XML Signature 1.1 Interop Test Report (original) (raw)
Abstract
This document is the interop report for new features introduced in XML Signature 1.1. It includes the test cases and test results for these new features. It does not replicate interop testing performed for features retained from XML Signature 1.0.
Status of This Document
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
This document records the results of interop testing using the test cases referenced in this document. The Working Group has successfully completed interop testing but expects to update the references section of this document when XML Signature 1.1 advances to Recommendation.
This document was published by the XML Security Working Group as a First Public Working Group Note. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe,archives). All feedback is welcome.
Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by a group operating under the 5 February 2004 W3C Patent Policy.W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes containsEssential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
Table of Contents
- 1. Introduction
- 2. Elliptic Curve Algorithms (Interop testing completed)
- 3. SHA Algorithms (Interop testing completed)
- 4. X509Data Additions
- 5. KeyInfo Additions
- 6. HMACOutputLength verification
- 7. Additional Algorithm additions and changes (previously interop tested)
- A. References
1. Introduction
This document summarizes interop tests and the test results for new features introduced in XML Signature 1.1 [XMLDSIG-CORE1]. Changes to XML Signature introduced in XML Signature 1.1 are summarized in a detailed change explanation document [XMLDSIG-CORE1-CHGS].
Tests that are marked 'Y' are completed, 'U' means 'untested' and should not be taken to make a statement about the implementation (as testing may simply not have been performed for interop due to timing or other reasons).
2. Elliptic Curve Algorithms (Interop testing completed)
2.1 Summary of Changes
- Add Elliptic Curve signature algorithms:
ECDSA-SHA1(optional),ECDSA-SHA224(optional),ECDSA-SHA256(required),ECDSA-SHA384(optional), andECDSA-SHA512(optional) - Add new KeyInfo child element -
ECKeyValue(includesECParameters) - Added profile of RFC 4050 with respect to ECDSA key formats.
2.2 Elliptic Curve Test Cases (not including SHA-224)
Various combinations of the following
- Digest algorithm - SHA1/256/384/512
- Signature algorithm - ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512)
- Canonicalization algorithm - C14N 1.0, Exc C14N 1.0
- KeyInfo format - RFC 4050 style ECDSA KeyValue, XML signature 1.1 style ECKeyValue
Microsoft's test vectors - 48 files
- 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
- 12 files: All of the above but with Exclusive C14N 1.0
- 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), XML Signature 1.1 ECKeyValue
- 12 files: All of the above but with Exclusive C14N 1.0
Oracle's test vectors - 18 files
- 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
- 12 files: all of the above XML Signature 1.1 ECKeyValue
2.3 Elliptic Curve Test Results (not including SHA-224)
- Participants: Oracle, Microsoft
- Each participant has verified all of these files.
See test file directory.
| Signature Algorithm | Digest | Canonicalization | ECKeyValue | Microsoft | Oracle |
|---|---|---|---|---|---|
| ECDSA (P256/P384/P521] with | SHA-1 | Excl C14N | ECKeyValue | Y | Y |
| ECDSA (P256/P384/P521] with | SHA-256 | Excl C14N | ECKeyValue | Y | Y |
| ECDSA (P256/P384/P521] with | SHA-384 | Excl C14N | ECKeyValue | Y | Y |
| ECDSA (P256/P384/P521] with | SHA-512 | Excl C14N | ECKeyValue | Y | Y |
2.4 Elliptic Curve SHA-224 Test Cases
The following are the SHA-224 tests:
- <interop/xmldsig11/oracle/signature-enveloping-p256%5Fsha224.xml>
- <interop/xmldsig11/oracle/signature-enveloping-p384%5Fsha224.xml>
- <interop/xmldsig11/oracle/signature-enveloping-p521%5Fsha224.xml>
2.5 Elliptic Curve SHA-224 Test Results
| Signature Algorithm | Digest | Oracle | Apache Santuario (C++) |
|---|---|---|---|
| ECDSA (P256/P384/P521] with | SHA-224 | Y | Y |
3. SHA Algorithms (Interop testing completed)
3.1 Summary of Changes
- Add digest algorithms:
SHA224(optional),SHA256(required),SHA384(optional),SHA512(optional) - Add RSA signing algorithms:
RSAwithSHA224(optional),RSAwithSHA256(required),RSAwithSHA384(optional),RSAwithSHA512(optional) - Add
HMAC-SHA224(optional) - Changed
HMAC-SHA256to required - Changed
HMAC-SHA384,HMAC-SHA512to_recommended_ (from optional). - Discourage use of
SHA-1but allow it for compatibilitySHA-1use is DISCOURAGED (but support is still required).- Added text to
SHA-1to state that use is DISCOURAGED (but still required). - Added text to
HMAC-SHA1to state that use is DISCOURAGED - Change so that
DSAwithSHA1is only required as Signature algorithm for Signature verification, but is optional for Signature generation. Previously it was required for both. - Added text to indicate that use of
RSA-SHA1andECDSA-SHA1is DISCOURAGED.
