• XrdOne
• XmlDsigProfile

XML DSig Profile for Simple Signatures

In the XrdOne/SimpleSign page Bill Barnhill commented that it might be a good idea to specify a simplified profile of XML DSig rather than inventing entirely new syntax. After starting to try to write something normative about XML Simple Sign I began to agree with him. I was duplicating way too much work that had already gone into XML DSig core. I decided to try to change as few elements of XML DSig as possible, just stripping out pieces that created complexity that were not necessary for our applications. The result is this document.

Abstract

The XML DSIG specification describes a mechanism for signing of arbitrary XML objects. XML DSIG is flexible, powerful, and complex. This document describes a severely limited subdialect of XML DSIG that favors simplicity over flexibility. Simple XML DSIG eliminates canonicalization of XML documents in favor of signing raw octet streams. In addition, the schema is restricted to using X.509 certificates for document signing. The goal of Simple XML DSIG is to define a mechanism for encoding and transport of digital signatures and public keys that is trivial to implement for anyone with an XML parser and a cryptographic library capable of handling X.509 certificates.

Overview

Relation to 'XML Signature Syntax and Processing'

This document borrows liberally from the [XML‑DSIG] (w3c, w3c., “XML Signature Syntax and Processing,” .) specification. Whenever possible this document specifies a restricted subset of the behavior defined by XML DSIG rather than specifying new behavior.

Signing

The signing process begins with an arbitrary XML document. The signing entity creates an XML DSIG ds:Signature element that includes:

• a description of the signing algorithm used.
• a reference to the location where the digital signature will be published.
• a certificate chain corresponding to the private key used to sign the document.

The ds:Signature element is then embedded into the XML document, and the document is serialized.

The signer then signs the raw octets of the serialized document with a private key. The resulting signature is base64 encoded. The raw octets of the serialized document are saved for later transfer to the verifier.

Verification

The verification process begins with the raw octets of the signed document, and, optionally, the associated signature. The verifier parses the raw octets of the document into an XML document and extracts the signature data.

The verifier then checks the signature data against their local policies. For example, the verifier checks that the signing algorithm used is acceptable, and that the certificates provided with the document are acceptable for signing that document.

If the verifier has not obtained the associated signature out of band, the verifier obtains the signature from the signature location reference within the XML.

The verifier then checks that the signature matches the raw octets of the document and the certificate from the document.

Example

A signed version of a simple "Hello World" XML document might look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<foo>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod
          Algorithm=
"http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
      <ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    </ds:SignedInfo>
    <sds:SignatureLocation
        xmlns:sds="http://docs.oasis-open.org/xri/xrd/2009/01">
      http://www.example.com/signatures/7d8a89064fa20c75
    </sds:SignatureLocation>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIBoDC...</ds:X509Certificate>
        <ds:X509Certificate>MIIBtjC...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <bar>Hello World</bar>
</foo>

Details

Schema Element Descriptions

• Simple XML Digital Signatures uses a slightly modified version of the XML DSIG Schema.

Signature Element

The Signature element is restricted to SignedInfo, SignatureValue, and KeyInfo children. No attributes are used.

SignedInfo Element

The SignedInfo element is restricted to a CanonicalizationMethod child and a SignatureMethod child.

CanonicalizationMethod Element

The CanonicalizationMethod Algorithm attribute MUST be set to "http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets".

SignatureMethod Element

The SignatureMethod Algorithm attribute SHOULD be set to one of the XML DSIG signature algorithm identifiers. Implementations MUST support the RSA-SHA1 algorithm. Implementations MAY support additional algorithms.

SignatureLocation Element

The SignatureValue element is not used, because including the signature value in the signed XML document would require XML canonicalization and significantly complicate implementation. Instead, the SignatureValue element is replaced with the SignatureLocation element, in the http://docs.oasis-open.org/xri/xrd/2009/01 namespace.

