Union of India - Section

Section 9 in The Digital Signature (End entity) Rules, 2015

9. Creation of xml digital signature.

(1) To sign an electronic record or any other item of information, the signatory shall first construct reference elements, xml digital signature element, signed info, key info and signature value.
(2) For the purpose of reference element generation, the signing software shall-
(a) create reference(s) element(s) with reference to the item of information, xml transform element(s) (optional), digest algorithms and digest value;
(b) optionally apply xml transform(s) to each referenced object in a sequential order;
(c) apply the hash function in the signatory's hardware or software to each reference element, and store the hash result in the reference element;
(d) ensure that if the object element is created, it shall not have a manifest element;
(e) ensure that exclusive canonicalization "without comments" has been mandatorily specified in addition to any other transforms.
(3) For the purpose of xml digital signature generation, the signing software shall-
(a) create signed info element with signature method, canonicalisation method and reference(s);
(b) apply canonicalisation to signed info and calculate the hash value of canonicalised signed info using the hashing algorithms implied by the signature method;
(c) ensure that,-
(i) the signatory has seen all the contents of the document before signing;
(ii) the contents display requirements, in the case of automated signing process, are not required;
(iii) to sign multiple resources together,-
(a) each resource shall be rendered on the screen;
(b) each referenced xml resource shall be rendered using xslt and the xslt shall be the last transform done to render the resource on the screen;
(c) each non xml resource shall be rendered using mime-type attribute mentioned in the object;
(d) generate the signature using the signature algorithm and the hash, the signatory's private key, and the public key parameters (if applicable) and perform base64 encoding of the signature result and use it to form signature value;
(e) construct the signature element that includes signed info, items of information, key info with x 509 certificate element and signature value and the x509 certificate element shall carry the signatory's x 509 public key certificate.
(4) The contextual information like date and time, shall be then made part of the xml digital signature.
(5) The counter signatures or parallel signatures or both may also be applied to electronic record.
(6) The following information may also be a part of signature-
(a) the public key certificate(s) of the licensed Certifying Authorities which are used to verify the authenticity of the digital signature certificate issued to the signatory;
(b) the self signed certificate generated by the Controller used to verify the authenticity of the public key certificate of the licensed Certifying Authorities;
(c) the certificate revocation list(s) maintained by the licensed Certifying Authorities and controller which is used to check whether the digital signature certificate has been revoked under section 38 of the Act;
(d) online certificate status protocol responder certificates and online certificate status protocol responses may be used in lieu of certificate revocation list.
(7) To create long term valid xml digital signature-
(a) a time stamp shall be applied initially to the signed document, where the initial time stamp shall cover all the electronic record and signature(s);
(b) a nested time stamp option shall be used to ensure signature validity past the time-stamping service provider (tssp)'s key or algorithm expiry, whereas nesting of time stamps implies that a subsequent time stamp shall be applied to the prior time stamp;
(c) signature(s) and time stamps may be embedded in the data itself or stored separately as standalone.
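
The structural requirements in sub-rules (2) and (3) can be checked on a received signature before any cryptographic verification. The following is an added example, not part of the Rules or of any official tooling; the function names, the digest allow-list, the constructed sample input and the mapping of findings to sub-rule labels (including reading the "(d)" and "(e)" after (3)(c)(iii) as (3)(d) and (3)(e)) are assumptions made for this illustration.

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"  # exclusive, without comments
DIGEST_LEN = {"http://www.w3.org/2001/04/xmlenc#sha256": 32}  # assumed allow-list

def _b64len(el):
    """Decoded length of an element's base64 text; -1 if absent or invalid."""
    try:
        return len(base64.b64decode("".join((el.text or "").split()), validate=True))
    except (AttributeError, ValueError):
        return -1

def check_signature(xml_text):
    """Return structural findings for the first ds:Signature; [] means none."""
    sig = next(ET.fromstring(xml_text).iter(DS + "Signature"), None)
    if sig is None:
        return ["no Signature element"]
    out = []
    for name in ("CanonicalizationMethod", "SignatureMethod", "Reference"):
        if sig.find(f"{DS}SignedInfo/{DS}{name}") is None:
            out.append(f"(3)(a): SignedInfo lacks {name}")
    for i, ref in enumerate(sig.findall(f"{DS}SignedInfo/{DS}Reference"), 1):
        if EXC_C14N not in [t.get("Algorithm") for t in ref.iter(DS + "Transform")]:
            out.append(f"(2)(e): Reference {i} lacks exclusive c14n without comments")
        alg = next((d.get("Algorithm") for d in ref.iter(DS + "DigestMethod")), None)
        # An algorithm outside the allow-list maps to None and is reported too.
        if _b64len(ref.find(DS + "DigestValue")) != DIGEST_LEN.get(alg):
            out.append(f"(2)(a): Reference {i} digest missing, unknown or wrong length")
    if any(o.find(".//" + DS + "Manifest") is not None for o in sig.findall(DS + "Object")):
        out.append("(2)(d): Object contains a Manifest")
    if _b64len(sig.find(DS + "SignatureValue")) <= 0:
        out.append("(3)(d): SignatureValue missing or not base64")
    if _b64len(sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")) <= 0:
        out.append("(3)(e): KeyInfo carries no X509Certificate")
    return out

def sample(transform=EXC_C14N, extra=""):
    """Constructed input with zero-filled values; not a real signature."""
    z = lambda n: base64.b64encode(bytes(n)).decode()
    return (f'<Signature xmlns="{DS[1:-1]}"><SignedInfo>'
            f'<CanonicalizationMethod Algorithm="{EXC_C14N}"/>'
            '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
            f'<Reference URI="#doc"><Transforms><Transform Algorithm="{transform}"/>'
            '</Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
            f'<DigestValue>{z(32)}</DigestValue></Reference></SignedInfo><SignatureValue>{z(256)}'
            f'</SignatureValue><KeyInfo><X509Data><X509Certificate>{z(64)}</X509Certificate>'
            f'</X509Data></KeyInfo><Object Id="doc">{extra}</Object></Signature>')
```

This checks structure only and verifies nothing cryptographically. When the signature comes from an untrusted source, parse it with a hardened parser such as defusedxml in place of `xml.etree`.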