This document defines interoperability test cases for
Canonical XML 1.1 [XML-C14N1.1] and
XML Signature Syntax and Processing, Second Edition [XMLDSIG2]. The changes tested include C14N11
handling of attributes in the XML namespace, including xml:id
and xml:base, appropriate C14N11 nodeset to octet stream
transform processing, modifications to RFC 3986 dot segment
processing for C14N11, and RFC 4514 string encoding of
Distinguished Names. The tests include standalone C14N11 tests
as well as tests integrated with XML signature generation and
validation. This document also includes earlier test cases used
in XML Signature [XMLDSIG] for
regression testing.
1
Introduction
The test cases include standalone C14N 1.1 tests and test
cases involving XML signature generation and validation. XML
signatures are generated according to the details specified
in this document.
All the test cases are positive (signatures that are
valid).
Applications should validate these signatures and check
that they are valid.
1.1 Test Case
Notation
This section summarizes the notation used for
identification of test cases.
A test case identifier matches the following pattern,
and the syntax for describing the pattern is borrowed from
section
2.0 of [XMLDSIG] (where "?"
denotes zero or one occurrence; "+" denotes one or more
occurrences; "*" denotes zero or more occurrences) and "|"
denotes a choice.
Rec/(SubRec/)?(SpecificIssue-(SpecificSubIssue-)?)+TestNumber
|
The Rec part identifies the source
recommendation for the test case.
The SubRec part identifies a recommendation
that is tested in the context of Rec.
The SpecificIssue part identifies the issue
to be tested by the test case. The optional
SpecificSubIssue part further refines the
issue to be tested.
The TestNumber part numbers the test case.
It must be an integer number or an integer number followed
by a lowercase letter.
The next section identifies codes used throughout this
document.
1.3 Codes for Issues
(SpecificIssue) and Sub-Issues
(SpecificSubIssue)
The following codes are used for identifying the issues
and sub-issues for the test cases:
-
defCan identifies the test cases that
test the [XMLDSIG2] implicit
and explicit rules managing the final canonicalization
that precedes the digest computation..
-
xmllang identifies the test cases that
test the C14N11 handling of the xml:lang
attribute.
-
xmlspace identifies the test cases that
test the C14N11 handling of the xml:space
attribute.
-
xmlid identifies the test cases that
test the C14N11 handling of the xml:id
attribute.
-
xmlbase identifies the test cases that
test the C14N11 handling of the xml:base
attribute.
The following sub-issues are associated with this
issue:
-
prop identifies the test cases that
test the C14N11 propagation of the
xml:base attribute through the node
tree.
-
annexA identifies the test cases
that test the C14N11 Remove Dot Segments examples
listed in Appendix A of [XML-C14N1.1].
-
c14n11spec identifies the test
cases that test the examples in the [XML-C14N1.1] specification.
-
dnString identifies the test cases that
test the string encoding of Distinguished Names.
-
diffRFCs identifies the test cases that
test the differences between [RFC-2253] and [RFC-4514].
-
xpointer identifies the test cases that
test the handling of XPointer Reference URIs as
specified in [XMLDSIG2]
2 Test
Cases specification
The following sub-sections describe each of the test cases
and are grouped by Recommendation and Issue.
2.1 Legacy XMLDSig Working Group
Test Cases
The IETF/W3C XML-DSig Working Group produced an
interoperability test matrix that can be found at [XMLDSIG-interop].
2.2 Test Cases for Canonicalization
1.1
The set of test cases in this section are designed to
test the C14N11 handling of attributes in the xml
namespace. The input for each of these test cases is an XML
document and an XPath document subset expression. Two
different sets of tests are included based on the test
cases in this section.
-
Standalone tests: no XML signature generation or
validation is required. The XPath document subset
expression is applied to the input document. These
tests are used to check that the implementation for
[XML-C14N1.1] behaves
correctly.
-
Integrated tests with XML signatures: In these set
of tests, an XML signature is generated based on the
input document and a corresponding XPath Filtering
Transform as indicated in the tables. For these set of
tests, the following rules apply:
2.2.1 Test Cases
for xml:lang attribute
The set of test cases in this section test the C14N11
handling of xml:lang attributes.
Below is the input document for the
test cases in this section:
<?xml version="1.0" encoding="UTF-8"?>
<ietf:c14n11Xmllang xmlns:ietf="http://www.ietf.org"
xmlns:w3c="http://www.w3.org">
<ietf:e1 xml:lang="EN">
<ietf:e11>
<ietf:e111 />
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 />
</ietf:e12>
</ietf:e1>
<ietf:e2 >
<ietf:e21 />
</ietf:e2>
</ietf:c14n11Xmllang>
|
Note:
Document subset expressions for document subsets
computation are defined as in [XML-C14N1.1].
