2.1)
is orthogonal to Signature Validation which uses the
KeyInfo as parsed.
-
For each Reference in
SignedInfo:
-
Obtain the data object to be digested by
looking at the Selection
-
Perform the Canonicalization to
compute an octet stream.
-
Digest the resulting octet stream using the
DigestMethod specified in its
Reference specification. The
canonicalization and digesting can be combined in
one step for efficiency.
-
Compare the generated digest value against
DigestValue in the
SignedInfoReference; if
there is any mismatch, validation fails.
The general structure of an XML signature is described in
2 Signature Overview and
Examples (section 2). This section provides detailed
syntax of the core signature features. Features described in
this section are mandatory to implement unless otherwise
indicated. The syntax is defined via an [XML-schema] with the following XML
preamble, declaration, and internal entity.
Schema Definition:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:ds CDATA #FIXED "http://www.w3.org/2000/09/xmldsig#">
<!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
targetNamespace="http://www.w3.org/2000/09/xmldsig#"
version="0.1" elementFormDefault="qualified">
Additional markup defined in version 1.1 of this
specification uses the dsig11: namespace, markup
defined in version 2.0 used xmldsig2
namespace.
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema
PUBLIC "-//W3C//DTD XMLSchema 200102//EN" "http://www.w3.org/2001/XMLSchema.dtd"
[
<!ENTITY dsig 'http://www.w3.org/2000/09/xmldsig#'>
<!ENTITY dsig11 'http://www.w3.org/2009/xmldsig11#'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:dsig11="http://www.w3.org/2009/xmldsig11#"
targetNamespace="http://www.w3.org/2009/xmldsig11#"
version="0.1" elementFormDefault="qualified">
This specification defines the
ds:CryptoBinary simple type for representing
arbitrary-length integers (e.g. "bignums") in XML as octet
strings. The integer value is first converted to a "big
endian" bitstring. The bitstring is then padded with
leading zero bits so that the total number of bits == 0 mod
8 (so that there are an integral number of octets). If the
bitstring contains entire leading octets that are zero,
these are removed (so the high-order octet is always
non-zero). This octet string is then base64 [MIME] encoded. (The conversion from
integer to octet string is equivalent to IEEE 1363's I2OSP
[1363] with minimal length).
This type is used by "bignum" values such as
RSAKeyValue and DSAKeyValue. If a
value can be of type base64Binary or
ds:CryptoBinary they are defined as base64Binary.
For example, if the signature algorithm is RSA or DSA then
SignatureValue represents a bignum and could
be ds:CryptoBinary. However, if HMAC-SHA1 is
the signature algorithm then SignatureValue
could have leading zero octets that must be preserved. Thus
SignatureValue is generically defined as of
type base64Binary.
Schema Definition:
<simpleType name="CryptoBinary">
<restriction base="base64Binary">
</restriction>
</simpleType>
The Signature element is the root element
of an XML Signature. Implementation MUST generate
laxly schema valid [XML-schema] Signature
elements as specified by the following schema:
Schema Definition:
<element name="Signature" type="ds:SignatureType"/>
<complexType name="SignatureType">
<sequence>
<element ref="ds:SignedInfo"/>
<element ref="ds:SignatureValue"/>
<element ref="ds:KeyInfo" minOccurs="0"/>
<element ref="ds:Object" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
The SignatureValue element contains the
actual value of the digital signature; it is always encoded
using base64 [MIME]. While we
identify two SignatureMethod algorithms, one
mandatory and one optional to implement, user specified
algorithms may be used as well.
Schema Definition:
<element name="SignatureValue" type="ds:SignatureValueType"/>
<complexType name="SignatureValueType">
<simpleContent>
<extension base="base64Binary">
<attribute name="Id" type="ID" use="optional"/>
</extension>
</simpleContent>
</complexType>
The structure of SignedInfo includes the
canonicalization algorithm, a signature algorithm, and one
or more references. The SignedInfo element may
contain an optional ID attribute that will allow it to be
referenced by other signatures and objects.
SignedInfo does not include explicit
signature or digest properties (such as calculation time,
cryptographic device serial number, etc.). If an
application needs to associate properties with the
signature or digest, it may include such information in a
SignatureProperties element within an
Object element.
Schema Definition:
<element name="SignedInfo" type="ds:SignedInfoType"/>
<complexType name="SignedInfoType">
<sequence>
<element ref="ds:CanonicalizationMethod"/>
<element ref="ds:SignatureMethod"/>
<element ref="ds:Reference" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
CanonicalizationMethod is a required
element that specifies the canonicalization algorithm
applied to the SignedInfo element prior to
performing signature calculations. Only Canonical XML 2.0
[XML-C14N20] or a later
version is allowed here.
The SignedInfo element is presented as a
single subtree with no exclusions to the Canonicalization
2.0 algorithm. All the subelements of
Canonicalization are presented as
parameters.
Schema Definition:
<element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
<complexType name="CanonicalizationMethodType" mixed="true">
<sequence>
<any namespace="##any" minOccurs="0" maxOccurs="unbounded"/>
<!-- (0,unbounded) elements from (1,1) namespace -->
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
SignatureMethod is a required element
that specifies the algorithm used for signature
generation and validation. This algorithm identifies all
cryptographic functions involved in the signature
operation (e.g. hashing, public key algorithms, MACs,
padding, etc.). This element uses the general structure
here for algorithms described in section 6.1: 6.1 Algorithm Identifiers and
Implementation Requirements. While there is a
single identifier, that identifier may specify a format
containing multiple distinct signature values.
Schema Definition:
<element name="SignatureMethod" type="ds:SignatureMethodType"/>
<complexType name="SignatureMethodType" mixed="true">
<sequence>
<element name="HMACOutputLength" minOccurs="0" type="ds:HMACOutputLengthType"/>
<any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
<!-- (0,unbounded) elements from (1,1) external namespace -->
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
The ds:HMACOutputLength parameter is used
for HMAC [HMAC] algorithms. The
parameter specifies a truncation length in bits. If this
parameter is trusted without further verification, then
this can lead to a security bypass [CVE-209-0217]. Signatures MUST be
deemed invalid if the truncation length is below half the
underlying hash algorithm's output length, or 80 bits,
whichever of these two values is greater. Note that some
implementations are known to not accept truncation
lengths that are lower than the underlying hash
algorithm's output length.
Reference is an element that may occur
one or more times. It specifies a Selection
element to select the data object, an optional
Canonicalization element to canonicalize the
data object, a digest algorithm and digest value. An
optional ID attribute permits a Reference to
be referenced from elsewhere.
Schema Definition:
<element name="Reference" type="ds:ReferenceType"/>
<complexType name="ReferenceType">
<sequence>
<element ref="ds:Transforms" minOccurs="0"/>
<element ref="ds:DigestMethod"/>
<element ref="ds:DigestValue"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
<attribute name="URI" type="anyURI" use="optional"/>
<attribute name="Type" type="anyURI" use="optional"/>
</complexType>
Signature 2.0 does not use the Transform mechanism
at all. Instead each reference has a Selection and an
Canonicalization. To allow signature 1.x
implementations to gracefully ignore this new model,
they have been put inside a special
Transform whose Algorithm name is
"http://www.w3.org/2008/xmlsec/experimental#newTransformModel"
All references should have this and only this special
transform.
The Transforms element schema allows a
list of Transform elements, but it should
contain only this special transform. The schema is left
unchanged for backwards compatibility.