The value of the SignatureLocation element is the absolute URI of a location where the signature bytes may be found. The contents of the document returned from that URI MUST be the base64 encoded octets of the signature.

The SignatureLocation element is OPTIONAL. If not present, the signature bytes MUST be distributed out of band. For signed documents downloaded from an HTTP server, use of the Signature HTTP Header (Signature HTTP Header) is RECOMMENDED.

KeyInfo, X509Data, and X509Certificate Elements

The KeyInfo element MUST be present, and MUST have a single child X509Data element. The X509Data element MUST have one or more X509Certificate child elements.

The X509Certificate elements correspond to the private key used to sign the document. The first X509Certificate element MUST contain the public key used to validate the signature. Subsequent X509Certificate elements SHOULD provide the certificate chain used to validate the signing certificate against a trusted root certificate.

The X509Certificate elements MUST be ordered from subject certificate to issuer certificate. The trusted root certificate MUST NOT be included in the certificate chain. For example:

Cert 1: Subject = Signer
        Issuer = Intermediate CA
Cert 2: Subject = Intermediate CA
        Issuer = Root CA

If a self-signed certificate is being used to sign a document, the certificate MUST be included in the document. (This allows applications that trust multiple self-signed certificates to easily identify which certificate was used for a document.)

Signature HTTP Header

If a signed XML file is being retrieved from an HTTP server, the HTTP server MAY provide the associated signature in the "Signature" HTTP header. The value of the header MUST be the base64 encoded octets of the signature.

Schema

The XML schema for the Signature element is reproduced here. The namespace identifier sds refers to the XML namespace http://docs.oasis-open.org/xri/xrd/2009/01. The namespace identifier ds refers to the XML DSIG namespace http://www.w3.org/2000/09/xmldsig#.

  <element name="Signature" type="ds:SignatureType" />
  <complexType name="SignatureType">
    <sequence>
      <element ref="ds:SignedInfo"/>
      <element ref="sds:SignatureLocation" minOccurs="0"/>
      <element ref="ds:KeyInfo"/>
    </sequence>
  </complexType>

  <element name="SignedInfo" type="ds:SignedInfoType" />
  <complexType name="SignedInfo">
    <sequence>
      <element ref="ds:CanonicalizationMethod" />
      <element ref="ds:SignatureMethod" />
    </sequence>
  </complexType>

  <element name="CanonicalizationMethod" type="ds:CanonicalizationMethodType"/>
  <complexType name="CanonicalizationMethod">
    <attribute name="Algorithm" type="anyURI" use="required"/>
  </complexType>

  <element name="SignatureMethod" type="ds:SignatureMethodType"/>
  <complexType name="SignatureMethodType">
    <attribute name="Algorithm" type="anyURI" use="required"/>
  </complexType>

  <element name="SignatureLocation" type="sds:SignatureLocationType"/>
  <simpleType name="SignatureLocationType">
    <restriction base="anyURI" />
  </simpleType>

  <element name="KeyInfo" type="ds:KeyInfoType"/>
  <complexType name="KeyInfoType">
    <sequence>
      <element ref="ds:X509Data" />
    </sequence>
  </complexType>

  <element name="X509Data" type="ds:X509DataType"/>
  <complexType name="X509DataType">
    <sequence>
      <element ref="ds:X509Certificate" minOccurs="1" maxOccurs="unbounded" />
    </sequence>
  </complexType>

  <element name="X509Data" type="ds:X509DataType"/>
  <complexType name="X509DataType">
    <sequence>
      <element name="X509Certificate" minOccurs="1" maxOccurs="unbounded"
          type="base64Binary" />
    </sequence>
  </complexType>

Security Considerations

Signing vs Trust

Questions of trust are out of scope of this specification. Individual applications should specify how to determine whether a particular certificate is authorized to sign a particular XML document

Semantics of Signed Documents

Signing arbitrary documents is poor cryptographic hygiene. Individual application should specify the semantics of signed documents.