Notes about the signature

XML signatures are digital signatures designed for use in XML transactions. The W3C standard defines a schema for capturing the result of a digital signature operation applied to an infoset. XML signatures add authentication, data integrity, and support for non-repudiation to the data that they sign.
However, it is beyond the scope of this documentation to explain all details of a signature or the signing process. Detailed information about all aspects of signatures can be found at W3C.

Boundary conditions and critical aspects

  • the signature is optional!
     
  • if an infoset is signed then the private certificate of the sender must be used and this certificate is applied to the payload element. This inherently qualifies for a detached signature.

    In this context sender is used in terms of the communication and therefore is defined as the EAN entity given in the transport@from attribute which is the mirrored transport@to attribute of the request
     

  • the URI attribute of the reference element must use a XPointer syntax of the payload element, e.g. <ds:Reference URI="#xpointer(/mcd:response/mcd:payload)">
     
  • it is recommended to add the public key via a X509Data element such that a key store can be built at the recipient's site
     
  • The signature algorithm is fixed to PKCS1 (RSA-SHA1) (RFC 2437: RSA Cryptography Specifications)
     
  • The digest algorithm is fixed to SHA-1
     
  • the used canonicalization algorithm must be http://www.w3.org/2001/10/xml-exc-c14n#, the exclusive XML Canonicalization

The hospitalMCDResponse module does understand these boundary conditions. If the response XML is signed then the module extracts the X509Data element and transforms it to a binary DER format. Using the certificate the signature chain is checked. The IHospitalMCDResponse::GetTransport method returns a binary DER file named X509DER_from_EAN.cer. This is exactly the certificate to use for encrypting a MCD request XML infosets!