Schema Definition:
<element name="Transforms" type="ds:TransformsType"/>
<complexType name="TransformsType">
<sequence>
<element ref="ds:Transform" maxOccurs="unbounded"/>
</sequence>
</complexType>
<element name="Transform" type="ds:TransformType"/>
<complexType name="TransformType" mixed="true">
<choice minOccurs="0" maxOccurs="unbounded">
<any namespace="##other" processContents="lax"/>
<!-- (1,1) elements from (0,unbounded) namespaces -->
<element name="XPath" type="string"/>
</choice>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
Definition for the special transform
Schema definition
<xs:complexType name="XMLSignature2_0Transform">
<xs:sequence>
<xs:element name="Selection" type="ds2:SelectionType"/>
<xs:element name="Canonicalization" type="ds2:CanonicalizationType" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="SelectionType">
<xs:sequence>
<xs:element name="IncludedXPath" type="xs:string" minOccurs="0"/>
<xs:element name="ExcludedXPath" type="xs:string" minOccurs="0"/>
<xs:element name="EnvelopedSignature" type="xs:boolean" minOccurs="0"/>
<xs:element name="ByteRange" type="xs:string" minOccurs="0"/>
<xs:any namespace="##any" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="type" type="xs:string" use="required"/>
<xs:attribute name="subtype" type="xs:string" use="optional"/>
<xs:anyAttribute namespace="##any"/>
</xs:complexType>
<xs:complexType name="CanonicalizationType">
<xs:sequence>
<xs:element name="ExclusiveMode" type="xs:boolean" minOccurs="0"/>
<xs:element name="InclusiveNamespacePrefixList" minOccurs="0">
<xs:simpleType>
<xs:list itemType="xs:string"/>
</xs:simpleType>
</xs:element>
<xs:element name="IgnoreComments" type="xs:boolean" minOccurs="0"/>
<xs:element name="TrimTextNodes " type="xs:boolean" minOccurs="0"/>
<xs:element name="Serialization" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="XML"/>
<xs:enumeration value="EXI"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="PrefixRewrite" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="sequential"/>
<xs:enumeration value="derived"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="SortAttributes" type="xs:boolean" minOccurs="0"/>
<xs:element name="IgnoreDTD" type="xs:boolean" minOccurs="0"/>
<xs:element name="ExpandEntities" type="xs:boolean" minOccurs="0"/>
<xs:element name="XmlBaseAncestors" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="inherit"/>
<xs:enumeration value="combine"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="XmlIdAncestors" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="inherit"/>
<xs:enumeration value=""/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="XmlLangAncestors" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="inherit"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="XmlSpaceAncestors" minOccurs="0">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="inherit"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="XsiTypeAware" type="xs:boolean" minOccurs="0"/>
<xs:any namespace="##any" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="algorithm" type="xs:string" use="required"/>
</xs:complexType>
Example usage
<Transform Algorithm="http://www.w3.org/2008/xmlsec/experimental#newTransformModel">
<Selection type="..." subtype="...">
<IncludedXPath>...</IncludedXPath>
<ExcludedXPath>...</ExcludedXPath>
<EnvelopedSignature>...</EnvelopedSignature>
...
</Selection>
<Canonicalization Algorithm="...c14n20" >
<Inclusive;>...</Inclusive>
...
</Canonicalization>
</Transform>
The Selection element chooses the data
object that is to be signed. The type and
subtype attributes specifies what kind of
data is being signed. type can be
"http://www.w3.org/2008/xmlsec/experimental#xml"
or
"http://www.w3.org/2008/xmlsec/experimental#binary"
or any other user defined value.
| type and subtype |
Parameters |
Meaning |
type="...xml" |
URI,
IncludedXPath,
ExcludedXPath,
EnvelopedSignature
|
Used for identifying XML data objects.
Selects a set of subtrees, with complete
subtree exclusions. This selection model is
compatible with the Canonical XML 2.0 model.
For example
-
URI="#chapter1"indicates
that complete subtree identified by the ID
"chapter1", in current document is being
signed.
-
IncludedXPath="/book/chapter"
indicates that all the subtrees indicated
by "/book/chapter" in the current document
are signed
-
URI="#chapter1" and
ExcludedXPath="price"
indicates the subtree identified by the ID
"chapter1" minus any subtrees with "price"
element are being signed.
-
URI="http://example.com/bar.xml"
indicates that the entire external document
bar.xml is signed
-
URI="http://example.com/bar.xml"
and
IncludedXPath="/book/chapter"indicates
that the /book/chapter subtrees of the
external document bar.xml are signed.
-
URI="http://example.com/bar.xml#chapter1"
and
ExcludedXPath="price"indicates
that the subtree identifiedby ID "chapter1"
in the external document bar.xml is signed,
but from that subtree any subtrees with
"price" element are removed.
Note: it is illegal to use a URI with a
fragment identifier in conjunction with
IncludedXPath.
If the EnvelopedSignature parameter is set,
the subtree for this signature should be
excluded.
|
type = "...binary" and
subtype = "...fromURI" |
URI,
ByteRange
|
This indicates that binary data directly
fetched from an external URI is signed. The URI
should be an external URI without any fragment
ID.
The optional byte range parameter can be
used to indicate that only a portion of the
binary data should be signed. E.g.
byteRange="0-20,220-270,320-"
indicates that the first 20 bytes, then bytes
220 to 270, and finally bytes 320 to end of
file are included.
|
type = "...binary" and
subtype = "...fromBase64Node" |
URI,
IncludedXPath,
ByteRange
|
This indicates that binary data which is
present in the XML as a base64 text node is
being signed. Just like the
type="...xml" an combination of
URI and IncludedXPath attributes can be used to
identify an element have text node children.
These text nodes will be coalesced and then
base64 decoded, to get the binary data. This is
similar to Base64Decode transform, however
Base64Decode transform works with nodeset
containing multiple element nodes, but this one
is only defined for a single element node.
The optional byte range parameter can be
used to indicate that only a portion of the
binary data should be signed.
|
The URI attribute identifies a data
object using a URI-Reference [URI].
The mapping from this attribute's value to a URI
reference MUST be performed as specified in section
3.2.17 of [XML-schema].
Additionally: Some existing implementations are known
to verify the value of the URI attribute against the
grammar in [URI]. It is
therefore safest to perform any necessary escaping
while generating the URI attribute.
We RECOMMEND XML signature applications be able to
dereference URIs in the HTTP scheme. Dereferencing a
URI in the HTTP scheme MUST comply with the
Status Code Definitions of [HTTP] (e.g., 302, 305 and 307
redirects are followed to obtain the entity-body of a
200 status code response). Applications should also be
cognizant of the fact that protocol parameter and state
information, (such as HTTP cookies, HTML device
profiles or content negotiation), may affect the
content yielded by dereferencing a URI.
If a resource is identified by more than one URI,
the most specific should be used (e.g.
http://www.w3.org/2000/06/interop-pressrelease.html.en
instead of
http://www.w3.org/2000/06/interop-pressrelease). (See
the 3.2 Core
Validation (section 3.2.1) for a further
information on reference processing.)
In this specification, a 'same-document' reference
is defined as a URI-Reference that consists of a hash
sign ('#') followed by a fragment or alternatively
consists of an empty URI .
XML Signature applications MUST support the null URI
and shortname XPointer [XPointer-Framework]
(e.g. URI="#foo"). We RECOMMEND support
for the same-document XPointers
'#xpointer(/)' and
'#xpointer(id('ID')) as this was
RECOMMENDED in the 1.x specification. All other support
for XPointers was OPTIONAL in 1.x, but is dropped from
2.0, because it is not compatible with the new
Reference processing model. The
IncludedXPath can be used instead.
Dereferencing a same-document reference MUST result
in a subtree. Dereferencing a null URI
(URI="") MUST result in subtree pointing
to the document root. In a fragment URI, the characters
after the number sign ('#') character conform to the
XPointer syntax [XPointer-Framework].
When processing an XPointer, the application MUST
behave as if the XPointer was evaluated with respect to
the XML document containing the URI
attribute . The application MUST behave as if the
result of XPointer processing [XPointer-Framework] were
a subtree rooted at the element node pointed to by the
XPointer.
The XPath mentioned in the IncludedXPath and
ExcludedXPath are "normal" XPath, i.e. it is not like
the XPath in XPath Filter transform which is evaluated
as a binary expression. Instead this XPath is a path to
the root of the subtree being included or excluded.