|
Test case c14n11/xmllang-1 |
| Input details |
To-Be-Signed (TBS
henceforth) data object with ONLY a
xml:lang attribute in a certain
element e whose content includes other
elements. The ds:Transform contains a
XPath expression whose result is a node set that
includes element e. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:lang
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*)[ancestor-or-self::ietf:e1] |
| Output |
<ietf:e1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:lang="EN">
<ietf:e11>
<ietf:e111></ietf:e111>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121></ietf:e121>
</ietf:e12>
</ietf:e1>
|
|
Test case c14n11/xmllang-2 |
| Input details |
TBS data object with
ONLY a xml:lang attribute in a certain
element e whose content includes other
elements. The ds:Transform contains a
XPath expression whose result is a node set that
DOES NOT include neither element e nor
any of its children elements. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:lang
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*)[ancestor-or-self::ietf:e2] |
| Output |
<ietf:e2 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
<ietf:e21></ietf:e21>
</ietf:e2>
|
|
Test case c14n11/xmllang-3 |
| Input details |
TBS with ONLY a
xml:lang attribute in a certain
element e whose content includes a
sequence of one element. The
ds:Transform contains a XPath
expression whose result is a node set that DOES NOT
include element e but includes one
child element. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:lang
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*)[ancestor-or-self::ietf:e11] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:lang="EN">
<ietf:e111></ietf:e111>
</ietf:e11>
|
|
Test case c14n11/xmllang-4 |
| Input details |
TBS with ONLY a
xml:lang attribute in a certain
element e whose content includes a
sequence of more than one element (these children
may in turn contain children elements). The
ds:Transform contains a XPath
expression whose result is a node set that DOES NOT
include element e but includes more
than one of its children elements. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:lang
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*)[ancestor-or-self::ietf:e11 or
ancestor-or-self::ietf:e12] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:lang="EN">
<ietf:e111></ietf:e111>
</ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" at="2" xml:lang="EN">
<ietf:e121></ietf:e121>
</ietf:e12>
|
2.2.2 Test Cases
for xml:space attribute
The set of test cases in this section test the C14N11
handling of xml:space attributes.
Below is the input document for the
test cases in this section:
<?xml version="1.0" encoding="UTF-8"?>
<ietf:c14n11XmlSpaceDoc1 xmlns:ietf="http://www.ietf.org"
xmlns:w3c="http://www.w3.org">
<ietf:e1 xml:space="true">
<ietf:e11>
<ietf:e111 />
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 />
</ietf:e12>
</ietf:e1>
<ietf:e2 >
<ietf:e21 />
</ietf:e2>
</ietf:c14n11XmlSpaceDoc1>
|
|
Test case c14n11/xmlspace-1 |
| Input details |
TBS data object with
ONLY a xml:space attribute in a
certain element e whose content
includes other elements. The
ds:Transform contains a XPath
expression whose result is a node set that includes
element e. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:space
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e1] |
| Output |
<ietf:e1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:space="true">
<ietf:e11>
<ietf:e111></ietf:e111>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121></ietf:e121>
</ietf:e12>
</ietf:e1>
|
|
Test case c14n11/xmlspace-2 |
| Input details |
TBS data object with
ONLY a xml:space attribute in a
certain element e whose content
includes other elements. The
ds:Transform contains a XPath
expression whose result is a node set that DOES NOT
include neither element e nor any of
its children elements. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:space
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e2] |
| Output |
<ietf:e2 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
<ietf:e21></ietf:e21>
</ietf:e2>
|
|
Test case c14n11/xmlspace-3 |
| Input details |
TBS with ONLY a
xml:space attribute in a certain
element e whose content includes a
sequence of one element. The
ds:Transform contains a XPath
expression whose result is a node set that DOES NOT
include element e but includes its
child element. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:space
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e11] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:space="true">
<ietf:e111></ietf:e111>
</ietf:e11>
|
|
Test case c14n11/xmlspace-4 |
| Input details |
TBS with ONLY a
xml:space attribute in a certain
element e whose content includes a
sequence of more than one element (these children
may in turn contain children elements). The
ds:Transform contains a XPath
expression whose result is a node set that DOES NOT
include element e but includes more
than one of its children elements. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:space
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e11 or
ancestor-or-self::ietf:e12] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:space="true">
<ietf:e111></ietf:e111>
</ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" at="2" xml:space="true">
<ietf:e121></ietf:e121>
</ietf:e12>
|
2.2.3 Test Cases for
xml:id attribute
The set of test cases in this section test the C14N11
handling of xml:id attributes.
Below is the input
document for all the test cases in this section:
<?xml version="1.0" encoding="UTF-8"?>
<ietf:c14n11XmlIdDoc1 xmlns:ietf="http://www.ietf.org"
xmlns:w3c="http://www.w3.org">
<ietf:e1 xml:id="IdInterop">
<ietf:e11>
<ietf:e111 />
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 />
</ietf:e12>
</ietf:e1>
<ietf:e2 >
<ietf:e21 />
</ietf:e2>
</ietf:c14n11XmlIdDoc1>
|
| Test
case c14n11/xmlid-1 |
| Input details |
TBS with ONLY a
xml:id attribute in a certain element
e whose content includes other
elements. The ds:Transform contains a
XPath expression whose result is a node set that
includes element e. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:id
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e1] |
| Output |
<ietf:e1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" xml:id="IdInterop">
<ietf:e11>
<ietf:e111></ietf:e111>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121></ietf:e121>
</ietf:e12>
</ietf:e1>
|
| Test
case c14n11/xmlid-2 |
| Input details |
TBS with ONLY a
xml:id attribute in a certain element
e whose content includes other
elements. The ds:Transform contains a
XPath expression whose result is a node set that
DOES NOT include the element e but
some of the children of the element
e. |
| Rationale |
Check that
implementations of [XML-C14N1.1] handle xml:id
attributes as defined in [XML-C14N1.1] |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e11 or
ancestor-or-self::ietf:e12] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
<ietf:e111></ietf:e111>
</ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" at="2">
<ietf:e121></ietf:e121>
</ietf:e12>
|
2.2.4 Test Cases
for xml:base attribute
The set of test cases in this section test the C14N11
handling of xml:base attributes.
