Safelayer Secure Communications

XML Signature Generation
03 December 2007

To understand this example, it is recommended that you first work through the previous one: CMS/PKCS#7 Signature Generation.

The dss:SignRequest element tells the system that this is a signature request. It contains all the desired optional elements; for example, the css:Name element identifies the signer certificate, in this case in the Distinguished Name/X509SubjectName format.

In addition, the css:KeyInfoType element with the X509SubjectName format is used to indicate that the response must return the key information in the Distinguished Name/X509SubjectName format.

As we are signing a document, we must add the dss:Document element, which contains the XML document to be signed.

Finally, as you can see in the example, the type of XML signature has not been stated explicitly. This means that a signature detached from the original document is being requested in the response.

Later, in other signature requests, we will show the other two types of request possible with an XML signature: the request that places the resulting signature inside the original document (an enveloped signature), and the request that places the document inside the generated signature (an enveloping signature).

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<SOAP-ENV:Header>
		<wsse:Security>
			<wsse:UsernameToken wsu:Id="SecurityToken-4505729303387484391">
				<wsse:Username>trustedx</wsse:Username>
				<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">trustedx</wsse:Password>
			</wsse:UsernameToken>
		</wsse:Security>
	</SOAP-ENV:Header>
	<SOAP-ENV:Body wsu:Id="Id-9027040566202249815">
		<dss:SignRequest xmlns:css="http://www.safelayer.com/TWS" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dss="http://www.docs.oasis-open.org/dss/2004/06/oasis-dss-1.0-core-schema-wd-27.xsd" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xades="http://uri.etsi.org/01903/v1.2.2#" Profile="urn:safelayer:tws:dss:1.0:profiles:xades:1.0:sign" RequestID="Id-2828846405853607976">
			<dss:OptionalInputs>
				<dss:KeySelector>
					<css:KeySelector>
						<css:Name Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=trustedx, OU=Demo, O=TrustedX, C=ES</css:Name>
					</css:KeySelector>
				</dss:KeySelector>
				<css:AddSignatureKeyInfo>
					<css:KeyInfoType>X509SubjectName</css:KeyInfoType>
				</css:AddSignatureKeyInfo>
			</dss:OptionalInputs>
			<dss:InputDocuments>
				<dss:Document>
					<dss:XMLData><trustedx Id="data"><example Id="node1">Simple xml file</example><description Id="node2" format="text">XMLDSig/XAdES TrustedX signatures</description></trustedx></dss:XMLData>
				</dss:Document>
			</dss:InputDocuments>
		</dss:SignRequest>
	</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The following explanation refers to the response that the TrustedX platform returns once the request above has been sent; pressing the "try" button generates this response.

First, the signature (dsig:Signature) has been produced in XML format. We can see that it is a detached signature because the dsig:Object element does not contain the signed document; if it did, it would be an enveloping signature.

An XML signature is made up of several parts. The first is a reference (dsig:Reference) from the signature to the signed data, indicated by the URI="#data" attribute. To ensure that the referenced data always produce the same bytes, whatever XML serialisation is used, a canonicalization (c14n) transform (dsig:Transform) is applied, in this case exclusive canonicalization; this makes all possible XML representations of the same document match. Once the document has been canonicalized, its hash is computed and placed in the dsig:DigestValue element. A second reference performs the same operations, but over the signed properties (xades:SignedProperties).
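The reference check described above, as an added example that is not part of the original page or of TrustedX: it resolves a same-document reference such as URI="#data", canonicalizes the element and compares its digest with a DigestValue. It assumes only the Python standard library; ElementTree's canonicalize() implements C14N 2.0, which for a fragment without namespace declarations gives the same output as exclusive c14n, and the digest algorithm (sha256 here) is a placeholder because the page does not state which one TrustedX uses.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the document from the SignRequest above, a second
# serialisation of the same infoset (attribute order and quoting differ),
# and a tampered copy with one character added.
DOC = ('<trustedx Id="data"><example Id="node1">Simple xml file</example>'
       '<description Id="node2" format="text">XMLDSig/XAdES TrustedX signatures'
       '</description></trustedx>')
DOC_REORDERED = ("<trustedx Id='data'><example Id='node1'>Simple xml file</example>"
                 "<description format='text' Id='node2'>XMLDSig/XAdES TrustedX signatures"
                 "</description></trustedx>")
DOC_TAMPERED = DOC.replace("Simple xml file", "Simple xml file.")


def find_by_id(root, ref_id):
    """Resolve a same-document reference (URI="#data") through its Id attribute."""
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    raise ValueError(f"no element with Id={ref_id!r}")


def reference_digest(doc_xml, uri, algorithm="sha256"):
    """Base64 digest of the canonicalized referenced element, i.e. the value a
    dsig:DigestValue would carry. The algorithm default is an assumption."""
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    target = find_by_id(ET.fromstring(doc_xml), uri[1:])
    # C14N 2.0 via the standard library; equals exclusive c14n here because the
    # fragment declares no namespaces. A real verifier should use an XML-DSig
    # library that implements exclusive c14n 1.0.
    canonical = ET.canonicalize(ET.tostring(target, encoding="unicode"))
    digest = hashlib.new(algorithm, canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_reference(doc_xml, uri, expected_digest_value, algorithm="sha256"):
    """True when the document still matches the DigestValue of a detached
    signature; any change to the signed data, however small, breaks it."""
    return reference_digest(doc_xml, uri, algorithm) == expected_digest_value
```

Two serialisations of the same document yield the same DigestValue, while the tampered copy does not.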

The value of the signature can be found in the dsig:SignatureValue element.

Because the optional css:AddSignatureKeyInfo element was included in the signature request, the response now shows who signed the document (dsig:KeyInfo), in this case in the Distinguished Name/X509SubjectName style.