3.2 SHA Test Cases (not including SHA-224)
Various combinations of the following
- Digest algorithm - SHA1/256/384/512
- Signature algorithm - DSA-SHA1, RSA 1024/2048-SHA256/384/512, HMAC-SHA256/384/512
- Canonicalization algorithm - C14N 1.0, C14N 1.1, Exc C14N 1.0
Sun's test vectors - 18 files
- 3 files: Digest = SHA1, Signature = HMAC-SHA256 / HMAC-SHA384 / HMAC-SHA512, Canonicalization = C14N 1.1
- 3 files: Digest = SHA1, Signature = RSA-SHA256 / RSA-SHA384 / RSA-SHA512, Canonicalization = C14N 1.1
- 3 files: Digest = SHA-256/ SHA-384 / SHA-512, Signature = RSA-SHA256, Canonicalization = C14N 1.1
- 9 files: All of the above repeated for C14n 1.0
Oracle's test vectors - 9 files (same as sun's, C14n 1.0 only)
- 3 files: Digest = SHA1, Signature = HMAC-SHA256 / HMAC-SHA384 / HMAC-SHA512, Canonicalization = C14N 1.0
- 3 files: Digest = SHA1, Signature = RSA-SHA256 / RSA-SHA384 / RSA-SHA512, Canonicalization = C14N 1.0
- 3 files: Digest = SHA-256/ SHA-384 / SHA-512, Signature = RSA-SHA256, CCanonicalization = C14N 1.0
Microsoft's test vectors - 14 files
- 2 files: Digest = SHA1, Signature = DSA-SHA1, Canonicalization = C14N1.0 / Exc C14N 1.0
- 4 files: Digest = SHA1, Signature = HMAC-SHA1/HMAC-SHA256/HMAC-SHA384/HMAC-SHA512, Canonicalization = Exc C14N 1.0
- 8 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = RSA2048-SHA1/RSA2048-SHA256/RSA2048-SHA384/RSA2048-SHA512, Canonicalization = C14n 1.0 / Exc C14N 1.0
HMAC key
- All of Sun signatures are use "secret"
- All of Oracle's signature use "testkey"
- Microsoft's signatures use keys that are stored in the files secret-sha1.hmac, secret-sha256.hmac, secret-sha384.hmac, secret-sha512.hmac
3.3 SHA Test Results (not including SHA-224)
- Partipants: Oracle, Microsoft, Sun
- Each participant has verified all of the files in the interop test directory. (except Microsoft not verifying C14N 1.1).
| Digest | Signature | Canonicalization | Sun | Oracle |
|---|---|---|---|---|
| SHA-1 | RSA-SHA256 | C14N1.0 | Y | Y |
| SHA-1 | RSA-SHA384 | C14N1.0 | Y | Y |
| SHA-1 | RSA-SHA512 | C14N1.0 | Y | Y |
| SHA-1 | HMAC-SHA256 | C14N1.0 | Y | Y |
| SHA-1 | HMAC-SHA384 | C14N1.0 | Y | Y |
| SHA-1 | HMAC-SHA512 | C14N1.0 | Y | Y |
| SHA-384 | RSA-SHA256 | C14N1.0 | Y | Y |
| SHA-512 | RSA-SHA256 | C14N1.0 | Y | Y |
3.4 SHA-224 Test Cases
- <interop/xmldsig11/oracle/signature-enveloping-hmac-sha224.xml>
- <interop/xmldsig11/oracle/signature-enveloping-rsa-sha224.xml>
- <interop/xmldsig11/oracle/signature-enveloping-sha224-rsa%5Fsha256.xml>
3.5 SHA-224 Test Results
| Digest | Signature | Oracle | Apache Santuario (C++) |
|---|---|---|---|
| SHA-224 | RSA-SHA224 | Y | Y |
| SHA-224 | RSA-SHA256 | Y | Y |
| SHA-224 | HMAC-SHA224 | Y | Y |
4. X509Data Additions
4.1 Summary of Changes
- Add
dsig11:X509Digestto list of elements that may be included, to support reference via base64-encoded digest of a certificate
Note: X509Digest was added to correct issues with X509IssuerSerial.
