Quickstart Guide for DSS

DSS Quick start Guide

Simple Start: Requesting a CMS Signature

SignRequest for a prehashed document

The DSS core schema, with all the schema definitions it refers to, may give the impression that a simple signing request using the DSS specification is a complex task. But that's not the case! Simple tasks can be done with just a few lines of XML. Let's start with a request for a detached signature using the good old PKCS7 standard. The enclosing element is the SignRequest from the DSS core namespace. Let's assume the input document to be signed was already hashed, so the InputDocuments element includes the DocumentHash element with its descendants DigestMethod and DigestValue. Please note: both of these latter elements are defined in the XMLDSig namespace.

To be independent of the server's default settings, we add an OptionalInputs element to explicitly define the type of signature, in this case RFC 3369, which is the somewhat outdated uniform resource name (URN) for the PKCS7 / CMS family of signatures.

 

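<dss:SignRequest
     xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <!-- OptionalInputs comes before InputDocuments in the DSS core schema sequence -->
  <dss:OptionalInputs>
    <!-- Ask explicitly for a PKCS7 / CMS signature instead of the server default -->
    <dss:SignatureType>urn:ietf:rfc:3369</dss:SignatureType>
  </dss:OptionalInputs>
  <dss:InputDocuments>
    <!-- Only the hash of the document is sent, not the document itself -->
    <dss:DocumentHash>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>In6GUzH+gMFR5q4WpUTyPa+1b4s=</ds:DigestValue>
    </dss:DocumentHash>
  </dss:InputDocuments>
</dss:SignRequest>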

CMS Signing Request

That's all you have to do to successfully request a signature from a DSS compliant server!

Now let's see what the server's response looks like …

The CMS Response

The returned structure is encapsulated in a SignResponse element from the DSS core namespace. This element hosts the Result element, which describes the outcome of the DSS request. The first item to check is the value of the ResultMajor element. The resultmajor:Success constant (from the DSS namespace) signals successful processing of the request. But beware: the ResultMajor element only has the scope of technical processing. Other aspects of the processing may be reflected in the ResultMinor element. The resultminor:valid:signature:OnAllDocuments constant ensures that all documents (even if there is just a hash of a single document, as we supplied it with our sample request).
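
The request and the result check described above, as an added Python example that is not part of the original guide: it hashes a document with SHA-1 (the digest method used in the sample request), builds the SignRequest, and reads ResultMajor and ResultMinor from a SignResponse. The function names and the sample response are constructed for illustration; OptionalInputs is emitted first, following the DSS core schema sequence.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
ET.register_namespace("dss", DSS)
ET.register_namespace("ds", DS)

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    b'<dss:SignResponse xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema">'
    b"<dss:Result><dss:ResultMajor>"
    b"urn:oasis:names:tc:dss:1.0:resultmajor:Success"
    b"</dss:ResultMajor></dss:Result></dss:SignResponse>"
)


def build_sign_request(document: bytes) -> bytes:
    """Hash the document locally and wrap the digest in a dss:SignRequest."""
    digest = base64.b64encode(hashlib.sha1(document).digest()).decode("ascii")
    req = ET.Element(f"{{{DSS}}}SignRequest")
    # The DSS core schema sequence puts OptionalInputs before InputDocuments.
    opts = ET.SubElement(req, f"{{{DSS}}}OptionalInputs")
    ET.SubElement(opts, f"{{{DSS}}}SignatureType").text = "urn:ietf:rfc:3369"
    docs = ET.SubElement(req, f"{{{DSS}}}InputDocuments")
    doc_hash = ET.SubElement(docs, f"{{{DSS}}}DocumentHash")
    ET.SubElement(doc_hash, f"{{{DS}}}DigestMethod", Algorithm=DS + "sha1")
    ET.SubElement(doc_hash, f"{{{DS}}}DigestValue").text = digest
    return ET.tostring(req, encoding="utf-8")


def read_result(response_xml: bytes) -> tuple:
    """Return (technical_success, ResultMinor URI or None) for a SignResponse."""
    # A DSS response has no reason to carry a DTD; refuse it before parsing.
    if b"<!DOCTYPE" in response_xml:
        raise ValueError("DTDs are not expected in a DSS response")
    root = ET.fromstring(response_xml)
    result = root.find(f"{{{DSS}}}Result")
    if root.tag != f"{{{DSS}}}SignResponse" or result is None:
        raise ValueError("not a dss:SignResponse with a dss:Result")
    major = (result.findtext(f"{{{DSS}}}ResultMajor") or "").strip()
    minor = (result.findtext(f"{{{DSS}}}ResultMinor") or "").strip()
    return major == SUCCESS, minor or None


if __name__ == "__main__":
    print(build_sign_request(b"Hello World!").decode("utf-8"))
    print(read_result(SAMPLE_RESPONSE))
```

Sending the request to the server (the transport binding) is left out here.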

 


 

Moving on: Requesting an XMLDSig Signature

Let's create a well-formed XML document like the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<content>Hello World!</content>

How to sign this using DSS and XMLDSig is shown in the next section.

SignRequest for an XML document




The XMLDSig Response



Providing different encoding of the XML document



Enveloped vs. Enveloping: Placement of the XML signature



SignRequest for an XML document

 


Checking a Signature



The verification of a CMS signature



Sending an XML signature off for verification