ACTION-779 - Review test cases for 1.1 and summarize which are missing

ACTION-793 - Review 1.1 interop to determine which gaps we have in 1.1 testing itself

DRAFT

This table shows what tests are specified in the 1.1 test cases ( http://www.w3.org/2008/xmlsec/wiki/Interop) and what needs to be added to test 2.0
Section Specification

1.1 Testcases

http://www.w3.org/2008/xmlsec/wiki/Interop

 1.1 tests
XML Signature Syntax and Processing Version 2.0
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/
3.2.1 XML Signature 2.0 Algorithm Identifiers and Implementation Requirements Canonicalization Required Canonical XML 2.0 1.1 tests
Transform
Required: XML Signature 2.0 Transform 1.1 tests
Selection
Required XML Documents or Fragments
http://www.w3.org/2010/xmldsig2#xml 		1.1 tests
Required External Binary Data
http://www.w3.org/2010/xmldsig2#binaryExternal 		1.1 tests
Required Selection of Binary Data within XML
http://www.w3.org/2010/xmldsig2#binaryfromBase64
Verification
Optional DigestDataLength
http://www.w3.org/2010/xmldsig2#DigestDataLength
Optional PositionAssertion
http://www.w3.org/2010/xmldsig2#PositionAssertion
Optional IDAttributes
http://www.w3.org/2010/xmldsig2#IDAttributes
Canonicalization
Required Canonical XML 1.0 (omits comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315 1.1 tests
Required Canonical XML 1.1 (omits comments) http://www.w3.org/2006/12/xml-c14n11 1.1 tests for c14n, but unknown if the test is inclusive or exclusive
Required Exclusive XML Canonicalization 1.0 (omits comments) http://www.w3.org/2001/10/xml-exc-c14n# 1.1 tests for c14n, but unknown if the test omits comments
Recommended Canonical XML 1.0 with Comments http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Recommended Canonical XML 1.1 with Comments http://www.w3.org/2006/12/xml-c14n11#WithComments
Recommended Exclusive XML Canonicalization 1.0 with Comments http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Transform
Required base64
http://www.w3.org/2000/09/xmldsig#base64
Required Enveloped Signature
http://www.w3.org/2000/09/xmldsig#enveloped-signature
Recommended XPath http://www.w3.org/TR/1999/REC-xpath-19991116 1.1 tests
Recommended XPath Filter 2.0 http://www.w3.org/2002/06/xmldsig-filter2
Optional XSLT
http://www.w3.org/TR/1999/REC-xslt-19991116
Core Validation Interoperability (4.3)
Verify:
  1. Capability to check each Reference to to see if the data object matches with the expected data object.
  2. The cryptographic signature validation of the signature calculated over SignedInfo.
  3. Reference validation, the verification of the digest contained in each Reference in SignedInfo.
Algorithms (Message Digests)
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-MessageDigests

10.1.1 SHA-1 1.1 Tests

10.1.2 SHA-256 1.1 Tests

10.1.3 SHA-384 1.1 Tests

10.1.4 SHA-512 1.1 Tests
Algorithms ( Message Authentication Codes )
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-MACs

10.2.1 HMAC 1.1 Tests
Algorithms ( Signature Algorithms)
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-SignatureAlg

10.3.1 DSA 1.1 Tests

10.3.2 RSA (PKCS#1 v1.5) 1.1 Tests

10.3.3 ECDSA 1.1 Tests
Algorithms (Canonicalization Algorithms)
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-c14nAlg-2.0

10.4.1 Canonical XML 2.0
Algorithms (The Transform Algorithm)
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-20/#sec-Transforms-2.0

10.5 The Transform Algorithm

Streaming Profile

Section Specification 1.1 Tests Needs Development
XML Signature Streaming Profile of XPath 1.0
http://www.w3.org/2008/xmlsec/Drafts/xmldsig-xpath/
2. Streamable One pass Streaming Needs Development

 

 

XML Signature Syntax and Processing Version 1.1 Test cases
http://www.w3.org/TR/xmldsig-core1/

SPECIFICATIONS 1.1
http://www.w3.org/TR/xmldsig-core1/

Test Cases for C14N 1.1 and XMLDSig Interoperability
http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html