Three sets of test cases have been defined:
-
Tests that check if the implementation correctly
propagates the xml:base attributes
through the node tree.
-
Tests that check if the implementation correctly
processes the examples involving xml:base propagation
in the [XML-C14N1.1]
specification.
-
Tests that check if the implementation correctly
processes the examples in the Appendix of [XML-C14N1.1]
2.2.4.1 Test Cases for
checking xml:base attribute
propagation
This section defines test cases that test how
implementations propagate xml:base
attributes through the tree when the result of the
filtering is a document subset.
Below is the input document
for the test cases in this section:
<?xml version="1.0" encoding="UTF-8"?>
<ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase0/">
<ietf:e1 xml:base="/xmlbase1/">
<ietf:e11 xml:base="/xmlbase11/">
<ietf:e111 xml:base="/xmlbase111/"/>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 xml:base="/xmlbase121/"/>
</ietf:e12>
</ietf:e1>
<ietf:e2>
<ietf:e21 xml:base="/xmlbase21/"/>
</ietf:e2>
<ietf:e3>
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlBaseDoc1>
|
The document's root element
ietf:c14n11XmlBaseDoc1 defines an
xml:base attribute. This element contains
three children elements.
The first element ietf:e1 has another
xml:base attribute. All the
ietf:e1's descendant elements have a
xml:base attribute. Transforms that select
subsets of ietf:e1's descendants will test
how each level in the tree of elements incorporates its
corresponding part to the value of the final
xml:base.
The second element ietf:e2 does not
have a xml:base attribute, but its child
element, ietf:e21 has a
xml:base attribute. Transforms that select
ietf:e21 will test how it takes the value
of xml:base from an ancestor different
than its parent.
As for the third element, neither it nor any of its
descendants have a xml:base attribute.
Transforms that select ietf:e3 or any of
its descendants will test how they inherit the
xml:base attribute from the root element
without any further processing.
| Test case
c14n11/xmlbase-prop-1 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element
ietf:c14n11XmlBaseDoc1 and the child
ietf:e1 and its descendant. |
| Rationale |
Check that
implementations of [XML-C14N1.1] work properly
when the xml:base origin appears in
the output document subset and also children with
xml:base, which do not require
further processing, are also present. |
| Document subset
expression |
(//. | //@* |
//namespace::*)
[ancestor-or-self::ietf:c14n11XmlBaseDoc1 and
not(ancestor-or-self::ietf:e2)] |
| Output |
<ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase0/">
<ietf:e1 xml:base="/xmlbase1/">
<ietf:e11 xml:base="/xmlbase11/">
<ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 xml:base="/xmlbase121/"></ietf:e121>
</ietf:e12>
</ietf:e1>
<ietf:e3>
<ietf:e31 at="3"></ietf:e31>
</ietf:e3>
</ietf:c14n11XmlBaseDoc1>
|
| Test case
c14n11/xmlbase-prop-2 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element ietf:e1 and its
descendant but not
ietf:c14n11XmlBaseDoc1. |
| Rationale |
Check that
implementations of [XML-C14N1.1] properly build
the xml:base at the first level
(ietf:e1). |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e1] |
| Output |
<ietf:e1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase1/">
<ietf:e11 xml:base="/xmlbase11/">
<ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
</ietf:e11>
<ietf:e12 at="2">
<ietf:e121 xml:base="/xmlbase121/"></ietf:e121>
</ietf:e12>
</ietf:e1>
|
| Test case
c14n11/xmlbase-prop-3 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element ietf:e11 and its
descendant. Elements
ietf:c14n11XmlBaseDoc1 and
ietf:e1 do not appear. |
| Rationale |
Check that
implementations of [XML-C14N1.1] properly build
the xml:base if one of intermediate
the levels (ietf:e1) are absent from
the document subset. |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e11] |
| Output |
<ietf:e11 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase11/">
<ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
</ietf:e11>
|
| Test case
c14n11/xmlbase-prop-4 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element ietf:e111 and its
descendant. Elements
ietf:c14n11XmlBaseDoc1,
ietf:e11 and ietf:e1 do
not appear. |
| Rationale |
Check that
implementations of [XML-C14N1.1] properly build
the xml:base if several intermediate
levels (ietf:e1 and
ietf:e11) are absent from the
document subset. |
| Document subset
expression |
(//. | //@* |
//namespace::*)
[ancestor-or-self::ietf:e111] |
| Output |
<ietf:e111 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase111/"></ietf:e111>
|
| Test case
c14n11/xmlbase-prop-5 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element ietf:e2 and its
descendant. Elements
ietf:c14n11XmlBaseDoc1,
ietf:e1 and its descendant, and
ietf:e3 and its descendant do not
appear. |
| Rationale |
Check that
implementations of [XML-C14N1.1] properly build
the xml:base if one intermediate
level (ietf:e2) without any
xml:base attribute is absent from
the document subset. |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e21] |
| Output |
<ietf:e21 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase21/"></ietf:e21>
|
| Test case
c14n11/xmlbase-prop-6 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes element ietf:e3 and its
descendant. Elements
ietf:c14n11XmlBaseDoc1,
ietf:e1 and its descendant, and
ietf:e2 and its descendant do not
appear. |
| Rationale |
Check that
implementations of [XML-C14N1.1] properly build
the xml:base in one element that
originally had no xml:base
attribute. |
| Document subset
expression |
(//. | //@* |
//namespace::*) [ancestor-or-self::ietf:e3] |
| Output |
<ietf:e3 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase0/">
<ietf:e31 at="3"></ietf:e31>
</ietf:e3>
|
| Test case
c14n11/xmlbase-prop-7 |
| Input details |
The document shown
above. The ds:Transform contains a
XPath expression whose result is a node set that
includes elements
ietf:c14n11XmlBaseDoc1 and
ietf:e3 and its descendant. Elements
ietf:e1 and its descendant, and
ietf:e2 and its descendant do not
appear. |
| Rationale |
Check that
implementations of [XML-C14N1.1] do not pass the
xml:base to another element when it
is not necessary. |
| Document subset
expression |
(//. | //@* |
//namespace::*)
[ancestor-or-self::ietf:c14n11XmlBaseDoc1 and
not(ancestor-or-self::ietf:e1 or
ancestor-or-self::ietf:e2)] |
| Output |
<ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org"\
+ xml:base="http://xmlbase.example.org/xmlbase0/">
<ietf:e3>
<ietf:e31 at="3"></ietf:e31>
</ietf:e3>
</ietf:c14n11XmlBaseDoc1>
|
2.2.4.2 Test Cases for
checking XML-C14N1.1 specification tests
This section defines test cases that are based on
the examples in the C14N11 specification that propagate
xml:base attributes through the tree when
the result of the filtering is a document subset.
