Signing Xml elements in same document with different keys

Question

Business Scenario:

• An Update can contain packages.
• A Package can contain changes.
• Each package must be approved by somebody.
• After approval, a package may not be changed.

To be executed, an Update must have 100% approved packages.

Development Thoughts:

• All Data is saved as XML files.
• Xml "Package" elements will be signed upon approval.

Problem:

No matter what I try and google up, all examples are always about signing a whole document or signing sub-elements with the same key for the whole document. But I would like to sign every sub-element (Package) with a different key, the key of the one who approves a package. So I need one signature per element. While all .NET Framework functions seem to support this, I get strange behaviours. For example when signing elements, you need to give to URI of the element. If I give the same ID to all packages, it verifies, if I give a different ID to each element and refer to this ID in their respective signatures, I can only verify the first. The idea of an ID doesn't make sense for my scenario in the first place because I have the signature with my element in a 1:1 relationship.

I can post code, but before I do, I would like to know if something like this is possible? I have not seen anything that would prohibit what I want to do, but I have not seen any indicator that it should work either. Has anybody done this or can anybody point me to a resource I have not yet found? Or does anyone have a better idea how to implement the requirements using standards?

Answer 1

It certainly is possible to sign different elements in the same XML document with different keys. This basically adds multiple signatures with different internal references (#<ID>) to the document.
The internal reference with the ID is required, there is no way around it that is supported by standards. A reference with an empty or missing URI does not indicate that the parent element is to be signed but that the complete document is to be signed.
If you can't add IDs to your packages you can use non-standard means to achieve your goal by effectivly treating each package like an independent XML document and leaving the reference URI empty. But that would mean that your XML document with all packages can only be verified by your program, because it would have to split the XML document into multiple documents before the verification.

In the .NET implementation it doesn't work if the signatures are placed inside the tags that should be signed. This is either due to me missing something or due to a bug.
Placing the signatures at the top level directly inside the root element works.
A working implementation can be found in my answer to your other question.