Code Signing

How to Sign XML Files?

Reading Time : 4 minutes

XML signing is a process that involves adding a digital signature to an XML document to ensure its integrity, authenticity, and non-repudiation. By applying a digital signature to an XML document, the signer attests to the authenticity and integrity of the data, making it possible to verify the document’s origin and ensure that it has not been altered during transit or storage.

The digital signature is created using asymmetric encryption techniques, typically based on public-key infrastructure (PKI). The signer generates a private key that is kept securely and a corresponding public key that can be shared with others. The private key is used to encrypt a hash or digest of the XML document, creating the digital signature. The encrypted digest serves as a unique representation of the data and is appended to the XML document.

XML signing is crucial in various domains, including e-commerce, electronic invoicing, supply chain management, and government applications. It enables secure electronic document exchanges, establishes the authenticity of data, and ensures non-repudiation, meaning that the signer cannot later deny their involvement or the integrity of the document.

An Overview of the XML signing process:

  1. A suitable cryptographic algorithm, such as RSA, DSA, or ECDSA, is chosen by the XML signer to produce the digital signature.
  2. The XML document to be signed is prepared. This involves ensuring that the document adheres to the required XML syntax and structure.
  3. XML canonicalization is applied to the document, which ensures that any variations in whitespace, attribute order, or namespace prefixes do not affect the validity of the signature. Canonicalization produces a standardized form of the XML document for signing.
  4. A digest, also known as a hash, is calculated over the canonicalized XML document. The digest serves as a unique fingerprint of the document and is used in the signing process.
  5. The digest is encrypted with the private key of the signer, creating the digital signature. The private key is kept securely by the signer and should not be accessible to unauthorized parties.
  6. The digital signature is inserted into the XML document, typically as an additional element or attribute. This allows the signature to be associated with the signed data.

Encryption Consulting has a CodeSigning solution, “CodeSign Secure,” which can help you with tamper-proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Within this solution we offer a utility tool, XML Signer, which can sign XML files. The steps listed below will assist you with using our tool with ease.

Prerequisite

In order to use XML Signer, the users must first set environment variables for the SSL Client Authentication Certificate path and certificate password. Ask the Encryption Consulting team if you don’t already have it.

Note: SSL Client Authentication Certificate should be in the PKCS12 format (.p12 or .pfx)

Execute the below commands to set environment variables:

Mac or Linux

$ export SIGNER_SSL_CERT_PFX=path_to_ssl_certificate $ export SIGNER_SSL_CERT_PFX_PASS=your_client_certificate_password

Windows

$ set SIGNER_SSL_CERT_PFX=path_to_ssl_certificate $ set SIGNER_SSL_CERT_PFX_PASS=your_client_certificate_password

How to use the XML Signer utility?

Get the version of the XML Signer Utility

Execute the below command

Mac or Linux

$./xmlsigner -v

Windows

$ xmlsigner.exe -v

Get the help of the XML Signer Utility

Execute the below command

Mac or Linux

$./xmlsigner -h or $./xmlsigner --help

Windows

$ xmlsigner.exe -h or $ xmlsigner.exe --help

Sign an XML Document

The Signer utility will generate the signed document with the same name with the postfix “_signed”

Use the sign subcommand to sign an XML document

./xmlsigner -S <file_to_be_signed> -u <user_name> -k <key_name> -a <algorithm> -c <key_certificate> -q

-S: XML document to be signed.

-u: User name. A user name on Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.

-k: Key/certificate name for signing/verification provided by Encryption Consulting server. Ask the Encryption Consulting team if you don’t already have it.

-a: Algorithm to be used for signing. One of the following options should be used:

  • SHA224
  • SHA256 (Default)
  • SHA384
  • SHA512

If the Algorithm is not provided, it will use SHA256 as a default.

-c: Certificate file provided by Encryption Consulting server.

-q: Execute quietly.

-h: Display help

Examples

Mac or Linux

: ./xmlsigner -h : ./xmlsigner -S file.xml -u admin -k SignCertificateName -a SHA256 -c <path /to/certificate>

Windows

: xmlsigner.exe -h : xmlsigner.exe -S file.xml -u admin -k SignCertificateName -a SHA256 -c <path /to/certificate>

Conclusion

XML signing ensures the integrity, authenticity, and non-repudiation of XML documents. It adds a digital signature that verifies the document’s origin and prevents tampering. XML signing is essential for secure data exchange, fostering trust in electronic transactions and reliable communication. It finds applications in e-commerce, invoicing, supply chain management, and more. By using tools and libraries, the XML signing process is simplified and can be integrated into various environments. To get your hands on our tool which can help you with XML Signing process please contact us on [email protected]

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Surabhi Dahal is a Consultant at Encryption Consulting, working with PKIs, Code Signing Solution and Intune.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo