As we mentioned previously, when reading about or discussing XML Signature, you will often hear about three different types of XML Signatures: Enveloping, Enveloped, and Detached. In the next three sections, we describe each of these signature types and show you how they work.

An Enveloping Signature wraps the item that is being signed, as shown in Figure 4.1. Later, we discuss specifically how this is done, but for now suffice it to say that the reference is to an XML element within the Signature element itself. The following simplified example in Listing 4.3 shows what an Enveloping Signature might look like (notice that the URI points to an item within the Signature Object element):

Listing 4.3 A Simplified Enveloping Signature

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="#111" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
 <Object>
   <SignedItem id="111">Stuff to be signed</SignedItem>
 </Object>
</Signature>

Figure 4.1  Structure of an Enveloping Signature.

In an Enveloped Signature, the reference points to a parent XML element, as shown in Figure 4.2. The following simplified example in Listing 4.4 shows what an Enveloped Signature might look like (notice that the Reference is to an element that is a parent of the Signature):

Listing 4.4 A Simplified Enveloped Signature

<PurchaseOrder id="po1">
 <SKU>125356</SKU>
 <Quantity>17</Quantity>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <Reference URI="#po1" />
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>...</KeyInfo>
 </Signature>
</PurchaseOrder>

Figure 4.2  Structure of an Enveloped Signature.

Finally, a Detached Signature points to an XML element or binary file outside the Signature element's hierarchy. In other words, the item being pointed to is neither a child (Enveloping Signature) nor a parent (Enveloped Signature) of the Signature element. Therefore, a Detached Signature could point to an element within the same document, as shown in Figure 4.3, or to a another resource completely outside the current XML document, as shown in Figure 4.4. The following example in Listing 4.5 of a Detached Signature points to another XML element within the same XML document but is not an ancestor or child of the Signature:

Listing 4.5 Structure of a Detached Signature

<PurchaseOrderDocument>
 <PurchaseOrder id="po1">
  <SKU>12366</SKU>
  <Quantity>17</SKU>
 </PurchaseOrder>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="#po1" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
</Signature>

Figure 4.3 Structure of a Detached Signature within the same
XML document.

A Detached Signature can also point to an external resource such as another XML document, a node in another XML document, a text file, or generally any type of resource that can be referenced by a URI, as shown in Figure 4.4. The following simplified example in Listing 4.6 of a Detached Signature points to a JPEG file:

Listing 4.6 A Detached Signature of an External JPEG File

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
 <SignedInfo>
  <Reference URI="http://www.foo.com/picture.jpg" />
 </SignedInfo>
 <SignatureValue>...</SignatureValue>
 <KeyInfo>...</KeyInfo>
</Signature>

Figure 4.4  Structure of Detached Signature referencing an
external resource.

Even though these are often called signature types, even in the XML Signature specification, they are really about references. It would be more accurate to describe them as Enveloping Reference, Enveloped Reference, and Detached Reference. Then the next statement becomes more understandable. An XML Signature can be enveloping, enveloped, and detached all at the same time! This means that the Signature element can contain more than one Reference element, and a Reference element can be enveloping, enveloped, or detached.

We wanted to give you the highest level overview of XML Signature and emphasize that XML Signature is mostly just one or more pointers (references) that can point to XML elements, internal or external to the Signature itself, or to an external resource. These pointers are dereferenced and grouped together; then they go through a signature process resulting in a signature. All of this—the pointers, the signature itself, and, optionally, the key information to validate the signature—goes into an XML Signature element.

Now let's go to the next level of detail and explore the different aspects of the Signature element.

This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today. Buy this book now.