XML Digital Signatures

Article
10/19/2016

Applies To: Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server Technical Preview, Windows Vista

When authentication is requested for an HTTP message (introduced in MSMQ 3.0) or a multicast message, which is also sent in SRMP (introduced in MSMQ 3.0), Message Queuing automatically signs it using an XML digital signature. For information on Digital Signatures, see Digital Signatures.

An XML digital signature consists of a <Signature> entry that contains exactly one <SignedInfo> element and exactly one <SignatureValue> subelement and is inserted into the header portion of the SOAP envelope of the SRMP message. The <SignedInfo> element contains exactly one <SignatureMethod> subelement and 0 to 2 <Reference> elements. Each <Reference> element in turn contains exactly one <DigestMethod> subelement and exactly one <DigestValue> subelement.

The <DigestMethod> element includes the hashing algorithm specified in the hashing algorithm property (PROPID_M_HASH_ALGor MSMQMessage.HashAlgorithm) of the message. The default digest method is the SHA1 algorithm.

The <DigestValue> element contains a hash value based on a single message property preceded by a keyword indicating the message property used to calculate it with the hashing algorithm specified in the <DigestMethod> element. Only the body property (PROPID_M_BODY or MSMQMessage.Body) and the extension property (PROPID_M_EXTENSION or MSMQMessage.Extension) are used to calculate digest values in <Reference> elements. If the body property or the extension property does not exist, the applicable <Reference> element is omitted. Each digest value is calculated directly from the applicable binary property.

The value in the <SignatureValue> element is calculated by hashing the data in the <SignedInfo> element using the SHA1 hashing algorithm, encrypting the hash with the user's private key (which corresponds to the public key in the certificate attached to the message), and converting the result to Base64 encoding.

Note

All values in the XML digital signature (the digest values and the signature value) are Base64-encoded. The size of an XML digital signature varies according to the number of references.

XML Digital Signature with One <Reference> Element

The following is an example of an XML digital signature with one <Reference> element.

<Signature xmlns="http://www.w3.org/2000/02/xmldsig#">  
  <SignedInfo>  
    <SignatureMethod Algorithm="http://www.w3.org/2000/02/xmldsig#dsa"></SignatureMethod>  
    <Reference URI="cid:body@f6a3323c-7c7b-4a5f-b0ed-b3f63a200893">  
      <DigestMethod Algorithm="http://www.w3.org/2000/02/xmldsig#sha1"></DigestMethod>  
      <DigestValue>XU9yAzfwEPuP7L5iOcQY9XRNEWM=</DigestValue>  
    </Reference>  
  </SignedInfo>  
  <SignatureValue>ZxvFMInWLSb1+iNj5xA/OhPHE4uzIx4nXOCmoOyGSSyHWEuODsByooS00j9RsMuGN/FmpEEOgJ1NFCBEDaBAag==</SignatureValue>  
</Signature>

XML Digital Signatures

XML Digital Signature with One <Reference> Element

See Also

Additional resources