Let's look at the elements that make up the Signed Content portion of the message. Line 5,
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>, identifies
the canonicalization algorithm that is used to create a canonicalized form of the information being
signed, in this case the digest. This step is needed because of the nature of XML documents
and the programming tools that work with them. Two XML documents can differ slightly in their
text yet be the same logical document. Small variations in the way comments are represented, or
in the way an XML parser handles line delimiters when serializing or deserializing an XML data
structure, can produce slightly different binary representations of the same content. If the
algorithm that verifies the digital signature were run against a slightly different serialized
version of the data, verification could fail when it should succeed. To avoid this problem, the
document is first transformed into its canonicalized form by a canonicalization algorithm. The
algorithm used here is an implementation of the W3C Exclusive XML Canonicalization Version 1.0
Specification (see Resources), a W3C recommendation, which transforms the document into its basic
canonicalized form. This gives a consistent binary representation that can be compared correctly
and therefore yields the correct result.
Line 6, <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>,
indicates the Signature Method Algorithm. This is the algorithm that is used to convert the
output of the canonicalization algorithm into the Signature Value. Our signature algorithm is a
combination of a key-dependent algorithm (RSA) and a hash algorithm (SHA-1). This algorithm is
an implementation of the RSASSA-PKCS1-v1_5 specification described in W3C RFC 2437 (see
Line 7, <Reference URI="#sign_content_1043176028580">, indicates the Reference element. The
optional URI attribute of Reference identifies the data object that was signed. The Reference
block includes the algorithm that is used to compute the digest, the digest value that was
computed, and the final transform that is performed prior to computing the digest value. Lines
8-10, <Transforms> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </Transforms>,
indicate the transformation algorithm, while lines 11 and 12 specify the digest algorithm and
the computed digest value, <DigestMethod Algorithm="http://www.w3.org/2000/
In our application, the Transform algorithm is once again the W3C Exclusive XML Canonicalization
algorithm discussed above. The method used to compute the digest, the Secure Hash Algorithm,
is part of the U.S. Department of Commerce/National Institute of Standards and Technology's
Secure Hash Standard.
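To make the canonicalization and Reference digest steps above concrete, here is an added example (not code from the original article) that takes two constructed serializations of the same logical document, shows that their raw SHA-1 digests differ, and shows that they agree once canonicalized, then recomputes a <DigestValue> the way a verifier would. It assumes Python 3.8+ and uses the standard library's xml.etree.ElementTree.canonicalize, which implements Canonical XML 2.0 rather than the Exclusive XML Canonicalization 1.0 algorithm the article's signature uses; the principle demonstrated is the same.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: two serializations of the same logical document that
# differ only in line endings, a comment, attribute order and quoting, spacing
# inside a tag, and <Item/> versus <Item></Item>. A parser treats them as the
# same document, but their bytes (and therefore their raw digests) differ.
DOC_A = (
    b'<?xml version="1.0"?>\r\n'
    b'<Order id="sign_content_1043176028580">\r\n'
    b'  <!-- emitted by system A --><Item sku="A-1" qty="2"/>\r\n'
    b'</Order>\r\n'
)
DOC_B = (
    b"<Order  id='sign_content_1043176028580'>\n"
    b"  <Item qty='2' sku=\"A-1\"></Item>\n"
    b"</Order>\n"
)


def canonical_form(xml_bytes: bytes) -> str:
    """Canonicalize with the standard library (C14N 2.0; comments are dropped)."""
    return ET.canonicalize(xml_data=xml_bytes)


def digest_value(xml_bytes: bytes, canonical: bool = True) -> str:
    """Base64-encoded SHA-1 digest, the form carried in <DigestValue>."""
    data = canonical_form(xml_bytes).encode("utf-8") if canonical else xml_bytes
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def reference_matches(received: bytes, expected_digest: str) -> bool:
    """Verifier side of a <Reference>: canonicalize, re-digest, and compare."""
    return digest_value(received) == expected_digest


if __name__ == "__main__":
    print("raw digests:      ", digest_value(DOC_A, False), digest_value(DOC_B, False))
    print("canonical digests:", digest_value(DOC_A), digest_value(DOC_B))
    # The requester digests DOC_A; the provider receives DOC_B after re-serialization.
    print("reference verifies:", reference_matches(DOC_B, digest_value(DOC_A)))
```

Without the canonicalization step, the last check would fail even though nothing the requester signed has changed.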
Lines 15-16, <SignatureValue>kGlrrXjKku/WXKxID+JJkEXY+aGNYHc5dy8GwbLFtB5Msll2/7A8ggkMkjgAqnLg6PTzM7MdKoIAhe+xRHdOysamGucFJQRMrU+JQ4WATJt0bpdClwJy6mexT Su48mq1q5rM9YZh61P7UEUKt+EQ=</SignatureValue>,
contain the signature value, which is actually the encrypted digest value. This value is the
output of the Signature Method Algorithm indicated on line 6.
Keys
Lines 20-48 introduce the concept of keys. A key is used to mathematically transform a normal,
readable text message into an unreadable one for transmission across the Internet. Our Web
service will use a public/private-key pair (two mathematically related keys), that is, an
asymmetric-key encryption scheme. One of these keys is kept secret; this is the private key. In
our application, the Web service requester will sign the digest with his private key prior to
sending the document to the service provider.