RE: Further information on: ACTION-779 - Table of tests and new tests needed for 2.0

This is a DRAFT table of what needs to be developed to test version 2.


Gerald Edgar, CISSP
Supply Chain Cyber Security

-----Original Message-----
From: Edgar, Gerald 
Sent: Tuesday, March 29, 2011 6:01 PM
To: public-xmlsec@w3.org
Subject: Further information on: ACTION-779 - Review test cases for 1.1 and summarize which are missing 


On further examination of the 1.1 test page at http://www.w3.org/2008/xmlsec/wiki/Interop and the current 2.0 drafts, I found the following items:

There is no test for streaming.
There is no test for prefix rewriting.
There are no tests for the forms of C14N (inclusive and exclusive) accepted by XML Signature Syntax and Processing Version 2.0.
There is no test for "2.0 Mode" Selection Algorithms 

I found the following items that could be used in groups as interoperability tests for what is in the current drafts. I used the section numbers in the documents. These processing requirements could be grouped to make testing easier.

Comments are welcome.

Gerald Edgar



XML Signature Syntax and Processing Version 2.0
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/

3.2.1 XML Signature 2.0 Algorithm Identifiers and Implementation Requirements
Canonicalization 
	Required: Canonical XML 2.0 
Transform 
	Required: XML Signature 2.0 Transform 
Selection --
	Required: XML Documents or Fragments - 
		http://www.w3.org/2010/xmldsig2#xml 
	Required: External Binary Data - 
		http://www.w3.org/2010/xmldsig2#binaryExternal 
	Required: Selection of Binary Data within XML - 
		http://www.w3.org/2010/xmldsig2#binaryfromBase64 
Verification --
	Optional: DigestDataLength - 
		http://www.w3.org/2010/xmldsig2#DigestDataLength 
	Optional: PositionAssertion - 
		http://www.w3.org/2010/xmldsig2#PositionAssertion 
	Optional: IDAttributes - 
		http://www.w3.org/2010/xmldsig2#IDAttributes 
Canonicalization --
	Required: Canonical XML 1.0 (omits comments) 
		http://www.w3.org/TR/2001/REC-xml-c14n-20010315 
	Required: Canonical XML 1.1 (omits comments) 	
		http://www.w3.org/2006/12/xml-c14n11 
	Required: Exclusive XML Canonicalization 1.0 (omits comments) 
		http://www.w3.org/2001/10/xml-exc-c14n# 

	Recommended: Canonical XML 1.0 with Comments 
		http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments 
	Recommended: Canonical XML 1.1 with Comments 
		http://www.w3.org/2006/12/xml-c14n11#WithComments 
	Recommended: Exclusive XML Canonicalization 1.0 with Comments 
		http://www.w3.org/2001/10/xml-exc-c14n#WithComments 
Transform 
	Required: base64 
		http://www.w3.org/2000/09/xmldsig#base64 
	Required: Enveloped Signature 
		http://www.w3.org/2000/09/xmldsig#enveloped-signature 
	Recommended: XPath 
		http://www.w3.org/TR/1999/REC-xpath-19991116 
	Recommended: XPath Filter 2.0 
		http://www.w3.org/2002/06/xmldsig-filter2 
	Optional: XSLT http://www.w3.org/TR/1999/REC-xslt-19991116 

3.3.1 Compatibility Mode Algorithms
Canonicalization 
Required 
	Required: Canonical XML 1.0 (omits comments) 
		http://www.w3.org/TR/2001/REC-xml-c14n-20010315 
	Required: Canonical XML 1.1 (omits comments) 
		http://www.w3.org/2006/12/xml-c14n11 
	Required: Exclusive XML Canonicalization 1.0 (omits comments) 
		http://www.w3.org/2001/10/xml-exc-c14n# 
	Recommended:  
	Recommended: Canonical XML 1.0 with Comments
		http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments 
	Recommended: Canonical XML 1.1 with Comments 
		http://www.w3.org/2006/12/xml-c14n11#WithComments 
	Recommended: Exclusive XML Canonicalization 1.0 with Comments 
		http://www.w3.org/2001/10/xml-exc-c14n#WithComments 
Transform 
	Required: base64 (*note)
		http://www.w3.org/2000/09/xmldsig#base64 
	Required: Enveloped Signature (**note)
		http://www.w3.org/2000/09/xmldsig#enveloped-signature 

	Recommended: XPath http://www.w3.org/TR/1999/REC-xpath-19991116 
	Recommended: XPath Filter 2.0 http://www.w3.org/2002/06/xmldsig-filter2 
	Optional: XSLT http://www.w3.org/TR/1999/REC-xslt-19991116 


4.1 Signature generation 

4.2 Reference Generation

4.3 Core Validation interoperability
	Verify:
	1. capability to check each Reference to see if the data object matches with the 
		expected data object. 
	2. The cryptographic signature validation of the signature calculated over SignedInfo. 
	3. Reference validation, the verification of the digest contained in each 
		Reference in SignedInfo. 

4.4 Reference Check

4.5 Reference Validation

4.6 Signature Validation

5. Core Signature Syntax validation

7. The KeyInfo Element

8. The Object Element (optional element)

9. Additional Signature Syntax


10. Algorithms
	10.1 Message Digests
		10.1.1 SHA-1
		10.1.2 SHA-256
		10.1.3 SHA-384
		10.1.4 SHA-512
	10.2 Message Authentication Codes
		10.2.1 HMAC
	10.3 Signature Algorithms
		10.3.1 DSA
		10.3.2 RSA (PKCS#1 v1.5)
		10.3.3 ECDSA
	10.4 Canonicalization Algorithms
		10.4.1 Canonical XML 2.0
	10.5 Transform Algorithm
	10.6 dsig2:Selection Algorithms
	10.7 The dsig2:Verification Types
13. Schema
	13.1 XSD Schema
------------------------------------------
Streaming
XML Signature Streaming Profile of XPath 1.0
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-xpath/
2.	Streamable
	One pass Streaming


----------------------------------------------
C14N2
1.4.2 Streaming
2.4 Exclusive XML Canonicalization
2.5 Namespace Processing
2.5.3.1 With PrefixRewrite="none"
2.5.3.2 With PrefixRewrite="sequential"


_____________________________________________ 
From: 	Edgar, Gerald  
Sent:	Monday, March 07, 2011 3:38 PM
To:	public-xmlsec@w3.org
Subject:	ACTION-779 - Review test cases for 1.1 and summarize which are missing 

ACTION-779 - Review test cases for 1.1 and summarize which are missing 

In my examination, I used the test cases described at the InterOp XML Security 
Wiki (http://www.w3.org/2008/xmlsec/wiki/Interop) 


First I compared the test cases with the 2.0 mark-ups in the diff marked version 
of Canonical XML Version 2.0 

http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview-pub-diff.html#sec-SelectionMode-2.0

I found the following items:
There is no reference to the combined (inclusive and exclusive) 
canonicalization implementations (they were separate before)
  There is no reference to "conformance profiles".

Second I compared the test cases to the diff marked XML Signature Syntax and 
Processing Version 2.0.
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/Overview-pub-diff.html
I found the following items 
  There is no reference to dsig2:Verification in the test cases. 
  There is no reference to the streaming XPath profile.
  There is no reference to "2.0 Mode" Selection Algorithms 

Received on Monday, 11 April 2011 23:40:12 UTC
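
Added example, not part of the original message or of the working group's test suite: one possible shape for the missing prefix-rewriting test (C14N2 2.5.3.1 and 2.5.3.2), checking that the digest input is stable across prefix renaming only when PrefixRewrite="sequential" is selected, and that a content change still alters the digest in both modes. It assumes Python's standard-library xml.etree.ElementTree.canonicalize (a C14N 2.0 implementation) with its rewrite_prefixes option standing in for PrefixRewrite="sequential"; the documents are constructed samples and the function names are hypothetical.

```python
import hashlib
from xml.etree.ElementTree import canonicalize

# Constructed inputs: the same document with different namespace prefixes.
DOC_A = ('<a:order xmlns:a="urn:example:po" xmlns:b="urn:example:item">'
         '<b:sku>X-1</b:sku></a:order>')
DOC_B = ('<p:order xmlns:p="urn:example:po" xmlns:q="urn:example:item">'
         '<q:sku>X-1</q:sku></p:order>')
# Constructed input: DOC_B with its signed content changed.
DOC_TAMPERED = DOC_B.replace("X-1", "X-2")


def c14n2_digest(xml_text, prefix_rewrite="none"):
    """Canonicalize with C14N 2.0 and return (canonical_text, sha256_hex)."""
    if prefix_rewrite not in ("none", "sequential"):
        raise ValueError("PrefixRewrite must be 'none' or 'sequential'")
    canonical = canonicalize(
        xml_text, rewrite_prefixes=(prefix_rewrite == "sequential"))
    return canonical, hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def run_prefix_rewrite_cases():
    """Run both PrefixRewrite modes over the constructed documents."""
    results = {}
    for mode in ("none", "sequential"):
        digest_a = c14n2_digest(DOC_A, mode)[1]
        digest_b = c14n2_digest(DOC_B, mode)[1]
        digest_t = c14n2_digest(DOC_TAMPERED, mode)[1]
        results[mode] = {
            # Prefix-only variants should digest equally only when rewritten.
            "prefix_variants_match": digest_a == digest_b,
            # A content change must change the digest in every mode.
            "tamper_detected": digest_t != digest_b,
        }
    return results


if __name__ == "__main__":
    for mode, outcome in run_prefix_rewrite_cases().items():
        print(mode, outcome)
```

An interoperability run would compare the canonical text from c14n2_digest byte for byte against the output of each other implementation under test, rather than only against itself.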