E.g. /book/chapter refers to the all chapter children
of all book children of root node. The IncludedXPath
element should only select Element nodes, whereas the
ExcludedXPath element can choose element or attribute
nodes. Again this is consistent with the C14N 2.0 data
model.
We have identified a profile of XPath, with the
following goals in mind.
-
The profile should produce results that are
compatible with the C14N 2.0 data model. I.e it
should only result in element nodes or attribute
nodes (but not xml: attribute and namespace
attributes).
-
It should possible to execute this XPath in a
streamable XPath implementation. The capabilities
of various streamable XPath implementations vary.
Some XPaths cans be executed by even the most
rudimentary streaming XPath implementations e.g.
/book/chapter, whereas some can be
executed by none of them e.g.
child::para[position()=last()-1].
Streaming XPath implementation by definition do a
forward only pass over the document, so knowing
that a particular element's position is last but
one, requires it to reach the end and then
backtrack.
Streaming parsers read the document one "event"
at a time. Usually the entire element tag including
all the attributes are read in a single event,
however text nodes can are often split up into
separate events because some text nodes can be very
large. So any XPath that requires comparison of
text node value may not work in streaming XPath
implementations.
-
This XPath subset should include some of the
known usages of XPath in XML Signatures.
-
ebXML messages require a signature to
exclude elements whose @SOAP:actor
attribute matches a certain value. Refer
section 4.1.3 of [ebXML-Msg]
-
UK government specification requires
signature to include the
GovTalkMessage/Body subtree, but
exclude the
GovTalkMessage/Body/IRevenvelope/IRHeader/IRmark
subtree. [HMRMC]
This subset can be expressed precisely using the
following grammar, which is still under development.
|
Grammar
|
Explanation
|
|
[0a] IncludedXPath ::=
( LocationPath '|' )* LocationPath
[0b] ExcludedXPath ::=
( LocationPath '|' )* LocationPath
|
The Included and Excluded Xpath do not use the generic XPath Expr. Instead they are
just a union of LocationPath. There is a slight difference between IncludedXPath and
ExcludedXPath, ExcludedXpath can select attributes and element, whereas IncludedXPath can
only select elements.
|
|
[1] LocationPath ::=
RelativeLocationPath | AbsoluteLocationPath
[2] AbsoluteLocationPath ::=
'/' RelativeLocationPath? | AbbreviatedAbsoluteLocationPath
[3] RelativeLocationPath ::=
Step | RelativeLocationPath '/'
Step ( StepNoPredicate '/')* Step
| AbbreviatedRelativeLocationPath
|
- RelativeLocationPath is not allowed, only Absolute is allowed. This is because if
you use relative, it would probably mean relative to the <Signature> element, and
then you would have to support the ancestor axis to reach the other nodes, but that axis
is not streamable.
- Only the last Step can have a predicate. So I have created a non-terminal
"StepNoPredicate"
|
|
[4] Step ::=
AxisSpecifier NodeTest Predicate* | AbbreviatedStep
[4a] StepNoPredicate ::=
AxisSpecifier NodeTest | AbbreviatedStep
[4b] StepAttributeOnly ::=
'attribute' '::' NameTest | '@' '::' NameTest
|
Added two new versions of Step.
One is a Step with no Predicate, and the
other is a step attribute only
e.g. in this XPath expression:
/doc/chapter[@type="warning"]
/doc is StepNoPredicatechapter[@type="warning"] is Step@type is StepAttributeOnly
|
|
[5] AxisSpecifier ::=
AxisName '::' | AbbreviatedAxisSpecifier
|
unchanged
|
|
[6] AxisName ::=
'ancestor'
| 'ancestor-or-self'
| 'attribute'
| 'child'
| 'descendant'
| 'descendant-or-self'
| 'following'
| 'following-sibling'
| 'namespace'
| 'parent'
| 'preceding'
| 'preceding-sibling'
| 'self'
|
All the non streamable axes have been removed - ancestor, ancestor-or-self, following,
following-sibling, namespace, parent, preceding, preceding-sibling
|
|
[7] NodeTest ::=
NameTest | NodeType '(' ')'
| 'processing-instruction' '(' Literal ')'
|
processing instruction test is not allowed.
only the node() node test is allowed, not comment(), text() and
processing-instruction()
|
|
[8] Predicate ::= '[' PredicateExpr ']'
[9] PredicateExpr ::= Expr
|
unchanged
but the definition of Expr has changed, so it is only a additive/relative expressions
of StepAttributeOnly and Literals.
|
|
[10] AbbreviatedAbsoluteLocationPath ::=
'//' RelativeLocationPath
[11] AbbreviatedRelativeLocationPath ::=
RelativeLocationPath '//' Step
[12] AbbreviatedStep ::= '.' | '..'
[13] AbbreviatedAxisSpecifier ::= '@'?
|
unchanged
|
|
[14] Expr ::= OrExpr
[15] PrimaryExpr ::=
VariableReference
| '(' Expr ')'
| Literal
| Number
| FunctionCall
|
unchanged
|
|
[16] FunctionCall ::= FunctionName '(' ( Argument ( ',' Argument )* )? ')'
[17] Argument ::= Expr
|
unchanged
|
|
[18] UnionExpr ::=
PathExpr | UnionExpr '|' PathExpr
[19] PathExpr ::=
LocationPath
| FilterExpr
| FilterExpr '/' RelativeLocationPath
| FilterExpr '//' RelativeLocationPath
[20] FilterExpr ::= PrimaryExpr
| FilterExpr Predicate
|
UnionExpr, PathExpr and FilterExpr have been removed.
|
|
[21] OrExpr ::=
AndExpr | OrExpr 'or' AndExpr
[22] AndExpr ::=
EqualityExpr | AndExpr 'and' EqualityExpr
[23] EqualityExpr ::=
RelationalExpr
| EqualityExpr '=' RelationalExpr
| EqualityExpr '!=' RelationalExpr
[24] RelationalExpr ::= AdditiveExpr
| RelationalExpr '<' AdditiveExpr
| RelationalExpr '>' AdditiveExpr
| RelationalExpr '<=' AdditiveExpr
| RelationalExpr '>=' AdditiveExpr
|
unchanged
|
|
[25] AdditiveExpr ::=
MultiplicativeExpr
| AdditiveExpr '+' MultiplicativeExpr
| AdditiveExpr '-' MultiplicativeExpr
[26] MultiplicativeExpr ::= UnaryExpr
| MultiplicativeExpr MultiplyOperator UnaryExpr
| MultiplicativeExpr 'div' UnaryExpr
| MultiplicativeExpr 'mod' UnaryExpr
[27] UnaryExpr ::= UnionExpr
PrimaryExpr
| StepAttributeOnly
| '-' UnaryExpr
|
The unaryExpr is changed to only allow a PrimaryExpr or StepAttributeOnly
|
|
[28] ExprToken ::=
'(' | ')' | '[' | ']' | '.' | '..' | '@' | ',' | '::'
| NameTest
| NodeType
| Operator
| FunctionName
| AxisName
| Literal
| Number
| VariableReference
[29] Literal ::= '"' [^"]* '"' | "'" [^']* "'"
[30] Number ::= Digits ('.' Digits?)? | '.' Digits
[31] Digits ::= [0-9]+
[32] Operator ::=
OperatorName | MultiplyOperator
| '/' | '//' | '|' | '+' | '-' | '=' | '!='
| '<' | '<=' | '>' | '>='
[33] OperatorName ::=
'and' | 'or' | 'mod' | 'div'
[34] MultiplyOperator ::= '*'
[35] FunctionName ::= QName - NodeType
[36] VariableReference ::= '$' QName
[37] NameTest ::=
'*' | NCName ':' '*' | QName
[38] NodeType ::=
'comment'
| 'text'
| 'processing-instruction'
| 'node'
[39] ExprWhitespace ::= S
|
unchanged, expect for the NodeTest
|
|
Node set functions
-
last()
-
position()
-
count(nodeset)
-
id()
-
local-name(nodeset)
-
namespace-uri(nodeset)
-
name(nodeset)
String functions
-
string(object)
-
concat(string, string, string*)
-
starts-with(string, string)
-
contains(string, string)
-
substring-before(string, string)
-
substring-after(string, string)
-
substring(string, number, number)
-
string-length(string?)
