Digitale Signatur bei XML-Dokumenten (XML-Signatur)
XML-Basisinformation
Eine Besonderheit von XML ist, dass ein und dasselbe XML-Dokument mehrere physische (Byte-)Repräsentationen besitzen kann. Ein Beispiel:
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Same logical document as test2.xml below, serialised with a different
     declared encoding. The byte representations differ although a parser
     yields identical content, which is why the signature examples further
     down digest a canonical form rather than the raw bytes. -->
<hello>Hello World!</hello>
test2.xml:
<?xml version="1.0" encoding="ISO-8859-15" ?>
<!-- test2.xml: the same logical document as the UTF-8 listing above, only the
     declared encoding (and therefore the byte representation) differs. -->
<hello>Hello World!</hello>
<!-- Unsigned invoice payload. The enveloped and enveloping signature examples
     below sign exactly this document; the detached example at the end
     references an external file instead. -->
<rechnung>
<empfaenger>
<vorname>Daniel</vorname>
<nachname>Weller</nachname>
</empfaenger>
</rechnung>
Enveloped Signature:
<!-- Enveloped signature: ds:Signature sits inside the document it signs.
     Under the C14N WithComments transform used below, comments in the invoice
     itself are part of the digested bytes, so adding comments to the signed
     content changes the DigestValue; the comments in this listing are
     explanatory only. The certificate content was also elided in this copy,
     so the values shown cannot be re-verified as printed. -->
<rechnung>
<empfaenger>
<vorname>Daniel</vorname>
<nachname>Weller</nachname>
</empfaenger>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<!-- SignedInfo is the part the RSA signature covers: it is canonicalised with
     plain C14N (comments dropped) and then signed with rsa-sha1. Both the sha1
     DigestMethod and the rsa-sha1 SignatureMethod rest on SHA-1, which is no
     longer considered collision resistant; a current verifier should reject
     or at least flag SHA-1 based signatures, and producers should use the
     SHA-256 identifiers instead (http://www.w3.org/2001/04/xmlenc#sha256 and
     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256). -->
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<!-- URI="" means the whole document; the enveloped-signature transform then
     removes the ds:Signature element itself (otherwise the digest would have
     to cover its own SignatureValue). A verifier must confirm that what this
     Reference dereferences is exactly the content the application will act
     on, rather than inferring coverage from where ds:Signature appears. -->
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YHkJTgkmev7VDyv1/Iiqm6RMRYk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
C377H6bQoX39eNFxcdB0GQ/CMMxstEsErhK91CHCnsYnLr+9DZd6Wv+KwdlyINtiYWInBGJJzjPg
W2dp7acCbZYO1lt60qYlnZYTvoCpC1JW9KQhkLg0h5AiRegBJqPj7h+gz6lYrZ1g3kWxg0ZzUEmB
dT0yUjwhp9SqKRoiUXQ=
</ds:SignatureValue>
<!-- KeyInfo is supplied by the signer and is not covered by the signature
     (it is inside the ds:Signature element that the enveloped-signature
     transform strips, and SignedInfo has no Reference to it). Verifying
     SignatureValue against the embedded certificate or RSAKeyValue only shows
     the signature is self-consistent; acceptance additionally requires
     matching this key to a trust anchor configured on the verifier side and
     validating the certificate (chain, validity period, revocation). The
     certificate content is elided in this copy. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
