But in my opinion it is not the whole document that gets signed, only certain parts of it. This allows several users to work on one and the same document.

Inside the "Signature" tag there can be one (or more) "Reference" tags, each of which uses the "URI" attribute to point at some part of the document that must be signed (more on this later).

What happens next: the whole XML is transformed using the algorithms given in the "Transforms" tag (and who knows why), the output of this transformation is passed to the algorithm from "DigestMethod", which computes the hash of this piece of XML and stores it inside the "DigestValue" tag.

Then, using the secret key, a signature is generated over the entire "Signature" tag; this way one can know that all the "DigestValues" arrived unchanged, and from them judge the integrity of the whole (or parts of the) XML document.

XML Signatures do not allow the data to be substituted!

<Signature Id="Signature-1" xmlns="http://www.w3.org/2000/02/xmldsig#">
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000119"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"/>
  <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
    <Transform Algorithm="http://www.w3.org/2000/02/xmldsig#c14n"/>
    <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"/>
    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <X509SubjectName>CN=csa,O=DarkSoft,C=AM</X509SubjectName>
  <X509Certificate>MIID5...</X509Certificate>

CanonicalizationMethod
----------------------
One and the same XML document can have different representations (I don't know exactly which, some such stuff). This parameter specifies the algorithm that brings the XML to its normal form (Canonical XML (XML-C14N)).

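The Reference digest path described above (Transforms, then DigestMethod, then base64 into DigestValue) together with the canonicalization step, as an added Python example that is not part of the original notes. The sample <Order> document, the URI "#o-17" and the table of accepted digest algorithms are constructed for illustration; the stdlib's canonicalize() implements C14N 2.0 rather than the C14N 1.0 algorithm named in the example above, but the normalisation idea is the same.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# DigestMethod URIs this verifier is willing to accept (constructed policy table).
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}

# Constructed sample: one element serialised two ways. Attribute order, quote
# style and the empty-element shorthand differ; the information content does not.
DOC_A = '<Order xmlns="urn:example:shop" id="o-17" currency="EUR"><Item sku="A1" qty="2"/></Order>'
DOC_B = "<Order currency='EUR' xmlns='urn:example:shop' id='o-17'><Item qty='2' sku='A1'></Item></Order>"

def canonical_bytes(xml_text: str) -> bytes:
    """CanonicalizationMethod step: one byte sequence for all equivalent serialisations
    (stdlib C14N 2.0; attribute order and empty-element syntax are normalised)."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False).encode("utf-8")

def digest_value(xml_text: str, algorithm_uri: str) -> str:
    """Transforms -> DigestMethod -> base64: the text the signer puts in <DigestValue>."""
    raw = DIGEST_ALGORITHMS[algorithm_uri](canonical_bytes(xml_text)).digest()
    return base64.b64encode(raw).decode("ascii")

def make_reference(uri: str, xml_text: str, algorithm_uri: str) -> str:
    """Signer side: a <Reference> carrying the digest of the referenced data."""
    return (f'<Reference xmlns="http://www.w3.org/2000/09/xmldsig#" URI="{uri}">'
            f'<DigestMethod Algorithm="{algorithm_uri}"/>'
            f'<DigestValue>{digest_value(xml_text, algorithm_uri)}</DigestValue></Reference>')

def reference_digest_ok(reference_xml: str, referenced_data: str) -> bool:
    """Verifier side: recompute the digest of the dereferenced data with the
    algorithm named in DigestMethod and compare it to DigestValue."""
    ref = ET.fromstring(reference_xml)
    algorithm_uri = ref.find(DS + "DigestMethod").get("Algorithm")
    if algorithm_uri not in DIGEST_ALGORITHMS:   # unknown or unwanted algorithm: reject
        return False
    expected = (ref.findtext(DS + "DigestValue") or "").strip()
    actual = digest_value(referenced_data, algorithm_uri)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))

if __name__ == "__main__":
    sha256 = "http://www.w3.org/2001/04/xmlenc#sha256"
    ref = make_reference("#o-17", DOC_A, sha256)
    print("DOC_B verifies against DOC_A's digest:", reference_digest_ok(ref, DOC_B))
    print("tampered qty verifies:", reference_digest_ok(ref, DOC_B.replace("qty='2'", "qty='3'")))
```

The two serialisations yield the same canonical bytes, so the digest taken over one verifies the other, while any change to the signed content (or a DigestMethod URI the verifier does not accept) fails the check.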
Algorithm to be used for signature generation/validation: (RSA, DSA)

The SignatureValue element contains the actual value of the digital signature; it is always encoded using base64.

DigestMethod is a required element that identifies the digest algorithm to be applied to the signed object. This element uses the general structure here for algorithms specified in Algorithm Identifiers and Implementation Requirements.

DigestValue is an element that contains the encoded value of the digest. The digest is always encoded using base64.

The optional Transforms element contains an ordered list of Transform elements; these describe how the signer obtained the data object that was digested. The output of each Transform serves as input to the next Transform. The input to the first Transform is the result of dereferencing the URI attribute of the Reference element. The output from the last Transform is the input for the DigestMethod algorithm.

Each Transform consists of an Algorithm attribute and content parameters, if any, appropriate for the given algorithm. The Algorithm attribute value specifies the name of the algorithm to be performed, and the Transform content provides additional data to govern the algorithm's processing of the transform input. (See Algorithm Identifiers and Implementation Requirements (section 6).)

Optionally, information about the certificate can be passed as well.

Determine which resources to be signed
--------------------------------------

1. URI with XPointer identifies the XML document or an element of it.

2. XPath Filter - the most stylish approach:

  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
  xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
  <dsig:Reference URI="">
    <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
      <dsig-xpath:XPath Filter="intersect"> //ToBeSigned </dsig-xpath:XPath>
      <dsig-xpath:XPath Filter="subtract"> //NotToBeSigned </dsig-xpath:XPath>
      <dsig-xpath:XPath Filter="union"> //ReallyToBeSigned </dsig-xpath:XPath>

      <dsig-xpath:XPath Filter="subtract"> here()/ancestor::dsig:Signature[1] </dsig-xpath:XPath>
      <dsig-xpath:XPath Filter="intersect"> id("PrimarySig") </dsig-xpath:XPath>