-
normalize-space(string?)
Boolean functions
-
boolean(object)
-
true()
-
false()
-
lang(string)
Number functions
-
number(object?)
-
sum(node-set)
-
floor(number)
-
ceiling(number)
-
round(number)
|
Note:
As mentioned before, only the last Step can have a Predicate, and this predicate's
expression can only involve attribute nodes of the current element. Functions can only be
used inside this last step's predicate, and this function can only accept a single
attribute as an argument. There is no way to use element names, text nodes,
comments and processing instructions in functions.
The "string-value" become just the attributes value.
All functions involving context position and context size are not supported i.e.. last,
position, count or their shortcut versions e.g. foo[1]. the streaming parser cannot
maintain counts.
String, number and boolean functions are all supported.
|
Here is an algorithm for Streaming XPath. For
simplicity this algorithm assumes that excludedXPath is
not present:
For parsing:
-
Split up the union expression by
"|". i.e. break up the
locationPath | locationPath | .. into
individual location paths.
-
Split up each location paths to get individual
steps and the final predicate. i.e. break up the
/ step / step / step .. / step [ predicate
] to get the steps and optional predicate.
Two slashes together indicates descendant axis.
-
The predicate will have an expression involving
attribute names e.g. @a = "foo" and
@b > "bar" You need to have an
expression parsing and evaluating engine to do
this.
For executing:
-
A streaming XML Parser (e.g. StAX), reads an XML
document and produces "events" like StartElement,
EndElement, TextNode etc. At any point this parser
only remembers the current node. If the current
node is an start element, then it also reads all
the attributes for that element. To execute a
streaming XPath you maintain a stack of ancestor
element names, i.e whenever you get a StartElement
tag, you need to push the element QName onto this
stack, and when you get an EndElement tag you need
to pop it off.
-
As you stream through the nodes, you need to
execute this XPath expression for every node. I.e.
utilize the current element, the current element's
attributes and the stack of ancestors to evaluate
the XPath expression.
For each locationPath, match up the
steps to the ancestor stack, If they
match, evaluate the predicate with the current
element's expression. If that passes too, this
element and all its descendants are included.
The processing of these Selection
depends on the type and
subtype attributes.
DigestMethod is a required element that
identifies the digest algorithm to be applied to the
signed object. This element uses the general structure
here for algorithms specified in 6.1 Algorithm Identifiers and
Implementation Requirements (section 6.1).
The digest algorithm is applied to the data octets
of the octet stream that results from canonicalization
of the data object in the Reference. Note if the data
object is an octet stream then canonicalization is
optional, in which case the data object is directly
digested.
Schema Definition:
<element name="DigestMethod" type="ds:DigestMethodType"/>
<complexType name="DigestMethodType" mixed="true">
<sequence>
<any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Algorithm" type="anyURI" use="required"/>
</complexType>
DigestValue is an element that contains the encoded
value of the digest. The digest is always encoded using
base64 [MIME].
Schema Definition:
<element name="DigestValue" type="ds:DigestValueType"/>
<simpleType name="DigestValueType">
<restriction base="base64Binary"/>
</simpleType>
This section will be derived from XML Signature 1.1 but
has not yet been added. Please refer to XML Signature 1.1
[XMLDSIG11]. Note the
Transforms inside the
RetrievalMethod is deprecated.
- Identifier
-
Type= "http://www.w3.org/2000/09/xmldsig#Object"
(this can be used within a Reference
element to identify the referent's type)
Object is an optional element that may
occur one or more times. When present, this element may
contain any data. The Object element may
include optional MIME type, ID, and encoding
attributes.
The Object's Encoding
attributed may be used to provide a URI that identifies the
method by which the object is encoded (e.g., a binary
file).
The MimeType attribute is an optional
attribute which describes the data within the
Object (independent of its encoding). This is
a string with values defined by [MIME]. For example, if the
Object contains base64 encoded PNG, the
Encoding may be specified as
'http://www.w3.org/2000/09/xmldsig#base64' and the
MimeType as 'image/png'. This attribute is
purely advisory; no validation of the MimeType
information is required by this specification. Applications
which require normative type and encoding information for
signature validation should specify 4.4.3.1 Transforms Element
with well defined resulting types and/or encodings.
The Object's Id is commonly
referenced from a Reference in
SignedInfo, or Manifest. This
element is typically used for enveloping signatures where
the object being signed is to be included in the signature
element. The digest is calculated over the entire
Object element including start and end
tags.
Note, if the application wishes to exclude the
<Object> tags from the digest
calculation the Reference must identify the
actual data object (easy for XML documents) or a transform
must be used to remove the Object tags (likely
where the data object is non-XML). Exclusion of the object
tags may be desired for cases where one wants the signature
to remain valid if the data object is moved from inside a
signature to outside the signature (or vice versa), or
where the content of the Object is an encoding
of an original binary document and it is desired to extract
and decode so as to sign the original bitwise
representation.
Schema Definition:
<element name="Object" type="ds:ObjectType"/>
<complexType name="ObjectType" mixed="true">
<sequence minOccurs="0" maxOccurs="unbounded">
<any namespace="##any" processContents="lax"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
<attribute name="MimeType" type="string" use="optional"/>
<attribute name="Encoding" type="anyURI" use="optional"/>
</complexType>
This section describes the optional to implement
Manifest and SignatureProperties
elements and describes the handling of XML processing
instructions and comments. With respect to the elements
Manifest and SignatureProperties
this section specifies syntax and little behavior -- it is
left to the application. These elements can appear anywhere
the parent's content model permits; the
Signature content model only permits them within
Object.
- Identifier
-
Type= "http://www.w3.org/2000/09/xmldsig#Manifest"
(this can be used within a Reference
element to identify the referent's type)
The Manifest element provides a list of
References. The difference from the list in
SignedInfo is that it is application defined
which, if any, of the digests are actually checked against
the objects referenced and what to do if the object is
inaccessible or the digest compare fails. If a
Manifest is pointed to from
SignedInfo, the digest over the
Manifest itself will be checked by the core
signature validation behavior. The digests within such a
Manifest are checked at the application's
discretion. If a Manifest is referenced from
another Manifest, even the overall digest of
this two level deep Manifest might not be
checked.
Schema Definition:
<element name="Manifest" type="ds:ManifestType"/>
<complexType name="ManifestType">
<sequence>
<element ref="ds:Reference" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
- Identifier
-
Type="
http://www.w3.org/2000/09/xmldsig#SignatureProperties"
(this can be used within a Reference
element to identify the referent's type)
Additional information items concerning the generation
of the signature(s) can be placed in a
SignatureProperty element (i.e., date/time
stamp or the serial number of cryptographic hardware used
in signature generation).
Schema Definition:
<element name="SignatureProperties" type="ds:SignaturePropertiesType"/>
<complexType name="SignaturePropertiesType">
<sequence>
<element ref="ds:SignatureProperty" maxOccurs="unbounded"/>
</sequence>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
<element name="SignatureProperty" type="ds:SignaturePropertyType"/>
<complexType name="SignaturePropertyType" mixed="true">
<choice maxOccurs="unbounded">
<any namespace="##other" processContents="lax"/>
<!-- (1,1) elements from (1,unbounded) namespaces -->
</choice>
<attribute name="Target" type="anyURI" use="required"/>
<attribute name="Id" type="ID" use="optional"/>
</complexType>
No XML processing instructions (PIs) are used by this
specification.
Note that PIs placed inside SignedInfo by
an application will be signed unless the
CanonicalizationMethod algorithm discards
them. (This is true for any signed XML content.) All of the
CanonicalizationMethods identified within this
specification retain PIs. When a PI is part of content that
is signed (e.g., within SignedInfo or
referenced XML documents) any change to the PI will
obviously result in a signature failure.
