Generating XADES-BES with “ds” prefix


I used the SignedXml class to generate an XML signature, and the resulting XML looks like this:

    <Signature Id="orderSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            .............
            ......
            ...
    </Signature>
    <Object>....</Object>

I need to generate the XADES-BES XML format; that's why I want to add the prefix "ds:" to SignedXml.

Without "ds", my signature validation works fine; its format is XMLDSIG, as you know.

When I want to generate XADES-BES, we have to add the "ds" prefix to the signature and all its child elements, like below:

    <ds:Signature Id="orderSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            .............
            ......
            ...
    </ds:Signature>
    <ds:Object>....</ds:Object>

And if you add that prefix after signing, it doesn't work.

So, I've read all the issues about that and there wasn't any solution.

I really need an XML signature with the "ds" prefix.

Is there anyone who can help me with this question?

Thanks.

There is 1 answer

albciff

I don't really understand why you want to add the ds prefix to the namespace.

Having this:

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
    <ds:SignedInfo Id="SignedInfo">
        <ds:CanonicalizationMethod ...

Is totally equivalent to:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
    <SignedInfo Id="SignedInfo">
        <CanonicalizationMethod ...

In the first case you have to specify ds for elements in the http://www.w3.org/2000/09/xmldsig# namespace; in the second case this namespace is the default namespace, so each element in the XML without a declared prefix is from this namespace.

Furthermore, you say that you need to add the ds prefix in order to have a XAdES-BES, and you comment something about the difference between xmldsig and xades signatures. You have to know that XAdES is only a specification which says what attributes are needed by an XMLDSIG signature to become a XAdES signature. Roughly, XAdES is an XMLDSIG signature which incorporates an <Object> element (in the http://www.w3.org/2000/09/xmldsig# namespace) that will be the bag for the whole set of qualifying properties, some of them signed (signedProperties) and some of them unsigned (unsignedProperties). For a XAdES-BES case you must add <xades:SigningCertificate xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"> inside the <xades:SignedProperties> element.

Here I give you an example of a XAdES-BES signature "without" the ds prefix.

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
<SignedInfo Id="SignedInfo">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference Id="SignedProperties-Reference" Type="http://uri.etsi.org/01903/v1.2.2#SignedProperties" URI="#SignedProperties">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>fiKTaqJzLSmC73cMXZSzjhd877w=</DigestValue>
    </Reference>
    <Reference Id="SignedDataObject-Reference-1" URI="DetachedObjectReference-1">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>8ruIS/4MRp2wAwVX4/pTCYxTyWc=</DigestValue>
    </Reference>
</SignedInfo>
<SignatureValue Id="DocumentSignatureValue">
    R40YdEEEl0YIZVdl4pm3yyF7qGAG8ZN8PPf0aBRXbvRgdIcvJZtI5AS5NexaO5T4O0gMHWRIKjNb
    2QzlfwxlQ3/KqMW4W0QkMLpF4csBpXt9bJ3t+smEeTnxkBcQRXAw5v9kwf20mfz1LtIUhbsU/PMd
    YwaGCsItF2rzl3rtcq4=
</SignatureValue>
<KeyInfo Id="KeyInfo">
    <X509Data>
        <X509Certificate>
            MIIIUTCCBzmgAwI...
        </X509Certificate>
    </X509Data>
    <KeyValue>
        <RSAKeyValue>
            <Modulus>
              pb0cJiodddCDVe/t+7...
            </Modulus>
            <Exponent>AQAB</Exponent>
        </RSAKeyValue>
    </KeyValue>
</KeyInfo>
<Object>
    <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="QualifyingProperties" Target="#Signature">
        <xades:SignedProperties Id="SignedProperties">
            <xades:SignedSignatureProperties>
                <xades:SigningCertificate>
                    <xades:Cert>
                        <xades:CertDigest>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <DigestValue>UZq4NIL9eVVA7aJixPeiUTM3nOM=</DigestValue>
                        </xades:CertDigest>
                        <xades:IssuerSerial>
                            <X509IssuerName>XXXXXXXXXXXX....</X509IssuerName>
                            <X509SerialNumber>705964899...</X509SerialNumber>
                        </xades:IssuerSerial>
                    </xades:Cert>
                </xades:SigningCertificate>
            </xades:SignedSignatureProperties>
            <xades:SignedDataObjectProperties/>
        </xades:SignedProperties>
    </xades:QualifyingProperties>
</Object>

Hope this helps,
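
Why adding the prefix after signing fails even though the two forms are namespace-equivalent, shown as an added example that is not part of the original question or answer: canonicalization keeps prefixes, so the octets that get hashed differ. It uses Python's standard-library C14N 2.0 as a stand-in for the C14N 1.0 algorithm named in the signatures above (both retain prefixes by default); the sample fragments and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed SignedInfo fragments (not taken from a real signature).
UNPREFIXED = (
    f'<SignedInfo xmlns="{DSIG}">'
    f'<CanonicalizationMethod Algorithm="{C14N}"/>'
    f'<SignatureMethod Algorithm="{RSA_SHA1}"/>'
    '</SignedInfo>'
)
PREFIXED = (
    f'<ds:SignedInfo xmlns:ds="{DSIG}">'
    f'<ds:CanonicalizationMethod Algorithm="{C14N}"/>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA1}"/>'
    '</ds:SignedInfo>'
)


def qualified_names(xml_text):
    """Namespace-resolved element names, as a namespace-aware parser sees them."""
    return [el.tag for el in ET.fromstring(xml_text).iter()]


def canonical_form(xml_text):
    """Canonical serialization; prefixes are retained, not normalized away."""
    return ET.canonicalize(xml_data=xml_text)


def c14n_digest(xml_text):
    """Hash of the canonical octets, i.e. the input a signer or verifier hashes.
    SHA-256 is used here; any hash function shows the same effect."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def prefix_change_breaks_digest(before, after):
    """True when both documents name the same elements but hash differently."""
    same_names = qualified_names(before) == qualified_names(after)
    same_digest = c14n_digest(before) == c14n_digest(after)
    return same_names and not same_digest


if __name__ == "__main__":
    print(canonical_form(UNPREFIXED))
    print(canonical_form(PREFIXED))
    print("prefix change breaks digest:",
          prefix_change_breaks_digest(UNPREFIXED, PREFIXED))
```

The prefix therefore has to be in place before SignedInfo is canonicalized and signed; a verifier recomputes the digest over the bytes it receives, so any prefix edit made afterwards is indistinguishable from tampering.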