
Can the XML signature be last child element under root node?


As per the W3C xmlsec specification, which can be found at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-Overview, I would like to know whether we are allowed to add the XML signature element as the last child element under the root node?

I tried to read through the spec, but it's not explicitly mentioned at which location we should add the signature element. I would like to know for sure whether the spec emphasizes where we should add the signature element.


Solution

  • The spec does not emphasize a specific location for the signature element. The URI mechanism allows any location; in particular the following settings:

    • Enveloped signature: your ds:Signature is a descendant of your document root (signed root):

    <SignedDocumentRoot>
    ....
        <ds:Signature>....</ds:Signature>
    </SignedDocumentRoot>
    

    In this setting you must use the Enveloped Transform defined in the spec. Note that the ds:Signature may be the last child but this is not necessary.

    • Enveloping signature: your document root (signed root) is a descendant of the ds:Signature:

    <ds:Signature>
    ....
        <ds:Object>
            <SignedDocumentRoot>...</SignedDocumentRoot>
        </ds:Object>
    </ds:Signature>
    

    The ds:Object is defined in the spec. Here, no special transform is mandated.
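
The two placements described in the answer, as an added Python example that is not part of the original answer or the spec: it classifies a document's ds:Signature as enveloped or enveloping, reports its child position, and flags an enveloped signature that lacks the Enveloped Transform. The function names and sample documents are constructed for illustration; it assumes a single ds:Signature and checks structure only, not digests or signature values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
SIG_TAG = "{%s}Signature" % DS
ENVELOPED_TRANSFORM = DS + "enveloped-signature"  # Algorithm URI defined by the spec
TRANSFORM_PATH = "ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform"


def describe_signature(xml_text):
    """Classify the first ds:Signature by placement. Structural check only, no crypto."""
    root = ET.fromstring(xml_text)
    if root.tag == SIG_TAG:
        kind = "enveloping" if root.find("ds:Object", NS) is not None else "other"
        return {"kind": kind, "position": None, "problems": []}
    for parent in root.iter():
        children = list(parent)
        for index, child in enumerate(children):
            if child.tag != SIG_TAG:
                continue
            # Assumption: one ds:Signature whose Reference covers the enclosing document.
            algorithms = {t.get("Algorithm") for t in child.iterfind(TRANSFORM_PATH, NS)}
            problems = []
            if ENVELOPED_TRANSFORM not in algorithms:
                problems.append("enveloped signature without the Enveloped Transform")
            return {"kind": "enveloped", "position": (index, len(children)),
                    "problems": problems}
    return {"kind": "none", "position": None, "problems": ["no ds:Signature found"]}


def _signature(transform):
    """Build a constructed, unsigned ds:Signature skeleton for the samples below."""
    inner = '<ds:Transform Algorithm="%s"/>' % transform if transform else ""
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="">'
            '<ds:Transforms>%s</ds:Transforms></ds:Reference></ds:SignedInfo>'
            '</ds:Signature>' % (DS, inner))


# Constructed sample documents (no real digests or signature values).
SIG_LAST = "<SignedDocumentRoot><a/><b/>%s</SignedDocumentRoot>" % _signature(ENVELOPED_TRANSFORM)
SIG_FIRST = "<SignedDocumentRoot>%s<a/><b/></SignedDocumentRoot>" % _signature(ENVELOPED_TRANSFORM)
NO_TRANSFORM = "<SignedDocumentRoot><a/>%s</SignedDocumentRoot>" % _signature(None)
ENVELOPING = ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#payload"/>'
              '</ds:SignedInfo><ds:Object Id="payload"><SignedDocumentRoot/></ds:Object>'
              '</ds:Signature>' % DS)

if __name__ == "__main__":
    for name in ("SIG_LAST", "SIG_FIRST", "NO_TRANSFORM", "ENVELOPING"):
        print(name, describe_signature(globals()[name]))
```

Both SIG_LAST and SIG_FIRST classify as enveloped with no problems, which matches the answer's point that the last-child position is allowed but not required.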