XML Digital Signature Service

The XML Digital Signature service composes and verifies digital signatures.

The following table provides an overview of the XML Digital Signature service:

Category Description
Service Name XML Digital Signature Service
System name XMLDSigService
Graphical Process Modeler (GPM) Category All Services
Description Use the XML Digital Signature service to compose and verify digital signatures.
Business usage Use this service to create enveloped, enveloping, detached, and a combination of all three signatures.
Usage example A business process that needs a document to be digitally signed or verified can invoke this service by passing the required parameters.
Preconfigured? No
Requires third-party files? Yes. Requires xss4j.jar. This is preloaded in Sterling B2B Integrator.
Platform availability All supported Sterling B2B Integrator platforms
Related services N/A
Application requirements N/A
Initiates business processes? No
Invocation This service is invoked from a business process.
Business process context considerations You must be familiar with the Internal Service (WF/BP parameters) that invokes this adapter. The WF parameters are the values passed into the Internal Service and BP parameters are the values specified within the business process code.
Returned status values Values:
  • signRequest
  • verifyRequest
Restrictions None
Persistence level System Default
Testing considerations You should use the correct certificates for signing. The most common problem encountered is that certificates used for signing are not created with a storepass value and a keypass value of integrator. If you receive an error with this condition, see your system administrator.

How the XML Digital Signature Service Works

The XML Digital Signature service signs or verifies the XML signature. It provides integrity and confidentiality of XML documents and messages.

The XML Digital Signature service in Sterling B2B Integrator supports the following types of XML signatures:

  • Enveloped (default) - signature of either an entire document or a document fragment where the XML signature is embedded within the signed document.
  • Enveloping - signature where signed data is embedded within XML signature structure.
  • Detached - signature where the signed entities are not attached to the actual signature fragment.
    Note: In Sterling B2B Integrator, a detached-signature type signs on the detached workflow document. The Reference URI of the detached document is the document ID.
  • Combination (combination of enveloped, enveloping, and detached)

Implementing the XML Digital Signature Service

To implement the XML Digital Signature service, complete the following tasks:
  1. Create an XML Digital Signature service configuration. For information, see Managing Services and Adapters.
  2. Configure the XML Digital Signature service. For information, see Configuring the XML Digital Signature Service.
  3. Use the XML Digital Signature service in a business process.

System Administrator Tasks

The following procedure describes the system administrator tasks for the XML Digital Signature service.

Importing a KeyCert

  1. Log in to Sterling B2B Integrator.
  2. Select Trading Partner -> Digital Certificates -> Trusted.
  3. Select New Certificate under Check-in.
  4. Select the certificate and click Next.
  5. Enter the Certificate Name and click Next.
  6. Review and click Finish.
  7. You can use this certificate in your BPML associated with the appropriate field (signCertificateIdentifier).

Configuring the XML Digital Signature Service

To configure the XML Digital Signature service, you must specify settings for the following fields:

Field Description
Name XML Digital Signature Service
Description Signs and validates XML digital signatures
Select a Group Select one of the following options:
  • None – You do not want to include this configuration in a group at this time.
  • Create New Group – You can enter a name for a new group in this field, which will then be created along with this configuration.
  • Select Group – If you have already created one or more groups for this service type, they are displayed in the list. Select a group from the list.
Note: For more information about groups, see Managing Services and Adapters.

Output from Business Process to Service

The following table lists the parameters passed from the business process to the XML Digital Signature service when the service is invoked with the output message set to signRequest:

Parameter Description
action Required. The required action. The value can be a valid string. Valid value - sign.
signatureType Required. The type of signature. Valid values are:
  • enveloped (default)
  • enveloping
  • detached
  • combination of enveloped, enveloping, and detached
signCertificateIdentifier Required. The alias of a private key in the certificate.
certificateIdentifier Optional. The alias of a public key in the certificate. When this parameter is used during signing, the KeyInfo element must be included in the signature.
nodeToSign Optional. Indicates the node that needs to be signed. This parameter is used when signing an XML document and the node exists in the document to be signed. If this parameter is not specified, the whole document is signed. Multiple nodes can be specified using a comma ( , ) as the delimiter. When signing with an enveloped signature, the node to be signed should contain an ID attribute. Valid node names - node1, node2
Transforms Optional. The required Transforms to be used when signing. If omitted when signing with the enveloped signature type, the enveloped-signature Transform will be used. If omitted when signing a non-XML document with the enveloping signature type, the base64 Transform will be used. An error will be thrown when the transform algorithm is invalid in xss4j. A valid example using Transform:
<Transforms>
    <Transform Algorithm="…">
    </Transform>
</Transforms>
documents Optional. Used to sign multiple documents or when the primary document is empty. This node contains a list of document nodes. This parameter is required when the primary document is empty. Each document node contains:
  • documentID - Required for all signature types.
  • nodeToSign - Required when signing XML document and optional for all signature types.
  • signatureType - Required for combination signature.
  • Transforms/Transform - Optional for all signature types and can contain multiple Transform nodes with different algorithms.
A valid example:
<documents>
  <document>
     <documentID>
      xxx
     </documentID>
     <signatureType>
      xxx
     </signatureType>
      <nodeToSign>
        node1, node2
     </nodeToSign>
     <Transforms>
       <Transform Algorithm="…">
      </Transform>
    </Transforms>
   </document>
</documents>
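
One way to catch a malformed documents parameter before the signRequest is sent, as an added Python example that is not part of the product: it applies the rules listed above to each document node and, for enveloped signing, confirms that every node named in nodeToSign exists and carries an ID attribute. The function name, the problem codes and the bodies mapping (documentID to document text, standing in for the workflow documents) are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

TYPES = {"enveloped", "enveloping", "detached"}

# Constructed input modelled on the combination example on this page; the IDs
# and document bodies are made up. The second <document> omits signatureType,
# and <value2> in the first body has no ID attribute.
DOCUMENTS = """<documents>
  <document>
    <documentID>doc-a</documentID>
    <signatureType>enveloped</signatureType>
    <nodeToSign>value1, value2</nodeToSign>
  </document>
  <document>
    <documentID>doc-b</documentID>
    <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64"/></Transforms>
  </document>
</documents>"""
BODIES = {
    "doc-a": '<test><value1 ID="1">testval1</value1><value2>testval2</value2></test>',
    "doc-b": "this is test",
}


def check_documents(signature_type, documents_xml, bodies):
    """Return (document number, problem code) pairs for a documents parameter."""
    problems = []
    for n, doc in enumerate(ET.fromstring(documents_xml).findall("document"), 1):
        doc_id = (doc.findtext("documentID") or "").strip()
        if not doc_id:
            problems.append((n, "documentID-required"))
        # For a combination signature each document names its own type.
        effective = signature_type
        if signature_type == "combination":
            effective = (doc.findtext("signatureType") or "").strip()
            if effective not in TYPES:  # missing, or not one of the three types
                problems.append((n, "signatureType-required"))
        for transform in doc.findall("Transforms/Transform"):
            if not (transform.get("Algorithm") or "").strip():
                problems.append((n, "transform-without-algorithm"))
        raw = doc.findtext("nodeToSign") or ""
        nodes = [name.strip() for name in raw.split(",") if name.strip()]
        if not nodes or doc_id not in bodies:
            continue
        try:
            tree = ET.fromstring(bodies[doc_id])
        except ET.ParseError:
            problems.append((n, "nodeToSign-on-non-xml"))
            continue
        for name in nodes:
            hits = [el for el in tree.iter() if el.tag == name]
            if not hits:
                problems.append((n, f"node-not-found:{name}"))
            elif effective == "enveloped" and any(el.get("ID") is None for el in hits):
                problems.append((n, f"node-without-ID:{name}"))
    return problems


if __name__ == "__main__":
    for number, code in check_documents("combination", DOCUMENTS, BODIES):
        print(f"document {number}: {code}")
```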

The following table lists the parameters passed from the business process to the XML Digital Signature service when the service is invoked with the output message set to verifyRequest:

Parameter Description
action Required. The required action. The value can be a valid string. Valid value - verify.
certificateIdentifier Optional. The alias of a public key in the certificate. If certificateIdentifier is not present, the certificate information is retrieved from the KeyInfo element of signature.
documents Optional. Used for detached signature verification. It contains a list of document nodes, and each document contains one documentID. The sequence of the detached document list should follow the reference sequence in the XML signature. This parameter is not applicable for verifying enveloped and enveloping signatures. A valid example:
<documents>
  <document>
    <documentID>
      xxx
    </documentID>
  </document>
</documents>

Business Process Examples

The following example business processes illustrate using the XML Digital Signature service:

Example Business Process 1

The following BPML signs the document based on the parameters passed from BPML to the XML Digital Signature service.

<process name="xmldsig_enveloped">
  <sequence>
  
   <operation name="SignMessage">
     <participant name="XMLDSigService"/>
     <output message="signRequest">
           <assign to="." from="*"/>
           <assign to="action">sign</assign>
           <assign to="signatureType">enveloped</assign>
           <assign to="signCertificateIdentifier">test_rsa_priv</assign>
     </output>
      <input message="signResponse">
           <assign to="." from="*"></assign>
     </input>
    </operation>
   
    <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
           <assign to="." from="*"/>
           <assign to="action">verify</assign>
           <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
           <assign to="." from="*"></assign>
     </input>
    </operation>
       
  </sequence>
</process>

Example Business Process 2

The following BPML shows how to sign the Primary Document and add the KeyInfo element within the Signature element by including the certificateIdentifier parameter in the signing request. The example also includes how to construct the Transforms node.

<process name="xmldsig_enveloped_transform_keyinfo">
 <sequence>
	   <assign to="temp/@Algorithm">http://www.w3.org/2000/09/xmldsig#enveloped-signature</assign>
    <assign to="Transforms/Transform" from="temp/@*"/>
  
    <operation name="SignMessage">
     <participant name="XMLDSigService"/>
     <output message="signRequest">
          <assign to="." from="*"/>
          <assign to="action">sign</assign>
          <assign to="signatureType">enveloped</assign>
          <assign to="signCertificateIdentifier">test_rsa_priv</assign>
          <assign to="certificateIdentifier">test_rsa_pub</assign>
          <assign to="Transforms" from="Transforms/node()"/>
     </output>
      <input message="signResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>
   
    <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
          <assign to="." from="*"/>
          <assign to="action">verify</assign>
     </output>
      <input message="verifyResponse">
          <assign to="." from="*"></assign>
     </input>
    </operation>
       
  </sequence>
</process>

Example Business Process 3

The following BPML shows how to sign particular nodes in the Primary Document. The nodes to be signed are delimited by comma ( , ). The signature type is enveloped.

<process name="xmldsig_enveloped_nodetosign">
 <sequence>
 
   <operation name="SignMessage">
      <participant name="XMLDSigService"/>
      <output message="signRequest">
          <assign to="." from="*"/>
          <assign to="action">sign</assign>
          <assign to="nodeToSign">value1,value2</assign>
          <assign to="signatureType">enveloped</assign>
          <assign to="signCertificateIdentifier">test_rsa_priv</assign>
     </output>
      <input message="signResponse">
          <assign to="." from="*"></assign>
     </input>
    </operation>
   
    <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
          <assign to="." from="*"/>
          <assign to="action">verify</assign>
          <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>    
   
  </sequence>
</process>

Example Business Process 4

The following BPML shows how to sign particular nodes in the Primary Document. The nodes to be signed are delimited by comma ( , ). The signature type is enveloping.

<process name="xmldsig_enveloping_nodetosign">
 <sequence>
  
   <operation name="SignMessage">
      <participant name="XMLDSigService"/>
      <output message="signRequest">
         <assign to="." from="*"/>
         <assign to="action">sign</assign>
         <assign to="nodeToSign">value1,value2</assign>
         <assign to="signatureType">enveloping</assign>
         <assign to="signCertificateIdentifier">test_rsa_priv</assign>
     </output>
      <input message="signResponse">
         <assign to="." from="*"></assign>
     </input>
    </operation>    
    
    <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
         <assign to="." from="*"/>
         <assign to="action">verify</assign>
         <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>    
   
  </sequence>
</process>

Example Business Process 5

The following input file and BPML show how to sign multiple documents passed from the “documents/document” parameter. The nodes to be signed are delimited by comma ( , ). The signature type is enveloping.

Input file:

<documents>
  <document>
   <documentID>sgconrad:31e5343c:1158d3b080f:-75fc</documentID>		
   <nodeToSign>value1,value2</nodeToSign>
   <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
        <XPath>descendant-or-self::Contract</XPath>
     </Transform>
    </Transforms>
 </document>
  <document>
   <documentID>sgconrad:-3c3ab664:1158cfc1d5d:-5431</documentID>
 </document>
</documents>

BPML:

<process name="xmldsig_enveloping_documents">
  <sequence>
   <operation name="XML Encoder">
     <participant name="XMLEncoder"/>
     <output message="XMLEncoderTypeInputMessage">
       <assign to="output_to_process_data">YES</assign>
       <assign to="mode">xml_to_process_data</assign>
       <assign to="root_element">documents</assign>
       <assign to="." from="*"></assign>
     </output>
      <input message="inmsg">
       <assign to="." from="*"></assign>
     </input>
    </operation>

   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET">PrimaryDocument</assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>

   <operation name="SignMessage">
     <participant name="XMLDSigService"/>
     <output message="signRequest">
       <assign to="." from="*"></assign>
       <assign to="action">sign</assign>
       <assign to="signatureType">enveloping</assign>
       <assign to="signCertificateIdentifier">test_rsa_priv</assign>
       <assign to="documents" from="documents/node()"></assign>
     </output>
      <input message="signResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>

   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET" from="'documents'"></assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>

   <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
       <assign to="." from="*"></assign>
       <assign to="action">verify</assign>
       <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>

  </sequence>
 </process>

Example Business Process 6

The following input file and BPML show how to sign multiple documents passed from the “documents/document” parameter. Transforms/Transform/XPath is used to sign a specific node. The signature type is detached.

Input file:

<documents>
  <document>
   <documentID>sgconrad:31e5343c:1158d3b080f:-75fc</documentID>		
   <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
        <XPath>descendant-or-self::Contract</XPath>
     </Transform>
    </Transforms>
 </document>
  <document>
   <documentID>sgconrad:-3c3ab664:1158cfc1d5d:-5431</documentID>
 </document>
</documents>

BPML:

<process name="xmldsig_enveloping_documents">
  <sequence>
   <operation name="XML Encoder">
     <participant name="XMLEncoder"/>
     <output message="XMLEncoderTypeInputMessage">
       <assign to="output_to_process_data">YES</assign>
       <assign to="mode">xml_to_process_data</assign>
       <assign to="root_element">documents</assign>
       <assign to="." from="*"></assign>
     </output>
      <input message="inmsg">
       <assign to="." from="*"></assign>
     </input>
    </operation>
   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET">PrimaryDocument</assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>
   <operation name="SignMessage">
     <participant name="XMLDSigService"/>
     <output message="signRequest">
       <assign to="." from="*"></assign>
       <assign to="action">sign</assign>
       <assign to="signatureType">detached</assign>
       <assign to="signCertificateIdentifier">test_rsa_priv</assign>
       <assign to="documents" from="documents/node()"></assign>
     </output>
      <input message="signResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>
   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET" from="'documents'"></assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>
   <assign to="document/documentID">sgconrad:-628e3b67:11569be511e:-6d7a
   </assign>
   <assign to="documents/document" from="document/node()" append="true">
   </assign>
   <assign to="document/documentID">sgconrad:-628e3b67:11569be511e:-682f
   </assign>
   <assign to="documents/document" from="document/node()" append="true">
   </assign>
   <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
       <assign to="." from="*"></assign>
       <assign to="action">verify</assign>
       <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>
  </sequence>
</process>

Example Business Process 7

The following input file and BPML show how to sign multiple documents passed from the “documents/document” parameter. The signature type is combination.

Input file:

<documents>
  <document>
   <documentID>sgconrad:31e5343c:1158d3b080f:-75fc</documentID>		
   <signatureType>enveloped</signatureType>
   <nodeToSign>value1,value2</nodeToSign>
 </document>
  <document>
   <documentID>sgconrad:-3c3ab664:1158cfc1d5d:-5431</documentID>
   <signatureType>enveloping</signatureType>
   <Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64">
     </Transform>
    </Transforms>
 </document>
  <document>
   <documentID>sgconrad:31e5343c:1158d3b080f:-75bc</documentID>		
   <signatureType>detached</signatureType>
   <nodeToSign>node1,node2</nodeToSign>
 </document>
</documents>

BPML:

<process name="xmldsig_enveloping_documents">
  <sequence>
   <operation name="XML Encoder">
     <participant name="XMLEncoder"/>
     <output message="XMLEncoderTypeInputMessage">
       <assign to="output_to_process_data">YES</assign>
       <assign to="mode">xml_to_process_data</assign>
       <assign to="root_element">documents</assign>
       <assign to="." from="*"></assign>
     </output>
      <input message="inmsg">
       <assign to="." from="*"></assign>
     </input>
    </operation>
   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET">PrimaryDocument</assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>
   <operation name="SignMessage">
     <participant name="XMLDSigService"/>
     <output message="signRequest">
       <assign to="." from="*"></assign>
       <assign to="action">sign</assign>
       <assign to="signatureType">combination</assign>
       <assign to="signCertificateIdentifier">test_rsa_priv</assign>
       <assign to="documents" from="documents/node()"></assign>
     </output>
      <input message="signResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>
   <operation>
      <participant name="ReleaseService"/>
     <output message="releaseRequest">
       <assign to="TARGET" from="'documents'"></assign>
     </output>
      <input message="releaseResponse">
     </input>
    </operation>
   <assign to="document/documentID">sgconrad:-628e3b67:11569be511e:-6d7a</assign>
   <assign to="documents/document" from="document/node()" append="true"></assign>
   <operation name="VerifyMessage">
     <participant name="XMLDSigService"/>
     <output message="verifyRequest">
       <assign to="." from="*"></assign>
       <assign to="action">verify</assign>
       <assign to="certificateIdentifier">test_rsa_pub</assign>
     </output>
      <input message="verifyResponse">
       <assign to="." from="*"></assign>
     </input>
    </operation>
  </sequence>
</process>

XML Digital Signature Service Examples

The following example signature types illustrate using the XML Digital Signature service:

Example of Enveloped Signature

The following example shows the enveloped signature type:

<?xml version="1.0" encoding="UTF-8"?>
<test>
	<value1 ID="1">
testval1</value1>
	<value2 ID="2">
testval2</value2>
	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<Reference URI="">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
fgWg+5VNk9ZqUy86IOIE3QS+bGQ=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>
MYWSLB0T9qX+Qu2BnMWpGC4KmKT5pws0M9GtQQsMGYT5rxXCMe2qeMKAV65WoY0ib7mTxjj9
nChQSdyN1yYYn6nRvvKl9lX8LWVNpJj
58lE7/alohe8/+0hOAWKxBsiFDhBbUC0jHG1+Qp2f
M3KAe2kyBUPjN57isAmmH64y/LI= </SignatureValue>
		<KeyInfo>
			<KeyValue>
				<RSAKeyValue>
					<Modulus>
kFhwg4m9hjFmrlxVR3w0XmYx7fgGsoh+aelmXlzCug5gRV0t0XeSpaeoX1jXu6gacJ
Vl/pOlNs+av+iviDKmS94LDPJtjAcl7C9dZbbt39N+/2S9WBAtJGXk5MOIu0aab50D
UFK55mUbpsZzwoVQrisW+KArnWlbrUP5xWXsnwM=
</Modulus>
					<Exponent>
AQAB</Exponent>
				</RSAKeyValue>
			</KeyValue>
			<X509Data>
				<X509IssuerSerial>
					<X509IssuerName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509IssuerName>
					<X509SerialNumber>
1190704157</X509SerialNumber>
				</X509IssuerSerial>
				<X509SubjectName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509SubjectName>
				<X509Certificate>
MIICBjCCAW8CBEb4tB0wDQYJKoZIhvcNAQEFBQAwSTElMCMGCSqGSIb3DQEJARYWc2VyZ
W5hX2xp QHN0ZXJjb21tLmNvbTELMAkGA1UEBhMCU0cxEzARBgNVBAMTCnNlcmVuYV9yc
2EwIBcNMDcwOTI1 MDcwOTE3WhgPMjA2MjA2MjgwNzA5MTdaMEkxJTAjBgkqhk
iG9w0BCQEWFnNlcmVuYV9saUBzdGVy Y29tbS5jb20xCzAJBgNVBAYTAlNHMRMw
EQYDVQQDEwpzZXJlbmFfcnNhMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCQWHCD
ib2GMWauXFVHfDReZjHt+AayiH5p6WZeXMK6DmBFXS3Rd5Klp6hf WNe7qBpwlWX+k6U2
z5q/6K+IMqZL3gsM8m2MByXsL11ltu3f037/ZL1YEC0kZeTkw4i7RppvnQNQ UrnmZRum
xnPChVCuKxb4oCudaVutQ/nFZeyfAwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAC+7glCs 
TKBSURkwmbA4k/SYVOOhhz3VkBX0he3r1/Vd6Qk8IlRJwQj5AT8e40gz+vqO0Gvj
aYAx70bvIGqn yYE/VVJJOG5Zw6Tott69Dx4AOCrmbZb96zOAjlcEI3Ol7U1h+9+Uo2h5
ZC8AMWnC3rk3VudrSB8dAhBwZmY9l8AB
 </X509Certificate>
			</X509Data>
		</KeyInfo>
	</Signature>
</test>

Example of Enveloped Signature with particular nodes

The following example shows the enveloped signature type with particular nodes:

<?xml version="1.0" encoding="UTF-8"?>
<test>
	<value1 ID="1">
testval1</value1>
	<value2 ID="2">
testval2</value2>
	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<Reference URI="#1">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
XEZm5p6sjqi+Gt61BHQTOWtL2Nw=</DigestValue>
			</Reference>
			<Reference URI="#2">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
1k1M9eAUMUWM4FP4OA1/YC9qS/Y=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>
UmZlQ5g4ummBZu4IRg+BHDpZeeX4ix1GXODhyG+f5tvw+4ZDKIGn8qm5wdAj3+/wJS84Lx/
V hRgjyaucMjM3qEoMAEXEWYRTag0PdeOmfrSUffictYcTaGpPUYjDiWfKyFXAlCL5XmSeBW
5sMGgy5Bi/Y0HB1gwlmu+Jsh6FsGM= </SignatureValue>
		<KeyInfo>
			<KeyValue>
				<RSAKeyValue>
					<Modulus>
kFhwg4m9hjFmrlxVR3w0XmYx7fgGsoh+aelmXlzCug5gRV0t0XeSpaeoX1jXu6gacJ
Vl/pOlNs+av+iviDKmS94LDPJtjAcl7C9dZbbt39N+/2S9WBAtJGXk5MOIu0aab50D UFK55m
UbpsZzwoVQrisW+KArnWlbrUP5xWXsnwM=
</Modulus>
					<Exponent>
AQAB</Exponent>
				</RSAKeyValue>
			</KeyValue>
			<X509Data>
				<X509IssuerSerial>
					<X509IssuerName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509IssuerName>
					<X509SerialNumber>
1190704157</X509SerialNumber>
				</X509IssuerSerial>
				<X509SubjectName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509SubjectName>
				<X509Certificate>
MIICBjCCAW8CBEb4tB0wDQYJKoZIhvcNAQEFBQAwSTElMCMGCSqGSIb3DQEJARYWc2VyZW
5hX2xp QHN0ZXJjb21tLmNvbTELMAkGA1UEBhMCU0cxEzARBgNVBAMTCnNlcmVuYV9yc2Ew
IBcNMDcwOTI1 MDcwOTE3WhgPMjA2MjA2MjgwNzA5MTdaMEkxJTAjBgkqhk
iG9w0BCQEWFnNlcmVuYV9saUBzdGVy Y29tbS5jb20xCzAJBgNVBAYTAlNHMRMwEQYDVQQDE
wpzZXJlbmFfcnNhMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCQWHCDib2GMWauXFVH
fDReZjHt+AayiH5p6WZeXMK6DmBFXS3Rd5Klp6hf WNe7qBpwlWX+k6U2z
5q/6K+IMqZL3gsM8m2MByXsL11ltu3f037/ZL1YEC0kZeTkw4i7RppvnQNQ UrnmZRumxnPCh
VCuKxb4oCudaVutQ/nFZeyfAwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAC+7glCs TKBSURkwmb
A4k/SYVOOhhz3VkBX0he3r1/Vd6Qk8IlRJwQj5AT8e40gz+vqO0GvjaY
Ax70bvIGqn yYE/VVJJOG5Zw6Tott69Dx4AOCrmbZb96zOAjlcEI3Ol7U1h+9+Uo2h5ZC8AMWn
C3rk3VudrSB8dAhBwZmY9l8AB
 </X509Certificate>
			</X509Data>
		</KeyInfo>
	</Signature>
</test>
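
A signature produced with nodeToSign, like the one above, vouches only for the elements its Reference URIs point at, and a verifyRequest without certificateIdentifier takes the certificate from the KeyInfo element carried in the message. The following Python check is an added example, not Sterling B2B Integrator or xss4j code: it inspects a signature structurally, without verifying it cryptographically, and reports SHA-1 algorithms, elements that no Reference covers, and an embedded certificate that is not matched against a pinned fingerprint. The sample document, the finding codes and the pinned_cert_sha256 parameter are constructed for this illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
SHA1_ALGS = {DS + "sha1", DS + "rsa-sha1", DS + "dsa-sha1", DS + "hmac-sha1"}
XPATH_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"

# Constructed input modelled on the example above. Digest, signature and
# certificate values are dummies; <value3> is extra and has no Reference.
SAMPLE = f"""<test>
  <value1 ID="1">testval1</value1>
  <value2 ID="2">testval2</value2>
  <value3>not referenced</value3>
  <Signature xmlns="{DS}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="{DS}rsa-sha1"/>
      <Reference URI="#1">
        <Transforms><Transform Algorithm="{DS}enveloped-signature"/></Transforms>
        <DigestMethod Algorithm="{DS}sha1"/>
        <DigestValue>AAAA</DigestValue>
      </Reference>
      <Reference URI="#2">
        <DigestMethod Algorithm="{DS}sha1"/>
        <DigestValue>AAAA</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>ZHVtbXktY2VydA==</X509Certificate></X509Data></KeyInfo>
  </Signature>
</test>"""


def audit_signature(xml_text, pinned_cert_sha256=None):
    """Structural audit of the first ds:Signature; returns (code, detail) pairs."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return [("no-signature", "")]
    findings = []

    # 1. SHA-1 based signature or digest algorithms.
    algs = set()
    for path in ("ds:SignedInfo/ds:SignatureMethod", "ds:SignedInfo/ds:Reference/ds:DigestMethod"):
        algs.update(el.get("Algorithm", "") for el in sig.findall(path, NS))
    findings += [("sha1-algorithm", alg) for alg in sorted(algs & SHA1_ALGS)]

    # 2. Index ID attributes; a duplicated ID makes a "#id" reference ambiguous.
    ids = {}
    for el in root.iter():
        for attr in ("ID", "Id", "id"):
            if el.get(attr) is not None:
                ids.setdefault(el.get(attr), []).append(el)
    findings += [("duplicate-id", value) for value, els in ids.items() if len(els) > 1]

    # 3. Work out which elements the References cover.
    covered, whole_doc = set(), False
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI")
        transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if XPATH_TRANSFORM in transforms:
            findings.append(("xpath-narrows-reference", uri))  # coverage depends on the XPath
        if uri == "":
            whole_doc = True
        elif uri is None or not uri.startswith("#"):
            findings.append(("external-reference", uri))  # detached target, checked elsewhere
        elif len(ids.get(uri[1:], [])) == 1:
            covered.update(ids[uri[1:]][0].iter())
        elif uri[1:] not in ids:
            findings.append(("dangling-reference", uri))

    # 4. Elements outside the signature's own bookkeeping that nothing covers.
    skip = {sig}
    for name in ("SignedInfo", "SignatureValue", "KeyInfo"):
        for child in sig.findall(f"ds:{name}", NS):
            skip.update(child.iter())
    if not whole_doc:
        for el in root.iter():
            if el in skip or el in covered or any(d in covered for d in el.iter()):
                continue  # signed, part of the signature, or a container of signed nodes
            findings.append(("unsigned-element", el.tag))

    # 5. A certificate in KeyInfo arrives with the message; compare it to a pinned one.
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is not None:
        der = base64.b64decode("".join((cert.text or "").split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        if pinned_cert_sha256 is None:
            findings.append(("unpinned-keyinfo", fingerprint))
        elif fingerprint != pinned_cert_sha256.lower():
            findings.append(("keyinfo-mismatch", fingerprint))
    return findings


if __name__ == "__main__":
    for code, detail in audit_signature(SAMPLE):
        print(f"{code:24} {detail}")
```

Passing certificateIdentifier in the verifyRequest, as Example Business Process 1 does, is the service-side counterpart of the pinned fingerprint used here.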

Example of Enveloping Signature

The following example shows the enveloping signature type:

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
	<SignedInfo>
		<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
		<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
		<Reference URI="#test">
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
ILdA0tPr6GHE9C2/aLX4GQZc3XI=</DigestValue>
		</Reference>
	</SignedInfo>
	<SignatureValue>
gJ5H1D5gYydhG5NgFitWeiDs+K49CoFyauodfGG8m1vnBfCfPieu14dt4CG2/w7OxbsS5Kjy
J8+iHePiaVxdu3xYJu0ox4UkCK/wwxvnXzWv+AlS+Kj2fwkvzp6++auDOSC2Ucwe1ncwZFX5
xCSNq9wQYH12aULKsVB/bYtcvwo= </SignatureValue>
	<KeyInfo>
		<KeyValue>
			<RSAKeyValue>
				<Modulus>
kFhwg4m9hjFmrlxVR3w0XmYx7fgGsoh+aelmXlzCug5gRV0t0XeSpaeoX1jXu6gacJ
Vl/pOlNs+av+iviDKmS94LDPJtjAcl7C9dZbbt39N+/2S9WBAtJGXk5MOIu0aab50D 
UFK55mUbpsZzwoVQrisW+KArnWlbrUP5xWXsnwM=
</Modulus>
				<Exponent>
AQAB</Exponent>
			</RSAKeyValue>
		</KeyValue>
		<X509Data>
			<X509IssuerSerial>
				<X509IssuerName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509IssuerName>
				<X509SerialNumber>
1190704157</X509SerialNumber>
			</X509IssuerSerial>
			<X509SubjectName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509SubjectName>
			<X509Certificate>
MIICBjCCAW8CBEb4tB0wDQYJKoZIhvcNAQEFBQAwSTElMCMGCSqGSIb3DQEJARYWc2VyZW5hX
2xp QHN0ZXJjb21tLmNvbTELMAkGA1UEBhMCU0cxEzARBgNVBAMTCnNlcmVuYV9yc2EwIBcNMD
cwOTI1 MDcwOTE3WhgPMjA2MjA2MjgwNzA5MTdaMEkxJTAjBgkqhkiG9w0BCQEWFnNlcmVuYV9
saUBzdGVy Y29tbS5jb20xCzAJBgNVBAYTAlNHMRMwEQYDVQQDEwpzZXJlbmFfcnNhMIGfMA0G
CSqGSIb3DQEB AQUAA4GNADCBiQKBgQCQWHCDib2GMWauXFVHfDReZjHt+AayiH5p6WZeXMK6D
mBFXS3Rd5Klp6hf WNe7qBpwlWX+k6U2z5q/6K+IMqZL3gsM8m2MByXsL11ltu3f037/ZL1YEC0
kZeTkw4i7RppvnQNQ UrnmZRumxnPChVCuKxb4oCudaVutQ/nFZeyfAwIDAQABMA0GCSqGSIb3D
QEBBQUAA4GBAC+7glCs TKBSURkwmbA4k/SYVOOhhz3VkBX0he3r1/Vd6Qk8IlRJwQj5AT8e40gz
+vqO0GvjaYAx70bvIGqn yYE/VVJJOG5Zw6Tott69Dx4AOCrmbZb96zOAjlcEI3Ol7U1h+9+Uo2h
5ZC8AMWnC3rk3VudrSB8dAhBwZmY9l8AB </X509Certificate>
		</X509Data>
	</KeyInfo>
	<Object xmlns="" Id="test">
		<test>
			<value1 ID="1">
testval1</value1>
			<value2 ID="2">
testval2</value2>
		</test>
	</Object>
</Signature>

Example of Enveloping Signature with particular nodes

The following example shows the enveloping signature type with particular nodes:

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
	<SignedInfo>
		<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
		<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
		<Reference URI="#value1">
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
mb5wQZvkO1C4+YzJUQ0Q2eL1nNg=</DigestValue>
		</Reference>
		<Reference URI="#value2">
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
cITL2XfG2q9roG/XpFaoa/JSiGU=</DigestValue>
		</Reference>
	</SignedInfo>
	<SignatureValue>
Z6hxQRWv1+RZMU5UYIN06LmhFfGVtNIniIfeAmNy5TGX6SZAY5vgYbuhhZtq+LWG5nwzSQLX Kv7TIb8
N++LYgJeUtcwumCvI6t6rl6PJuSQiJZnucdpGxChrE1rra2WrRZYXxaLkoSUrBJc1 pCnXscU6F0eHmK
akIV0ZypdFZT4=
</SignatureValue>
	<KeyInfo>
		<KeyValue>
			<RSAKeyValue>
				<Modulus>
kFhwg4m9hjFmrlxVR3w0XmYx7fgGsoh+aelmXlzCug5gRV0t0XeSpaeoX1jXu6gacJ
Vl/pOlNs+av+iviDKmS94LDPJtjAcl7C9dZbbt39N+/2S9WBAtJGXk5MOIu0aab50D UFK55mUbps
ZzwoVQrisW+KArnWlbrUP5xWXsnwM=</Modulus>
				<Exponent>
AQAB</Exponent>
			</RSAKeyValue>
		</KeyValue>
		<X509Data>
			<X509IssuerSerial>
				<X509IssuerName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509IssuerName>
				<X509SerialNumber>
1190704157</X509SerialNumber>
			</X509IssuerSerial>
			<X509SubjectName>
CommonName=serena_rsa,Country=SG,EmailAddress=serena_li@stercomm.com
</X509SubjectName>
			<X509Certificate>
MIICBjCCAW8CBEb4tB0wDQYJKoZIhvcNAQEFBQAwSTElMCMGCSqGSIb3DQEJARYWc2VyZW5hX2xp QHN0
ZXJjb21tLmNvbTELMAkGA1UEBhMCU0cxEzARBgNVBAMTCnNlcmVuYV9yc2EwIBcNMDcwOTI1 MDcwOTE3
WhgPMjA2MjA2MjgwNzA5MTdaMEkxJTAjBgkqhkiG9w0BCQEWFnNlcmVuYV9saUBzdGVy Y29tbS5jb20x
CzAJBgNVBAYTAlNHMRMwEQYDVQQDEwpzZXJlbmFfcnNhMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBg
QCQWHCDib2GMWauXFVHfDReZjHt+AayiH5p6WZeXMK6DmBFXS3Rd5Klp6hf WNe7qBpwlWX+k6U2z5q/6K
+IMqZL3gsM8m2MByXsL11ltu3f037/ZL1YEC0kZeTkw4i7RppvnQNQ UrnmZRumxnPChVCuKxb4oCudaVut
Q/nFZeyfAwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAC+7glCs TKBSURkwmbA4k/SYVOOhhz3VkBX0he3r1/
Vd6Qk8IlRJwQj5AT8e40gz+vqO0GvjaYAx70bvIGqn yYE/VVJJOG5Zw6Tott69Dx4AOCrmbZb96zOAjlc
EI3Ol7U1h+9+Uo2h5ZC8AMWnC3rk3VudrSB8dAhBwZmY9l8AB
 </X509Certificate>
		</X509Data>
	</KeyInfo>
	<Object xmlns="" Id="value1">
		<value1 ID="1">
testval1</value1>
	</Object>
	<Object xmlns="" Id="value2">
		<value2 ID="2">
testval2</value2>
	</Object>
</Signature>

Example of Enveloping Signature with non-XML Input File

The following example shows the enveloping signature type with non-XML input file:

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
	<SignedInfo>
		<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
		<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
		<Reference URI="#sgconrad:-7cd5f978:1159315afbc:-6124">
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
UWdFQL/JwoDirPg/AJdp+m5+bT4=</DigestValue>
		</Reference>
	</SignedInfo>
	<SignatureValue>
cAtHLlmNUVRmWzn4mDvWkcRvFDoKOkes+gMsnC4pHAKclg99j+e2xxR0SsE5HnvNPEH3IrwT GZyaT
XVlx3UTaX1C+215t0
mW4CYn4nyZpwJTbM18pRZq8tijquydg4roZz/yawz856uow3KH z+khzOuwt78GzwQXVyqQymyVrQk=
</SignatureValue>
	<Object xmlns="" Encoding="base64" Id="sgconrad:-7cd5f978:1159315afbc:-6124">
dGhpcyBpcyB0ZXN0 </Object>
</Signature>

Example of Detached Signature

The following example shows the detached signature type:

<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
	<SignedInfo>
		<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
		<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
		<Reference URI="sgconrad:31e5343c:1158d3b080f:-75fc">
			<Transforms>
				<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
					<XPath>
descendant-or-self::Contract</XPath>
				</Transform>
			</Transforms>
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
1ybLCHRnYSGKCoswkUOuD650Mr0=</DigestValue>
		</Reference>
		<Reference URI="sgconrad:-3c3ab664:1158cfc1d5d:-5431">
			<Transforms>
				<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
					<XPath>
descendant-or-self::FILLER</XPath>
				</Transform>
			</Transforms>
			<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
			<DigestValue>
2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
		</Reference>
	</SignedInfo>
	<SignatureValue>
CBML9dFb/hEQXXR7oYfTuu4qit/VhUjwIfvPhSUQTQg0j+BFiTZFwNZaCJkZGswxDnSKhH1p
CuLn/Fpzl2CJpNduDU0Ff0pstd7MITS0l0/IvhDVS+Tf6WiYkN8UYTCkJeg063zlbW+15mR1
Z25jCs0gWO9qESthX34qXRi7ii0= </SignatureValue>
</Signature>

Example of Combination Signature of Enveloped/Enveloping/Detached

The following example shows the combination signature type:

<?xml version="1.0" encoding="UTF-8"?>
<test>
	<value1 ID="1">
testval1</value1>
	<value2 ID="2">
testval2</value2>
	<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
			<Reference URI="#1">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
IpBpovbT2WG7C+gTME1Np/V2fqo=</DigestValue>
			</Reference>
			<Reference URI="#2">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
pFXQ3ZZv4Fivm2MFs6vpfEanEDI=</DigestValue>
			</Reference>
			<Reference URI="#sgconrad:-56000361:115d676b12e:-7988">
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
7bPj9pPMJpsJw1OJ1b2jsrhxYMY=</DigestValue>
			</Reference>
			<Reference URI="sgconrad:-56000361:115d676b12e:-795f">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
						<XPath>
descendant-or-self::node1</XPath>
					</Transform>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
2gFHdr03uDeDqwcxGveD+uYDIjM=</DigestValue>
			</Reference>
			<Reference URI="sgconrad:-56000361:115d676b12e:-795f">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
						<XPath>
descendant-or-self::node2</XPath>
					</Transform>
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
				<DigestValue>
nn7t7PJs5RqDp1BKZ4j1BxhX2ik=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>
Ui7XYcZNkXG+9OqNgKrcRJoyCuhpoRtVmFnXVOMf8aAuGXZw3FwFxz7VLKv9c1K8ZUNW9vCs G4
EpahlCS4AcpbVBwv00HvkhA11/tqYYB9kRK/wM4cb6sN5ULbQ4Ab0j9xyFKOQ6sr2MawOx
fdNEes6XAHbpWZvxKDR4vWxAFnE= </SignatureValue>
		<Object xmlns="" Encoding="base64" Id="sgconrad:-56000361:115d676b12e:-7988">
dGhpcyBpcyBhbiBpbnZhbGlkIHRlc3QgZG9jIGZvciB4bWwgZHNpZyBzZXJ2aWNlLgo=</Object>
	</Signature>
</test>
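
The examples above differ only in how each Reference reaches the data it digests. The following Python code is an added example, not part of the original page or of the service: it classifies every Reference as enveloped, enveloping or detached, flags SHA-1 digests (SHA-1 is no longer considered collision-resistant), and flags a DigestValue equal to the SHA-1 of empty input, as carried by the descendant-or-self::FILLER Reference in the detached example, which means the transforms selected no data to protect. The function name audit and the condensed sample document are assumptions made for this illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"
XPATH = "http://www.w3.org/TR/1999/REC-xpath-19991116"
# Base64 SHA-1 of zero bytes: a Reference carrying this digest signed no data.
EMPTY_SHA1 = base64.b64encode(hashlib.sha1(b"").digest()).decode()

# Constructed sample: References condensed from the examples on this page.
SAMPLE = f"""<test><value1 ID="1">testval1</value1>
<Signature xmlns="{DS}"><SignedInfo>
<SignatureMethod Algorithm="{DS}rsa-sha1"/>
<Reference URI="#1"><Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
 <DigestMethod Algorithm="{DS}sha1"/><DigestValue>IpBpovbT2WG7C+gTME1Np/V2fqo=</DigestValue></Reference>
<Reference URI="#sgconrad:-7cd5f978:1159315afbc:-6124">
 <DigestMethod Algorithm="{DS}sha1"/><DigestValue>UWdFQL/JwoDirPg/AJdp+m5+bT4=</DigestValue></Reference>
<Reference URI="sgconrad:-3c3ab664:1158cfc1d5d:-5431"><Transforms>
 <Transform Algorithm="{XPATH}"><XPath>descendant-or-self::FILLER</XPath></Transform>
 </Transforms><DigestMethod Algorithm="{DS}sha1"/>
 <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue></Reference>
</SignedInfo>
<Object xmlns="" Encoding="base64" Id="sgconrad:-7cd5f978:1159315afbc:-6124">dGhpcyBpcyB0ZXN0</Object>
</Signature></test>"""

def audit(xml_text):
    """Return one finding per Reference of the first Signature element."""
    root = ET.fromstring(xml_text)
    q = lambda name: f"{{{DS}}}{name}"
    sig = root if root.tag == q("Signature") else root.find(".//" + q("Signature"))
    # The page's examples declare Object with xmlns="", so match on local name.
    object_ids = {c.get("Id") for c in sig if c.tag.rsplit("}", 1)[-1] == "Object"}
    findings = []
    for ref in sig.iterfind(q("SignedInfo") + "/" + q("Reference")):
        uri = ref.get("URI", "")
        transforms = {t.get("Algorithm") for t in ref.iter(q("Transform"))}
        if ENVELOPED in transforms:
            kind = "enveloped"      # signature sits inside the data it signs
        elif uri.startswith("#") and uri[1:] in object_ids:
            kind = "enveloping"     # data sits in an Object inside Signature
        else:
            kind = "detached"       # data lives outside the Signature element
        method = ref.find(q("DigestMethod")).get("Algorithm")
        digest = "".join(ref.findtext(q("DigestValue"), "").split())
        findings.append({"uri": uri, "kind": kind, "sha1": method == DS + "sha1",
                         "covers_nothing": method == DS + "sha1" and digest == EMPTY_SHA1})
    return findings
```

Calling audit(SAMPLE) returns three findings; a verifier-side policy can reject any signature whose findings include covers_nothing or a digest algorithm it does not accept.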