Thursday, December 20, 2012

Interoperable XML Digital Signatures (C#-Java), part 1

XMLDsig is a W3C Standard for digital signatures of XML documents. It is a reliable platform for building interoperable solutions where the data can be produced and/or consumed in different systems developed with different technologies.

I am going to show how to create and validate digital signatures in C# and Java so that both can sign and validate interoperably (sign in C# or Java, validate in C# or Java).

Let’s start with some theory. Assume we have an XML document we are going to sign.

<?xml version="1.0" encoding="UTF-8"?>
<Osoba>
    <DaneOsobowe>
        <Nazwisko>Kowalski</Nazwisko>
        <Imie>Jan</Imie>
        <PESEL>12341234243</PESEL>
        <DataUrodzenia>1990-02-01T16:45:58.433+01:00</DataUrodzenia>
    </DaneOsobowe>
</Osoba>

There are three types of signatures:

  • enveloped – the signature is embedded in the document as a descendant node of the root node of the document
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Osoba>
    <DaneOsobowe>
        <Nazwisko>Kowalski</Nazwisko>
        <Imie>Jan</Imie>
        <PESEL>12341234243</PESEL>
        <DataUrodzenia>1990-02-01T16:45:58.433+01:00</DataUrodzenia>
    </DaneOsobowe>
    <Signature ... >
       ...
    </Signature>
</Osoba>
  • enveloping – the signature becomes the root of the document and the actual document becomes a direct child of the signature’s root element (possibly wrapped in an auxiliary tag, Object in the example below)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Signature ... >
    ... the signature comes here
    <Object Id="MyObjectID1">
        <Osoba>
            <DaneOsobowe>
                <Nazwisko>Kowalski</Nazwisko>
                <Imie>Jan</Imie>
                <PESEL>12341234243</PESEL>
                <DataUrodzenia>1990-02-01T16:45:58.433+01:00</DataUrodzenia>
            </DaneOsobowe>
        </Osoba>
    </Object>
</Signature>
  • detached – the signature and the document become siblings and are contained in a shared root element (Envelope in the example below) (for technical reasons we will discuss, the document is possibly wrapped in an auxiliary tag, Message in the example below)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Envelope>
    <Message Id="foo">
        <Osoba>
            <DaneOsobowe>
                <Nazwisko>Kowalski</Nazwisko>
                <Imie>Jan</Imie>
                <PESEL>12341234243</PESEL>
                <DataUrodzenia>1990-02-01T16:45:58.433+01:00</DataUrodzenia>
            </DaneOsobowe>
        </Osoba>
    </Message>
    <Signature ...>
        ...
    </Signature>
</Envelope>

The signing is performed in in three steps and two different crypto algorithms must be used:

  1. the signed document is canonicalized with the C14N algorithm to ensure that different formatting does not impact on the signature
  2. a hash of the signed document is computed using one of hashing algorithms (e.g. MD5/SHA1/SHA256)
  3. the signature is encrypted with the private key of an asymmetric algorithm (DSA/RSA)

The signature is then composed with all these elements so that it contains the information on the combination of algorithms used, the public key of the asymmetric algorithm and the actual value of the encrypted hash:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="">
        <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>H5jIw0xEKDAqwMtnrTiEgPDzJSM=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>Emkieu2ETVAMP4KQNVQKp...FWD==</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIICkT...AmQ==</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>

This example signature says that the combination of SHA1 (hash)/RSA(asymmetric) will be used together with the C14N canonicalizer.

Then, there is the DigestValue which is the Base64-ed value of the computed hash of the document. The hash is encrypted and included in the SignatureValue tag. At the end, there is the information on the certificate used to encrypt the signature – the public key is included in the signature. If an X509 certificate was used then the KeyInfo contains the Base64-ed value of the X509 certificate (the private key is not included!).

To validate the signature the client performs following steps:

  1. the document is canonicalized
  2. the hash of the signature is recomputed and compared to the declared DigestValue. If they do not match then the validation fails
  3. the public key from the KeyInfo section of the signature is used to decrypt the signature and compare the decrypted value to the DigestValue. If the comparison fails then the validation fails.

What we are going to do in subsequent entries is to be able to create any of the three types of signatures in C# and in Java and to be able to verify signatures in C# and in Java. The most interesting case is of course when one signs and the other one verifies – which will truly prove that XML signatures are interoperable.

This is not as obvious as it sounds just because both C# and Java have sligthly different XMLDSig API so that you could potentially have signatures created in C# that validate in C# but not in Java and vice versa.

5 comments:

Julia Patrick said...

Looks like a good piece of code. As only a non-advanced user, I'd like to ask a kind of silly question: which kind of software application could it be used for? Sorry in advance.
electronic signatures

Jimmy Saints said...

Julia as a fellow non-advanced user I was also wondering if there is any tool available to generate those kind of signature and certificate..

Wiktor Zychla said...

@Jimmy: certificates can be generated with many tools, including free ones like Portecle. Signatures are created and verified with a C# code.

Rcarlos said...

Dear Wiktor

To this code we can addd the private key and try with RSA-256 or there is no way with this?

thanks a lot.

Rihard Ċ korjanec said...

Thank's, thank's a lot.
I was struggling for few days to Sign a XML Document in C# that is Send to Java Service.

Hvala :)