Test Cases:
http://www.w3.org/TR/2008/NOTE-xmldsig2ed-tests-20080610/

 1.1 tests
http://www.w3.org/2008/xmlsec/wiki/Interop
3. Processing Rules

3.1 Signature Generation

3.1.1 Reference Generation

3.1.2 Signature Generation

     3.3 Test Cases for XMLDSig
        3.3.1 Test Cases for C14N 1.1 in XMLDSig
        3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms
        3.3.3 Test Cases on schema based XPointers and canonicalization
        3.3.4 Test Cases on String encoding of Distinguished Names
            3.3.4.1 Test Cases on differences identified in RFC 2253 and RFC 4514
                3.3.4.1.1 Test case xmldsig/dname/diffRFCs-1
                3.3.4.1.2 Test case xmldsig/dname/diffRFCs-2
                3.3.4.1.3 Test case xmldsig/dname/diffRFCs-3
                3.3.4.1.4 Test case xmldsig/dname/diffRFCs-4
                3.3.4.1.5 Test case xmldsig/dname/diffRFCs-5
            3.3.4.2 Test Cases for RFC 4514
                3.3.4.2.1 Test case xmldsig/dname/dnString-4
                3.3.4.2.2 Test case xmldsig/dname/dnString-6
                3.3.4.2.3 Test case xmldsig/dname/dnString-8

3.2 Core Validation

3.2.1 Reference Validation

3.2.2 Signature Validation
 
4. Core Signature Syntax

4.1 The ds:CryptoBinary Simple Type

 Not referenced

4.2 The Signature element

 All DSig

4.3 The SignatureValue Element

4.4 The SignedInfo Element

4.5 The KeyInfo Element

4.5.1 The KeyName Element
4.5.2 The KeyValue Element

4.5.2.1 The DSAKeyValue Element
4.5.2.2 The RSAKeyValue Element
 

 
 
  4.5.2.3 The ECKeyValue Element

4.5.2.3.1 Explicit Curve Parameters
4.5.2.3.2 Compatibility with RFC 4050

4.5.3 The RetrievalMethod Element

 

XML Security 1.1 Core: Elliptic Curve algorithms

Various combinations of the following

  • Digest algorithm - SHA1/256/384/512
  • Signature algorithm - ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512)
  • Canonicalization algorithm - C14N 1.0, Exc C14N 1.0
  • KeyInfo format - RFC 4050 style ECDSA KeyValue, XML signature 1.1 style ECKeyValue

Microsoft's test vectors - 48 files

  • 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
  • 12 files: All of the above but with Exclusive C14N 1.0
  • 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), XML Signature 1.1 ECKeyValue
  • 12 files: All of the above but with Exclusive C14N 1.0

Oracle's test vectors - 18 files

  • 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
  • 12 files: all of the above XML Signature 1.1 ECKeyValue


Interop status

  • Partipants: Oracle, Microsoft
  • Each participant has verified all of these files.

XML Security 1.1 Core: Other items

  • AES Keywrap with padding (XML Encryption) RFC 5649
  • OCSP - add and read OCSP information successfully (Sun?)
  • DEREncodedKeyValue (Sun?)
  • RFC4050 compatibility (4.4.2.3.2) ? DONE
  • Required Exclusive C14N - note that implemented or interop? DONE
  • XPath 2.0

 

4.5.4 The X509Data Element

4.5.4.1 Distinguished Name Encoding Rules

4.5.5 The PGPData Element
4.5.6 The SPKIData Element
4.5.7 The MgmtData Element
4.5.8 XML Encryption EncryptedKey and DerivedKey Elements

4.5.9 The DEREncodedKeyValue Element
4.5.10 The KeyInfoReference Element

XML Encryption 1.1 Derived Keys

Test case 1: EncryptedData with content encryption key derived from shared secret. Key derivation method: ConcatKDF (http://www.w3.org/2009/xmlenc11#ConcatKDF).

