XML::Compile::WSS::Signature - WSS Signatures


   is a XML::Compile::WSS


WARNING: Only limited real-life experience. Many optional extensions have never been tried.

 # You may need a few constants
 use XML::Compile::WSS::Util  qw/:dsig/;
 use XML::Compile::C14N::Util qw/:c14n/;

 # This modules van be used "stand-alone" ...
 my $schema = XML::Compile::Cache->new(...);
 my $sig    = XML::Compile::WSS::Signature->new
   (sign_method => DSIG_RSA_SHA1, ...);

 # ... or as SOAP slave (strict order of object creation!)
 my $wss    = XML::Compile::SOAP::WSS->new;
 my $wsdl   = XML::Compile::WSDL11->new($wsdlfn);
 my $sig    = $wss->signature(sign_method => ...);


The generic Web Service Security protocol is implemented by the super class XML::Compile::WSS. This extension implements cypto signatures.

On this moment, there are two versions of this standard:



One or more elements of a (SOAP) document can be selected to be signed. They are canonalized (serialized in a well-described way) and then digested (usually via SHA1). The digest is put in a SignedInfo component of the Signature element in the Security header. When all digests are in place, the whole SignedInfo structure gets signed.

Extends "DESCRIPTION" in XML::Compile::WSS.


Many companies use their own selection from a large the pile of standards for this feature. Some of the resulting limitations are known by the author:

  • digests

    Only digest algorithms which are provided via the Digest module are supported for the elements to be signed. (But that's quite a lot)

  • signatures

    Only a limited subset of signing (algorithm, hash) combinations are supported. Lower on this page, you find details about each of the provided signing implementations.


Extends "METHODS" in XML::Compile::WSS.


Extends "Constructors" in XML::Compile::WSS.


The %options you provide here, will will passed to various objects which are created automatially. But you may also give pre-instantiated objects, for instance when you decide to use your own extension on a certain spot.

 -Option      --Defined in       --Default
  checker                          undef
  key_info                         {}
  prepare       XML::Compile::WSS  'ALL'
  remote_token                     undef
  schema        XML::Compile::WSS  undef
  sign_types                       <required>
  signed_info                      {}
  signer                           DSIG_RSA_SHA1
  token                            <depends on sign_method>
  version       XML::Compile::WSS  undef
  wss_version   XML::Compile::WSS  '1.1'

The signer object with server information, anything what is accepted by XML::Compile::WSS::Sign::fromConfig(). When provided, we do not need to collect the information from the incoming messages.

key_info => HASH

Read XML::Compile::WSS::KeyInfo::new()

prepare => 'READER'|'WRITER'|'ALL'|'NONE'
remote_token => OBJECT|HASH|FILENAME

To defend against man-in-the-middle attacks, you need to specify the server's public key. When specified, that key will be used to verify the signature, not the one listed in the XML response.

Only when this remote_token is specified, we will require the signature. Otherwise, the check of the signature will only be performed when a Signature is available in the Security header.

schema => an XML::Compile::Cache object
sign_types => ARRAY

Specify the types of elements which need to be signed. If you have more elements of the same type, they will all get signed.

signed_info => HASH

Settings for the SignedInfo structure. Read XML::Compile::WSS::SignedInfo::new()


The client-side signer object, anything what is accepted by XML::Compile::WSS::Sign::fromConfig().


The token, anything which is accepted by XML::Compile::WSS::SecToken::fromConfig(). This contains at least the public information.

version => STRING
wss_version => '1.1'|MODULE


Extends "Attributes" in XML::Compile::WSS.


Inherited, see "Attributes" in XML::Compile::WSS


Inherited, see "Attributes" in XML::Compile::WSS

Security Tokens

To prove the signature, there usually is some security token. This token may (or may not) be included in the SOAP message itself.


Returns the security token of the server, which is an XML::Compile::WSS::SecToken object. Either, this token is provided by new(remote_token), to taken from the first message.


Returns the security token, which is an XML::Compile::WSS::SecToken object.


Extends "Apply" in XML::Compile::WSS.


Inherited, see "Apply" in XML::Compile::WSS

$obj->create($doc, $security, $data)

Inherited, see "Apply" in XML::Compile::WSS


Extends "Helpers" in XML::Compile::WSS.


Inherited, see "Helpers" in XML::Compile::WSS


Extends "Internals" in XML::Compile::WSS.

$obj->loadSchemas($schema, $version)
XML::Compile::WSS::Signature->loadSchemas($schema, $version)

Inherited, see "Internals" in XML::Compile::WSS


Inherited, see "Internals" in XML::Compile::WSS


Extends "DETAILS" in XML::Compile::WSS.


This module is part of XML-Compile-WSS-Signature distribution version 2.02, built on July 16, 2016. Website:

Please post questions or ideas to the mailinglist at . For live contact with other developers, visit the #xml-compile channel on


Copyrights 2012-2016 by [Mark Overmeer]. For other contributors see ChangeLog.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself. See