Signature algorithm identifiers appear as the Algorithm attribute of SignatureMethod elements, as shown in Figure 18-3. They take two implicit parameters: their keying material and the octet stream output by CanonicalizationMethod. MAC and signature algorithms are syntactically identical, but a signature implies public key cryptography.

18.4.1 DSA

DSA Identifier:
    http://www.w3.org/2000/09/xmldsig#dsa-sha1

The DSA algorithm [DSS] is mandatory to implement for XML Digital Signature applications. It takes no explicit parameters. An example of a DSA SignatureMethod element follows:

    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>

The output of the DSA algorithm is a pair of integers, usually referred to as the pair (r, s). The signature value consists of the base-64 encoding of the concatenation of two octet streams for the values r and s. Integer-to-octet stream conversion must be performed according to the I2OSP operation defined in the PKCS#1 specification [RFC 2437] with an "L" parameter equal to 20. For example, the SignatureValue element for a DSA signature (r, s) with values specified in hexadecimal as

    r = 8BAC1AB6 6410435C B7181F95 B16AB97C 92B341C0
    s = 41E2345F 1F56DF24 58F426D1 55B4BA2D B6DCD8C8

from the example in Appendix 5 of the DSS standard would be

    <SignatureValue>
    i6watmQQQ1y3GB+VsWq5fJKzQcBB4jRfH1bfJFj0JtFVtLotttzYyA==
    </SignatureValue>

18.4.2 RSA-SHA1

RSA-SHA1 Identifier:
    http://www.w3.org/2000/09/xmldsig#rsa-sha1

RSA-SHA1 refers to the RSASSA-PKCS1-v1_5 encoding/padding algorithm [RFC 2437] used with the SHA-1 algorithm (see Section 18.1.2). It is recommended that this algorithm be implemented in XML Digital Signature applications. The RSA algorithm takes no explicit parameters.
An example of an RSA SignatureMethod element follows:

    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

The SignatureValue content for an RSA signature is the base-64 [RFC 2045] encoding of the octet string computed as per [RFC 2437, Section 8.1.1: signature generation operation for the RSASSA-PKCS1-v1_5 signature scheme]. The EMSA-PKCS1-V1_5-ENCODE function [RFC 2437, Section 9.2.1] specifies that the value input to the signature function must contain a prepended algorithm object identifier for the hash function. However, the availability of an ASN.1 parser and recognition of OIDs are not required of a signature verifier.

The PKCS#1 v1.5 representation appears as follows:

Note that the padded ASN.1 will have the following form:

Here "|" is concatenation; "01", "FF", and "00" are the fixed x01, xFF, and x00 octets, respectively; "message digest" is the SHA1 digest of the data; and "prefix" is the ASN.1 BER SHA1 algorithm designator prefix required in PKCS#1 [RFC 2437], that is,

    hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14

This prefix makes it easier to use standard cryptographic libraries. The xFF octet must be repeated the maximum number of times such that the quantity being encrypted is one octet shorter than the RSA modulus. The resulting base-64 string is the value of the child text node of the SignatureValue element:

    <SignatureValue>IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4
    t0/gyTE96639In0FZFY2/rvP+/bMJ01EArmKZsR5VW3rwoPxw=
    </SignatureValue>

18.4.3 Additional RSA Variations

Additional RSA Identifiers:
    http://www.w3.org/2001/04/xmldsig-more#rsa-md5
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
    http://www.w3.org/2001/04/xmldsig-more#rsa-sha512
    http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160

These algorithms all use the same encoding/padding method as RSA-SHA1 but with different message digest functions and a different prefix to indicate the different message digest function.
The prefix to use for MD5 follows:

MD5 Prefix
    hex 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10
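
The following Python sketch is an added example, not code from the book: it builds the padded block described in 18.4.2 and 18.4.3 from the SHA-1 and MD5 prefixes given above, and checks a recovered block by rebuilding it and comparing every octet, which is why a verifier needs no ASN.1 parser. The function names, the sample input and the 64-octet modulus length are assumptions, and the RSA operation itself is left out.

```python
import hashlib
import hmac

# Digest prefixes quoted in the text above (SHA-1 in 18.4.2, MD5 in 18.4.3).
PREFIX = {
    "sha1": bytes.fromhex("3021300906052B0E03021A05000414"),
    "md5": bytes.fromhex("3020300C06082A864886F70D020505000410"),
}


def encode_block(data: bytes, hash_name: str, modulus_len: int) -> bytes:
    """Return 01 | FF..FF | 00 | prefix | digest, one octet shorter than the modulus."""
    tail = PREFIX[hash_name] + hashlib.new(hash_name, data).digest()
    pad_len = (modulus_len - 1) - 2 - len(tail)  # octets left for the FF run
    if pad_len < 8:  # RFC 2437 needs at least eight FF octets
        raise ValueError("modulus too short for this digest")
    return b"\x01" + b"\xff" * pad_len + b"\x00" + tail


def block_matches(recovered: bytes, data: bytes, hash_name: str, modulus_len: int) -> bool:
    """Verifier side: rebuild the expected block and compare every octet.

    `recovered` stands for the output of the RSA public-key operation, which
    this sketch does not perform. Nothing is parsed, so a block with a
    shortened FF run or extra trailing octets cannot pass.
    """
    expected = encode_block(data, hash_name, modulus_len)
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    data = b"abc"  # constructed sample input
    k = 64         # assumed modulus length in octets (512 bits), for display only
    good = encode_block(data, "sha1", k)
    print(good.hex())
    print("exact block accepted:", block_matches(good, data, "sha1", k))
    # Constructed malformed block: correct prefix and digest, but only eight
    # FF octets and filler after the digest to reach the same length.
    tail = PREFIX["sha1"] + hashlib.sha1(data).digest()
    bad = b"\x01" + b"\xff" * 8 + b"\x00" + tail
    bad += b"\x00" * (len(good) - len(bad))
    print("malformed block accepted:", block_matches(bad, data, "sha1", k))
```

Comparing against the fully rebuilt block rejects anything that deviates from the fixed layout, including blocks that a lenient field-by-field parser might accept.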