Creating XML Signatures
To create an XML signature for an XML document, open the XML document for which you wish to create a signature. Then click the menu command XML | Create XML Signature. This opens the Create XML Signature dialog (screenshot below), the settings of which are explained below.
Authentication method: certificate or password
The signature can be based on a certificate or a password. Select the radio button of the method you wish to use.
•Certificate: Click the Select button and browse for the certificate you want. The certificate you select must have a private key. The signature is generated using the private key of the certificate. To verify the signature, access to the certificate (or to a public-key version of it) is required. The public key of the certificate is used to verify the signature. For more details about certificates, see the section Working with Certificates.
•Password: Enter a password with a length of five to 16 characters. This password will subsequently be required to verify the signature.
|Note:||Starting with XMLSpy 2018, the algorithm that is used to sign documents based on passwords was updated from HMAC-SHA1 to HMAC-SHA256. Previous versions of XMLSpy will not be able to verify signatures using passwords generated with XMLSpy 2018.|
The XML data is transformed and the result of the transformation is used for the creation of the signature. You can specify the canonicalization algorithm to be applied to the file's XML data (the SignedInfo content) prior to performing signature calculations. Significant points of difference between the algorithms are noted below:
•Canonical XML with or without comments: If comments are included for signature calculation, then any change to comments in the XML data will result in verification failure. Otherwise, comments may be modified or be added to the XML document after the document has been signed, and the signature will still be verified as authentic.
•Base64: The root (or document) element of the XML document is considered to be Base64 encoded, and is read in its binary form. If the root element is not Base64, an error is returned or the element is read as empty.
•None: No transformation is carried out and the XML data from the binary file saved on disk is passed directly for signature creation. Any subsequent change in the data will result in a failed verification of the signature. However, if the Strip Whitespace check box option is selected, then all whitespace is stripped and changes in whitespace will be ignored. A major difference between the None option and a Canonicalization option is that canonicalization produces an XML data stream, in which some differences, such as attribute order, are normalized. As a result, a canonicalization transformation will normalize any changes such as that of attribute order (so verification will succeed), while no-transformation will reflect such a change (verification will fail). Note, however, that a default canonicalization is performed if the signature is embedded (enveloped or enveloping). So the XML data will be used as is (i.e. with no transformation), when the signature is detached, None is selected, and the Strip Whitespaces checkbox is unchecked.
The signature can be placed within the XML file or be created as a separate file. The following options are available:
•Enveloped: The Signature element is created as the last child element of the root (document) element.
•Enveloping: The Signature element is created as the root (document) element and the XML document is inserted as a child element.
•Detached: The XML signature is created as a separate file. In this case, you can specify the file extension of the signature file and whether the file name is created with: (i) the extension appended to the name of the XML file (for example, test.xml.xsig), or (ii) the extension replacing the XML extension of the XML file (for example, test.xsig). You can also specify whether, in the signature file, the reference to the XML file is a relative or an absolute path.
|Note:||XML signatures for XML Schema (.xsd) files can be created from Schema View as detached signature files (not embedded). XML signatures for XBRL files can be created from XBRL View as detached signature files (not embedded). XML signatures for WSDL files can be created from WSDL View as detached signature files, or they can be "enveloped" in the WSDL file.|
|Note:||If the XML signature is created as a detached (separate) file, then the XML file and signature file are associated with each other via a reference in the signature file. Consequently, signature verification in cases where the signature is in an external fie must be done with the signature file active—not with the XML file active.|
Append key information
The Append Keyinfo option is available when the signature is certificate-based. It is unavailable if the signature is password-based.
If the option is selected, public-key information is placed inside the signature, otherwise key information is not included in the signature. The advantage of including key information is that the certificate itself (specifically the public-key information in it) will not be required for the verification process (since the key information is present in the signature).