
Digital signature algorithm

<< Example of an XML Signature | XML Digital Signature API Examples >>
Java XML Digital Signature API
into account changes that can invalidate a signature over that data. Canonicalization is necessary due to the nature of XML and the way it is parsed by different processors and intermediaries, which can change the data such that the signature is no longer valid but the signed data is still logically equivalent.

The required SignatureMethod element defines the digital signature algorithm used to generate the signature, in this case DSA with SHA-1.

One or more Reference elements identify the data that is digested. Each Reference element identifies the data via a URI. In this example, the value of the URI is the empty String (""), which indicates the root of the document. The optional Transforms element contains a list of one or more Transform elements, each of which describes a transformation algorithm used to transform the data before it is digested. In this example, there is one Transform element for the enveloped transform algorithm. The enveloped transform is required for enveloped signatures so that the signature element itself is removed before calculating the signature value. The required DigestMethod element defines the algorithm used to digest the data, in this case SHA-1. Finally, the required DigestValue element contains the actual base64-encoded digested value.

The required SignatureValue element contains the base64-encoded signature value of the signature over the SignedInfo element.

The optional KeyInfo element contains information about the key that is needed to validate the signature:
<KeyInfo>
  <KeyValue>
    <DSAKeyValue>
      <P>
        /KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxe
        Eu0ImbzRMqzVDZkVG9xD7nN1kuFw==
      </P>
      <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
      <G>
        Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/
        XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==
      </G>
      <Y>
        qV38IqrWJG0V/mZQvRVi1OHw9Zj84nDC4jO8P0axi1gb6d+475yhMjSc/
        BrIVC58W3ydbkK+Ri4OKbaRZlYeRA==
      </Y>
    </DSAKeyValue>
  </KeyValue>
</KeyInfo>
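
The KeyInfo above carries the verification key inside the signed document itself, so a validator that uses whatever key it finds there learns only that the signature is internally consistent. The following is an added example, not code from this tutorial: a KeySelector that accepts the embedded KeyValue only when it matches a key the verifier already trusts. The class name PinnedKeyValueSelector and the trustedKey parameter are hypothetical.

```java
import java.security.KeyException;
import java.security.PublicKey;
import java.util.Arrays;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;

// Hypothetical class: pins the KeyValue in KeyInfo to a key obtained out of band.
public class PinnedKeyValueSelector extends KeySelector {
    // Assumption: the signer's public key, loaded by the verifier (e.g. from a keystore).
    private final PublicKey trustedKey;

    public PinnedKeyValueSelector(PublicKey trustedKey) {
        this.trustedKey = trustedKey;
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
            AlgorithmMethod method, XMLCryptoContext context)
            throws KeySelectorException {
        if (keyInfo == null || purpose != Purpose.VERIFY) {
            throw new KeySelectorException("KeyInfo missing or wrong purpose");
        }
        // Accept only the SignatureMethod used in the example on this page.
        if (!SignatureMethod.DSA_SHA1.equals(method.getAlgorithm())) {
            throw new KeySelectorException("Unexpected SignatureMethod");
        }
        for (Object item : keyInfo.getContent()) {
            if (!(item instanceof KeyValue)) {
                continue; // skip other KeyInfo children
            }
            try {
                PublicKey candidate = ((KeyValue) item).getPublicKey();
                // Use the embedded key only if its encoding equals the pinned key's.
                if ("DSA".equals(candidate.getAlgorithm()) && Arrays.equals(
                        candidate.getEncoded(), trustedKey.getEncoded())) {
                    return () -> trustedKey;
                }
            } catch (KeyException e) {
                throw new KeySelectorException(e);
            }
        }
        throw new KeySelectorException("No KeyValue matches the trusted key");
    }
}
```

Pass an instance to the validation context, for example new DOMValidateContext(new PinnedKeyValueSelector(trustedKey), signatureNode), where signatureNode is the Signature element located in the parsed document.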