The Create XML Signature command is enabled in Text View, Grid View, Schema View, WSDL View and XBRL View, and enables you to create an XML signature for the active XML document. Clicking the command opens the Create XML Signature dialog (screenshot below), the settings of which are explained below.
Authentication method: certificate or password
The signature can be based on a certificate or a password. Select the radio button of the method you wish to use.
•Certificate: If you wish to use a certificate, the certificate must have a private key and be located in an accessible certificate store. The signature is generated using the private key of the certificate. To verify the signature, access to the certificate (or a public-key version of it) is required. The public key of the certificate is used to verify the signature. To select the private-public-key certificate you wish to use, click the Select button and browse for the certificate. For more details about certificates, see the section Working with Certificates.
•Password: Enter a password with a length of five to 16 characters. This password will subsequently be required to verify the signature.
The XML data is transformed and the result of the transformation is used for the creation of the signature. You can specify the canonicalization algorithm to be applied to the file's XML data (the SignedInfo content) prior to performing signature calculations. Significant points of difference between the algorithms are noted below:
•Canonical XML with or without comments: If comments are included for signature calculation, then any change to comments in the XML data will result in verification failure. Otherwise, comments may be modified or be added to the XML document after the document has been signed, and the signature will still be verified as authentic.
•Base64: The root (or document) element of the XML document is considered to be Base64 encoded, and is read in its binary form. If the root element is not Base64, an error is returned or the element is read as empty, depending on what type of element is encountered.
•None: No transformation is carried out and the XML data from the binary file saved on disk is passed directly for signature creation. Any subsequent change in the data will result in a failed verification of the signature. However, if the Strip Whitespace check box option is selected, then all whitespace is stripped and changes in whitespace will be ignored. A major difference between the None option and a Canonicalization option is that canonicalization produces an XML data stream, in which some differences, such as attribute order, are normalized. As a result, a canonicalization transformation will normalize any changes such as that of attribute order (so verification will succeed), while no-transformation will reflect such a change (verification will fail).
The signature can be placed within the XML file or be created as a separate file. The following options are available:
•Enveloped: The signature element is created as the last child element of the root (document) element.
•Enveloping: The signature element is created as the root (document) element and the XML document is inserted as a child element.
•Detached: The XML signature is created as a separate file. In this case, you can specify the file extension of the signature file and whether the file name is created with: (i) the extension appended to the name of the XML file (for example, test.xml.xsig), or (ii) the extension replacing the XML extension of the XML file (for example, test.xsig). You can also specify whether, in the signature file, the reference to the XML file is a relative or an absolute path.
|Note:||XML signatures for XML Schema (.xsd) files and for XBRL files can only be created as external signature files. For WSDL files, signatures can be created as external files and can be "enveloped" in the WSDL file.|
|Note:||If the XML signature is created as a separate file, then the XML file and signature file are associated with each other via a reference in the signature file. Consequently, signature verification in cases where the signature is in an external file must be done with the signature file active—not with the XML file active.|
Append key information
The Append Keyinfo option is available when the signature is certificate-based. It is unavailable if the signature is password-based.
If the option is selected, public-key information is placed inside the signature, otherwise key information is not included in the signature. The advantage of including key information is that the certificate itself (specifically the public-key information in it) will not be required for the verification process (since the key information is present in the signature).