QuickStartDSS

DSS Quickstart Guide

The simple Start: Requesting a CMS Signature

SignRequest for a prehashed document

The DSS core schema, with all the schema definitions it refers to, may give the impression that making a simple signing call with the DSS specification is a complex task. But that's not the case! Simple tasks can be done with just a few lines of XML. Let's start with a request for a detached signature using the good old PKCS7 standard. The enclosing element is the SignRequest from the DSS core namespace. The input document to be signed was already hashed, so the InputDocuments element includes the DocumentHash element with its descendants DigestMethod and DigestValue. Please note: both of these tags are defined in the XMLDSig namespace.
To be independent of the server's default settings, we added an OptionalInputs element to explicitly define the type of signature, in this case urn:ietf:rfc:3369 (RFC 3369), the slightly outdated uniform resource name for the PKCS7 / CMS family of signatures.
  

 

CMS Signing Request
<dss:SignRequest
xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 
<dss:InputDocuments>
<dss:DocumentHash>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>In6GUzH+gMFR5q4WpUTyPa+1b4s=</ds:DigestValue>
</dss:DocumentHash>
</dss:InputDocuments>
<dss:OptionalInputs>
<dss:SignatureType>urn:ietf:rfc:3369</dss:SignatureType>
</dss:OptionalInputs>
</dss:SignRequest>


 That's all you have to do to successfully request a signature from a DSS compliant server!
Now let's see what the server's response looks like …

The CMS Response

The returned structure is encapsulated in a SignResponse element from the DSS core namespace. This element hosts the Result element, which describes the outcome of the DSS request. The first item to check is the value of the ResultMajor element. The resultmajor:Success constant (from the DSS namespace) signals successful processing of the request. But beware, the ResultMajor element only has the scope of technical processing. Other aspects of the processing may be reflected in the ResultMinor element. The resultminor:valid:signature:OnAllDocuments constant ensures that all documents (even if there is just a hash of a single document, as we supplied it with our sample request).
As the result represents a successful call to the server, we can now start to retrieve the created signature! The CMS standard uses a binary ASN.1 encoding, so the signature needs to be Base64 encoded to be carried inside the XML response. So let's take a look at the SignatureObject element: it contains the signature within the Base64Signature element.
 

 

CMS Signing Response
<dss:SignResponse 
 xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
 Profile="" > 
 <dss:Result>
 <dss:ResultMajor>urn:oasis:names:tc:dss:1.0:resultmajor:Success</dss:ResultMajor>
 <dss:ResultMinor>urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments</dss:ResultMinor>
 <dss:ResultMessage xml:lang="en" />
 </dss:Result> 
 <dss:SignatureObject> 
 <dss:Base64Signature>
 MIAGCSqGSIb3DQEHAqCAMIIRdQIBATEPMA0GCWCGSAFlAwQCAQUAMAsGCSqGSIb3
 DQEHAaCCD74wggWAMIIEaKADAgECAgkAriOsm0HbWzYwDQYJKoZIhvcNAQEFBQAw
 [...]
 DQEBAQUABEA3YkuiPSDVaAhaAza49UTKZFO6azBoeECls6LSStNJD0GtcqATY/HO
 DZWtCGVc0LCc5QRlBOc54ZrVGp6MUVa0AAAAAA==
 </dss:Base64Signature>
 </dss:SignatureObject>
 </dss:SignResponse> 
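
The request and response handling described above, as an added Python example that is not part of the original guide or of any DSS toolkit: it hashes a document locally, builds the SignRequest shown earlier, and only returns the CMS bytes when ResultMajor reports Success. The function names and the SHA-256 option are assumptions made for this sketch; the SHA-1 URI and the element names are the ones used on this page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Added example: function names are illustrative, not from any DSS toolkit.
DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
# sha1 is the digest URI used on this page; sha256 is the XML Encryption URI.
DIGESTS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}


def build_sign_request(document: bytes, digest: str = "sha1") -> bytes:
    """Hash the document locally and wrap the digest in a CMS SignRequest."""
    ET.register_namespace("dss", DSS)
    ET.register_namespace("ds", DS)
    req = ET.Element(f"{{{DSS}}}SignRequest")
    docs = ET.SubElement(req, f"{{{DSS}}}InputDocuments")
    doc_hash = ET.SubElement(docs, f"{{{DSS}}}DocumentHash")
    ET.SubElement(doc_hash, f"{{{DS}}}DigestMethod", Algorithm=DIGESTS[digest])
    value = ET.SubElement(doc_hash, f"{{{DS}}}DigestValue")
    value.text = base64.b64encode(hashlib.new(digest, document).digest()).decode()
    opt = ET.SubElement(req, f"{{{DSS}}}OptionalInputs")
    ET.SubElement(opt, f"{{{DSS}}}SignatureType").text = "urn:ietf:rfc:3369"
    return ET.tostring(req)


def extract_cms_signature(response: bytes) -> bytes:
    """Return the DER-encoded CMS bytes, or raise if the call did not succeed."""
    if b"<!DOCTYPE" in response:  # a SignResponse needs no DTD; refuse it outright
        raise ValueError("DOCTYPE not allowed in SignResponse")
    root = ET.fromstring(response)
    if root.tag != f"{{{DSS}}}SignResponse":
        raise ValueError(f"unexpected root element {root.tag}")
    major = root.findtext(f"{{{DSS}}}Result/{{{DSS}}}ResultMajor", default="").strip()
    if major != SUCCESS:
        minor = root.findtext(f"{{{DSS}}}Result/{{{DSS}}}ResultMinor", default="")
        raise RuntimeError(f"signing failed: major={major!r} minor={minor!r}")
    b64 = root.findtext(f"{{{DSS}}}SignatureObject/{{{DSS}}}Base64Signature")
    if not b64 or not b64.strip():
        raise ValueError("Success reported but no Base64Signature present")
    # Line breaks inside the element are layout only; strip them, then decode strictly.
    return base64.b64decode("".join(b64.split()), validate=True)
```
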

 

Moving on: Requesting a XMLDSig Signature

SignRequest for a XML document

 

The XMLDSig Response

 

Providing different encoding of the XML document

 

Enveloped vs. Enveloping: Placement of the XML signature

 

SignRequest for a XML document

 

Checking a Signature

 

The verification of a CMS signature

 

Sending a XML signature off for verification