Enveloped Signatures


[This sample code uses features that were implemented in MSXML 5.0 for Microsoft Office Applications. XML digital signatures are not supported in MSXML 6.0 and later.]

In an enveloped signature, the signed (or to-be-signed) data is an XML document that contains the <ds:Signature> element as a child element. The <ds:Signature> element must be excluded when the data digest and the signature value (the content of <ds:DigestValue> and <ds:SignatureValue>) are calculated, because those values cannot be computed over data that already contains them. This is achieved by enabling the enveloped-signature transform, whose identifier is "http://www.w3.org/2000/09/xmldsig#enveloped-signature", as shown in the following example.

<!DOCTYPE Letter [
  <!ENTITY ds "http://www.w3.org/2000/09/xmldsig#">
  <!ENTITY c14n "http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
  <!ENTITY enveloped "http://www.w3.org/2000/09/xmldsig#enveloped-signature">
  <!ENTITY xslt "http://www.w3.org/TR/1999/REC-xslt-19991116">
  <!ENTITY digest "http://www.w3.org/2000/09/xmldsig#sha1">
]>
<Letter>
   <Message>msg body</Message>
   <ds:Signature xmlns:ds="&ds;">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="&c14n;"/>
         <!-- Assumed value: the sample's SignatureMethod was cut off; &ds;rsa-sha1 is the XMLDSIG-mandated RSA-SHA1 identifier -->
         <ds:SignatureMethod Algorithm="&ds;rsa-sha1"/>
         <ds:Reference URI="">
            <ds:Transforms>
               <ds:Transform Algorithm="&enveloped;"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="&digest;"/>
            <ds:DigestValue></ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue></ds:SignatureValue>
   </ds:Signature>
</Letter>

The data referenced by the <ds:Reference> element, selected by its URI="" attribute, is the whole document, that is, the entire <Letter> element including <ds:Signature> itself. The instruction <ds:Transform Algorithm="&enveloped;"/> removes the enclosing <ds:Signature> element from that input before the digest is calculated, so <ds:DigestValue> and <ds:SignatureValue> never depend on their own content. Note that the transform removes only the <ds:Signature> element that contains the <ds:Reference>; any other <ds:Signature> elements in the document remain part of the digested data.
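The following Python script is an added example, not code from the page or from MSXML, that carries out the reference-digest step described above: it applies the enveloped-signature transform to the <Letter> document (removing only the enclosing <ds:Signature>), canonicalizes the remainder, computes the SHA-1 digest named by the page's <ds:DigestMethod>, and shows that filling <ds:DigestValue> or <ds:SignatureValue> leaves the digest unchanged while editing <Message> breaks it. Assumptions: the sample document is constructed inline with the page's entities expanded; the standard-library canonicalize() implements Canonical XML 2.0 and stands in for the page's Canonical XML 1.0 algorithm, so a real verifier must use exactly the algorithm named in <ds:SignedInfo>; and <ds:SignatureValue> is not computed, since that requires a private key.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS = "{%s}" % DS_NS
ENVELOPED = DS_NS + "enveloped-signature"
ET.register_namespace("ds", DS_NS)  # keep the ds: prefix when re-serialising

# Constructed sample: the page's <Letter> document before signing, with the
# entity references expanded so it parses without a DOCTYPE.
LETTER = """<Letter>
   <Message>msg body</Message>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="">
            <ds:Transforms>
               <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue></ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue></ds:SignatureValue>
   </ds:Signature>
</Letter>
"""


def digest_of_reference(doc_xml):
    """Compute the base64 SHA-1 DigestValue for the Reference URI="" of the
    first ds:Signature, applying the enveloped-signature transform.

    The transform removes only the ds:Signature that contains the Reference;
    any other ds:Signature elements stay in the digested data, as the
    XMLDSIG specification requires.
    """
    root = ET.fromstring(doc_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    signature = root.find(DS + "Signature")
    if signature is None:
        raise ValueError("document carries no ds:Signature")
    reference = signature.find("./%sSignedInfo/%sReference" % (DS, DS))
    if reference is None or reference.get("URI") != "":
        raise ValueError('expected a same-document Reference with URI=""')
    transforms = [t.get("Algorithm") for t in reference.iter(DS + "Transform")]
    if ENVELOPED not in transforms:
        # Without the transform the digest would have to cover DigestValue
        # itself, which cannot be computed consistently.
        raise ValueError('Reference URI="" lacks the enveloped-signature transform')
    parents[signature].remove(signature)  # the enveloped-signature transform
    # Assumption: the stdlib canonicalize() implements Canonical XML 2.0.
    # The page's CanonicalizationMethod is Canonical XML 1.0; a real verifier
    # must use exactly the algorithm named in SignedInfo or digests will differ.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    # SHA-1 matches the page's DigestMethod; it is obsolete for new signatures.
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def set_ds_text(doc_xml, local_name, text):
    """Return doc_xml with the text of the first ds:<local_name> element replaced."""
    root = ET.fromstring(doc_xml)
    root.find(".//" + DS + local_name).text = text
    return ET.tostring(root, encoding="unicode")


def fill_digest(doc_xml):
    """Signer side: store the computed digest in ds:DigestValue. SignatureValue
    is left empty because producing it needs the private key."""
    return set_ds_text(doc_xml, "DigestValue", digest_of_reference(doc_xml))


def digest_matches(doc_xml):
    """Verifier side: recompute the reference digest and compare with DigestValue."""
    root = ET.fromstring(doc_xml)
    stored = (root.find(".//" + DS + "DigestValue").text or "").strip()
    return stored != "" and stored == digest_of_reference(doc_xml)


if __name__ == "__main__":
    signed = fill_digest(LETTER)
    print(digest_matches(signed))                                         # True
    print(digest_matches(set_ds_text(signed, "SignatureValue", "c2ln")))  # True: Signature is excluded
    print(digest_matches(signed.replace("msg body", "msg body!")))        # False: signed content changed
```

The digest is recomputed from the document as received, never from a cached copy, and the check refuses a same-document reference that lacks the enveloped-signature transform, since such a reference could never have been produced consistently.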