Question: I see that SC14N supports Canonical XML Version 1.0 (REC-xml-c14n-20010315) but I am required to use support for Canonical XML Version 1.1 (xml-c14n11) in my application. Can I use your SC14N to do this?
Answer: Yes, with certain restrictions.
c14n11 [XML-C14N11] is identical to the older xml-c14n-20010315 unless the XML document uses xml:id or xml:base URI path processing.
So, if your document does not use either xml:id or xml:base, then you can "pretend" to use the <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/> but actually just use the SC14N default transformation algorithm Sc14n.TranMethod.Inclusive as if it were the standard xml-c14n method.
If your document does use either of these, then sorry, but we don't support it. But, honestly, they are very rare.
<Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
Note that the document does not use xml:id or xml:base, so we can write http://www.w3.org/2006/12/xml-c14n11 as the algorithm, but then process it using the standard Inclusive algorithm with SC14N.
<?xml version="1.0" encoding="utf-8"?>
<q1:Message xmlns:q1="http://example.com/q1" xmlns:head="http://example.com/head">
<q1:AppHdr>
<head:SomeElements />
<head:Sgntr>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>aoXHZ1uyrOwj5xCk+Vv6Jn3oD0VIaJ2WuUOrFc9u0vU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>@!SIGVAL!@</SignatureValue>
<KeyInfo>
<KeyValue><!-- needed for https://di-mgt.com.au/xmldsig-verifier.html otherwise omit -->
<RSAKeyValue>
<Modulus>@!RSA-MOD!@</Modulus>
<Exponent>@!RSA-EXP!@</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>@!X509-CERT!@</X509Certificate>
<X509SubjectName>@!X509-SUBJECTNAME!@</X509SubjectName>
<X509IssuerSerial>
<X509IssuerName>@!X509-ISSUERNAME!@</X509IssuerName>
<X509SerialNumber>@!X509-SERIALNUMBER!@</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</KeyInfo>
</Signature>
</head:Sgntr>
</q1:AppHdr>
<q1:OtherElements>
</q1:OtherElements>
</q1:Message>
(The elements containing content like @!SIGVAL!@ are placeholders to be filled in once the signing process has been done.)
> sc14n -d --sha256 -x "Signature" wt-example-base.xml
aoXHZ1uyrOwj5xCk+Vv6Jn3oD0VIaJ2WuUOrFc9u0vU=
and the SHA-256 digest to be input to the RSA signing operation is computed over the (completed) SignedInfo element in default inclusive mode.
> sc14n -d --sha256 -s "SignedInfo" wt-example-inter.xml
h+QbSEwIQ6/+Fx+O2uAQmrPFuVz2la+B5jd9ZEOyaJQ=
The final signed document is here: example-signed.xml. This verifies at the XML Digital Signature Verifier.
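A pre-check for the restriction described in the answer, as an added example that is not part of the original page or of SC14N: it reports whether a document declares the c14n11 URI and whether any element carries xml:id or xml:base. The function names and the two sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

XML_NS = "http://www.w3.org/XML/1998/namespace"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N11 = "http://www.w3.org/2006/12/xml-c14n11"
# The two attributes the page names as the cases where c14n11 differs from c14n 1.0.
SENSITIVE = {f"{{{XML_NS}}}id": "xml:id", f"{{{XML_NS}}}base": "xml:base"}


def c14n11_findings(xml_text):
    """Return (declares_c14n11, hits); hits is a list of (element tag, attribute name)."""
    root = ET.fromstring(xml_text)
    # Does any Transform or CanonicalizationMethod name the c14n11 URI?
    declares = any(
        el.get("Algorithm") == C14N11
        for tag in ("Transform", "CanonicalizationMethod")
        for el in root.iter(f"{{{DSIG_NS}}}{tag}")
    )
    # ElementTree exposes xml:id / xml:base as {XML_NS}id / {XML_NS}base.
    hits = [
        (el.tag, SENSITIVE[name])
        for el in root.iter()
        for name in el.attrib
        if name in SENSITIVE
    ]
    return declares, hits


def safe_to_treat_as_c14n10(xml_text):
    """True when the inclusive 1.0 method can stand in for a declared c14n11."""
    _, hits = c14n11_findings(xml_text)
    return not hits


# Constructed samples: a cut-down form of the template above, and a variant with xml:id.
PLAIN = """<q1:Message xmlns:q1="http://example.com/q1">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI=""><Transforms>
<Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>
</Transforms></Reference></SignedInfo></Signature>
<q1:OtherElements/>
</q1:Message>"""
WITH_ID = PLAIN.replace("<q1:OtherElements/>", '<q1:OtherElements xml:id="body1"/>')

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("with xml:id", WITH_ID)):
        declares, hits = c14n11_findings(doc)
        print(label, "declares c14n11:", declares, "hits:", hits,
              "ok as c14n 1.0:", safe_to_treat_as_c14n10(doc))
```

Running the check before both signing and verifying keeps the two sides consistent: a document that fails it should be rejected rather than processed with the Inclusive method.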
This page last updated 10 September 2025