Below is the input
document from section 3.8 of [XML-C14N1.1] for the test case
c14n11/xmlbase-c14n11spec-102 below:
<!DOCTYPE doc [
<!ATTLIST e2 xml:space (default|preserve) 'preserve'>
<!ATTLIST e3 id ID #IMPLIED>
]>
<doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+ xml:base="http://www.example.com/something/else">
<e1>
<e2 xmlns="" xml:id="abc" xml:base="../bar/">
<e3 id="E3" xml:base="foo"/>
</e2>
</e1>
</doc>
|
| Test case
c14n11/xmlbase-c14n11spec-102 |
| Input details |
The input document
shown above. |
| Rationale |
Check that correct
xml:base fixup is performed. |
| Document
subset expression |
(//. | //@* |
//namespace::*)[self::ietf:e1 or (parent::ietf:e1
and not(self::text() or self::e2)) or
count(id("E3")|ancestor-or-self::node()) =
count(ancestor-or-self::node())] |
| Output |
<e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+ xml:base="http://www.example.com/something/else">\
+ <e3 xmlns="" id="E3" xml:base="../bar/foo" xml:space="preserve">\
+ </e3></e1>
|
Below is the input
document similar to the example from section 3.8 of
[XML-C14N1.1] for the test
case c14n11/xmlbase-c14n11spec-102 below. The main
difference is that the value of the xml:base attribute
of the e2 element is "bar/" instead of "../bar".
<!DOCTYPE doc [
<!ATTLIST e2 xml:space (default|preserve) 'preserve'>
<!ATTLIST e3 id ID #IMPLIED>
]>
<doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+ xml:base="something/else">
<e1>
<e2 xmlns="" xml:id="abc" xml:base="bar/">
<e3 id="E3" xml:base="foo"/>
</e2>
</e1>
</doc>
|
| Test case
c14n11/xmlbase-c14n11spec2-102 |
| Input details |
The input document
shown above. |
| Rationale |
Check that correct
xml:base fixup is performed. |
| Document
subset expression |
(//. | //@* |
//namespace::*)[self::ietf:e1 or (parent::ietf:e1
and not(self::text() or self::e2)) or
count(id("E3")|ancestor-or-self::node()) =
count(ancestor-or-self::node())] |
| Output |
<e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+ xml:base="something/else">\
+ <e3 xmlns="" id="E3" xml:base="bar/foo" xml:space="preserve">\
+ </e3></e1>
|
Below is the input
document from section 2.4 of [XML-C14N1.1] for the test case
c14n11/xmlbase-c14n11spec-103 below.
<?xml version="1.0" encoding="UTF-8"?>
<a xml:base="foo/bar">
<b xml:base="..">
<c xml:base="..">
<d xml:base="x">
</d>
</c>
</b>
</a>
|
| Test case
c14n11/xmlbase-c14n11spec3-103 |
| Input details |
The input document
shown above. |
| Rationale |
Check that correct
xml:base fixup is performed. This test
illustrates the modification of the "Remove Dot
Segments" algorithm. |
| Document
subset expression |
(//. | //@* |
//namespace::*) [self::a or
ancestor-or-self::d] |
| Output |
<a xml:base="foo/bar"><d xml:base="../../x">
</d></a>
|
2.2.5 Test Cases for checking
examples in the XML-C14N1.1 Appendix
This section defines test cases for checking if
implementations are compliant with [XML-C14N1.1], specifically the
normative rules in the
Document Subsets section. Informative examples are
given in
the Appendix of C14N11.
Each test case in this section specifies an input
string, representing a URI that must be processed
according to the modified Remove Dot Segments algorithm
described in Section 2.4 (Document Subsets) of [XML-C14N1.1].
