Question

As per the W3C xmlsec specification, which can be found at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-Overview, I would like to know: are we allowed to add the XML signature element as the last child element under the root node?

I tried to read through the spec, but it's not explicitly mentioned at which location we should add the signature element. I would like to know for sure whether the spec emphasizes where we should add the signature element.

Solution

The spec does not emphasize a specific location for the signature element. The URI mechanism allows any location; in particular the following settings:

  • Enveloped signature: your ds:Signature is a descendant of your document root (signed root):

<SignedDocumentRoot>
....
    <ds:Signature>....</ds:Signature>
</SignedDocumentRoot>

In this setting you must use the Enveloped Transform defined in the spec. Note that the ds:Signature may be the last child but this is not necessary.

  • Enveloping signature: your document root (signed root) is a descendant of the ds:Signature:

<ds:Signature>
....
    <ds:Object>
        <SignedDocumentRoot>...</SignedDocumentRoot>
    </ds:Object>
</ds:Signature>

The ds:Object is defined in the spec. Here, no special transform is mandated.
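The enveloped case described above, as an added example that is not part of the original answer: it drops the ds:Signature element before digesting, which is what the Enveloped Transform does, and shows that the digest is the same whether the signature is the first, middle or last child. The sample documents and helper names are constructed for illustration, and the standard library's C14N 2.0 and SHA-256 stand in for whatever CanonicalizationMethod and DigestMethod a real signature names; no signature value is verified here.

```python
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed placeholder signature; its contents are never verified here.
SIG = (f'<ds:Signature xmlns:ds="{DS}">'
       "<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>")

# Constructed sample documents: same content, signature at three positions.
UNSIGNED = "<Order><Item>1</Item><Item>2</Item></Order>"
SIG_FIRST = f"<Order>{SIG}<Item>1</Item><Item>2</Item></Order>"
SIG_MIDDLE = f"<Order><Item>1</Item>{SIG}<Item>2</Item></Order>"
SIG_LAST = f"<Order><Item>1</Item><Item>2</Item>{SIG}</Order>"


def canonical_digest(root):
    """SHA-256 over the canonical form of an element tree."""
    canon = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def enveloped_digest(xml_text):
    """Digest of the document with its single enveloped ds:Signature removed."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    sigs = list(root.iter(f"{{{DS}}}Signature"))
    # Assumption: exactly one signature, and it is not the root (not enveloping).
    if len(sigs) != 1 or sigs[0] is root:
        raise ValueError("expected exactly one enveloped ds:Signature")
    sig, parent = sigs[0], parent_of[sigs[0]]
    # Text after the signature is a sibling node, so keep it when removing.
    idx, tail = list(parent).index(sig), sig.tail or ""
    if idx == 0:
        parent.text = (parent.text or "") + tail
    else:
        parent[idx - 1].tail = (parent[idx - 1].tail or "") + tail
    parent.remove(sig)
    return canonical_digest(root)


if __name__ == "__main__":
    for name, doc in [("first", SIG_FIRST), ("middle", SIG_MIDDLE), ("last", SIG_LAST)]:
        print(name, enveloped_digest(doc))
```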

Licensed under: CC-BY-SA with attribution