si4csbc69/NYQqm9X1VdLcgPf2nkfDgi8C4JDKji3UWoNISFA8UzuNvk65Hfm9ZNaBXK5E/sE7Bg
CuvNiTKDlyg9u0iJwKqboWoSTvSvQrLcADBtqD0wl0K1y8mF1Dra0CInPIMC/x0tJSpDs6vwSKSR
5d6yIgH6YNjBXx1Lqvc=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature></rechnung>
<!-- Enveloping signature: the signed data is carried inside ds:Object and
     addressed from SignedInfo by its Id. The certificate content was elided
     in this copy, so the values shown cannot be re-verified as printed. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<!-- rsa-sha1 together with the sha1 DigestMethod below rests on SHA-1, which
     is no longer considered collision resistant; prefer the SHA-256 variants
     (http://www.w3.org/2001/04/xmlenc#sha256 and
     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) for new signatures. -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<!-- URI="#5pg5d8xpho" resolves to the ds:Object below via its Id attribute; no
     enveloped-signature transform is needed because the Object is not an
     ancestor of this ds:Signature. Id based dereferencing is where a verifier
     and the consuming application can disagree about which node was signed,
     so the verifier should resolve the Id once, require it to be unique in
     the document and hand exactly that node on. The WithComments transform
     makes any comment inside the Object part of the digested bytes. -->
<ds:Reference URI="#5pg5d8xpho">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>FJw+7uwssGSno6pC01roT5pCrOE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Me4KrnkhFFP6+1wcw0r54UMS4sn0pyCgLWKJbEMEIvQw9NJ0Jrw/QfRegg0AcHvuYidCS5dDnLm2
vXM5TQFhzsW2PtpBWKG4cdX9D/HYjve4rhdgkH/z9ATqIJEtF1bARL3J46xm93NcnNOHb1vY8m9D
YHUrkPjrmnwirfLm2Wg=
</ds:SignatureValue>
<!-- KeyInfo is not referenced from SignedInfo and so is not signed. Checking
     SignatureValue against the embedded certificate or RSAKeyValue proves
     only self-consistency; the key must also be matched to a trust anchor
     configured on the verifier and the certificate validated (chain,
     validity period, revocation) before the signature is accepted. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
si4csbc69/NYQqm9X1VdLcgPf2nkfDgi8C4JDKji3UWoNISFA8UzuNvk65Hfm9ZNaBXK5E/sE7Bg
CuvNiTKDlyg9u0iJwKqboWoSTvSvQrLcADBtqD0wl0K1y8mF1Dra0CInPIMC/x0tJSpDs6vwSKSR
5d6yIgH6YNjBXx1Lqvc=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
<!-- The invoice as signed; identical to the standalone rechnung listing
     above. This comment sits outside the Object so it is not digested. -->
<ds:Object Id="5pg5d8xpho"><rechnung>
<empfaenger>
<vorname>Daniel</vorname>
<nachname>Weller</nachname>
</empfaenger>
</rechnung></ds:Object>
</ds:Signature>
Diese Reference-Tags ermöglichen es also, genau zu bestimmen, worauf sich die Signatur bezieht: ganze XML-Dokumente, Teile von XML-Dokumenten, Nicht-XML-Daten.
Es ist auch möglich, einen über eine XPath Expression definierten Bereich eines XML Files zu unterschreiben - die Möglichkeiten sind quasi endlos.
<!-- Detached signature: the signed data is not contained in this document at
     all but addressed by an external URI. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
<!-- rsa-sha1 together with the sha1 DigestMethod below rests on SHA-1, which
     is no longer considered collision resistant; prefer the SHA-256 variants
     (http://www.w3.org/2001/04/xmlenc#sha256 and
     http://www.w3.org/2001/04/xmldsig-more#rsa-sha256) for new signatures. -->
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<!-- URI="file:///home/gast/test2.xml" is an absolute file URI that the
