DSS Quickstart Guide
...
The DSS core schema with all its referenced schema definitions may give the impression that doing a simple signing call using the DSS specification is a complex task. But that's not the case! Simple tasks can be done with just a few lines of XML. Let's start with a request for a detached signature using the good old PKCS7 standard. The enclosing element is the SignRequest from the DSS core namespace. The input document to be signed was already hashed, so the InputDocuments element includes the DocumentHash element with its descendants DigestMethod and DigestValue. Please note: both of these tags are defined in the XMLDSig namespace.
To be independent of the server's default settings we added an OptionalInputs element to explicitly define the type of signature, in this case RFC 3369, which is the somewhat outdated Uniform Resource Name for the PKCS7 / CMS family of signatures.
```xml
<dss:SignRequest xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <dss:InputDocuments>
    <dss:DocumentHash>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>In6GUzH+gMFR5q4WpUTyPa+1b4s=</ds:DigestValue>
    </dss:DocumentHash>
  </dss:InputDocuments>
  <dss:OptionalInputs>
    <dss:SignatureType>urn:ietf:rfc:3369</dss:SignatureType>
  </dss:OptionalInputs>
</dss:SignRequest>
```
That's all you have to do to successfully request a signature from a DSS compliant server!
Now let's see what the server's response looks like …
...
The returned structure is encapsulated in a SignResponse element from the DSS core namespace. This element hosts the Result element, which describes the outcome of the DSS request. The first item to check is the value of the ResultMajor element. The resultmajor:Success constant (from the DSS namespace) signals successful processing of the request. But beware, the ResultMajor element only has the scope of technical processing. Other aspects of the processing may be reflected in the ResultMinor element. The resultminor:valid:signature:OnAllDocuments constant ensures that a valid signature was produced for all documents (even if there is just the hash of a single document, as we supplied it with our sample request).
As the result represents a successful call to the server, we can now start to retrieve the created signature! The CMS standard uses ASN.1 encoding, so the signature needs to be Base64 encoded. So let's take a look at the SignatureObject element: it contains the signature within the Base64Signature element.
```xml
<dss:SignResponse xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" Profile="">
  <dss:Result>
    <dss:ResultMajor>urn:oasis:names:tc:dss:1.0:resultmajor:Success</dss:ResultMajor>
    <dss:ResultMinor>urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments</dss:ResultMinor>
    <dss:ResultMessage xml:lang="en"/>
  </dss:Result>
  <dss:SignatureObject>
    <dss:Base64Signature>
MIAGCSqGSIb3DQEHAqCAMIIRdQIBATEPMA0GCWCGSAFlAwQCAQUAMAsGCSqGSIb3
DQEHAaCCD74wggWAMIIEaKADAgECAgkAriOsm0HbWzYwDQYJKoZIhvcNAQEFBQAw
[...]
DQEBAQUABEA3YkuiPSDVaAhaAza49UTKZFO6azBoeECls6LSStNJD0GtcqATY/HO
DZWtCGVc0LCc5QRlBOc54ZrVGp6MUVa0AAAAAA==
    </dss:Base64Signature>
  </dss:SignatureObject>
</dss:SignResponse>
```
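The request and response walked through above, as an added client-side example (not code from the original guide or from any DSS implementation): it hashes the document locally, builds the SignRequest with the page's namespaces and URNs, and then checks a SignResponse the way the text recommends, refusing to hand out the signature unless both ResultMajor and ResultMinor carry the expected values and the decoded blob really is a CMS SignedData structure. The SAMPLE_RESPONSE is constructed from the page's response with the signature cut to its first bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
SHA1_URI = "http://www.w3.org/2000/09/xmldsig#sha1"
CMS_TYPE = "urn:ietf:rfc:3369"
SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
VALID_ON_ALL = "urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments"
# DER prefix of a CMS ContentInfo whose contentType is id-signedData (1.2.840.113549.1.7.2)
SIGNED_DATA_PREFIX = bytes.fromhex("308006092a864886f70d010702")
ET.register_namespace("dss", DSS)
ET.register_namespace("ds", DS)


def build_sign_request(document: bytes) -> str:
    """Hash the document locally and wrap the digest in a detached-CMS SignRequest."""
    # SHA-1 mirrors the page's sample request; new deployments should use SHA-256.
    digest_b64 = base64.b64encode(hashlib.sha1(document).digest()).decode()
    req = ET.Element(f"{{{DSS}}}SignRequest")
    doc_hash = ET.SubElement(ET.SubElement(req, f"{{{DSS}}}InputDocuments"), f"{{{DSS}}}DocumentHash")
    ET.SubElement(doc_hash, f"{{{DS}}}DigestMethod", Algorithm=SHA1_URI)
    ET.SubElement(doc_hash, f"{{{DS}}}DigestValue").text = digest_b64
    opts = ET.SubElement(req, f"{{{DSS}}}OptionalInputs")
    ET.SubElement(opts, f"{{{DSS}}}SignatureType").text = CMS_TYPE
    return ET.tostring(req, encoding="unicode")


def extract_signature(response_xml: str) -> bytes:
    """Return the decoded CMS blob after checking ResultMajor AND ResultMinor."""
    root = ET.fromstring(response_xml)
    ns = {"dss": DSS}
    major = root.findtext("dss:Result/dss:ResultMajor", namespaces=ns)
    minor = root.findtext("dss:Result/dss:ResultMinor", namespaces=ns)
    if major != SUCCESS:  # technical processing failed
        raise ValueError(f"DSS request failed: {major}")
    if minor != VALID_ON_ALL:  # processed, but not every input document got a valid signature
        raise ValueError(f"signature not valid on all documents: {minor}")
    b64 = root.findtext("dss:SignatureObject/dss:Base64Signature", namespaces=ns) or ""
    blob = base64.b64decode("".join(b64.split()))  # servers wrap the Base64 over several lines
    if not blob.startswith(SIGNED_DATA_PREFIX):
        raise ValueError("Base64Signature does not carry a CMS SignedData structure")
    return blob


# Constructed sample: the page's SignResponse with the signature cut to its first 15 bytes.
SAMPLE_RESPONSE = f"""<dss:SignResponse xmlns:dss="{DSS}" Profile=""><dss:Result>
<dss:ResultMajor>{SUCCESS}</dss:ResultMajor><dss:ResultMinor>{VALID_ON_ALL}</dss:ResultMinor>
<dss:ResultMessage xml:lang="en"/></dss:Result><dss:SignatureObject><dss:Base64Signature>
MIAGCSqGSIb3DQEHAqCA
</dss:Base64Signature></dss:SignatureObject></dss:SignResponse>"""
```

`extract_signature` only vets the envelope; the returned blob still has to go to a CMS verifier that checks the signer certificate and the signed digest against the document.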
...