Generating Signatures
The steps for signing package contents follow the algorithm outlined in §3.1 of the W3C Recommendation “XML-Signature Syntax and Processing,” with some modification for package-specific constructs.
The steps below might not be sufficient for generating signatures that contain application-specific Object elements. Format designers that utilize application-specific Object elements shall also define the additional steps that shall be performed to sign the application-specific Object elements.
To generate references:
For each package part being signed:
- The package implementer shall apply the transforms, as determined by the producer, to the contents of the part.Note: Relationships transforms are applied only to Relationship parts. When applied, the relationship transform filters the subset of relationships within the entire Relationship part for purposes of signing.
The package implementer shall calculate the digest value using the resulting contents of the part.
The package implementer shall create a
<Reference>
element that includes the reference of the part with the query component matching the content type of the target part, necessary<Transform>
elements, the<DigestMethod>
element and the<DigestValue element.>
The package implementer shall construct the package-specific
<Object>
element containing a Manifest element with both the child<Reference>
elements obtained from the preceding step and a child< SignatureProperties >
element, which, in turn, contains a child<SignatureTime>
element.The package implementer shall create a reference to the resulting package-specific
<Object >
element.
When signing <Object element>
data, package implementers shall follow the generic reference creation algorithm described in §3.1 of the W3C Recommendation “XML-Signature Syntax and Processing”. [M6.28]
To generate signatures:
The package implementer shall create the
<SignedInfo>
element with a<SignatureMethodelement>
, a<CanonicalizationMethod>
element, and at least one<Reference>
element.The package implementer shall canonicalize the data and then calculate the
<SignatureValue >
element using the<SignedInfo element>
based on the algorithms specified in the<SignedInfo element.>
The package implementer shall construct a
<Signature>
element that includes<SignedInfo,>
<Object, >
and<SignatureValue >
elements.< >
If a certificate is embedded in the signature, the package implementer shall also include the<KeyInfo element.>