
<Signature>

The purpose of <Signature> is to carry a digital signature that the recipient of the message can verify. You use digital signatures to detect message alteration, or simply to validate that a certain part of a message was really generated by the entity listed as its creator. As with a traditional handwritten signature, a digital signature is an addition to the document that can be created only by the creator of that document and that cannot easily be forged.

The following shows a partial example:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
   <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      </CanonicalizationMethod>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha256"></SignatureMethod>
      <Reference URI="#Timestamp-48CEE53E-E6C3-456C-9214-B7D533B2663F">
         <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
         <DigestValue>waSMFeYMruQn9XHx85HqunhMGIA=</DigestValue>
      </Reference>
      <Reference URI="#Body-73F08A5C-0FFD-4FE9-AC15-254423DBA6A2">
         <Transforms>
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
         </Transforms>
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
         <DigestValue>wDCqAzy5bLKKF+Rt0+YV/gxTQws=</DigestValue>
      </Reference>
   </SignedInfo>
   <SignatureValue>j6vtht/[parts omitted]trCQ==</SignatureValue>
   <KeyInfo>
      <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <Reference URI="#SecurityToken-411A262D-990E-49F3-8D12-7D7E56E15081" 
                    ValueType="[parts omitted]oasis-200401-wss-x509-token-profile-1.0#X509v3">
         </Reference>
      </SecurityTokenReference>
   </KeyInfo>
</Signature>

Details

The parts of this element are as follows:

  • <SignedInfo> indicates the parts of the message that are signed by this signature and indicates how those parts were processed before signing.

    In InterSystems IRIS, you can specify the digest method (shown by the Algorithm attribute of <DigestMethod>). See Specifying the Digest Method.

    You can also specify the algorithm used to compute the signature (shown by the Algorithm attribute of <SignatureMethod>). See Specifying the Signature Method.

  • <SignatureValue> holds the actual signature. In this case, the signature is j6vtht/[parts omitted]trCQ==

    This value is computed by encrypting the concatenated digests of the signed parts. The encryption is performed with the private key of the sender.

  • <KeyInfo> identifies the key that was used to create the signature. In InterSystems IRIS, <KeyInfo> includes a <SecurityTokenReference>, which has one of several forms:

    • A reference to a <BinarySecurityToken> earlier in the WS-Security header, as shown in the preceding example. In this case, the corresponding private key was used to create the signature.

    • Information to identify a certificate, which presumably the message recipient has previously received and stored. For example, the <SecurityTokenReference> could include the SHA1 thumbprint of the certificate, as follows:

      <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <KeyIdentifier EncodingType="[parts omitted]#Base64Binary" 
                        ValueType="[parts omitted]#ThumbprintSHA1">
            maedm8CNoh4zH8SMoF+3xV1MYtc=
         </KeyIdentifier>
      </SecurityTokenReference>

      As with the previous case, the corresponding private key was used to create the signature.

    • A reference to a <DerivedKeyToken> earlier in the WS-Security header. For example:

      <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <Reference URI="#Enc-BACCE807-DB34-46AB-A9B8-42D05D0D1FFD"></Reference>
      </SecurityTokenReference>

      In this case, the signature was created by the symmetric key indicated by that token.

    • A reference to an implied <DerivedKeyToken>. For example:

      <SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd" 
                    s01:Nonce="mMDk0zn8V7WTsFaIjUJ7zg==" 
                    xmlns:s01="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
         <Reference URI="#Id-93F97220-568E-47FC-B3E1-A2CF3F70B29B"></Reference>
      </SecurityTokenReference>

      In this case, the URI attribute in <Reference> points to the <EncryptedKey> element used to generate the <DerivedKeyToken>, and the Nonce attribute indicates the nonce value that was used.

      As with the previous case, the derived key was used to create the signature.
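The <Reference>/<DigestValue> part of <SignedInfo> described above is what a recipient checks first: each URI="#..." must resolve to exactly one signed element, and re-digesting that element must reproduce the stored DigestValue. The following is an added example, not InterSystems code, on a constructed SOAP message; it assumes wsu:Id attributes carry the referenced ids, SHA-256 as the digest method, and the Python standard library's C14N 2.0 as a stand-in for exclusive C14N (the RSA step over <SignedInfo> that produces <SignatureValue> is left out).

```python
# Added example, not InterSystems code: recipient-side check of the <Reference> digests in <SignedInfo>
# on a constructed message; assumes wsu:Id ids, SHA-256 digests, stdlib C14N 2.0 in place of exc-c14n.
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SAMPLE = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="{WSU}">
<s:Header><wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2024-05-01T12:00:00Z</wsu:Created></wsu:Timestamp>
<Signature xmlns="{DS}"><SignedInfo>
<Reference URI="#Timestamp-1"><DigestMethod Algorithm="{SHA256}"/><DigestValue/></Reference>
<Reference URI="#Body-1"><DigestMethod Algorithm="{SHA256}"/><DigestValue/></Reference>
</SignedInfo><SignatureValue>[computed over SignedInfo with the sender's private key; omitted]</SignatureValue>
</Signature></s:Header>
<s:Body wsu:Id="Body-1"><Transfer xmlns="urn:example"><Amount>100</Amount></Transfer></s:Body></s:Envelope>"""

def canonical_digest(el):
    """Canonicalize one element subtree (without its tail text) and return its base64 SHA-256."""
    el = copy.copy(el)
    el.tail = None  # tail text belongs to the parent, not to the signed element
    canon = ET.canonicalize(ET.tostring(el, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def find_by_id(root, ref_id):
    hits = [e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref_id]
    if len(hits) != 1:  # zero or duplicate ids: refuse rather than pick one
        raise ValueError(f"{len(hits)} elements carry wsu:Id={ref_id!r}")
    return hits[0]

def build_signed_sample():
    """Sender side: fill each DigestValue from the element its Reference names."""
    root = ET.fromstring(SAMPLE)
    for ref in root.iter(f"{{{DS}}}Reference"):
        ref.find(f"{{{DS}}}DigestValue").text = canonical_digest(find_by_id(root, ref.get("URI")[1:]))
    return ET.tostring(root, encoding="unicode")

def verify_references(xml_text):
    """Recipient side: every Reference must resolve to exactly one element whose digest matches."""
    root = ET.fromstring(xml_text)
    try:
        for ref in root.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or ref.find(f"{{{DS}}}DigestMethod").get("Algorithm") != SHA256:
                return False  # only same-document references with SHA-256 are accepted here
            expected = (ref.find(f"{{{DS}}}DigestValue").text or "").strip()
            if expected != canonical_digest(find_by_id(root, uri[1:])):
                return False
    except ValueError:
        return False  # unresolvable or ambiguous wsu:Id
    return True
```

Refusing ambiguous ids matters: a second element carrying the same wsu:Id must fail verification rather than let the check pick one copy while the application reads the other.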

Position in Message

A <Signature> element should be included within <Security> after the <BinarySecurityToken> or <DerivedKeyToken> that it uses, if any.
