Altova Technology Primer: XML Signature Technology Overview

XML Digital Signatures

The XML signature, as its name suggests, is a type of XML-based digital signature and a key XML security measure. (For an overview of the technology supporting digital signatures please refer to the Digital Signatures Technology Overview from the Technical Primers section of our Web site.)

XML digital signatures rely on the same basic technology as other digital signatures.

  • A file is transformed into a message digest via a hash algorithm.
  • The message digest is then encrypted and sent to the intended recipient.
  • The recipient “unlocks” the message digest with the public key of a private-public key pair.
  • The same algorithm that transformed the file into a message digest on the sender’s end is applied to the recipient’s file.
  • The reconstructed message digest is then compared to the message digest that accompanied the file.
  • If the message digests match each other, the file has not been altered since it was signed.

[Figure: digital signature overview]

However, XML’s structure necessitates some adaptations to this otherwise straightforward process.

The Hash Algorithm

The algorithm or “hash” that translates the file into a message digest uses a completely literal interpretation of that file – the message digest for a file with two spaces at the end of a particular sentence will differ from that created for a file with one space at the end of that same sentence. Because XML is a language that recognizes “logical equivalency” between XML files (e.g., <ref>loop</ref> is syntactically the same as <ref > loop </ref>), XML syntax is not rendered in a standardized manner by XML processors.

Therefore, it is imperative that formatting and other potentially confounding differences be “normalized” so that the hash will create the same message digest on both the sender’s and recipient’s ends.

XML Canonicalization

An XML file is “normalized” through canonicalization.

Canonicalization is the process of altering the structure, formatting, and other “physical” attributes of an XML file – not its manifestation, which is based on the “logic” imparted by XML tags – so that it complies with the W3C standards Canonical XML 1.0 or Canonical XML 1.1. This is akin to posting an article from a newspaper to a series of different Web sites – the words that appear on the screen are exactly the same but the HTML used by each site will differ at least slightly from the others.

Applying the hash to an XML file in its canonical form, rather than to the original XML file (which may have been altered slightly by an XML processor on the recipient’s end), prevents a “false negative” result. Canonicalization allows you to reliably compare the original and reconstructed message digests to ensure the integrity of the file.
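The effect described above can be reproduced with a short script; this is an added example, not Altova's code. It uses the C14N 2.0 implementation in the Python standard library rather than the Canonical XML 1.0/1.1 algorithms named on this page, and the sample documents and function names are constructed for illustration.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed samples: the same logical content in two physical forms.
SENDER = '<order id="7" currency="EUR"><ref>loop</ref><note/></order>'
RECIPIENT = ("<?xml version=\"1.0\"?>"
             "<order   currency='EUR'  id = \"7\" ><ref >loop</ref ><note></note></order>")
# Constructed sample: whitespace added inside the text content of <ref>.
EDITED = '<order id="7" currency="EUR"><ref> loop </ref><note/></order>'


def canonical_form(xml_text: str) -> str:
    """Return the canonical serialization (C14N 2.0, standard library)."""
    return canonicalize(xml_data=xml_text)


def raw_digest(xml_text: str) -> str:
    """Hash the serialized bytes exactly as they were received."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_digest(xml_text: str) -> str:
    """Canonicalize first, then hash the canonical octets."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def compare(a: str, b: str) -> dict:
    """Report whether two documents agree before and after canonicalization."""
    return {
        "raw_match": raw_digest(a) == raw_digest(b),
        "canonical_match": canonical_digest(a) == canonical_digest(b),
    }


if __name__ == "__main__":
    print(canonical_form(RECIPIENT))
    print("sender vs recipient:", compare(SENDER, RECIPIENT))
    print("sender vs edited:   ", compare(SENDER, EDITED))
```

Attribute order, quoting, whitespace inside tags, the XML declaration and the empty-element form are all normalized, so the first pair matches after canonicalization. Character content is kept as written, so the whitespace added inside `<ref>` in the third sample still changes the digest.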

Canonicalization for stand-alone XML files will produce different output than that for XML files embedded in another document because of the presence of namespaces outside of an embedded XML file. To overcome this, W3C developed the Exclusive XML Canonicalization standard.

Exclusive Canonicalization includes only the namespaces used in the signed portion of the XML file – “Inclusive” Canonicalization on the other hand will include the namespaces from the document in which the signed XML file has been embedded.

The canonicalization algorithm applied is identified in the CanonicalizationMethod element in the XML <Signature> element. (In Altova XMLSpy and StyleVision, users are prompted to select which form of canonicalization is to be applied as well as how to handle whitespace. This information is written to the XML signature.)

Fun fact: Canonicalization is often abbreviated C14n, with “c” and “n” representing the first and last letters of the term and 14 the number of letters in between the two.

Inserting an XML Signature

In keeping with the hierarchical structure of Extensible Markup Language, XML signatures can be attached to different sections of a file.

An enveloping signature is one in which the XML signature is a parent element – the <Signature> element is created as a root element and the XML is inserted into it. In this example notice the <xsig:SignedInfo> element that appears under the root element <Signature>.

[Figure: enveloping XML signature]

An XML signature is said to be enveloped when it appears inside the root element – the <Signature> element is inserted as its last child.

[Figure: enveloped XML signature]

Finally, a detached XML signature resides in a file external to the XML document with which it is associated. A reference back to the associated document appears within the signature file (<xsig:Reference URI="DetachedXMLSignature.xsd"> in this example).

[Figure: detached XML signature]
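As an added illustration (not Altova's code), the sketch below reads the CanonicalizationMethod described earlier and classifies each Reference as enveloping, enveloped or detached. The `Id` attribute spelling, the helper names and the sample skeletons are assumptions; the skeletons are unsigned and carry no digest or signature values. It goes slightly beyond the text in following the W3C definition, which also treats a sibling element in the same document as detached.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
C14N = {  # CanonicalizationMethod Algorithm URIs defined by W3C
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315": "Canonical XML 1.0",
    "http://www.w3.org/2006/12/xml-c14n11": "Canonical XML 1.1",
    "http://www.w3.org/2001/10/xml-exc-c14n#": "Exclusive XML Canonicalization",
}

def placement(root, sig, uri):
    """Classify one <Reference URI> relative to the <Signature> element."""
    if uri is None:
        return "unresolved"
    if uri and not uri.startswith("#"):
        return "detached"                  # points outside this document
    # "" means the whole document; "#x" means the element whose Id is x
    # (assumption: the ID attribute is spelled "Id").
    target = root if uri == "" else next(
        (e for e in root.iter() if e.get("Id") == uri[1:]), None)
    if target is None:
        return "unresolved"
    if any(e is sig for e in target.iter()):
        return "enveloped"                 # <Signature> sits inside the signed data
    if any(e is target for e in sig.iter()):
        return "enveloping"                # signed data sits inside <Signature>
    return "detached"                      # sibling element in the same document

def describe_signature(xml_text):
    # Constructed sample input only; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    sig = root if root.tag == DS + "Signature" else root.find(f".//{DS}Signature")
    if sig is None:
        raise ValueError("no Signature element found")
    info = sig.find(f"{DS}SignedInfo")
    algo = info.find(f"{DS}CanonicalizationMethod").get("Algorithm")
    refs = [r.get("URI") for r in info.findall(f"{DS}Reference")]
    return C14N.get(algo, f"unrecognized: {algo}"), [placement(root, sig, u) for u in refs]

def sample(uri, c14n, wrap="{}"):
    """Build a constructed, unsigned skeleton with one Reference."""
    sig = (f'<xsig:Signature xmlns:xsig="http://www.w3.org/2000/09/xmldsig#">'
           f'<xsig:SignedInfo><xsig:CanonicalizationMethod Algorithm="{c14n}"/>'
           f'<xsig:Reference URI="{uri}"/></xsig:SignedInfo>'
           f'<xsig:Object Id="payload"><doc/></xsig:Object></xsig:Signature>')
    return wrap.format(sig)

if __name__ == "__main__":
    print(describe_signature(sample("#payload", "http://www.w3.org/2001/10/xml-exc-c14n#")))
```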


Altova XMLSpy, Altova MapForce, Altova StyleVision, and Altova Authentic support XML digital signatures.


