Notes about the signature

XML signatures are digital signatures designed for use in XML transactions. The W3C standard defines a schema for capturing the result of a digital signature operation applied to an infoset. XML signatures add authentication, data integrity, and support for non-repudiation to the data that they sign.
However, it is beyond the scope of this documentation to explain all details of a signature or the signing process. Detailed information about all aspects of signatures can be found at W3C.

Boundary conditions and critical aspects

  • the signature is optional!
     
  • if an infoset is signed then the private certificate of the sender must be used and this certificate is applied to the payload element. This inherently qualifies for a detached signature.

    In this context sender is used in terms of the communication and therefore is defined as the EAN entity given in the transport@from attribute
     

  • the URI attribute of the reference element must use a XPointer syntax of the payload element, e.g. <ds:Reference URI="#xpointer(/ccr:request/ccr:payload)">
     
  • it is recommended to add the public key via a X509Data element such that a key store can be built at the recipient's site
     
  • The signature algorithm is fixed to PKCS1 (RSA-SHA1) (RFC 2437: RSA Cryptography Specifications)
     
  • The digest algorithm is fixed to SHA-1
     
  • the used canonicalization algorithm must be http://www.w3.org/2001/10/xml-exc-c14n#, the exclusive XML Canonicalization

The careCreditRequest module does obey all these conditions whenever signature is "turned on" by setting the private certificate and password of the "fromEAN" entity (cf. ICareCreditRequest::SetTransport). This certificate must be in the PFX format.