XML comments are not used by this specification.
Note that unless CanonicalizationMethod
removes comments within SignedInfo or any
other referenced XML (which [XML-C14N] does), they will be signed.
Consequently, if they are retained, a change to the comment
will cause a signature failure. Similarly, the XML
signature over any XML data will be sensitive to comment
changes unless a comment-ignoring
canonicalization/transform method, such as the Canonical
XML [XML-C14N], is
specified.
This section will be derived from XML Signature 1.1 but
has not yet been added. Please refer to XML Signature 1.1
[XMLDSIG11].
Digital signatures only work if the verification
calculations are performed on exactly the same bits as the
signing calculations. If the surface representation of the
signed data can change between signing and verification, then
some way to standardize the changeable aspect must be used
before signing and verification. For example, even for simple
ASCII text there are at least three widely used line ending
sequences. If it is possible for signed text to be modified
from one line ending convention to another between the time
of signing and signature verification, then the line endings
need to be canonicalized to a standard form before signing
and verification or the signatures will break.
XML is subject to surface representation changes and to
processing which discards some surface information. For this
reason, XML digital signatures have a provision for
indicating canonicalization methods in the signature so that
a verifier can use the same canonicalization as the
signer.
Throughout this specification we distinguish between the
canonicalization of a Signature element and
other signed XML data objects. It is possible for an isolated
XML document to be treated as if it were binary data so that
no changes can occur. In that case, the digest of the
document will not change and it need not be canonicalized if
it is signed and verified as such. However, XML that is read
and processed using standard XML parsing and processing
techniques is frequently changed such that some of its
surface representation information is lost or modified. In
particular, this will occur in many cases for the
Signature and enclosed SignedInfo
elements since they, and possibly an encompassing XML
document, will be processed as XML.
Similarly, these considerations apply to
Manifest, Object, and
SignatureProperties elements if those elements
have been digested, their DigestValue is to be
checked, and they are being processed as XML.
The kinds of changes in XML that may need to be
canonicalized can be divided into four categories. There are
those related to the basic [XML], as
described in 7.1 XML 1.0, Syntax
Constraints, and Canonicalization below. There are
those related to [DOM], [SAX], or similar processing as described in
7.2 DOM/SAX Processing and
Canonicalization below. Third, there is the
possibility of coded character set conversion, such as
between UTF-8 and UTF-16, both of which all [XML] compliant processors are required to
support, which is described in the paragraph immediately
below. And, fourth, there are changes that related to
namespace declaration and XML namespace attribute context as
described in 7.3 Namespace
Context and Portable Signatures below.
Any canonicalization algorithm should yield output in a
specific fixed coded character set. All canonicalization
6.4 Canonicalization
Algorithms identified in this document use UTF-8
(without a byte order mark (BOM)) and do not provide
character normalization. We RECOMMEND that signature
applications create XML content (Signature
elements and their descendants/content) in Normalization Form
C [NFC], [NFC-Corrigendum] and check that
any XML being consumed is in that form as well; (if not,
signatures may consequently fail to validate). Additionally,
none of these algorithms provide data type normalization.
Applications that normalize data types in varying formats
(e.g., (true, false) or (1,0)) may not be able to validate
each other's signatures.
XML 1.0 [XML] defines an
interface where a conformant application reading XML is
given certain information from that XML and not other
information. In particular,
-
line endings are normalized to the single character
#xA by dropping #xD characters if they are immediately
followed by a #xA and replacing them with #xA in all
other cases,
-
missing attributes declared to have default values
are provided to the application as if present with the
default value,
-
character references are replaced with the
corresponding character,
-
entity references are replaced with the
corresponding declared entity,
-
attribute values are normalized by
-
replacing character and entity references as
above,
-
replacing occurrences of #x9, #xA, and #xD with
#x20 (space) except that the sequence #xD#xA is
replaced by a single space, and
-
if the attribute is not declared to be CDATA,
stripping all leading and trailing spaces and
replacing all interior runs of spaces with a single
space.
Note that items (2), (4), and (5.3) depend on the
presence of a schema, DTD or similar declarations. The
Signature element type is
laxly schema valid [XML-schema], consequently external
XML or even XML within the same document as the signature
may be (only) well-formed or from another namespace (where
permitted by the signature schema); the noted items may not
be present. Thus, a signature with such content will only
be verifiable by other signature applications if the
following syntax constraints are observed when generating
any signed material including the SignedInfo
element:
-
attributes having default values be explicitly
present,
-
all entity references (except "amp", "lt", "gt",
"apos", "quot", and other character entities not
representable in the encoding chosen) be expanded,
-
attribute value white space be normalized
In addition to the canonicalization and syntax
constraints discussed above, many XML applications use the
Document Object Model [DOM] or the
Simple API for XML [SAX]. DOM maps
XML into a tree structure of nodes and typically assumes it
will be used on an entire document with subsequent
processing being done on this tree. SAX converts XML into a
series of events such as a start tag, content, etc. In
either case, many surface characteristics such as the
ordering of attributes and insignificant white space within
start/end tags is lost. In addition, namespace declarations
are mapped over the nodes to which they apply, losing the
namespace prefixes in the source text and, in most cases,
losing where namespace declarations appeared in the
original instance.
If an XML Signature is to be produced or verified on a
system using the DOM or SAX processing, a canonical method
is needed to serialize the relevant part of a DOM tree or
sequence of SAX events. XML canonicalization
specifications, such as [XML-C14N], are based only on
information which is preserved by DOM and SAX. For an XML
Signature to be verifiable by an implementation using DOM
or SAX, not only must the 7.1 XML
1.0, Syntax Constraints, and Canonicalization be
followed but an appropriate XML canonicalization MUST be
specified so that the verifier can re-serialize DOM/SAX
mediated input into the same octet stream that was
signed.
In [XPath] and consequently the
Canonical XML data model an element has namespace nodes
that correspond to those declarations within the element
and its ancestors:
An element E has namespace nodes that
represent its namespace declarations as well
as
- any namespace declarations made by its ancestors
that have not been overridden in E's
declarations,
- the default namespace if it is non-empty, and
- the declaration of the prefix
xml.
[XML-C14N]
When serializing a Signature element or
signed XML data that's the child of other elements using
these data models, that Signature element and
its children, may contain namespace declarations from its
ancestor context. In addition, the Canonical XML and
Canonical XML with Comments algorithms import all xml
namespace attributes (such as xml:lang) from
the nearest ancestor in which they are declared to the apex
node of canonicalized XML unless they are already declared
at that node. This may frustrate the intent of the signer
to create a signature in one context which remains valid in
another. For example, given a signature which is a child of
B and a grandchild of A:
<A xmlns:n1="&foo;">
<B xmlns:n2="&bar;">
<Signature xmlns="&dsig;"> ...
<Reference URI="#signme"/> ...
</Signature>
<C ID="signme" xmlns="&baz;"/>
</B>
</A>
when either the element B or the signed
element C is moved into a [SOAP] envelope for transport:
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
...
<SOAP:Body>
<B xmlns:n2="&bar;">
<Signature xmlns="&dsig;">
...
</Signature>
<C ID="signme" xmlns="&baz;"/>
</B>
</SOAP:Body>
</SOAP:Envelope>
The canonical form of the signature in this context will
contain new namespace declarations from the
SOAP:Envelope context, invalidating the
signature. Also, the canonical form will lack namespace
declarations it may have originally had from element
A's context, also invalidating the signature.
To avoid these problems, the application may:
-
Rely upon the enveloping application to properly
divorce its body (the signature payload) from the
context (the envelope) before the signature is
validated. Or,
-
Use a canonicalization method that "repels/excludes"
instead of "attracts" ancestor context. [XML-C14N] purposefully attracts
such context.
The main change in Signature 2.0 is the replacement of the
Transform model of Signature 1.x. The 1.x transform model is
very general and open-ended, which complicates implementation
and allows for misuse, leading to performance and security
difficulties. Instead it has been replaced by a more
declarative syntax, that clearly separates selection and
canonicalization.