Each test case appears in a row of the table shown
below. The first column identifies the input URI that has
to be processed. The second column shows the
corresponding output.
| Test case
c14n11/xmlbase-annexa |
| inputs.txt |
outputs.txt |
no/.././/pseudo-netpath/seg/file.ext
no/..//.///pseudo-netpath/seg/file.ext
yes/no//..//.///pseudo-netpath/seg/file.ext
no/../yes
no/../yes/
no/../yes/no/..
../../no/../..
no/../..
no/..
no/../
/a/b/c/./../../g
mid/content=5/../6
../../..
no/../../
..yes/..no/..no/..no/../../../..yes
..yes/..no/..no/..no/../../../..yes/
../..
../../../
.
./
./.
//no/..
../../no/..
../../no/../
yes/no/../
yes/no/no/../..
yes/no/no/no/../../..
yes/no/../yes/no/no/../..
yes/no/no/no/../../../yes
yes/no/no/no/../../../yes/
/no/../
/yes/no/../
/yes/no/no/../..
/yes/no/no/no/../../..
../../..no/..
../../..no/../
..yes/..no/../
..yes/..no/..no/../..
..yes/...no/..no/..no/../../..
..yes/..no/../..yes/..no/..no/../..
/..no/../
/..yes/..no/../
/..yes/..no/..no/../..
/..yes/..no/..no/..no/../../..
/
/.
/./
/./.
/././
/..
/../..
/../../..
/../../..
//..
//..//..
//..//..//..
/./..
/./.././..
/./.././.././..
.
./
./.
..
../
|
pseudo-netpath/seg/file.ext
pseudo-netpath/seg/file.ext
yes/pseudo-netpath/seg/file.ext
yes
yes/
yes/
../../../
../
/a/g
mid/6
../../../
../
..yes/..yes
..yes/..yes/
../../
../../../
/
../../
../../
yes/
yes/
yes/
yes/yes/
yes/yes
yes/yes/
/
/yes/
/yes/
/yes/
../../
../../
..yes/
..yes/
..yes/
..yes/..yes/
/
/..yes/
/..yes/
/..yes/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
../
../
|
2.3 Test Cases for XMLDSig
2.3.1 Test Cases for C14N
1.1 in XMLDSig
The test cases in section 2.2 Test Cases for
Canonicalization 1.1 are performed in the context
of XMLDSig as well. Here it should be noted that this is
performed in a different location (i.e. xmldsig/c14n11/) and the
XPath-Filter expression in the
ds:Transform/ds:XPath should be equal to the
filter step of the XPath expressions in section 2.2 Test Cases for
Canonicalization 1.1 (cf.
explanation). The test cases are specified by an
"unsigned" ds:Signature (without
ds:DigestValue and
ds:SignatureValue) in files in xmldsig/c14n11/ having the
postfix ...-template.xml.
2.3.2 Test Cases on nodeset to
octet-stream conversion by C14n 1.1 explicitly reflected
in the chain of transforms
The set of test cases in this section test the
Reference Generation steps of [XMLDSIG2] and its rules that manage the
contents of the Transforms element when
nodeset to octet-stream conversions are to be performed
by canonicalization.
General rules for these test cases:
|
Test case xmldsig/defCan-1 |
| Input details |
The same input
document as in section 2.2.4 Test Cases for xml:base
attribute. |
| Rationale |
Check that
implementations and APIs of [XMLDSIG2] honor the recommendation
to use [XML-C14N1.1] in
section 3.1.1 "Reference Generation" of [XMLDSIG2] and make its use
explicit as a ds:Transform. |
| Template |
This template can
be used to instruct some API to create a signature
with a chain of transforms that would require
implicit transformations from a node set to an
octet stream. It is expected that c14n11 is
inserted at the relevant places. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:c14n11XmlBaseDoc1 and\
+ not(ancestor-or-self::ietf:e2)</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>t7d2cL8Ink8A5i3cS9/bu9MBBU8=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>LR4s+Nxoq3VZO1NiCLoiovfCpK4=</SignatureValue>\
+ </Signature>
|
|
Test case xmldsig/defCan-2 |
| Input details |
The same input
document as in section 2.2.4 Test Cases for xml:base
attribute. |
| Rationale |
Check that
implementations and APIs of [XMLDSIG2] honor the recommendation
to use [XML-C14N1.1] in
section 3.1.1 "Reference Generation" of [XMLDSIG2] and make it's use
explicit as a ds:Transform. It is
expected that c14n11 is inserted at the relevant
places. |
| Template |
This template can
be used to instruct some API to create a signature
with a chain of transforms that would require
implicit transformations from a node set to an
octet stream. The focus in this test case is to
assure that c14n11 is inserted before transforms
requiring an octet stream as input and also at the
end of the chain of transforms if necessary because
the last transform resulted in a node set. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:e21</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+ xmlns="http://www.w3.org/1999/XSL/Transform"\
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">1</XPath>\
+ </Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>fL7Igzs0LL7lKHJzAJIKYCphYBo=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>bKQLywY51VZwjutUX/CUMsVs6RE=</SignatureValue>\
+ </Signature>
|
|
Test case xmldsig/defCan-3 |
| Input details |
The same input
document as in section 2.2.4 Test Cases for xml:base
attribute. |
| Rationale |
Check that
implementations and APIs of [XMLDSIG2] honor the recommendation
to use [XML-C14N1.1] in
section 3.1.1 "Reference Generation" of [XMLDSIG2] and make it's use
explicit as a ds:Transform. It is
expected that c14n11 is inserted at the relevant
places. The focus in this test case is to assure
that c14n11 is inserted before transforms requiring
an octet stream as input but not inserted at the
end of the chain of transforms, which is not
necessary because the last transform resulted in an
octet stream. |
| Template |
This template can
be used to instruct some API to create a signature
with a chain of transforms that would require
implicit transformations from a node set to an
octet stream. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:e21</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+ xmlns="http://www.w3.org/1999/XSL/Transform"\
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">1</XPath>\
+ </Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+ xmlns="http://www.w3.org/1999/XSL/Transform"\
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>hqabUu4fEZp7GK5JRyFC26W5JBk=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>9+wp0W9xwL5X3kSttxABZ7p/kU0=</SignatureValue>\
+ </Signature>
|
2.3.3 Test Cases on
schema based XPointers and canonicalization
This section defines test cases that test if
implementations behave correctly when processing both
schema-based xpointers and short-name xpointers with
regards to comments present in the to be signed xml data
object.
