Services > Signing XML files

Signing XML files with BlueRidge

The current version of BlueRidge supports the signing of XML documents according to the XMLDSIG standard. The next version of BlueRidge will support XML Advanced Electronic Signatures (XAdES). XAdES extends the XMLDSIG specification, it is a standard that is designed and used to sign XML documents. Functionally, it has much in common with PKCS#7 but is more extensible and focused on signing XML documents.   The extensions are addressing non-repudiation in particular. This is achieved by adding several additions to the XMLDSIG node in a XML document. These additions can be thought of as being organised in ‘layers’ around the core electronic signature defined by XMLDSIG. The different methods of adding information to achieve a signature that cannot be repudiated, even over many years of time, are below:
     
Level Type Description
0 XAdES Basic extensions that do not provide non-repudiation, but add useful information to the XMLDSIG nodes.
1 XAdES-T Adds a timestamp to the signature.
2 XAdES-C Adds the complete certificate information and revocation information at the time of signing.
3 XAdES-X The information that XAdES-T and –C adds is not signed or protected by a signature. Therefore the XAdES-X adds a timestamp that is calculated over (part of) the information that was added by the lower layers.
4 XAdES-X-L Extension for the long term. Adds additional certificate and revocation data.
5 XAdES-A Extension that protects the signature against cryptographic data becoming weak. This is achieved by an additional archiving timestamp.
 

 

The XML signing services

     

The BlueRidge Sign/Validate Service to sign XML documents consists of the following main components:

  • BlueRidge server
  • Optionally HSM: for instance BankSys Dep PCI/64
    (FIPS 140-2 Level 2)
  • Includes the electronic signature service
  • Includes the server component for signature generation (with time stamping and OCSP certificate revocation checking support)
  • Includes the server component for signature validation
  • Client component for signature generation and validation

There are several schemes that BlueRidge supports to sign a XML document. In particular we use detached, enveloped and enveloping signature schemes, each with their advantages and disadvantages. This section will discuss these schemes and how they are used in BlueRidge.

Detached signature

A detached signature is created as a separate document and includes the electronic signature and all properties needed to achieve a XML-signature. The advantage of this method is that the original document is left untouched, this means a third party can view the document using the proper visualisation program (e.g. MS Word) without any further requirement. A disadvantage is that the management to keep the signature linked to the original document is more complex as they are both different documents that do not necessarily reference each other. The detached signature is normally used to sign non-XML (or non text based) documents.

  

Enveloped and enveloping signature

Enveloped and enveloping signatures both reside in the document that is being signed. This has the advantage that the signature and the signed contents are both contained into the same document, which makes archiving management less complex.

Although enveloped and enveloping signatures are most frequently used to sign XML data, they can both be used to sign non-XML document types. In the latter case the following procedure is used:

  • The original document is converted to a text based octet string by converting it to base64.
  • A new XML document is created which embeds the encoded content along with metadata that indicates the type of document.
  • Then the signature (enveloped or enveloping) is applied on the document.

A disadvantage of this method is that the original document is not viewable anymore without an extra step, which is decoding the base64 data to binary data and then opening it with the appropriate visualisation program. This extra step requires an extra program that does the conversion. On Windows systems the decoding software can be integrated into the shell so that if users double click a signed XML file the decoding is done automatically and the resulting file is opened in the appropriate visualisation program.
    << previous | Document Services | next >>