Copyright © 2008 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.
This document is an editors' copy that has no official standing.
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.
1 Overview
2 Acknowledgements
3 Schema
3.1 Schema in
RELAX NG XML Syntax
3.2 Schema in
Relax NG Compact Syntax
4 References
The XML Signature specification [XMLDSIG] includes a normative XML schema and an informative DTD. Upon popular request, this Note includes a non-normative RELAX NG [RELAXNG] schema for the document format.
The schema presented in this Note was originally prepared by Joseph Reagle, then affiliated with W3C.
The schema included with this Note is also available as a separate XML file and in RELAX NG compact syntax.
<?xml version="1.0" encoding="UTF-8"?>
<grammar xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
<!--
Relax NG Grammar for XML Signatures
Namespace: http://www.w3.org/2000/09/xmldsig#
$Revision: 1.7 $ on $Date: 2008/07/16 18:04:37 $ by $Author: roessler $
Copyright 2001 The Internet Society and W3C (Massachusetts Institute
of Technology, Institut National de Recherche en Informatique et en
Automatique, Keio University). All Rights Reserved.
http://www.w3.org/Consortium/Legal/
This document is governed by the W3C Software License [1] as described
in the FAQ [2].
[1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
[2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
Constructed by hand from xmldsig-core-schema.xsd by
Norman.Walsh@marklogic.com on 5 May 2008.
Notes:
You must not use the RELAX NG DTD Compatibility features with this
grammar. DTD Compatibility features, ID type attributes, and
wildcard attributes are mutually exclusive.
The definition for the Signature element includes a SignatureType
pattern. The rest of the patterns are "inline". This is a matter of
style. I constructed only one "type" pattern as an example of the
style, not because it's significant in the Signature pattern.
-->
<start>
<ref name="Signature"/>
</start>
<!-- Start Signature -->
<define name="SignatureType">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<ref name="SignedInfo"/>
<ref name="SignatureValue"/>
<optional>
<ref name="KeyInfo"/>
</optional>
<zeroOrMore>
<ref name="Object"/>
</zeroOrMore>
</define>
<define name="Signature">
<element name="ds:Signature">
<ref name="SignatureType"/>
</element>
</define>
<define name="SignatureValue">
<element name="ds:SignatureValue">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<data type="base64Binary"/>
</element>
</define>
<!-- Start SignedInfo -->
<define name="SignedInfo">
<element name="ds:SignedInfo">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<ref name="CanonicalizationMethod"/>
<ref name="SignatureMethod"/>
<oneOrMore>
<ref name="Reference"/>
</oneOrMore>
</element>
</define>
<define name="CanonicalizationMethod">
<element name="ds:CanonicalizationMethod">
<attribute name="Algorithm">
<data type="anyURI"/>
</attribute>
<zeroOrMore>
<choice>
<text/>
<ref name="anyElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="SignatureMethod">
<element name="ds:SignatureMethod">
<attribute name="Algorithm">
<data type="anyURI"/>
</attribute>
<zeroOrMore>
<choice>
<text/>
<ref name="HMACOutputLength"/>
<ref name="anyOtherElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<!-- Start Reference -->
<define name="Reference">
<element name="ds:Reference">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<optional>
<attribute name="URI">
<data type="anyURI"/>
</attribute>
</optional>
<optional>
<attribute name="Type">
<data type="anyURI"/>
</attribute>
</optional>
<optional>
<ref name="Transforms"/>
</optional>
<ref name="DigestMethod"/>
<ref name="DigestValue"/>
</element>
</define>
<define name="Transforms">
<element name="ds:Transforms">
<oneOrMore>
<ref name="Transform"/>
</oneOrMore>
</element>
</define>
<define name="Transform">
<element name="ds:Transform">
<attribute name="Algorithm">
<data type="anyURI"/>
</attribute>
<zeroOrMore>
<choice>
<ref name="anyOtherElement"/>
<ref name="XPath"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="XPath">
<element name="ds:XPath">
<data type="string"/>
</element>
</define>
<!-- End Reference -->
<define name="DigestMethod">
<element name="ds:DigestMethod">
<attribute name="Algorithm">
<data type="anyURI"/>
</attribute>
<zeroOrMore>
<ref name="anyOtherElement"/>
</zeroOrMore>
</element>
