Enveloped XML signature
An enveloped XML signature is a digital signature embedded, as a child element, in the XML content that it signs. Enveloped signatures are commonly used when an XML document contains several resources that must be signed by one or more parties. The signature's Reference points, by URI, at the element that contains the Signature element; the enveloped-signature transform strips that Signature element from the referenced content before the digest is computed, because a digest cannot cover its own value.
You cannot use enveloped XML digital signatures to sign existing signatures. The enveloped-signature transform removes only the Signature element being computed, so a second enveloped signature added inside the same element becomes part of the content that the first signature digested and invalidates the first. A signature that must cover an existing signature has to be a detached or enveloping signature instead.
For example, an employee purchasing office supplies for their company must complete an XML purchase-order approval form that requires approval from both the office manager and the finance department. The office manager digitally signs the <quantity> element, approving the quantity of office supplies purchased. The finance department digitally signs the <creditApproval> element, approving the purchase of office supplies in a specific dollar amount. Each signature sits inside the element it signs and references that element by its Id attribute:
  <?xml version="1.0" encoding="UTF-8"?>
  <RootElement>
    <!-- ... unsigned XML content ... -->
    <quantity Id="Q1">
      <dsig:Signature Id="Signature001" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907" />
          <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <dsig:Reference URI="#Q1">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>Uwefn6Mkm8NjELWGQ7pNxqQsilk=</dsig:DigestValue>
          </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>B1FPUvo6GgjSLZ0 ... M+ebcNsNC8t1Ebng=</dsig:SignatureValue>
        <dsig:KeyInfo>
          <dsig:KeyValue>
            <dsig:RSAKeyValue>
              <dsig:Modulus>3PV+BoAm9hmX ... F11TfW04ocV9xmuN</dsig:Modulus>
              <dsig:Exponent>AQAB</dsig:Exponent>
            </dsig:RSAKeyValue>
          </dsig:KeyValue>
          <dsig:X509Data>
            <dsig:X509SubjectName>cn=OfficeManager,o=EXAMPLE,c=CA</dsig:X509SubjectName>
            <dsig:X509Certificate>MIIC1jCCAj+gA ...QXV0b2JvdHMxF</dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </dsig:Signature>
    </quantity>
    <creditApproval Id="A1">
      <dsig:Signature Id="Signature002" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
          <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2000/WD-xml-c14n-20000907" />
          <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <dsig:Reference URI="#A1">
            <dsig:Transforms>
              <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </dsig:Transforms>
            <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <dsig:DigestValue>Uwefn6Mkm8NjELWGQ7pNxqQsilk=</dsig:DigestValue>
          </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>B1FPUvo6GgjS ... M+ebcNsNC8t1Ebng=</dsig:SignatureValue>
        <dsig:KeyInfo>
          <dsig:KeyValue>
            <dsig:RSAKeyValue>
              <dsig:Modulus>3PV+BoAm9hmXLkTS ... F11TfW04ocV9xmuN</dsig:Modulus>
              <dsig:Exponent>AQAB</dsig:Exponent>
            </dsig:RSAKeyValue>
          </dsig:KeyValue>
          <dsig:X509Data>
            <dsig:X509SubjectName>cn=DepartmentofFinanceTest4,o=ACME,c=CA</dsig:X509SubjectName>
            <dsig:X509Certificate>MIIC1jCCAj+ ... QXV0b2JvdHMxF</dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
      </dsig:Signature>
    </creditApproval>
    <!-- ... unsigned XML content ... -->
  </RootElement>
The digest, signature, modulus and certificate values are abbreviated placeholders. Note also that the algorithm identifiers in this example are dated: the CanonicalizationMethod names the September 2000 working draft of Canonical XML rather than the final Recommendation, and rsa-sha1 and sha1 are SHA-1 based, which current XML Signature guidance discourages for new signatures in favour of rsa-sha256 and sha256. When verifying, resolve each Reference URI to exactly one element, confirm that the Signature really sits inside that element, and make sure the element that was signed is the element your application acts on.
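The following is an added example, not code from the original page or from any XML Signature implementation. It walks through the purchase-order scenario above with only the Python standard library: it resolves URI="#Q1" and URI="#A1" to their elements, applies the enveloped-signature transform (remove the Signature being computed, digest the rest), verifies both signatures, and then shows the two failure modes the text calls out, a tampered quantity and a second enveloped signature nested in an already-signed element. Two stand-ins are assumptions made for illustration and are labelled in the code: HMAC-SHA256 replaces the RSA SignatureValue, and ElementTree's serializer replaces real XML canonicalization. The sample document and keys are constructed.

```python
# Added example, not code from the original page: an enveloped-signature round
# trip over the purchase order described above, using only the standard library.
# The Reference/DigestValue step follows XMLDSig (digest the referenced element
# with the Signature being computed removed). Two stand-ins are assumptions made
# for illustration: HMAC-SHA256 replaces the RSA SignatureValue, and
# ElementTree's serializer replaces real XML canonicalization (C14N).
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DSIG}}}Signature"
ET.register_namespace("dsig", DSIG)

# Constructed sample document, modelled on the purchase order in the text.
PURCHASE_ORDER = """<RootElement>
  <quantity Id="Q1">25</quantity>
  <creditApproval Id="A1">1500.00</creditApproval>
</RootElement>"""

def find_by_id(root, element_id):
    """Resolve a same-document reference (URI="#id"); the Id must be unique."""
    matches = [e for e in root.iter() if e.get("Id") == element_id]
    if len(matches) != 1:
        raise ValueError(f"Id {element_id!r} must occur exactly once, found {len(matches)}")
    return matches[0]

def canonical_bytes(element):
    """Stand-in for C14N: deterministic for this input, not a real canonicalization."""
    return ET.tostring(element, encoding="utf-8")

def enveloped_digest(element, signature_id):
    """Enveloped-signature transform, then SHA-256: only the Signature with this Id is
    removed, so any other Signature nested in the element stays in the digested content."""
    work = copy.deepcopy(element)
    for parent in list(work.iter()):
        for child in list(parent):
            if child.tag == SIG_TAG and child.get("Id") == signature_id:
                parent.remove(child)
    return base64.b64encode(hashlib.sha256(canonical_bytes(work)).digest()).decode()

def mac(key, data):
    """Stand-in for the RSA SignatureValue over SignedInfo (assumption, not XMLDSig RSA)."""
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()

def sign_element(root, element_id, signature_id, key):
    """Add an enveloped Signature as a child of the element with the given Id."""
    target = find_by_id(root, element_id)
    sig = ET.SubElement(target, SIG_TAG, Id=signature_id)
    info = ET.SubElement(sig, f"{{{DSIG}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DSIG}}}Reference", URI=f"#{element_id}")
    transforms = ET.SubElement(ref, f"{{{DSIG}}}Transforms")
    ET.SubElement(transforms, f"{{{DSIG}}}Transform", Algorithm=DSIG + "enveloped-signature")
    ET.SubElement(ref, f"{{{DSIG}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DSIG}}}DigestValue").text = enveloped_digest(target, signature_id)
    ET.SubElement(sig, f"{{{DSIG}}}SignatureValue").text = mac(key, canonical_bytes(info))
    return sig

def verify_signature(root, signature_id, key):
    """Verify one enveloped signature; False on digest or signature mismatch."""
    sig = find_by_id(root, signature_id)
    info = sig.find(f"{{{DSIG}}}SignedInfo")
    ref = info.find(f"{{{DSIG}}}Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are handled here")
    target = find_by_id(root, uri[1:])
    # The Signature must really sit inside the element it references; otherwise the
    # enveloped transform removes nothing and the signature is not enveloped at all.
    if not any(e is sig for e in target.iter(SIG_TAG)):
        raise ValueError(f"{signature_id} is not enveloped by the element it signs")
    digest_ok = hmac.compare_digest(ref.find(f"{{{DSIG}}}DigestValue").text,
                                    enveloped_digest(target, signature_id))
    sig_ok = hmac.compare_digest(sig.find(f"{{{DSIG}}}SignatureValue").text,
                                 mac(key, canonical_bytes(info)))
    return digest_ok and sig_ok

def demo():
    """Sign Q1 and A1 as in the text, then exercise tampering, nesting and duplicate Ids."""
    root = ET.fromstring(PURCHASE_ORDER)
    manager_key, finance_key = b"office-manager-key", b"finance-key"  # constructed keys
    sign_element(root, "Q1", "Signature001", manager_key)
    sign_element(root, "A1", "Signature002", finance_key)
    results = {"both_valid": verify_signature(root, "Signature001", manager_key)
                             and verify_signature(root, "Signature002", finance_key)}
    # Changing the approved quantity after signing breaks the digest.
    tampered = copy.deepcopy(root)
    find_by_id(tampered, "Q1").text = "250"
    results["tamper_detected"] = not verify_signature(tampered, "Signature001", manager_key)
    # Nesting: a second enveloped signature inside Q1 becomes part of the content that
    # Signature001 digested, so the new signature verifies but the first no longer does.
    nested = copy.deepcopy(root)
    sign_element(nested, "Q1", "Signature003", finance_key)
    results["nested_new_valid"] = verify_signature(nested, "Signature003", finance_key)
    results["nested_first_still_valid"] = verify_signature(nested, "Signature001", manager_key)
    # Duplicate Ids make URI="#Q1" ambiguous; refuse rather than silently pick one.
    dup = ET.fromstring('<R><quantity Id="Q1">1</quantity><quantity Id="Q1">9</quantity></R>')
    try:
        find_by_id(dup, "Q1")
        results["duplicate_id_rejected"] = False
    except ValueError:
        results["duplicate_id_rejected"] = True
    return results
```

Calling demo() returns a dictionary of the five checks: both original signatures verify, the tampered quantity is detected, and in the nested case Signature003 verifies while Signature001 no longer does, which is the concrete reason enveloped signatures cannot be stacked on one element. The duplicate-Id check matters because a Reference URI is only as trustworthy as the Id lookup behind it; a verifier that picks the first match would let an attacker decide which element the digest is checked against.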