Enveloped Signatures
[This sample code uses features that were implemented in MSXML 5.0 for Microsoft Office Applications. XML digital signatures are not supported in MSXML 6.0 and later.]
In an enveloped signature, the signed (or to-be-signed) data is an XML document that contains the <ds:Signature> element as a child element. The content of the <ds:Signature> element must be excluded from the calculation of the data digest and of the signature value (that is, from the calculations that produce the content of <ds:DigestValue> and <ds:SignatureValue>). This is achieved by enabling the enveloped-signature transform (whose identifier is "http://www.w3.org/2000/09/xmldsig#enveloped-signature"), as shown in the following example.
<!DOCTYPE Envelope [
<!ENTITY ds "http://www.w3.org/2000/09/xmldsig#">
<!ENTITY c14n "http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
<!ENTITY enveloped "http://www.w3.org/2000/09/xmldsig#enveloped-signature">
<!ENTITY xslt "http://www.w3.org/TR/1999/REC-xslt-19991116">
<!ENTITY digest "http://www.w3.org/2000/09/xmldsig#sha1">
]>
<Letter>
<Return-address>address</Return-address>
<To>You</To>
<Message>msg body</Message>
<From>
<ds:Signature xmlns:ds="&ds;">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm=
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm=
"http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="">
<ds:Transforms>
<ds:Transform Algorithm="&enveloped;">
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="&digest;"/>
<ds:DigestValue></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
</ds:Signature>
</From>
<Attach>attachment</Attach>
</Letter>
The data referenced by the <ds:Signature> element, as specified by the URI="" attribute of its <ds:Reference> descendant, is the entire <Letter> element, including <ds:Signature> itself. The instruction <ds:Transform Algorithm="&enveloped;"/> ensures that the <ds:Signature> element is excluded from the signature processing.