Although this approach takes away a the flexibility that
was possible with Transforms, loss of flexibility is actually
a good thing for reducing the attack surface. Often signature
verification is performed on completely untrusted messages,
and these message might contain attacks exploiting the
expressiveness of transforms. The verifier needs to be able
to reject these attack messages very quickly. The new
declarative way of expressing the selection allows does not
require the verifier to run any processing on the message to
determine what was signed, thereby reducing the likelihood of
denial of service attacks.
But these modifications are done in such a way that the
older Transform model is still allowed - it is just
deprecated. It is expected that implementations support both
models for some time, and then gradually migrate to the new
model. Many 1.0 signatures can be expressed in the 2.0
syntax, so a new implementation which supports only 2.0 style
signatures, can also process 1.x signatures by converting
them into the 2.0 syntax. The reverse is also true, many 2.0
signatures can be expressed in 1.0 syntax as well.
1.3 Versions, Namespaces and
Identifiers :
2 Signature Overview and
Examples :
2.1 Simple Example (Signature,
SignedInfo, Methods, and Reference)s :
2.1.1 More on
Reference :
-
This example has also been modified to show the
<Selection> and
<Canonicalization> elements.
-
The explanation mentions that this spec only defines
two types of data "xml" and "binary", but it allows user
specified types e.g. "database-rows".
2.2 Extended Example
(Object and SignatureProperty) :
-
This example has also been modified to show the
<Selection> and
<Canonicalization> elements.
-
In Signature 1.x the optional Type attribute of
Reference provides information about the resource
identified by the URI. In particular, it can indicate
that it is an Object,
SignatureProperty, or Manifest
element. This is not used any more in Signature 2.0.
Instead the type attribute in
Selection provides information about the
resource identified by the URI. However this is a
different kind of information,
Selection@type doesn't distinguish between
Object, Manifest and SignatureProperty, instead it
distinguishes between xml and binary content.
2.3 Extended Example (Object
and Manifest) :
3.1.1 Reference
Generation :
3.2 Core
Validation :
-
The code validation steps have been rearranged in
order of execution complexity to ensure that the verifier
rejects invalid signatures as quickly as possible, which
would minimize denial of service attacks. Specifically
Signature 1.x has Reference Validation was the first
step, but this a very expensive step and it can
potentially have many attack points, so in 2.0 it has
been moved to the last step.
3.2.1 Selection
Validation :
3.2.2 Signature
Validation :
-
Signature 1.x asked to convert the SignatureMethod to
canonical form, but this is removed in 2.0, because
canonicalization to bytes and then parsing those bytes
back to xml are expensive operations. Canonicalization
2.0 should not change any URIs, so there is no need to
perform this expensive step.
-
In Signature 1.x canonicalization of SignedInfo was
part of the Reference Validation, but in 2.x it has been
moved to Signature validation.
3.2.3 Reference
Validation :
4.4.1
CanonicalizationMethod Element :
-
Unlike Signature 1.x, other alternative
canonicalization algorithms are not allowed. Canonical
XML 2.0 must be used.
-
Security concerns about other canonicalization
algorithms rewriting the URIs or massively transforming
the SignedInfo are not applicable any more. Text based
canonicalization algorithms are not allowed either.
-
Since there is only a fixed Canonicalization
algorithm, the way in which the SignedInfo
is presented to the Canonicalization algorithm is clearly
defined. Canonical XML 2.0 expects subtrees and the whole
SignedInfo goes in as a subtree.
4.4.3 Reference
Element :
-
Reference does not have a list of
Transforms, instead has a
Selection and Canonicalization
element.
-
Reference does not use use the
Type attribute, although it is still present
in the schema for backwards compatibility.
4.4.3.2 Selection
element :
4.4.3.3 URI Attribute :
-
The Type attribute of
Reference is no longer used. Instead there
is a type attribute in
Selection. In 1.x. "The Type attribute
applies to the item being pointed at, not its contents.",
but the Selection@type attribute applies to
the contents, not to the item.
-
Apart from #xpointer(/)' and
'#xpointer(id('ID'))' all other forms of
Xpointer are disallowed in 2.0. In 1.x they were
"discouraged".
4.4.3.4 Same-Document
URI-References :
-
Dereferencing a same document reference doesn't result
in a nodeset, but in a subtree.
-
In 1.x there was a difference between
URI="" and URI='#xpointer(/)',
the latter did not strip out comments. In 2.0 this
distinction is gone - both of the them produce the same
result - the complete document, which includes all
comments
-
Similarly URI="#foo" and
URI="#xpointer(id('foo'))" produce exactly
the same results - a subtree rooted at the element with
ID foo, including all comments.
4.4.3.1 Transforms
Element :
4.4.3.6
Reference Processing Model :
-
The reference processing model is completely changed,
Transforms do not exist any more, instead they have been
broken up into two distinct steps Selection which
specifies how the data object is selection, and
Canoncalization which converts the data object to octet
stream.
-
Unlike Signature 1.x, Signature 2.x does not use the
XPath data model at all. There is conversion in between
XPath nodeset and octet stream to match impedance between
transforms.
- Authentication Code(Protected
Checksum)
-
A value generated from the application of a shared key
to a message via a cryptographic algorithm such that it
has the properties of message authentication
(and integrity) but
not signer
authentication. Equivalent to protected
checksum, "A checksum that is computed for a data
object by means that protect against active attacks that
would attempt to change the checksum to make it match
changes made to the data object." [SEC]
- Authentication,
Message
-
The property, given an authentication
code/protected checksum, that
tampering with both the data and checksum, so as to
introduce changes while seemingly preserving integrity, are still detected.
"A signature should identify what is signed, making it
impracticable to falsify or alter either the signed
matter or the signature without detection." [Digital
Signature Guidelines, ABA].
- Authentication, Signer
-
The property that the identity of the signer is as
claimed. "A signature should indicate who signed a
document, message or record, and should be difficult for
another person to produce without authorization."
[Digital
Signature Guidelines, ABA] Note, signer authentication is an
application decision (e.g., does the signing key actually
correspond to a specific identity) that is supported by,
but out of scope, of this specification.
- Checksum
-
"A value that (a) is computed by a function that is
dependent on the contents of a data object and (b) is
stored or transmitted together with the object, for the
purpose of detecting changes in the data."
[SEC]
- Core
-
The syntax and processing defined by this
specification, including core validation. We use this
term to distinguish other markup, processing, and
applications semantics from our own.
- Data Object (Content/Document)
-
The actual binary/octet data being operated on
(transformed, digested, or signed) by an application --
frequently an
HTTP entity [HTTP].
Note that the proper noun Object designates
a specific XML element. Occasionally we refer to a data
object as a document or as a resource's content. The
term element content is used to describe the
data between XML start and end tags [XML]. The term XML document is
used to describe data objects which conform to the XML
specification [XML].
- Integrity
-
"The property that data has not been changed,
destroyed, or lost in an unauthorized or accidental
manner." [SEC] A simple
checksum can provide
integrity from incidental changes in the data; message
authentication is similar but also protects against
an active attack to alter the data whereby a change in
the checksum is introduced so as to match the change in
the data.
- Object
-
An XML Signature element wherein arbitrary
(non-core) data may be
placed. An Object element is merely one type
of digital data (or document) that can be signed via a
Reference.
- Resource
-
"A resource can be anything that has identity.
Familiar examples include an electronic document, an
image, a service (e.g., 'today's weather report for Los
Angeles'), and a collection of other resources.... The
resource is the conceptual mapping to an entity or set of
entities, not necessarily the entity which corresponds to
that mapping at any particular instance in time. Thus, a
resource can remain constant even when its content---the
entities to which it currently corresponds---changes over
time, provided that the conceptual mapping is not changed
in the process." [URI] In
order to avoid a collision of the term entity
within the URI and XML specifications, we use the term
data object, content or
document to refer to the actual bits/octets
being operated upon.
