Signature algorithm identifiers appear as the Algorithm attribute of SignatureMethod elements, as shown in Figure 183. They take two implicit parameters: their keying material and the octet stream output by CanonicalizationMethod. MAC and signature algorithms are syntactically identical, but a signature implies public key cryptography. 18.4.1 DSADSA Identifier: http://www.w3.org/2000/09/xmldsig#dsasha1 The DSA algorithm [DSS] is mandatory to implement for XML Digital Signature applications. It takes no explicit parameters. An example of a DSA SignatureMethod element follows: <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsasha1"/> The output of the DSA algorithm is a pair of integers usually referred by the pair (r, s). The signature value consists of the base64 encoding of the concatenation of two octet streams for the values r and s. Integertooctet steam conversion must be performed according to the I2OSP operation defined in the PKCS#1 specification [RFC 2437] with an "L" parameter equal to 20. For example, the SignatureValue element for a DSA signature (r, s) with values specified in hexadecimal as r = 8BAC1AB6 6410435C B7181F95 B16AB97C 92B341C0 s = 41E2345F 1F56DF24 58F426D1 55B4BA2D B6DCD8C8 from the example in Appendix 5 of the DSS standard would be <SignatureValue> i6watmQQQ1y3GB+VsWq5fJKzQcBB4jRfH1bfJFj0JtFVtLotttzYyA== </SignatureValue> 18.4.2 RSASHA1RSASHA1 Identifier: http://www.w3.org/2000/09/xmldsig#rsasha1 RSASHA1 refers to the RSASSAPKCS1v1_5 encoding/padding algorithm [RFC 2437] used with the SHA1 algorithm (see Section 18.1.2). It is recommended that this algorithm be implemented in XML Digital Signature applications. The RSA algorithm takes no explicit parameters. An example of an RSA SignatureMethod element follows: <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"/> The SignatureValue content for an RSA signature is the base64 [RFC 2045] encoding of the octet string computed as per [RFC 2437, Section 8.1.1: signature generation operation for the RSASSAPKCS1v1_5 signature scheme]. The EMSAPKCS1V1_5ENCODE function [RFC 2437, Section 9.2.1] specifies that the value input to the signature function must contain a prepended algorithm object identifier for the hash function. However, the availability of an ASN.1 parser and recognition of OIDs are not required of a signature verifier. The PKCS#1 v1.5 representation appears as follows: Note that the padded ASN.1 will have the following form: Here "" is concatenation; "01", "FF", and "00" are the fixed x01, xFF, and x00 octets, respectively; "message digest" is the SHA1 digest of the data; and "prefix" is the ASN.1 BER SHA1 algorithm designator prefix required in PKCS#1 [RFC 2437], that is, hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 This prefix makes it easier to use standard cryptographic libraries. The xFF octet must be repeated the maximum number of times such that the quantity being encrypted is one octet shorter than the RSA modulus. The resulting base64 string is the value of the child text node of the SignatureValue element: <SignatureValue>IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4 t0/gyTE96639In0FZFY2/rvP+/bMJ01EArmKZsR5VW3rwoPxw= </SignatureValue> 18.4.3 Additional RSA VariationsAdditional RSA Identifiers: http://www.w3.org/2001/04/xmldsigmore#rsamd5 http://www.w3.org/2001/04/xmldsigmore#rsasha256 http://www.w3.org/2001/04/xmldsigmore#rsasha512 http://www.w3.org/2001/04/xmldsigmore#rsaripems160 These algorithms all use the same encoding/padding method as RSASHA1 but with different message digest functions and a different prefix to indicate the different message digest function. The prefix to use for MD5 follows: MD5 Prefix hex 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 10
