XML Signature
(This page is part of the X-Smiles features document.)
X-Smiles has an experimental XML Signature-XForms integration.
XForms Extension: sign action element
Namespace: http://www.xsmiles.org/2002/signature
Attributes
- single node binding attributes - Select the node in the instance data to be signed.
- type - An optional attribute specifying the signature type. Can be one of "enveloped" or "enveloping". Default is "enveloped".
- to - An XPath expression specifying the node under which the signed content is placed. All previous content of that node is destroyed. The result of the evaluation must be a document node or an element. If the node is the document node, the content is placed as the document element.
- purge - An optional attribute, with xsd:boolean content, specifying whether irrelevant nodes should be removed for signing purposes. Default value "true".
QUESTION: Attributes for selecting the signing and canonicalization algorithms are probably also needed.
QUESTION: How should user agent information be included?
QUESTION: Should the user agent's default stylesheets be added as objects into the signature?
Operation
With the following definitions in place:
- "ref" - The node referenced by the single node binding attributes
- "to" - The node referenced by the @to attribute
- "refcopy" - A copy of "ref" with irrelevant nodes possibly purged (see @purge)
The signature operation consists of the following steps:
- Create a signature with the following references:
  - For an enveloping signature, create a dsig:Object id="arbitraryN" element and move "refcopy" inside it. Create a dsig:Reference URI="#arbitraryN" element.
  - For an enveloped signature, append the signature as the last child of "refcopy". Create a dsig:Reference with URI="".
- Create detached references to all URLs referenced by the host document:
  - The host document itself
  - All referenced URLs separately: images, objects, applets, stylesheets, scripts, XForms external instances, XInclude, XLink, XSLT, etc.
- Create a valid signature over all the references.
- Create a valid dsig:KeyInfo element containing the signer's public key.
- For an enveloping signature, place the dsig:Signature element, containing the copy of "ref", as the only child of the node "to".
- For an enveloped signature, place the copy of "ref", which includes the dsig:Signature element, as the only child of the node "to".
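The two signature shapes above, and the placement under "to", as an added example in Python that is not X-Smiles code. It uses only the standard library: ElementTree's canonicalize() (C14N 2.0, Python 3.8+) stands in for the canonicalization an XMLDSig library would perform, and an HMAC over SignedInfo with a constructed key stands in for the signer's key pair and the public key in dsig:KeyInfo. The constructed "email" instance, the "obj1" identifier and the "demo-key" name are assumptions; the dsig:Object attribute is written "Id" as in the XMLDSig schema. The detached references to host-document URLs and the @purge step are not modelled. verify() shows what the two reference forms mean to a verifier: an enveloped signature is checked by removing the dsig:Signature again before digesting, an enveloping one by dereferencing the #obj1 Object, and editing the signed message makes either check fail.

```python
# Added example, not X-Smiles code: building the enveloped and enveloping forms
# of the sign action. Stdlib only: an HMAC key stands in for the signer's key
# pair, ET.canonicalize (C14N 2.0, Python 3.8+) for an XMLDSig library.
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("dsig", DSIG)
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
DEMO_KEY = b"constructed-demo-key"                   # constructed, not a real secret
EMAIL_XML = ("<email><to><recipient>alice@example.org</recipient></to>"   # constructed
             "<subject>hello</subject><message>Meet at 10</message></email>")

def _d(local):
    return f"{{{DSIG}}}{local}"

def canonical(elem):
    node = copy.copy(elem)
    node.tail = None                                 # the tail belongs to the parent
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode("utf-8")

def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(canonical(elem)).digest()).decode("ascii")

def build_signature(ref, sig_type, key=DEMO_KEY):
    """Return the node to place under "to" (dsig:Signature or refcopy, see the steps)."""
    refcopy = copy.deepcopy(ref)
    sig = ET.Element(_d("Signature"))
    signed_info = ET.SubElement(sig, _d("SignedInfo"))
    ET.SubElement(signed_info, _d("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/2010/xml-c14n2")   # what ET.canonicalize does
    ET.SubElement(signed_info, _d("SignatureMethod"), Algorithm=HMAC_SHA256)
    if sig_type == "enveloping":
        obj = ET.Element(_d("Object"), Id="obj1")    # XMLDSig spells the attribute "Id"
        obj.append(refcopy)                          # move refcopy inside dsig:Object
        reference = ET.SubElement(signed_info, _d("Reference"), URI="#obj1")
        ET.SubElement(reference, _d("DigestMethod"), Algorithm=SHA256)
        ET.SubElement(reference, _d("DigestValue")).text = digest_b64(obj)
    else:                                            # "enveloped", the @type default
        reference = ET.SubElement(signed_info, _d("Reference"), URI="")
        ET.SubElement(ET.SubElement(reference, _d("Transforms")), _d("Transform"),
                      Algorithm=ENVELOPED)
        ET.SubElement(reference, _d("DigestMethod"), Algorithm=SHA256)
        # Digest before the Signature is appended; the transform strips it again on verify.
        ET.SubElement(reference, _d("DigestValue")).text = digest_b64(refcopy)
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    ET.SubElement(sig, _d("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    ET.SubElement(ET.SubElement(sig, _d("KeyInfo")), _d("KeyName")).text = "demo-key"
    if sig_type == "enveloping":
        sig.append(obj)
        return sig
    refcopy.append(sig)                              # signature is the last child of refcopy
    return refcopy

def sign_action(ref, to, sig_type="enveloped", key=DEMO_KEY):
    placed = build_signature(ref, sig_type, key)
    for child in list(to):                           # "All previous content is destroyed."
        to.remove(child)
    to.text = None
    to.append(placed)
    return placed

def verify(placed, key=DEMO_KEY):
    sig = placed if placed.tag == _d("Signature") else placed.find(_d("Signature"))
    if sig is None:
        return False
    signed_info = sig.find(_d("SignedInfo"))
    reference = signed_info.find(_d("Reference"))
    uri = reference.get("URI")
    content = None                                   # external references not modelled
    if uri == "":                                    # enveloped: strip the Signature first
        content = copy.deepcopy(placed)
        content.remove(content.find(_d("Signature")))
    elif uri.startswith("#"):                        # enveloping: same-document dsig:Object
        content = sig.find(f"{_d('Object')}[@Id='{uri[1:]}']")
    if content is None or not hmac.compare_digest(
            digest_b64(content), reference.findtext(_d("DigestValue"), "")):
        return False
    mac = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode("ascii"),
                               sig.findtext(_d("SignatureValue"), ""))

def demo(sig_type):
    ref = ET.fromstring(EMAIL_XML)                   # the instance('email') root element
    to = ET.fromstring("<signature/>")               # the node selected by @to
    placed = sign_action(ref, to, sig_type)
    tampered = copy.deepcopy(placed)
    tampered.find(".//message").text = "Meet at 11"  # verification must now fail
    return verify(placed), verify(tampered)

if __name__ == "__main__":
    for kind in ("enveloped", "enveloping"):
        print(kind, demo(kind))                      # (True, False) for both
```

Running the block prints (True, False) for both forms: the signed copy verifies and the tampered copy does not. sign_action() replaces all previous children and text of the "to" node, as the @to attribute specifies, and the enveloped digest is taken before the dsig:Signature is appended, which is exactly what the enveloped-signature transform undoes on the verifying side.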
QUESTIONS
+ QUESTION: How far do you go? There can be, for example, an object which is an XHTML document referencing other objects.
+ QUESTION: What if the current document is not a top-level window (e.g. inside a frameset or an object)? Should the content of the whole browser window be referenced and signed?
+ QUESTION: What if an object could not be loaded but the document still works (e.g. a wrong URL in an img element)?
+ QUESTION: Should there be author control over which URLs are added as enveloping objects?
Example
<?xml version="1.0" ?>
<!-- The xf, ev and XHTML namespace declarations on <html> are added here so
     the example is well-formed; the original listing omitted them. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms"
      xmlns:ev="http://www.w3.org/2001/xml-events">
  <head>
    <link rel="stylesheet" type="text/css" href="email.css" />
    <xf:model id="form1">
      <xf:submission ref="instance('signature')" id="send"
                     method="post" action="signatureverify"/>
      <xf:instance id="email" xmlns="">
        <email>
          <to><recipient/></to>
          <subject/>
          <message/>
        </email>
      </xf:instance>
      <!-- Empty target instance: @to selects its document node, so the
           signed content becomes the document element. -->
      <xf:instance id="signature" xmlns="">
      </xf:instance>
    </xf:model>
  </head>
  <body>
    <p class="headline">Send E-Mail</p>
    <p>
      <xf:input class="header" ref="/email/to/recipient">
        <xf:label>To: </xf:label>
      </xf:input>
      <!-- ... -->
    </p>
    <xf:trigger>
      <xf:label>Sign message</xf:label>
      <!-- On activation, signs the whole email instance (enveloping) and
           places the dsig:Signature into the signature instance. -->
      <sign:sign ref="instance('email')/.." type="enveloping"
                 to="instance('signature')/.." ev:event="DOMActivate"
                 xmlns:sign="http://www.xsmiles.org/2002/signature"/>
    </xf:trigger>
    <xf:submit submission="send">
      <xf:label>Send message</xf:label>
    </xf:submit>
  </body>
</html>
For a working example, see the Extensions/XML Signature demo.
X-Smiles makes use of Apache XML Security (v 1.1.0).
Copyright (c) 2000-2008 X-Smiles.org et al.