     verifier has to dereference on its own file system to recompute the
     digest. External References in signatures received from untrusted parties
     are a dereferencing hazard: a verifier that follows arbitrary file or
     http URIs can be steered to read or fetch resources it never meant to.
     Restrict dereferencing to an allow-listed scheme and base location, or
     supply the referenced data to the verifier out of band. -->
<ds:Reference URI="file:///home/gast/test2.xml">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>YHkJTgkmev7VDyv1/Iiqm6RMRYk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
bdGQ7KXzwCESRRMW49Wd+Fg3LPpzs7KKjGwQfnr0EYMVqku75HaLoxjtssGzwAylvemQEkIiEhIO
szZeH/LeM97e4knNwNSXN4Wor2djqQFQOsMJQt4x9vW+9i+uPVlXF1jOMPDS2TSsgoQWTZog9+h4
/veQvi10H6LVxp+XHIM=
</ds:SignatureValue>
<!-- KeyInfo is not referenced from SignedInfo and so is not signed. Checking
     SignatureValue against the embedded certificate or RSAKeyValue proves
     only self-consistency; the key must also be matched to a trust anchor
     configured on the verifier and the certificate validated (chain,
     validity period, revocation) before the signature is accepted. -->
<ds:KeyInfo>
<ds:X509Data>
<!-- Full certificate as base64 DER. The RSAKeyValue below repeats the same
     public key (the Modulus base64 reappears verbatim inside the certificate);
     a verifier should take the key from whichever source its trust policy is
     built on rather than accepting whichever happens to be present. -->
<ds:X509Certificate>
MIIFCzCCA/OgAwIBAgICAPAwDQYJKoZIhvcNAQEFBQAwgcwxCzAJBgNVBAYTAkFUMRAwDgYDVQQI
EwdBdXN0cmlhMQ8wDQYDVQQHEwZWaWVubmExOjA4BgNVBAoTMUFSR0UgREFURU4gLSBBdXN0cmlh
biBTb2NpZXR5IGZvciBEYXRhIFByb3RlY3Rpb24xJTAjBgNVBAsTHEEtQ0VSVCBDZXJ0aWZpY2F0
aW9uIFNlcnZpY2UxGDAWBgNVBAMTD0EtQ0VSVCBBRFZBTkNFRDEdMBsGCSqGSIb3DQEJARYOaW5m
b0BhLWNlcnQuYXQwHhcNMDUwOTA2MDAwMDAwWhcNMDcwOTA2MTM0NjMzWjCBgTELMAkGA1UEBhMC
QVQxCjAIBgNVBAgTAS0xDTALBgNVBAcTBFdpZW4xCjAIBgNVBAoTAS0xLDAqBgNVBAMTI0Rhbmll
bCBXZWxsZXIsIE5FVUFVU1NURUxMVU5HKFRlc3QpMR0wGwYJKoZIhvcNAQkBFg5kLndAZnJlZW5l
dC5hdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsi4csbc69/NYQqm9X1VdLcgPf2nkfDgi
8C4JDKji3UWoNISFA8UzuNvk65Hfm9ZNaBXK5E/sE7BgCuvNiTKDlyg9u0iJwKqboWoSTvSvQrLc
ADBtqD0wl0K1y8mF1Dra0CInPIMC/x0tJSpDs6vwSKSR5d6yIgH6YNjBXx1LqvcCAwEAAaOCAcIw
ggG+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFC51MRVwN//xQPfZQO0ZhW1sgA5LMB8GA1UdIwQY
MBaAFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYMBkGA1UdEQQSMBCBDmQud0BmcmVlbmV0LmF0MC8GA1Ud
EgQoMCaBDmluZm9AYS1jZXJ0LmF0hhRodHRwOi8vd3d3LmEtY2VydC5hdDA5BgNVHR8EMjAwMC6g
LKAqhihodHRwOi8vd3d3LmEtY2VydC5hdC9zdGF0aWMvYWR2YW5jZWQuY3JsMA4GA1UdDwEB/wQE
AwIE8DARBglghkgBhvhCAQEEBAMCBPAwUQYDVR0gBEowSDBGBggqKAAYAQEBAzA6MDgGCCsGAQUF
BwIBFixodHRwOi8vd3d3LmEtY2VydC5hdC9jZXJ0aWZpY2F0ZS1wb2xpY3kuaHRtbDA7BglghkgB
hvhCAQgELhYsaHR0cDovL3d3dy5hLWNlcnQuYXQvY2VydGlmaWNhdGUtcG9saWN5Lmh0bWwwNAYJ
YIZIAYb4QgENBCcWJUEtQ0VSVCBBRFZBTkNFRCBDZXJ0aWZpY2F0aW9uIFNlcnZpY2UwDQYJKoZI
hvcNAQEFBQADggEBAI7lW+WJbVm6E3qwY0w9F21LjKI3nf19NxWg9jmHN8vwfLsWnwatW3cBpxQO
4jAfxl8xqpX36e3QGXOiDPnYOJ3blmcOxZ3sNL15s+Iq6P9DPyLv/7L0La2FRh4gfWGEbh15BEfh
S65VdxR+LTr9prIt1FSTpl2qIO/nIs+6ouN6TQ6B2JUAeXXaMuQGxM7LNL4XcWVveOaC3oem+Ym7
c2omf3Sge5nRj6Eg7KYh5VCvy6Dhvk8AT25f2qimhXAyl1hMV3ESpZOJVxPqMSoQO8+hSlXbLPsC
MWk88fnm2YdRTU4RKVbmCrfjvrFO6Rvx1/3AaJQ7gFJdbmLUCOm3LUc=
</ds:X509Certificate>
</ds:X509Data>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
si4csbc69/NYQqm9X1VdLcgPf2nkfDgi8C4JDKji3UWoNISFA8UzuNvk65Hfm9ZNaBXK5E/sE7Bg
CuvNiTKDlyg9u0iJwKqboWoSTvSvQrLcADBtqD0wl0K1y8mF1Dra0CInPIMC/x0tJSpDs6vwSKSR
5d6yIgH6YNjBXx1Lqvc=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>