The following rules apply to the test cases in this
section:
-
As the model processing is defined in [XMLDSIG2], the test cases are based
on XML signatures. For each test case, an XML
signature will be generated and validated. The
signatures will be enveloped signatures when the
URI attribute is referencing the root
element and enveloping when the URI
attribute is referencing an element using its Id
attribute.
-
The input for the test cases is the to be signed
xml data object shown below and the
ds:Reference's URI
attribute value (a schema-based xpointer or a
short-name pointer).
-
The ds:Reference for enveloped
signatures will eventually contain two
Transform elements, namely; the
enveloped signature transform and the conversion from
node set data to octet stream (canonical XML
1.1).
Below is the input document for the test cases in this
section:
<?xml version="1.0" encoding="UTF-8"?>
<ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org" >
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11 >
<!-- This is a comment for ietf:e11 element -->
<ietf:e111 />
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121 />
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21 />
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlPointerDoc1>
|
|
Test case xmldsig/xpointer-1 |
| Input details |
The signature is an
enveloped signature. It appears as the last child
of the root element. The document enveloping the
signature is the one shown at the beginning of this
section. The value of the URI
attribute is "#xpointer(/)" (find it here). |
| Rationale |
Check that
implementations, following the rules stated in the
[XMLDSIG2] model,
dereference the URI getting the root element and
its descendant, and that comments are preserved
before proceeding with the computation of
digest. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(/)"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>/IZyGLL72rXhisXRkB617TxJrL8=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>E4gxKwllVjvvlUQFe9p/ssO7Yxw=</SignatureValue>\
+ </Signature></ietf:c14n11XmlPointerDoc1>
|
|
Test case xmldsig/xpointer-2 |
| Input details |
The signature is an
enveloping signature. The enveloped document is the
one shown at the beginning of this section. The
value of the URI attribute is
"#xpointer(id('e1ID'))" (find it here). |
| Rationale |
Check that
implementations, following the rules stated in the
[XMLDSIG2] model,
dereference the URI getting an element identified
by its id attribute as well as its descendant, and
that comments are preserved before proceeding with
the computation of digest. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(id('e1ID'))"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>XhSsDpWTt+ti0kcU9XYpleRDHfQ=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>brEpICVA4lg7eQwz7i/rlBmYXiU=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlPointerDoc1></Object></Signature>
|
|
Test case xmldsig/xpointer-3 |
| Input details |
The signature is an
enveloped signature. It appears as the last child
of the root element. The document enveloping the
signature is the one shown at the beginning of this
section. The value of the URI
attribute is "". |
| Rationale |
Check that
implementations, following the rules stated in the
[XMLDSIG2] model,
dereference the URI getting the root element and
its descendant, and that comments are not preserved
before proceeding with the computation of
digest. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI=""><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>gaV5r7qC3Ve/t641+d3ykN8JFSc=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>gS1QKSwAH/6eE3OFi/L9O0oKKig=</SignatureValue>\
+ </Signature></ietf:c14n11XmlPointerDoc1>
|
|
Test case xmldsig/xpointer-4 |
| Input details |
The signature is an
enveloping signature. The enveloped document is the
one shown at the beginning of this section. The
value of the URI attribute is "#e1ID"
(find it here). |
| Rationale |
Check that
implementations, following the rules stated in the
[XMLDSIG2] model,
dereference the URI getting an element identified
by its id attribute as well as its descendant, and
that comments are not preserved before proceeding
with the computation of digest. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#e1ID"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>3K+K4MbR2EW7l/ry59XockKqt4g=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>dgyjONUs9rBjW7PH25seGqcMNZY=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlPointerDoc1></Object></Signature>
|
|
Test case xmldsig/xpointer-5 |
| Input details |
The signature is an
enveloping signature and signs three elements from
the document. The enveloped document is the one
shown at the beginning of this section. There are
three ds:Reference elements. For the
first one the value of the URI
attribute is "#xpointer(id('e1ID'))" (find it
here). For the second, it is
"#xpointer(id('e2ID'))" (find it
here). For the third one, it is
"#xpointer(id('e3ID'))" (find it
here). |
| Rationale |
Check implementation's
behaviour when processing several elements (with
and without comments) referenced by its Id
attribute using a schema-based xpointer. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(id('e1ID'))"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>XhSsDpWTt+ti0kcU9XYpleRDHfQ=</DigestValue>\
+ </Reference><Reference URI="#xpointer(id('e2ID'))">\
+ <Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>abyA1j4yzf1IgQLWwDwKuU9l8Ik=</DigestValue>\
