How to Sign XML Files?

XML signing is a process that involves adding a digital signature to an XML document to ensure its integrity, authenticity, and non-repudiation. By applying a digital signature to an XML document, the signer attests to the authenticity and integrity of the data, making it possible to verify the document’s origin and ensure that it has not been altered during transit or storage.
The digital signature is created using asymmetric encryption techniques, typically based on public-key infrastructure (PKI). The signer generates a private key that is kept securely and a corresponding public key that can be shared with others. The private key is used to encrypt a hash or digest of the XML document, creating the digital signature. The encrypted digest serves as a unique representation of the data and is appended to the XML document.
XML signing is crucial in various domains, including e-commerce, electronic invoicing, supply chain management, and government applications. It enables secure electronic document exchanges, establishes the authenticity of data, and ensures non-repudiation, meaning that the signer cannot later deny their involvement or the integrity of the document.
An Overview of the XML signing process:
Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Within this solution we offer a utility tool, XML Signer, which can sign XML files. The steps listed below will assist you with using our tool with ease.
To use XML Signer, users must first set environment variables for the SSL Client Authentication Certificate path and the certificate password. Ask the Encryption Consulting team if you don’t already have it.
Note: SSL Client Authentication Certificate should be in the PKCS12 format (.p12 or .pfx)
Execute the below commands to set environment variables:
Mac or Linux
$ export SIGNER_SSL_CERT_PFX=path_to_ssl_certificate
$ export SIGNER_SSL_CERT_PFX_PASS=your_client_certificate_password
Windows
$ set SIGNER_SSL_CERT_PFX=path_to_ssl_certificate
$ set SIGNER_SSL_CERT_PFX_PASS=your_client_certificate_password
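The PKCS12 file and its password are credentials, so it is worth checking them before the first call to the tool. The following pre-flight check for Mac or Linux shells is an added example, not part of XML Signer or of Encryption Consulting's documentation; the function names and return codes are illustrative assumptions, and only the two variable names come from the steps above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two variables XML Signer reads.
# Function names and return codes are illustrative, not part of xmlsigner.

# Prompt for the password with echo off, so it is not typed on a command
# line and does not end up in shell history.
signer_read_pass() {
    printf 'Client certificate password: ' >&2
    stty -echo
    IFS= read -r SIGNER_SSL_CERT_PFX_PASS
    stty echo
    printf '\n' >&2
    export SIGNER_SSL_CERT_PFX_PASS
}

# Return 0 when the environment looks sane, otherwise a code naming the problem.
signer_preflight() {
    pfx=${SIGNER_SSL_CERT_PFX:-}
    [ -n "$pfx" ] || { echo "SIGNER_SSL_CERT_PFX is not set" >&2; return 1; }
    [ -f "$pfx" ] && [ -r "$pfx" ] || { echo "cannot read $pfx" >&2; return 2; }
    case "$pfx" in
        *.p12|*.pfx|*.P12|*.PFX) ;;
        *) echo "$pfx: expected a PKCS12 file (.p12 or .pfx)" >&2; return 3 ;;
    esac
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$pfx" 2>/dev/null || stat -f '%Lp' "$pfx")
    case "$mode" in
        *00) ;;  # owner-only, e.g. 600 or 400
        *) echo "$pfx: mode $mode is open to group/other; chmod 600" >&2; return 4 ;;
    esac
    [ -n "${SIGNER_SSL_CERT_PFX_PASS:-}" ] || {
        echo "SIGNER_SSL_CERT_PFX_PASS is not set" >&2; return 5; }
    return 0
}

# Usage, after sourcing this file:
#   signer_read_pass && signer_preflight && ./xmlsigner -v
```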
Execute the below command
Mac or Linux
$ ./xmlsigner -v
Windows
$ xmlsigner.exe -v
Execute the below command to display help
Mac or Linux
$ ./xmlsigner -h or $ ./xmlsigner --help
Windows
$ xmlsigner.exe -h or $ xmlsigner.exe --help
The Signer utility will generate the signed document with the same name and the postfix “_signed”.
Use the sign subcommand to sign an XML document
./xmlsigner -S <file_to_be_signed> -u <user_name> -k <key_name> -a <algorithm> -c <key_certificate> -q
-S: XML document to be signed.
-u: User name. A user name on Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.
-k: Key/certificate name for signing/verification provided by Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.
-a: Algorithm to be used for signing. One of the following options should be used:
If the Algorithm is not provided, it will use SHA256 as a default.
-c: Certificate file provided by Encryption Consulting server.
-q: Execute quietly.
-h: Display help
Mac or Linux
$ ./xmlsigner -h
$ ./xmlsigner -S file.xml -u admin -k SignCertificateName -a SHA256 -c <path/to/certificate>
Windows
$ xmlsigner.exe -h
$ xmlsigner.exe -S file.xml -u admin -k SignCertificateName -a SHA256 -c <path/to/certificate>
XML signing ensures the integrity, authenticity, and non-repudiation of XML documents. It adds a digital signature that verifies the document’s origin and prevents tampering. XML signing is essential for secure data exchange, fostering trust in electronic transactions and reliable communication. It finds applications in e-commerce, invoicing, supply chain management, and more. By using tools and libraries, the XML signing process is simplified and can be integrated into various environments. To get our tool, which can help you with the XML signing process, please contact us at info@encryptionconsulting.com.