Digitally Sign Parts of an XML document

6

2

I have an XML document having structure similar to the following

<envelop>
    <header>blaa</header>
    <message>blaa blaa</message>
    <footer></footer>
</envelop>

I want to digitally sign the header and message elements and add the signature to the footer element.

How can I sign the elements and then later verify the signature (using .NET C#)?

Sokul answered 23/6, 2009 at 10:55 Comment(0)
3

You should be able to add an XPath-Transform to the Signature. It should look something like this:

       <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
         <XPath xmlns:dsig="&dsig;">
         ...
         </XPath>
       </Transform>

I am not fluent in XPath, but it should be easy to formulate an XPath-expression that excludes the Footer-element. (But note that XPath is an optional part of XML-DSIG, so not all implementations may support it).

Alternatively, if you could restructure your document to be

<envelop>
  <header>blaa</header>
  <message>blaa blaa</message>
  <Signature></Signature>
</envelop>

or

<envelop>
  <signedEnvelope>
    <header>blaa</header>
    <message>blaa blaa</message>
  </signedEnvelope>
  <Signature></Signature>
</envelop>

you could handle it by using an Enveloped Signature Transform (first case) or by signing the signedEnvelope element (second case).

Litch answered 23/6, 2009 at 12:58 Comment(1)
Hi Rasmus, I don't have the option to restructure the XML as the format is decided by a third party app. I will look into the XPath transformation. Thanks. - Sokul
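The enveloped-signature transform mentioned in the answer above also works when the Signature element sits inside footer, which keeps the third-party layout intact. The following is an added example, not code from any of the answers: the class name FooterSignature and the in-process RSA key are assumptions, and the empty footer element is covered by the digest along with header and message.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class FooterSignature   // hypothetical name, for illustration only
{
    // Signs the whole envelope and stores the <Signature> inside <footer>.
    public static void Sign(XmlDocument doc, RSA key)
    {
        var signedXml = new SignedXml(doc) { SigningKey = key };
        // Uri "" selects the whole document; the enveloped-signature transform
        // drops the <Signature> element itself from the digest input.
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        XmlNode footer = doc.SelectSingleNode("/envelop/footer");
        footer.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verifies against a key the verifier already trusts, not one read from the document.
    public static bool Verify(XmlDocument doc, RSA trustedKey)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlNodeList sigs = doc.SelectNodes("/envelop/footer/ds:Signature", ns);
        if (sigs.Count != 1) return false;
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        // Require a single whole-document reference, so that a valid signature
        // over some other fragment cannot be passed off as covering the envelope.
        var refs = signedXml.SignedInfo.References;
        if (refs.Count != 1 || ((Reference)refs[0]).Uri != "") return false;
        return signedXml.CheckSignature(trustedKey);
    }

    static void Main()
    {
        // Constructed sample input; PreserveWhitespace keeps the digest input stable.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<envelop><header>blaa</header><message>blaa blaa</message><footer></footer></envelop>");
        using (RSA key = RSA.Create())
        {
            Sign(doc, key);
            Console.WriteLine(Verify(doc, key));   // freshly signed document
            doc.SelectSingleNode("/envelop/message").InnerText = "tampered";
            Console.WriteLine(Verify(doc, key));   // same document after modification
        }
    }
}
```

When verifying a received file, load it with PreserveWhitespace set to true as well, since whitespace between elements is part of what was digested.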
2

Read this: http://msdn.microsoft.com/en-us/library/ms229745.aspx

Jeanajeanbaptiste answered 23/6, 2009 at 10:58 Comment(1)
The link explains how you can sign the entire document (setting the Uri property to ""). How can I extend this to partially sign elements of the XML, and then later verify the signature? - Sokul
2

There's a Microsoft partner which could be pretty good for this. They allow you to add digital signatures for XML (as well as all other platforms). I recommend checking their product, it's called cosign.

Thermotherapy answered 26/1, 2011 at 20:3 Comment(0)
1

Why not follow the W3 recommendation for XML signing, http://www.w3.org/2000/09/xmldsig#? It has a basic structure:

<Signature>
   <SignedInfo>
      <CanonicalizationMethod />
      <SignatureMethod />
      <Reference>
         <Transforms />
         <DigestMethod />
         <DigestValue />
      </Reference>
      <!-- further <Reference /> elements, etc. -->
   </SignedInfo>
   <SignatureValue />
   <KeyInfo />
   <Object />
</Signature>

If you want more advanced features, read about XAdES - I think it's available in C#.

Concerto answered 24/6, 2009 at 8:47 Comment(0)
0

I see this post is old, but maybe somebody has the same need now. What you need is something like an enveloped signature in XMLDSIG. The difference is that in XMLDSIG you have to include the signature data in a Signature node.

If you want to do this, you have to implement it on your own.

I'm involved in a project to develop a library to provide XAdES support for the .NET Framework.

We've just released version 1.0, which provides early support for XAdES-BES.

You can find it in XAdES .NET Project

I hope the source code may help you somehow.

Regards.

Salpiglossis answered 10/12, 2010 at 19:9 Comment(0)
