I have an XML document with a structure similar to the following:

<envelop>
    <header>blaa</header>
    <message>blaa blaa</message>
    <footer></footer>
</envelop>

I want to digitally sign the header and message elements and add the signature to the footer element.

How can I sign the elements and then later verify the signature (using .NET C#)?

+2  A: 

Read this: http://msdn.microsoft.com/en-us/library/ms229745.aspx

joe
The link explains how you can sign the entire document (setting the Uri property to ""). How can I extend this to partially sign elements of the XML, and then later verify the signature?
Eros
A: 

A quick and dirty way is to concatenate the elements and calculate some hash, e.g. an MD5 sum of them. Then put the hash in the footer element. It's not a real signature of course, but it prevents average people from tampering with the data.

Joonas Pulakka
+2  A: 

You should be able to add an XPath-Transform to the Signature. It should look something like this:

<Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
  <XPath xmlns:dsig="&dsig;">
  ...
  </XPath>
</Transform>

I am not fluent in XPath, but it should be easy to formulate an XPath expression that excludes the footer element. (But note that XPath is an optional part of XML-DSIG, so not all implementations may support it.)

Alternatively, if you could restructure your document to be

<envelop>
  <header>blaa</header>
  <message>blaa blaa</message>
  <Signature></Signature>
</envelop>

or

<envelop>
  <signedEnvelope>
    <header>blaa</header>
    <message>blaa blaa</message>
  </signedEnvelope>
  <Signature></Signature>
</envelop>

you could handle it by using an Enveloped Signature Transform (first case) or by signing the signedEnvelope element (second case).

Rasmus Faber
Hi Rasmus, I don't have the option to restructure the XML, as the format is decided by a third-party app. I will look into the XPath transformation. Thanks
Eros
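Eros's follow-up is how to go from signing the whole document (Uri "") to signing only header and message when the format cannot be restructured. As an added example (not code from this thread or from the linked MSDN article): XML-DSIG's normal tool for signing parts is one Reference per element, and since the third-party format has no Id attributes for those references to point at, the SignedXml subclass below (EnvelopSignedXml, a name I chose) overrides GetIdElement to resolve "#header" and "#message" to the fixed children of envelop; the Signature is then stored in footer and verified against a key the verifier already trusts. It assumes .NET Framework 4.6.2+ or .NET Core 3.0+/.NET 5+ (SHA-256 URL constants, C# 8 `using var`) and avoids the XPath transform, which not every DSIG implementation accepts.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
// Assumed: the third-party format has no Id attributes, so "#header"/"#message" resolve to fixed children of <envelop>.
sealed class EnvelopSignedXml : SignedXml
{
    public EnvelopSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument document, string idValue) =>
        idValue == "header" || idValue == "message"
            ? document.SelectSingleNode("/envelop/" + idValue) as XmlElement
            : base.GetIdElement(document, idValue);
}
static class EnvelopSigner
{
    // Signs <header> and <message> (one Reference each) and stores the Signature inside <footer>.
    public static void Sign(XmlDocument doc, RSA signingKey)
    {
        var signedXml = new EnvelopSignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        foreach (string name in new[] { "header", "message" })
            signedXml.AddReference(new Reference("#" + name) { DigestMethod = SignedXml.XmlDsigSHA256Url });
        signedXml.ComputeSignature();
        doc.SelectSingleNode("/envelop/footer").AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }
    // Verifies with a key the caller already trusts; any KeyInfo inside the document is deliberately ignored.
    public static bool Verify(XmlDocument doc, RSA trustedKey)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;
        var signedXml = new EnvelopSignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);
        var uris = new HashSet<string>();   // a valid signature over other references proves nothing here
        foreach (Reference r in signedXml.SignedInfo.References) uris.Add(r.Uri);
        if (!uris.SetEquals(new[] { "#header", "#message" })) return false;
        return signedXml.CheckSignature(trustedKey);   // re-digests both elements, then checks SignatureValue
    }
    public static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };   // constructed sample, same shape as the question
        doc.LoadXml("<envelop><header>blaa</header><message>blaa blaa</message><footer></footer></envelop>");
        using var rsa = new RSACryptoServiceProvider(2048);
        Sign(doc, rsa);
        Console.WriteLine("verify: " + Verify(doc, rsa));
        doc.SelectSingleNode("/envelop/message").InnerText = "tampered";
        Console.WriteLine("after tamper: " + Verify(doc, rsa));
    }
}
```

The same subclass must be used on both sides, since the verifier resolves the "#header" and "#message" references through the override too; the reference-URI check keeps a signature that covers something else from being accepted as a signature over these two elements.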
A: 

Why not follow the W3C recommendation for XML signing, http://www.w3.org/2000/09/xmldsig# ? It has a basic structure:

<Signature>
   <SignedInfo>
      <SignatureMethod />
      <CanonicalizationMethod />
      <Reference>
         <Transforms />
         <DigestMethod />
         <DigestValue />
      </Reference>
      <Reference /> etc.
   </SignedInfo>
   <SignatureValue />
   <KeyInfo />
   <Object />
</Signature>

If you want more advanced features, read about XAdES; I think it's available in C#.

Vexatus
A: 

You can use our XMLBlackbox, which provides support for digital signing and verification, including XAdES (quite complex technology, I must say).

Eugene Mayevski 'EldoS Corp