Test case 2: EncryptedData with content encryption key derived from shared secret password. Key derivation method: PBKDF2 (http://www.w3.org/2009/xmlenc11#pbkdf2

4.6 The Object Element
5. Additional Signature Syntax

5.1 The Manifest Element

5.2 The SignatureProperties Element

5.3 Processing Instructions in Signature Elements

5.4 Comments in Signature Elements

6. Algorithms

6.1 Algorithm Identifiers and Implementation Requirements

6.2 Message Digests

6.2.1 SHA-1
6.2.2 SHA-256
6.2.3 SHA-384
6.2.4 SHA-512

 In Tests documented

6.3 Message Authentication Codes

6.4 Signature Algorithms

6.4.1 DSA
6.4.2 RSA (PKCShttp://www.w3.org/TR/xmldsig-core1/#1 v1.5)
6.4.3 ECDSA

         3.3.4 Test Cases on String encoding of Distinguished Names
            3.3.4.1 Test Cases on differences identified in RFC 2253 and RFC 4514
                3.3.4.1.1 Test case xmldsig/dname/diffRFCs-1
                3.3.4.1.2 Test case xmldsig/dname/diffRFCs-2
                3.3.4.1.3 Test case xmldsig/dname/diffRFCs-3
                3.3.4.1.4 Test case xmldsig/dname/diffRFCs-4
                3.3.4.1.5 Test case xmldsig/dname/diffRFCs-5
            3.3.4.2 Test Cases for RFC 4514
                3.3.4.2.1 Test case xmldsig/dname/dnString-4
                3.3.4.2.2 Test case xmldsig/dname/dnString-6
                3.3.4.2.3 Test case xmldsig/dname/dnString-8
 1.1 tests

6.5 Canonicalization Algorithms

6.5.1 Canonical XML 1.0
6.5.2 Canonical XML 1.1
6.5.3 Exclusive XML Canonicalization 1.0


3.2 Test Cases for Canonicalization 1.1
        3.2.1 Test Cases for xml:lang attribute
        3.2.2 Test Cases for xml:space attribute
        3.2.3 Test Cases for xml:id attribute
        3.2.4 Test Cases for xml:base attribute
            3.2.4.1 Test Cases for checking xml:base attribute propagation
                3.2.4.1.1 Test case c14n11/xmlbase-prop-1
                3.2.4.1.2 Test case c14n11/xmlbase-prop-2
                3.2.4.1.3 Test case c14n11/xmlbase-prop-3
                3.2.4.1.4 Test case c14n11/xmlbase-prop-4
                3.2.4.1.5 Test case c14n11/xmlbase-prop-5
                3.2.4.1.6 Test case c14n11/xmlbase-prop-6
                3.2.4.1.7 Test case c14n11/xmlbase-prop-7
            3.2.4.2 Test Cases for checking XML-C14N1.1 specification tests
                3.2.4.2.1 Test case c14n11/xmlbase-c14n11spec-102
                3.2.4.2.2 Test case c14n11/xmlbase-c14n11spec2-102
                3.2.4.2.3 Test case c14n11/xmlbase-c14n11spec3-103
        3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix

3.3.1 Test Cases for C14N 1.1 in XMLDSig

 

 

3.3.1 Test Cases for C14N 1.1 in XMLDSig
Tested in ECDSA

6.6 Transform Algorithms

6.6.1 Canonicalization
6.6.2 Base64
6.6.3 XPath Filtering
6.6.4 Enveloped Signature Transform
6.6.5 XSLT Transform


XML 1.1 Canonicalization Test case mapping

Canonical XML Version 1.1
W3C Recommendation 2 May 2008
http://www.w3.org/TR/xml-c14n11/

 http://www.w3.org/TR/2008/NOTE-xmldsig2ed-tests-20080610
  1. Data Model
    1. XPath 1.0 Recommendation [XPath] is used to represent the input XML
    2. F irst parameter of input to the XML canonicalization method is either an XPath node-set or an octet stream containing a well-formed XML document. 
    3. The second parameter of input to the XML canonicalization method is a boolean flag indicating whether or not comments should be included in the canonical form output by the XML canonicalization method.
    4. If an XML document must be converted to a node-set, XPath REQUIRES that an XML processor be used to create the nodes of its data model to fully represent the document.
    5. The input octet stream MUST contain a well-formed XML document, but the input need not be validated. 
    6. All whitespace within the root document element MUST be preserved (except for any #xD characters deleted by line delimiter normalization). This includes all whitespace in external entities. Whitespace outside of the root document element MUST be discarded.

