© 2009-2010 Samuel Lidén Borell.
This document may be distributed and/or modified freely.
Last updated: 2010-03-23 (minor mobile adaption update 2020-11-17)
Document version: $Id: 08cb95732bce9bca0142928f27391c76f906455e $
FriBID is supposed to be fully compatible with the BankID signature format. The signature format is based on xmldsig, but is always normalized and free from spaces and line-breaks between tags, which makes xmldsig normalization unnecessary.
The bankIdSignedData element is what gets signed. Actually, it's hashed and then the hash value is signed. It's specific to FriBID and BankID. See the template signature below.
Note: Indentation and line-breaks have been added in this template.
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
    <Reference Type="http://www.bankid.com/signature/v1.0.0/types" URI="#bidSignedData">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
      <DigestValue>(Base64 encoded SHA256 sum of the entire bankIdSignedData element)</DigestValue>
    </Reference>
    <Reference URI="#bidKeyInfo">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>
      <DigestValue>(Base64 encoded SHA256 sum of the entire KeyInfo element)</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>(Base64 encoded ISO-SHA1-RSA signature of the entire SignedInfo element)</SignatureValue>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="bidKeyInfo">
    <X509Data>
      <X509Certificate>(this is your personal public certificate in DER format, Base64 encoded)</X509Certificate>
      <X509Certificate>(your CA's certificate)</X509Certificate>
      <X509Certificate>(your CA's CA's certificate, and so on...)</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object>
    <bankIdSignedData xmlns="http://www.bankid.com/signature/v1.0.0/types" Id="bidSignedData">
      <usrVisibleData charset="UTF-8" visible="wysiwys">(Signed message. This element is required when signing, but is never present when authenticating. The message comes from the TextToBeSigned parameter and remains Base64 encoded)</usrVisibleData>
      <usrNonVisibleData>(Identical to usrVisibleData, except that this message is not presented to the user while signing. The message comes from the NonVisibleData parameter and remains Base64 encoded. This element is optional)</usrNonVisibleData>
      <srvInfo>
        <nonce>(Base64 encoded nonce value. This is the Challenge or Nonce parameter from the server)</nonce>
      </srvInfo>
      <clientInfo>
        <funcId>(Identification when authenticating, Signing when signing)</funcId>
        <host>
          <fqdn>(the web server's domain name, for example localhost)</fqdn>
          <ip>(the web server's IP address, for example 127.0.0.1)</ip>
        </host>
        <version>(Base64 encoded version string)</version>
      </clientInfo>
    </bankIdSignedData>
  </Object>
</Signature>
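As an added example (not FriBID's own code, nor part of this document), the Python below assembles a normalized signature from constructed sample values and then re-checks both Reference digests the way a verifier would: since the format carries no whitespace between tags, each referenced element is hashed as the raw byte span from its start tag to its end tag. The certificate bytes and SignatureValue are constructed placeholders; verifying the RSA-SHA1 SignatureValue over SignedInfo is left to a crypto library and is not shown.

```python
import base64
import hashlib
import re

REFERENCED = {"bidSignedData": "bankIdSignedData", "bidKeyInfo": "KeyInfo"}  # Id -> element it names
DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

def digest_b64(element: bytes) -> str:
    """SHA-256 of the raw element bytes, Base64 encoded; no c14n pass, the format is already normalized."""
    return base64.b64encode(hashlib.sha256(element).digest()).decode()

def element_by_id(doc: bytes, name: str, elem_id: str) -> bytes:
    """Raw bytes of <name ... Id="elem_id">...</name>; empty if absent (so the digest check fails)."""
    pat = rb'<%s\b[^>]*\bId="%s"[^>]*>.*?</%s>' % (name.encode(), elem_id.encode(), name.encode())
    m = re.search(pat, doc, re.DOTALL)
    return m.group(0) if m else b""

def build_signature(usr_visible: bytes, nonce: bytes, cert_der: bytes, sig: bytes) -> bytes:
    """Assemble a normalized signature from constructed inputs; caller supplies SignatureValue (no RSA here)."""
    b64 = lambda b: base64.b64encode(b).decode()
    key_info = ('<KeyInfo xmlns="%s" Id="bidKeyInfo"><X509Data><X509Certificate>%s'
                '</X509Certificate></X509Data></KeyInfo>' % (DSIG, b64(cert_der)))
    signed_data = ('<bankIdSignedData xmlns="http://www.bankid.com/signature/v1.0.0/types" Id="bidSignedData">'
                   '<usrVisibleData charset="UTF-8" visible="wysiwys">%s</usrVisibleData>'
                   '<srvInfo><nonce>%s</nonce></srvInfo><clientInfo><funcId>Signing</funcId>'
                   '<host><fqdn>localhost</fqdn><ip>127.0.0.1</ip></host><version>%s</version>'
                   '</clientInfo></bankIdSignedData>' % (b64(usr_visible), b64(nonce), b64(b"FriBID test")))
    ref = ('<Reference%s URI="#%s"><Transforms><Transform Algorithm="' + C14N + '"></Transform></Transforms>'
           '<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod>'
           '<DigestValue>%s</DigestValue></Reference>')
    signed_info = ('<SignedInfo xmlns="%s"><CanonicalizationMethod Algorithm="%s"></CanonicalizationMethod>'
                   '<SignatureMethod Algorithm="%srsa-sha1"></SignatureMethod>' % (DSIG, C14N, DSIG)
                   + ref % (' Type="http://www.bankid.com/signature/v1.0.0/types"', 'bidSignedData', digest_b64(signed_data.encode()))
                   + ref % ('', 'bidKeyInfo', digest_b64(key_info.encode())) + '</SignedInfo>')
    return ('<?xml version="1.0" encoding="UTF-8" standalone="no"?><Signature xmlns="%s">%s'
            '<SignatureValue>%s</SignatureValue>%s<Object>%s</Object></Signature>'
            % (DSIG, signed_info, b64(sig), key_info, signed_data)).encode()

def verify_references(doc: bytes) -> bool:
    """Recompute each Reference digest over the element it points at; both must be present, known, and match."""
    refs = re.findall(rb'<Reference[^>]*URI="#(\w+)"[^>]*>.*?<DigestValue>([^<]*)</DigestValue>', doc, re.DOTALL)
    ok = {}
    for elem_id, expected in refs:
        name = REFERENCED.get(elem_id.decode())
        if name is None:  # a Reference to an element the format does not define is rejected outright
            return False
        ok[elem_id.decode()] = digest_b64(element_by_id(doc, name, elem_id.decode())) == expected.decode()
    return set(ok) == set(REFERENCED) and all(ok.values())
```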