XML Signature

http://www.w3.org/Signature


基础知识

XML Signature(也称作XMLDsigXML-DSigXML-Sig)是一个定义数字签名的XML语法的W3C推荐标准。从功能上或,XML Signature与PKCS#7有很多共同点,但是XML签名具有更好的可扩展性,并为签名XML文档做了调整。XML Signature在许多Web技术,如SOAP, SAML等中使用。

XML signature可以用来签名任何类型的数据(称作资源),最常见的是XML文档,但是任何可以通过URL访问的资源都可以被签名。如果XML签名用于对包含该签名的XML文档之外的资源签名,则称为detached signature; 如果XML签名用于对包含它的XML文档的某个部分进行签名,则称为enveloped signature; 如果XML签名包含被签名的数据(但要排除掉该签名),则称为enveloping signature。

XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type. (因为XML Signature不仅是指用公钥密码算法进行签名,还包括使用HMAC,所以这里and/or signer authentication)

This Second Edition of XML Signature Syntax and Processing adds Canonical XML 1.1 as a required canonicalization algorithm and recommends its use for inclusive canonicalization. (所谓canonicalization,就是类似于编码,从而保证验签时,能够验签成功)

Signature元素可与其他元素在同一个XML文件中共存,因此其ID属性应恰当选取,从而保证不违背ID uniqueness validity constraint。XML Signature的XML Schema如下所示,其中SignedInfo元素是正在被签名的部分。对SignedInfo的签名验证包括两个环节:验证SignedInfo的签名,验证SignedInfo中每个Reference的hash值。计算SignatureValue的算法也同样包含在SignedInfo中,可以避免对其篡改,以选用较弱的密码算法。CanonicalizationMethod是用来在计算hash(用于签名的)前对SignedInfo元素进行Canonicalize的。每个Reference元素包括digest method以及相应的摘要值,其还可以包含transformation(用于生成digest的输入值)。KeyInfo表示用于验证签名的密钥,形式包括证书、key name、key agreement algorithms及相应信息。


XML Signature_第1张图片




针对XML Signature的批评

针对的是第一版

The problem with XML security can be traced back to two fundamental causes:

1. XML is an inherently unstable and therefore unsignable data format. XML-Dsig attempts to fix this via canonicalistion rules, but they don't really work.

2. The use of an "If it isn't XML, it's crap" design approach that lead to the rejection of conventional, proven designs in an attempt to prove that XML was more flexible than existing stuff.

XML is an inherently unsignable data format. you need to handle text-canonicalisation for whitespace, line endings, character-set encoding, word wrapping, escape sequences, and so on. the X.509 canonicalisation rules are vastly simpler than the XML ones.

Much more worrying though is the fact that at the semantic level XML, like MS Word, consists of highly dynamic content, but about two orders of magnitude more complex than Word.  With XML you have to deal with XSLT (transformations that handle tree construction, format control, pattern selection, and other issues), XPath selection, the fact that the data can be affected (often drastically) by external forces such as style sheets, schemas, and DTDs, XML namespace declarations and namespace attributes, and about a million other things, none of which anyone can quite agree on how to handle, mostly because there is no way to handle them.

你可能感兴趣的:(XML Signature)