4.2 X509Data Test Cases
X509Digest: <interop/xmldsig11/oracle/signature-enveloping-x509digest-rsa.xml>
4.3 X509Data Test Results
| Item | OpenSAML (Shibboleth) | Oracle |
|---|---|---|
| X509Digest | Y | Y |
5. KeyInfo Additions
5.1 Summary of Changes
- Add new
DEREncodedKeyValueKeyInfo child element - Add sections on how to use additional
KeyInfochild elements- Describe use of XML Encryption
EncryptedKeyandDerivedKeyElements - Add
DEREncodedKeyValue- new representation for public keys - Add
KeyInfoReference- alternative toRetrievalMethodaccess to aKeyInfoelement that does not require use of aTransform
- Describe use of XML Encryption
5.2 KeyInfo Test Cases
DEREncodedKeyValuewith ECKey:<interop/xmldsig11/oracle/signature-enveloping-derencoded-ec.xml>DEREncodedKeyValuewith RSAKey: <interop/xmldsig11/oracle/signature-enveloping-derencoded-rsa.xml>KeyInfoReference: <interop/xmldsig11/oracle/signature-enveloping-keyinforeference-rsa.xml>
5.3 KeyInfo Test Results
| Item | Apache Santuario (C++) | OpenSAML (Shibboleth) | Oracle |
|---|---|---|---|
| DEREncodedKeyValue (both EC and RSA) | Y | U | Y |
| KeyInfoReference | U | Y | Y |
Note: Same author for both Apache Santuario (C++) and OpenSAML (Shibboleth) implementations. In OpenSaml reproduced the X509Digestmaterial by consuming the same keypair and successfully processing theKeyInfoReference after copying it into a SAML document.
6. HMACOutputLength verification
6.1 Summary of Changes
- Added minimum output length for
HMACOutputLengthparameter inSignatureMethod.
Verify that signature is deemed invalid ifHMacOutputLengthtruncation length is below the larger of (a) half the underlying hash algorithm's output length, and (b) 80 bits. Test that error generated for SHA-256 with truncation length is less than 128, e.g. 100 bits [RFC4868].
6.2 HMACOutputLength Test Cases
The following are test vectors for HMACOutputLength verification:
- <interop/xmldsig11/oracle/signature-enveloping-hmac-sha1-truncated40.xml>
- <interop/xmldsig11/oracle/signature-enveloping-hmac-sha1-truncated160.xml>
The first one is truncated to 40 bytes, so it should be rejected. The second one is not truncated at all, so it should be accepted.
6.3 HMACOutputLength Test Results
| HMACOutputLength | Oracle | Apache Santuario (C++) |
|---|---|---|
| Truncated 40 (invalid) | Y | Y |
| Truncated 160 (valid) | Y | Y |
7. Additional Algorithm additions and changes (previously interop tested)
The following algorithms were added or changed in XML Signature 1.1 but were not included in this round of interop testing as they have been previously tested during the development of the corresponding W3C Recommendations:
- Add Exclusive XML Canonicalization 1.0 (omits comments) required. Tested with development of [XML-EXC-C14N].
- Add Exclusive XML Canonicalization 1.0 (with Comments)recommended. Tested with development of [XML-EXC-C14N].
- Add XPath Filter 2.0 as recommended transform algorithm. (alternative to URI fragment identifiers). Tested with development of [XMLDSIG-XPATH-FILTER2].
- Changed DSA and RSA KeyValue formats to required from recommended. Tested with development of [XMLDSIG-CORE].
A. References
A.1 Informative references
[RFC4868]
S. Kelly, S. Frankel. Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec IETF RFC 4868. May 2007. URL: http://www.ietf.org/rfc/rfc4868.txt
[XML-EXC-C14N]
Donald E. Eastlake 3rd; Joseph Reagle; John Boyer. Exclusive XML Canonicalization Version 1.0. 18 July 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
[XMLDSIG-CORE]
Joseph Reagle; et al. XML Signature Syntax and Processing (Second Edition). 10 June 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610
[XMLDSIG-CORE1]
D. Eastlake, J. Reagle, D. Solo, F. Hirsch, T. Roessler, K. Yiu. XML Signature Syntax and Processing Version 1.1. 18 October 2012. W3C Last Call Working Draft. (Work in progress) URL: http://www.w3.org/TR/2012/WD-xmldsig-core1-20121018/
[XMLDSIG-CORE1-CHGS]
Frederick Hirsch. Functional Explanation of Changes in XML Signature 1.1. 18 October 2012. W3C Working Group Note. URL: http://www.w3.org/TR/2012/NOTE-xmldsig-core1-explain-20121018/
[XMLDSIG-XPATH-FILTER2]
Merlin Hughes; John Boyer; Joseph Reagle. XML-Signature XPath Filter 2.0. 8 November 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/