+ </Reference><Reference URI="#xpointer(id('e3ID'))">\
+ <Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>RUUBiUeFf8uRqTlpCyutkXDqnJ4=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>sG+0pHk9TB6v7jES9RZUIVKMFos=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlPointerDoc1></Object></Signature>
|
|
Test case xmldsig/xpointer-6 |
| Input details |
The signature is an
enveloping signature and signs two elements from
the document. The enveloped document is the one
shown at the beginning of this section. There are
three ds:Reference elements. For the
first one the value of the URI
attribute is "#e1ID" (find it
here). For the second, it is "#e2ID" (find it
here). For the third one, it is "#e3ID" (find
it
here). |
| Rationale |
Check implementation's
behaviour when processing several elements (with
and without comments) referenced by its Id
attribute using a short-name xpointer. |
| Signature |
<?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#e1ID"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>3K+K4MbR2EW7l/ry59XockKqt4g=</DigestValue>\
+ </Reference><Reference URI="#e2ID"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>hnKFjGFr/jwLCCTckZpaclOwe28=</DigestValue>\
+ </Reference><Reference URI="#e3ID"><Transforms>\
+ <Transform\
+ Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>RUUBiUeFf8uRqTlpCyutkXDqnJ4=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>XzEJQ+whhHUYlqiCEt8XFxC8wpk=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+ xmlns:w3c="http://www.w3.org">
\
+ <!-- This is a xml document for checking behaviour of tools with\
+ regards to comments when using scheme-based xpointers in the\
+ ds:Reference's URI attribute -->
<ietf:e1 xml:id="e1ID">
<!-- This is a comment for ietf:e1 element -->
<ietf:e11>
<!-- This is a comment for ietf:e11 element -->
<ietf:e111/>
</ietf:e11>
<ietf:e12 at="2">
<!-- This is a comment for ietf:e12 element -->
<ietf:e121/>
</ietf:e12>
</ietf:e1>
<ietf:e2 xml:id="e2ID">
<!-- This is a comment for ietf:e2 element -->
<ietf:e21/>
</ietf:e2>
<ietf:e3 xml:id="e3ID">
<ietf:e31 at="3"/>
</ietf:e3>
</ietf:c14n11XmlPointerDoc1></Object></Signature>
|
2.3.4 Test Cases on
String encoding of Distinguished Names
2.3.4.1
Test Cases on differences identified in RFC 2253 and
RFC 4514
This Working group has identified a number of
differences between [RFC-4514]
and [RFC-2253]. They are
described in this
e-mail within the XML Security Specifications
Maintenance Working Group e-mail list archive. This
section contains test cases designed for checking that
applications can parse and generate RFC 4514
Distinguished Names with these differences.
The following rules apply for the test cases defined
in this section:
-
The input to each test case is an XML Signature.
Each signature contains an X509SubjectName or
X509IssuerSerial element with an RFC 4514
Distinguished Name.
-
To resolve the key, the application must find a
certificate containing a matching issuer/serial or
subject DN from the certificates that are contained
in the "certs" directory.
-
Signature generation is also required. A PKCS#12
KeyStore containing the private keys used to
generate the signatures is in the file
"certs/keystore.p12". The keystore password is
"secret". The key entry name is the same as the
corresponding certificate file name (without the
".crt" part).
| Test case
xmldsig/dname/diffRFCs-1 |
| Input details |
The input is an XML
Signature containing an X509SubjectName in RFC
4514 format. The DN contains at least one
Relative Distinguished Name whose attribute type
keyword is encoded with one alphabetic character,
and another Relative Distinguished Name whose
attribute type keyword is encoded with two
characters. |
| Rationale |
Check processing of
attribute type keywords by tools implementing
[RFC-4514]. |
| [RFC-4514] DN |
CN=John,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ DOz4KhJHOvhzPiKjxl0WVsrXPuZ9XQtdDvKN0KuLQGIzXkljfkFEQA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=John,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/diffRFCs-2 |
| Input details |
The input is an XML
Signature containing an X509SubjectName in RFC
4514 format. The DN contains at least a Relative
Distinguished Name containing space characters.
[RFC-2253] does not allow
escaping, whereas [RFC-4514] requires space
characters to be escaped. |
| Rationale |
Check escaping of
space characters by tools implementing [RFC-4514]. |
| [RFC-4514] DN |
CN=\ Spacey\
,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ V18nxls1pqn4IyA/GNosGfqLHEE6INnyuV9TmHlYt/sYsaagHCH9Xw==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=\ Spacey\ ,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/diffRFCs-3 |
| Input details |
The input is an XML
Signature containing an X509SubjectName in RFC
4514 format. The DN contains at least a Relative
Distinguished Name containing null characters.
[RFC-2253] does not allow
escaping, whereas [RFC-4514] requires space
characters to be escaped. |
| Rationale |
Check escaping of
null characters by tools implementing [RFC-4514]. |
| [RFC-4514] DN |
CN=\00,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ N6jHpYnYpggrfADJkvZfggCaUq9dzU9M3EQ+27wA8f92nWwmrlyUQQ==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=\00,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/diffRFCs-4 |
| Input details |
The input is an XML
Signature containing an X509SubjectName in RFC
4514 format. The DN contains at least a Relative
Distinguished Name containing a non-leading
number sign character that is not escaped.
