
Using Canonical XML Version 1.1


Question: I see that SC14N supports Canonical XML Version 1.0 (REC-xml-c14n-20010315) but I am required to use support for Canonical XML Version 1.1 (xml-c14n11) in my application. Can I use your SC14N to do this?

Answer: Yes, with certain restrictions.

c14n11 [XML-C14N11] is identical to the older xml-c14n-20010315 unless the XML document uses xml:id or xml:base URI path processing.

So, if your document uses neither xml:id nor xml:base, you can "pretend" to use c14n11: write <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> in the document, but actually process it with the SC14N default transformation algorithm Sc14n.TranMethod.Inclusive, as if it were the standard xml-c14n method.

If your document does use either of these, then sorry, but we don't support it. But, honestly, they are very rare.

Example XML

This example requires the c14n11 transform algorithm at line 13:
<Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
Note that the document does not use xml:id or xml:base, so we can write http://www.w3.org/2006/12/xml-c14n11 as the algorithm, but then process it using the standard Inclusive algorithm with SC14N.

<?xml version="1.0" encoding="utf-8"?>
<q1:Message xmlns:q1="http://example.com/q1" xmlns:head="http://example.com/head">
<q1:AppHdr>
<head:SomeElements />
<head:Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>aoXHZ1uyrOwj5xCk+Vv6Jn3oD0VIaJ2WuUOrFc9u0vU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>@!SIGVAL!@</SignatureValue>
<KeyInfo>
<KeyValue><!-- needed for https://di-mgt.com.au/xmldsig-verifier.html otherwise omit -->
<RSAKeyValue>
<Modulus>@!RSA-MOD!@</Modulus>
<Exponent>@!RSA-EXP!@</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>@!X509-CERT!@</X509Certificate>
<X509SubjectName>@!X509-SUBJECTNAME!@</X509SubjectName>
<X509IssuerSerial>
<X509IssuerName>@!X509-ISSUERNAME!@</X509IssuerName>
<X509SerialNumber>@!X509-SERIALNUMBER!@</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</KeyInfo>
</Signature>
</head:Sgntr>
</q1:AppHdr>
<q1:OtherElements>
</q1:OtherElements>
</q1:Message>

(The elements containing content like @!SIGVAL!@ are placeholders to be filled in once the signing process has been done.)

As per standard XML-DSIG procedure, the DigestValue at line 17 is computed over the entire document excluding the Signature element:
> sc14n -d --sha256 -x "Signature" wt-example-base.xml
aoXHZ1uyrOwj5xCk+Vv6Jn3oD0VIaJ2WuUOrFc9u0vU=
and the SHA-256 digest to be input to the RSA signing operation is computed over the (completed) SignedInfo element in default inclusive mode:
> sc14n -d --sha256 -s "SignedInfo" wt-example-inter.xml
h+QbSEwIQ6/+Fx+O2uAQmrPFuVz2la+B5jd9ZEOyaJQ=

The final signed document is here: example-signed.xml. This verifies at the XML Digital Signature Verifier.
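
A pre-flight check for the xml:id / xml:base restriction described above, as an added example that is not part of SC14N or of the original page: it scans a document for those two attributes and reports whether plain inclusive C14N 1.0 can stand in for the c14n11 transform. The function names and both sample documents are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"
# Attributes the page names as the only cases where c14n11 differs from C14N 1.0.
SENSITIVE = {f"{{{XML_NS}}}id": "xml:id", f"{{{XML_NS}}}base": "xml:base"}


def find_c14n11_sensitive_attrs(xml_bytes):
    """Return (element tag, attribute) for each xml:id / xml:base in the document."""
    hits = []
    # "start" events are enough: attributes are already populated when an element opens.
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("start",)):
        for name in elem.attrib:
            if name in SENSITIVE:
                hits.append((elem.tag, SENSITIVE[name]))
    return hits


def can_substitute_inclusive(xml_bytes):
    """True if plain inclusive C14N 1.0 may stand in for the c14n11 transform."""
    return not find_c14n11_sensitive_attrs(xml_bytes)


# Constructed sample: an unprefixed Id attribute is NOT xml:id and must not trigger.
SAFE_DOC = b"""<q1:Message xmlns:q1="http://example.com/q1">
<q1:AppHdr Id="hdr-1"/>
<q1:OtherElements/>
</q1:Message>"""

# Constructed sample: uses both attributes, so the substitution is not valid.
UNSAFE_DOC = b"""<q1:Message xmlns:q1="http://example.com/q1" xml:base="http://example.com/base/">
<q1:OtherElements xml:id="body-1"/>
</q1:Message>"""

if __name__ == "__main__":
    for label, doc in (("SAFE_DOC", SAFE_DOC), ("UNSAFE_DOC", UNSAFE_DOC)):
        hits = find_c14n11_sensitive_attrs(doc)
        print(label, "OK to use inclusive C14N 1.0" if not hits else f"refuse: {hits}")
```

Run the check on the exact bytes that will be signed, and fail the signing job when it reports a hit rather than producing a signature that a strict c14n11 verifier would reject.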


This page last updated 10 September 2025
