In an enveloped signature, the signed or to-be-signed data is an XML document and contains the <ds:Signature> element as its child element.
Note: The content of the <ds:Signature> element is excluded from the calculation of the signature value (that is, the content of <ds:SignatureValue>) of an enveloped signature.
The following is an example of an enveloped signature.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Envelope [
  <!ENTITY ds "http://www.w3.org/2000/09/xmldsig#">
  <!ENTITY c14n "http://www.w3.org/TR/2001/REC-xml-c14n-20010315">
  <!ENTITY xpath "http://www.w3.org/TR/1999/REC-xpath-19991116">
  <!ENTITY xslt "http://www.w3.org/TR/1999/REC-xslt-19991116">
  <!ENTITY digest "http://www.w3.org/2000/09/xmldsig#sha1">
]>
<Letter>
  <Return-address>...</Return-address>
  <To>...</To>
  <Message>...</Message>
  <From>
    <ds:Signature xmlns:ds="&ds;">
      <ds:SignedInfo>
        ...
        <ds:Reference URI="">
          <ds:Transforms>
            <ds:Transform Algorithm="&xpath;">
              <XPath xmlns:dsig="&ds;">
                not(ancestor-or-self::dsig:Signature)
              </XPath>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="&digest;"/>
          <ds:DigestValue></ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
    </ds:Signature>
  </From>
  <Attach>...</Attach>
</Letter>
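The data referenced by the <ds:Signature> element, as specified by the URI="" attribute of its <ds:Reference> descendant element, is the entire <Letter> element, including <ds:Signature> itself. The XPath transform not(ancestor-or-self::dsig:Signature) then removes the <ds:Signature> element and its descendants from that data before the digest is computed.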
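The following Python sketch is an added example, not part of the original page. It recomputes the reference digest of an enveloped signature by dropping every ds:Signature subtree (the effect of the XPath filter above) and hashing the canonical form of what remains. Assumptions: the helper names and the sample letter are constructed for illustration, and the standard library's C14N 2.0 canonicalizer stands in for the C14N 1.0 algorithm named by the &c14n; entity, so the digest values will not match those of a conforming XML Signature implementation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = f"{{{DS_NS}}}Signature"

# Constructed sample document (not from the page); {msg}, {dv}, {sv} are filled in below.
TEMPLATE = """<Letter><To>Bob</To><Message>{msg}</Message><From>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:Reference URI=""><ds:DigestValue>{dv}</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>{sv}</ds:SignatureValue></ds:Signature></From></Letter>"""

def letter(msg, dv, sv):
    return TEMPLATE.format(msg=msg, dv=dv, sv=sv)

def strip_signatures(elem):
    """Remove each ds:Signature subtree: not(ancestor-or-self::dsig:Signature)."""
    prev = None
    for child in list(elem):
        if child.tag == SIG_TAG:
            # Text following </ds:Signature> lies outside the subtree, so keep it.
            if prev is None:
                elem.text = (elem.text or "") + (child.tail or "")
            else:
                prev.tail = (prev.tail or "") + (child.tail or "")
            elem.remove(child)
        else:
            strip_signatures(child)
            prev = child

def enveloped_digest(xml_text):
    """Base64 SHA-1 (the page's &digest; algorithm) of the document minus its signature."""
    root = ET.fromstring(xml_text)
    strip_signatures(root)
    # Assumption: stdlib C14N 2.0 used in place of C14N 1.0.
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")

def reference_digest_matches(xml_text):
    """Check ds:DigestValue only; validating ds:SignatureValue over SignedInfo is a separate step."""
    stored = ET.fromstring(xml_text).find(f".//{{{DS_NS}}}DigestValue")
    return stored is not None and (stored.text or "").strip() == enveloped_digest(xml_text)

if __name__ == "__main__":
    digest = enveloped_digest(letter("Pay 100", "", ""))
    signed = letter("Pay 100", digest, "constructed-signature-value")
    print(reference_digest_matches(signed))                             # same signed content
    print(reference_digest_matches(signed.replace("Pay 100", "Pay 900")))  # content altered
```

Filling in ds:DigestValue and ds:SignatureValue after the digest is computed leaves the digest unchanged, while any edit outside ds:Signature changes it.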