3.2.1 Test Cases for xml:lang attribute
3.2.2 Test Cases for xml:space attribute
3.2.3 Test Cases for xml:id attribute
3.2.4 Test Cases for xml:base attribute
Document Order
  1. Document order is defined to be the order in which the first character of the XML representation of each node occurs in the XML representation of the document after expansion of general entities, except for namespace and attribute nodes whose document order is application-dependent.
3.2.4.2 Test Cases for checking XML-C14N1.1 specification tests
Processing Model
  1. The XPath node-set is converted into an octet stream, the canonical form, by generating the representative UCS characters for each node in the node-set in ascending document order, then encoding the result in UTF-8 (without a leading byte order mark).
  2. No node is processed more than once. 
  3. The text generated for a node is dependent on the node type and given in the following list:
    • Root Node- 
    • Element Nodes- 
      • Namespace Axis
      • Attribute Axis
    • Namespace Nodes
    • Attribute Nodes
    • Text Nodes
    • Processing Instruction (PI) Nodes
    • Comment Nodes

Does this apply to all test? What about tests for all node types in the list in the recommendation?

 3.2.4.1 Test Cases for checking xml:base attribute propagation
      3.2.4.1.1 Test case c14n11/xmlbase-prop-1
      3.2.4.1.2 Test case c14n11/xmlbase-prop-2
       3.2.4.1.3 Test case c14n11/xmlbase-prop-3
       3.2.4.1.4 Test case c14n11/xmlbase-prop-4
       3.2.4.1.5 Test case c14n11/xmlbase-prop-5
       3.2.4.1.6 Test case c14n11/xmlbase-prop-6
       3.2.4.1.7 Test case c14n11/xmlbase-prop-7
Document Subsets

3.2 Test Cases for Canonicalization 1.1
 The input for each of these test cases is an XML document and an XPath document subset expression. 

Test Cases for 1.1

Test Cases for C14N 1.1 and XMLDSig Interoperability Editor's Draft 15 April 2008
http://www.w3.org/2007/xmlsec/interop/xmlsig-interop-doc/testcases.html
3 Test Cases specification
3.1 Legacy XMLDSig Working Group Test Cases
3.2 Test Cases for Canonicalization 1.1

3.2.1 Test Cases for xml:lang attribute

3.2.2 Test Cases for xml:space attribute

3.2.3 Test Cases for xml:id attribute

3.2.4 Test Cases for xml:base attribute

3.2.4.1 Test Cases for checking xml:base attribute propagation

 3.2.4.1.1 Test case c14n11/xmlbase-prop-13.2.4.1.2 Test case c14n11/xmlbase-prop-2
3.2.4.1.3 Test case c14n11/xmlbase-prop-3
3.2.4.1.4 Test case c14n11/xmlbase-prop-4
3.2.4.1.5 Test case c14n11/xmlbase-prop-5
3.2.4.1.6 Test case c14n11/xmlbase-prop-6
3.2.4.1.7 Test case c14n11/xmlbase-prop-7

3.2.4.2 Test Cases for checking XML-C14N1.1 specification tests

3.2.4.2.1 Test case c14n11/xmlbase-c14n11spec-102
3.2.4.2.2 Test case c14n11/xmlbase-c14n11spec2-102
 3.2.4.2.3 Test case c14n11/xmlbase-c14n11spec3-103

3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix
3.3 Test Cases for XMLDSig

3.3.1 Test Cases for C14N 1.1 in XMLDSig

3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms

3.3.3 Test Cases on schema based XPointers and canonicalization

3.3.4 Test Cases on String encoding of Distinguished Names

3.3.4.1 Test Cases on differences identified in RFC 2253 and RFC 4514

3.3.4.1.1 Test case xmldsig/dname/diffRFCs-1
3.3.4.1.2 Test case xmldsig/dname/diffRFCs-2
3.3.4.1.3 Test case xmldsig/dname/diffRFCs-3
3.3.4.1.4 Test case xmldsig/dname/diffRFCs-4
3.3.4.1.5 Test case xmldsig/dname/diffRFCs-5

3.3.4.2 Test Cases for RFC 4514

3.3.4.2.1 Test case xmldsig/dname/dnString-4
3.3.4.2.2 Test case xmldsig/dname/dnString-6
3.3.4.2.3 Test case xmldsig/dname/dnString-8

 

Author: Gerald Edgar

Date: Sept 26,2011
Date: July 17, 2011
Date: July 12, 2011
Date: June 4, 2011
Date: May 23, 2011