[RFC-2253] requires
escaping of non-leading number sign characters,
whereas [RFC-4514] does
not. |
| Rationale |
Check processing of
non-leading number sign characters that are not
escaped by tools implementing [RFC-4514]. |
| [RFC-4514] DN |
CN=Num#ber,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ QN8dVUz4674CG7tnHJ+VSDFKbttZ3Ywa5rizoYS2EGUD8/33RFlZJA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Num#ber,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/diffRFCs-5 |
| Input details |
The input is an XML
Signature containing an X509SubjectName in RFC
4514 format. The DN contains at least a Relative
Distinguished Name containing an equals sign
character that is not escaped. [RFC-2253] requires escaping of
equals sign characters, whereas [RFC-4514] does not. |
| Rationale |
Check processing of
equals sign characters that are not escaped by
tools implementing [RFC-4514]. |
| [RFC-4514] DN |
CN=Eq=uals,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ TEFSu5hmr8r5JU78U9MgS0mdZIZOXUjORTRzDFaBWh9DhFjPjxxW4w==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Eq=uals,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
2.3.4.2 Test
Cases for RFC 4514
The set of test cases in this section are designed
to test the representation of Distinguished Names as
Strings as specified by [RFC-4514].
The same rules defined in section 3.3.4.1 apply to
the test cases in this section.
| Test case
xmldsig/dname/dnString-4 |
| Input details |
The DistinguishedName has the following
restrictions:
-
All the RelativeDistinguishedNames
attribute types have a short name
(descriptor) tabulated in [RFC-4514].
-
Some RelativeDistinguishedNames
attribute value have one or more trailing
space characters (U+0020). The escaping
mechanism will be '\20'.
|
| Rationale |
Check that
implementations correctly manage escaping of
trailing space characters. |
| [RFC-4514] DN |
CN=Trailing\20\20,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ ONd8OoOnv9OThyiTPkneEcsdgVt65w6AgUAxidekHeKmjyQxnYEdWA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Trailing\20\20,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/dnString-6 |
| Input details |
The DistinguishedName has the following
restrictions:
-
All the RelativeDistinguishedNames
attribute types have a short name
(descriptor) tabulated in [RFC-4514].
-
Some RelativeDistinguishedNames
attribute value have one or more escaped
ASCII control characters (U+1d). The
escaping mechanism will be a backslash
followed of a by a two digit hex number
showing its Unicode point number.
|
| Rationale |
Check that
implementations correctly manage escaping of an
ASCII control character that is neither the first
nor the final character of the group. |
| [RFC-4514] DN |
CN=Con\09trol,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ V34pKGIfKacwJtTEShfSXx4M2dhSOTqZVCIL6nO66lm+JTQ//wCKaA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Con\09trol,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
| Test case
xmldsig/dname/dnString-8 |
| Input details |
The DistinguishedName has the following
restrictions:
-
All the RelativeDistinguishedNames
attribute types have a short name
(descriptor) tabulated in [RFC-4514].
-
Some RelativeDistinguishedNames
attribute value contain one or more special
characters in the following group: '+',
',', ';', and '\.'
|
| Rationale |
Check that
implementations correctly manage escaping of all
the special characters (except '"', 'lt;' and
'>').. |
| [RFC-4514] DN |
CN=E\+s\,c\;aped,C=US |
| Signature |
<?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ L2r+QCiO0qOPgDYybThQEbP7A8Iq8AomDGBXgQqe4mkuLMnroTxnGA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=E\+s\,c\;aped,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
|
3
References
- RFC
2253
- RFC 2253: Lightweight Directory Access Protocol (v3):
UTF-8 String Representation of Distinguished Names. M.
Wahl, S. Kille, T. Howes. Ed. December 1997. http://www.ietf.org/rfc/rfc2253txt
- RFC
4514
- RFC 4514: Lightweight Directory Access Protocol (LDAP):
String Representation of Distinguished Names. K. Zeilenga,
Ed. June 2006. http://www.ietf.org/rfc/rfc4514.txt
- XML-C14N1.1
- Canonical XML. Version 1.1. W3C Proposed
Recommendation. John Boyer, Glenn Marcy. January 2008.
http://www.w3.org/TR/2008/PR-xml-c14n11-20080129/
- XMLDSIG
- XML-Signature Syntax and Processing. W3C
Recommendation. Donald Eastlake, Joseph Reagle, David Solo.
February 2002. http://www.w3.org/TR/xmldsig-core/
- XMLDSIG-interop
- XML-Signature Interoperability. Joseph Reagle. April
2001.
http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
- XMLDSIG2
- XML-Signature Syntax and Processing (Second Edition).
Editor's Draft. Donald Eastlake, Joseph Reagle, David Solo,
Frederick Hirsch, Thomas Roessler. January 2008. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-core/
- XPointer-Element
- XPointer element() Scheme. W3C Recommendation. P.
Grosso, E. Maler, J. Marsh, N. Walsh. March 2003. http://www.w3.org/TR/2003/REC-xptr-element-20030325
- XPointer-Framework
- XPointer Framework. W3C Recommendation. P. Grosso, E.
Maler, J. Marsh, N. Walsh. March 2003. http://www.w3.org/TR/2003/REC-xptr-framework-20030325/
- XPointer-xpointer
- XPointer xpointer() Scheme. W3C Working Draft. S.
DeRose, E. Maler, R. Daniel. December 2002. http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/