- Signature
-
Formally speaking, a value generated from the
application of a private key to a message via a
cryptographic algorithm such that it has the properties
of integrity,
message
authentication and/or signer authentication.
(However, we sometimes use the term signature generically
such that it encompasses Authentication Code values
as well, but we are careful to make the distinction when
the property of signer authentication is
relevant to the exposition.) A signature may be
(non-exclusively) described as detached, enveloping, or enveloped.
- Signature, Application
-
An application that implements the MANDATORY
(REQUIRED/MUST) portions of this specification; these
conformance requirements are over application behavior,
the structure of the Signature element type
and its children (including SignatureValue)
and the specified algorithms.
- Signature, Detached
-
The signature is over content external to the
Signature element, and can be identified via
a URI or transform. Consequently, the
signature is "detached" from the content it signs. This
definition typically applies to separate data objects,
but it also includes the instance where the
Signature and data object reside within the
same XML document but are sibling elements.
- Signature, Enveloping
-
The signature is over content found within an
Object element of the signature itself. The
Object (or its content) is identified via a
Reference (via a URI fragment
identifier or transform).
- Signature, Enveloped
-
The signature is over the XML content that contains
the signature as an element. The content provides the
root XML document element. Obviously, enveloped
signatures must take care not to include their own value
in the calculation of the
SignatureValue.
- Transform
-
The processing of a data from its source to its
derived form. Typical transforms include XML
Canonicalization, XPath, and XSLT.
- Validation, Core
-
The core processing requirements of this specification
requiring signature validation and
SignedInfo reference validation.
- Validation, Reference
-
The hash value of the identified and transformed
content, specified by Reference, matches its
specified DigestValue.
- Validation, Signature
-
The SignatureValue matches the result of
processing SignedInfo with
CanonicalizationMethod and
SignatureMethod as specified in Core Validation (section
3.2).
- Validation,
Trust/Application
-
The application determines that the semantics
associated with a signature are valid. For example, an
application may validate the time stamps or the integrity
of the signer key -- though this behavior is external to
this core
specification.
- http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/
- 1363
- IEEE 1363: Standard Specifications for Public Key
Cryptography. August 2000.
- ABA
- Digital
Signature Guidelines. http://www.abanet.org/scitech/ec/isc/dsgfree.html
- ANSI-X9-62
- ANSI X9.62:2005.
ANSI X9.62:2005 Temporarily here... 2005. http://nist.gov/
- CVE-209-0217
-
CVE-2009-0217, Common Vulnerabilities and Exposures
List
- DOM
- Document
Object Model (DOM) Level 1 Specification. W3C
Recommendation. V. Apparao, S. Byrne, M. Champion, S.
Isaacs, I. Jacobs, A. Le Hors, G. Nicol, J. Robie, R.
Sutor, C. Wilson, L. Wood. October 1998. http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/
- DSS
-
FIPS PUB 186-3. Digital Signature Standard
(DSS). U.S. Department of Commerce/National Institute
of Standards and Technology.
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
- HMAC
- RFC
2104. HMAC: Keyed-Hashing for Message
Authentication. H. Krawczyk, M. Bellare, R. Canetti.
February 1997. http://www.ietf.org/rfc/rfc2104.txt
- HMRMC
- HM
Revenue and customs Her Majesty's Revenue and Customs.
Sample
response message with XML signature
- HTTP
- RFC
2616. Hypertext Transfer Protocol -- HTTP/1.1.
J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T.
Berners-Lee. June 1999. http://www.ietf.org/rfc/rfc2616.txt
- KEYWORDS
- RFC
2119. Key words for use in RFCs to Indicate
Requirement Levels. S. Bradner. March 1997. http://www.ietf.org/rfc/rfc2119.txt
- LDAP-DN
- RFC4514 .
Lightweight Directory Access Protocol : String
Representation of Distinguished Names. K. Zeilenga,
Ed. June 2006. http://www.ietf.org/rfc/rfc2253.txt
http://www.ietf.org/rfc/rfc4514.txt
- MD5
- RFC
1321. The MD5 Message-Digest Algorithm. R.
Rivest. April 1992. http://www.ietf.org/rfc/rfc1321.txt
- MIME
- RFC
2045. Multipurpose Internet Mail Extensions (MIME)
Part One: Format of Internet Message Bodies. N. Freed
& N. Borenstein. November 1996. http://www.ietf.org/rfc/rfc2045.txt
- NFC
- TR15, Unicode Normalization Forms. M. Davis,
M. Dürst. Revision 18: November 1999. http://www.unicode.org/unicode/reports/tr15/tr15-18.html.
- NFC-Corrigendum
- Normalization Corrigendum. The Unicode
Consortium.
http://www.unicode.org/unicode/uni2errata/Normalization_Corrigendum.html.
- OCSP
- RFC
2560. X.509 Internet Public Key Infrastructure
Online Certificate Status Protocol - OCSP. M. Myers,
R. Ankney, A. Malpani S. Galperin, C. Adams. June 1999.
http://www.ietf.org/rfc/rfc2560.txt
- PGP
- RFC
2440. OpenPGP Message Format. J. Callas, L.
Donnerhacke, H. Finney, R. Thayer. November 1998. http://www.ietf.org/rfc/rfc2440.txt
- PKCS1
- RFC
2437. PKCS #1: RSA Cryptography Specifications
Version 2.0. B. Kaliski, J. Staddon. October 1998.
http://www.ietf.org/rfc/rfc2437.txt
- RANDOM
- RFC
1750. Randomness Recommendations for Security.
D. Eastlake, S. Crocker, J. Schiller. December 1994.
http://www.ietf.org/rfc/rfc1750.txt
- RDF
- Resource
Description Framework (RDF) Schema Specification 1.0.
W3C Candidate Recommendation. D. Brickley, R.V. Guha. March
2000. http://www.w3.org/TR/2000/CR-rdf-schema-20000327/
Resource
Description Framework (RDF) Model and Syntax
Specification. W3C Recommendation. O. Lassila, R.
Swick. February 1999. http://www.w3.org/TR/1999/REC-rdf-syntax-19990222/
- RFC3279
- RFC
3279Algorithms and Identifiers for the Internet X.509
Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile. W. Polk, R. Housley, L.
Bassham. April 2002.http://www.ietf.org/rfc/rfc3279.txt
- RFC4050
- RFC
4050. Using the Elliptic Curve Signature Algorithm
(ECDSA) for XML Digital Signatures. S. Blake-Wilson, G.
Karlinger, T. Kobayashi, Y. Wang. April 2005. http://www.ietf.org/rfc/rfc4050.txt
- RFC5280
- RFC
5280. Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile.
D. Cooper, et. al. May 2008. http://www.ietf.org/rfc/rfc5280.txt
- RFC5480
- RFC
5480. Elliptic Curve Cryptography Subject Public Key
Information. S. Turner, et. al. March 2009. http://www.ietf.org/rfc/rfc5480.txt
- SAX
- SAX:
The Simple API for XML. D. Megginson, et al. May 1998.
http://www.megginson.com/downloads/SAX/
- SEC
- RFC
2828. Internet Security Glossary. R. Shirey.
May 2000. http://www.faqs.org/rfcs/rfc2828.html
- SECG
- SEC
1. SEC 1: Elliptic Curve Cryptography, Version 1.0,
Standards for Efficient Cryptography Group, September 2000.
http://www.secg.org/download/aid-385/sec1_final.pdf
- SECG2
- SEC
2. SEC 2: Elliptic Curve Cryptography, Version 1.0,
Standards for Efficient Cryptography Group, September 2000.
http://www.secg.org/download/aid-386/sec2_final.pdf
- SHA-1
-
FIPS PUB 180-3. Secure Hash Standard. U.S.
Department of Commerce/National Institute of Standards and
Technology.
http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
- SHA-1-Analysis
- McDonald, C., Hawkes, P., and J. Pieprzyk.
SHA-1 collisions now 2^52 , EuroCrypt 2009 Rump
session.
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
- SHA-256
-
FIPS PUB 180-3. Secure Hash Standard. U.S.
Department of Commerce/National Institute of Standards and
Technology.
http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
- SHA-384
-
FIPS PUB 180-3. Secure Hash Standard. U.S.
Department of Commerce/National Institute of Standards and
Technology.
http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
- SHA-512
-
FIPS PUB 180-3. Secure Hash Standard. U.S.
Department of Commerce/National Institute of Standards and
Technology.
http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf
- SOAP
- Simple
Object Access Protocol (SOAP) Version 1.1. W3C Note. D.
Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn,
H. Frystyk Nielsen, S. Thatte, D. Winer. May 2001. http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
- SP800-57
-
SP 800-57. Recommendation for Key Management – Part
1: General (Revised). U.S. Department of
Commerce/National Institute of Standards and Technology.
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
- URI
- RFC
3986. Uniform Resource Identifiers (URI): Generic
Syntax. T. Berners-Lee, R. Fielding, L. Masinter.
January 2005. http://www.ietf.org/rfc/rfc3986.txt
- URL
- RFC
1738. Uniform Resource Locators (URL). T.
Berners-Lee, L. Masinter, and M. McCahill. December 1994.
http://www.ietf.org/rfc/rfc1738.txt
- URN
- RFC
2141. URN Syntax. R. Moats. May 1997. http://www.ietf.org/rfc/rfc2141.txt
RFC 2611.
URN Namespace Definition Mechanisms. L. Daigle, D.
van Gulik, R. Iannella, P. Falstrom. June 1999. http://www.ietf.org/rfc/rfc2611.txt
- URN-OID
- RFC
3061. A URN Namespace of Object Identifiers.
M. Mealling. February 2001. http://www.ietf.org/rfc/rfc3061.txt
- UTF-16
- RFC
2781. UTF-16, an encoding of ISO 10646. P.
Hoffman , F. Yergeau. February 2000. http://www.ietf.org/rfc/rfc2781.txt
- UTF-8
- RFC
2279. UTF-8, a transformation format of ISO
10646. F. Yergeau. January 1998. http://www.ietf.org/rfc/rfc2279.txt
- X509v3
- ITU-T Recommendation X.509 version 3 (1997).
"Information Technology - Open Systems Interconnection -
The Directory Authentication Framework" ISO/IEC
9594-8:1997.
- XHTML
- XHTML(tm)
1.0: The Extensible Hypertext Markup Language. W3C
Recommendation. S. Pemberton, D. Raggett, et al. January
2000. http://www.w3.org/TR/2000/REC-xhtml1-20000126/
- XLink
- XML Linking
Language. W3C Recommendation. S. DeRose, E. Maler, D.
Orchard. June 2001. http://www.w3.org/TR/2001/REC-xlink-20010627/
- XML
- Extensible
Markup Language (XML) 1.0 (Fourth Edition). W3C
Recommendation T. Bray, E. Maler, J. Paoli, C. M.
Sperberg-McQueen, F.Yergeau. 16 August 2006, edited in
place 29 September 2006. http://www.w3.org/TR/2006/REC-xml-20060816/
- XML-C14N
- Canonical
XML. W3C Recommendation. J. Boyer. March 2001. http://www.w3.org/TR/2001/REC-xml-c14n-20010315
http://www.ietf.org/rfc/rfc3076.txt
- XML-C14N11
- Canonical
XML 1.1. W3C Recommendation. J. Boyer, G. Marcy. 2 May
2008. http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/
- XML-C14N20
- Canonical XML 2.0, J. Boyer, G. Marcy, P. Datta,
F. Hirsch. W3C Working Draft 22 October 2009. http://www.w3.org/TR/2009/WD-xml-c14n2-20091022/
- XML-Enc
- XML
Encryption Syntax and Processing.W3C Recommendation. D.
Eastlake 3rd., J. Reagle. December 2002.http://www.w3.org/TR/xmlenc-core/
- XML-Japanese
- XML
Japanese Profile. W3C Note. M. Murata. April 2000
http://www.w3.org/TR/2000/NOTE-japanese-xml-20000414/
- XML-MT
- RFC
2376 . XML Media Types. E. Whitehead, M.
Murata. July 1998. http://www.ietf.org/rfc/rfc2376.txt
- XML-Signature-RD
- RFC
2807. XML Signature
Requirements. W3C Working Draft. J. Reagle, April 2000.
http://www.w3.org/TR/1999/WD-xmldsig-requirements-19991014.html
http://www.ietf.org/rfc/rfc2807.txt
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
- XML-exc-C14N
- Exclusive
XML Canonicalization Version 1.0 W3C Recommendation. J.
Boyer, D. Eastlake 3rd., J. Reagle. July 2002. http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
- XML-ns
- Namespaces
in XML 1.0 (Second Edition). W3C Recommendation. T.
Bray, D. Hollander, A. Layman, R. Tobin. 16 August 2006.
http://www.w3.org/TR/2006/REC-xml-names-20060816/
- XML-schema
- XML
Schema Part 1: Structures. W3C Recommendation. H.
Thompson,D. Beech, M. Maloney, N. Mendelsohn. October 2004.
http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
XML
Schema Part 2: Datatypes W3C Recommendation. P. Biron,
A. Malhotra. May 2001. http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/
- XMLDSIG-2002
- XML-Signature
Syntax and Processing. D. Eastlake, J. Reagle, and D.
Solo. W3C Recommendation, February 2002. http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
- XMLDSIG11
- XML
Signature Syntax and Processing 1.1. D. Eastlake, J.
Reagle, et al. Working Draft, 30 July 2009. This is a draft
and subject to change. http://www.w3.org/TR/xmldsig-core1/
- XPTR-2001
- XML Pointer
Language (XPointer). W3C Candidate Recommendation. S.
DeRose, R. Daniel, E. Maler. January 2001. http://www.w3.org/TR/2001/CR-xptr-20010911/
- XPath
- XPath XML Path
Language (XPath) Version 1.0. W3C Recommendation. J.
Clark, S. DeRose. October 1999. http://www.w3.org/TR/1999/REC-xpath-19991116
- XPath-Filter-2
- XML-Signature XPath
Filter 2.0. W3C Recommendation. J. Boyer, M. Hughes, J.
Reagle. November 2002. http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/
- XPointer-Element
- XPointer
element() Scheme. W3C Recommendation. P. Grosso, E.
Maler, J. Marsh, N. Walsh. March 2003. http://www.w3.org/TR/2003/REC-xptr-element-20030325/
- XPointer-Framework
- XPointer-Framework XPointer
Framework. W3C Recommendation. P. Grosso, E. Maler, J.
Marsh, N. Walsh. March 2003. http://www.w3.org/TR/2003/REC-xptr-framework-20030325/
- XPointer-xmlns
- XPointer
xmlns() Scheme. W3C Working Recommendation. S. DeRose,
R. Daniel, E. Maler, J. Marsh. March 2003. http://www.w3.org/TR/2003/REC-xptr-xmlns-20030325/
- XPointer-xpointer
- XPointer
xpointer() Scheme. W3C Working Draft. S. DeRose, E.
Maler, R. Daniel. December 2002. http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/
- XSL
- Extensible
Stylesheet Language (XSL). W3C Recommendation. S.
Adler, A. Berglund, J. Caruso, S. Deach, T. Graham, P.
Grosso, E. Gutentag, A. Milowski, S. Parnell, J. Richman,
S. Zilles. October 2001. http://www.w3.org/TR/2001/REC-xsl-20011015/
- XSLT
- XSL
Transforms (XSLT) Version 1.0. W3C Recommendation. J.
Clark. November 1999. http://www.w3.org/TR/1999/REC-xslt-19991116.html
- ebXML-Msg
-
ebXML Messsage Service Specification Version 2.0 OASIS
ebXML Messaging Services Technical Committee
- rfc4051
- RFC
4051. Additional XML Security Uniform Resource
Identifiers. D. Eastlake 3rd. April 2005. http://www.ietf.org/rfc/rfc4051.txt