</define>
<define name="DigestValue">
<element name="ds:DigestValue">
<ref name="DigestValueType"/>
</element>
</define>
<define name="DigestValueType">
<data type="base64Binary"/>
</define>
<!-- End SignedInfo -->
<!-- Start KeyInfo -->
<define name="KeyInfo">
<element name="ds:KeyInfo">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<zeroOrMore>
<choice>
<text/>
<ref name="KeyName"/>
<ref name="KeyValue"/>
<ref name="RetrievalMethod"/>
<ref name="X509Data"/>
<ref name="PGPData"/>
<ref name="SPKIData"/>
<ref name="MgmtData"/>
<ref name="anyOtherElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="KeyName">
<element name="ds:KeyName">
<data type="string"/>
</element>
</define>
<define name="MgmtData">
<element name="ds:MgmtData">
<data type="string"/>
</element>
</define>
<define name="KeyValue">
<element name="ds:KeyValue">
<zeroOrMore>
<choice>
<text/>
<ref name="DSAKeyValue"/>
<ref name="RSAKeyValue"/>
<ref name="anyOtherElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="RetrievalMethod">
<element name="ds:RetrievalMethod">
<attribute name="URI">
<data type="anyURI"/>
</attribute>
<optional>
<attribute name="Type">
<data type="anyURI"/>
</attribute>
</optional>
<optional>
<ref name="Transforms"/>
</optional>
</element>
</define>
<!-- Start X509Data -->
<define name="X509Data">
<element name="ds:X509Data">
<zeroOrMore>
<choice>
<ref name="X509IssuerSerial"/>
<ref name="X509SKI"/>
<ref name="X509SubjectName"/>
<ref name="X509Certificate"/>
<ref name="X509CRL"/>
<ref name="anyOtherElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="X509IssuerSerial">
<element name="ds:X509IssuerSerial">
<ref name="X509IssuerName"/>
<ref name="X509SerialNumber"/>
</element>
</define>
<define name="X509IssuerName">
<element name="ds:X509IssuerName">
<data type="string"/>
</element>
</define>
<define name="X509SerialNumber">
<element name="ds:X509SerialNumber">
<data type="integer"/>
</element>
</define>
<define name="X509SKI">
<element name="ds:X509SKI">
<data type="base64Binary"/>
</element>
</define>
<define name="X509SubjectName">
<element name="ds:X509SubjectName">
<data type="string"/>
</element>
</define>
<define name="X509Certificate">
<element name="ds:X509Certificate">
<data type="base64Binary"/>
</element>
</define>
<define name="X509CRL">
<element name="ds:X509CRL">
<data type="base64Binary"/>
</element>
</define>
<!-- End X509Data -->
<!-- Begin PGPData -->
<define name="PGPData">
<element name="ds:PGPData">
<choice>
<group>
<ref name="PGPKeyID"/>
<optional>
<ref name="PGPKeyPacket"/>
</optional>
<zeroOrMore>
<ref name="anyOtherElement"/>
</zeroOrMore>
</group>
<group>
<ref name="PGPKeyPacket"/>
<zeroOrMore>
<ref name="anyOtherElement"/>
</zeroOrMore>
</group>
</choice>
</element>
</define>
<define name="PGPKeyID">
<element name="ds:PGPKeyID">
<data type="base64Binary"/>
</element>
</define>
<define name="PGPKeyPacket">
<element name="ds:PGPKeyPacket">
<data type="base64Binary"/>
</element>
</define>
<!-- End PGPData -->
<!-- Begin SPKIData -->
<define name="SPKIData">
<element name="ds:SPKIData">
<oneOrMore>
<ref name="SPKISexp"/>
<zeroOrMore>
<ref name="anyOtherElement"/>
</zeroOrMore>
</oneOrMore>
</element>
</define>
<define name="SPKISexp">
<element name="ds:SPKISexp">
<data type="base64Binary"/>
</element>
</define>
<!-- End SPKIData -->
<!-- End KeyInfo -->
<!-- Start Object (Manifest, SignatureProperty) -->
<define name="Object">
<element name="ds:Object">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<optional>
<attribute name="MimeType">
<data type="string"/>
</attribute>
</optional>
<optional>
<attribute name="Encoding">
<data type="anyURI"/>
</attribute>
</optional>
<zeroOrMore>
<choice>
<ref name="anyElement"/>
<text/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="Manifest">
<element name="ds:Manifest">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<oneOrMore>
<ref name="Reference"/>
</oneOrMore>
</element>
</define>
<define name="SignatureProperties">
<element name="ds:SignatureProperties">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<oneOrMore>
<ref name="SignatureProperty"/>
</oneOrMore>
</element>
</define>
<define name="SignatureProperty">
<element name="ds:SignatureProperty">
<optional>
<attribute name="Id">
<data type="ID"/>
</attribute>
</optional>
<attribute name="Target">
<data type="anyURI"/>
</attribute>
<oneOrMore>
<ref name="anyOtherElement"/>
</oneOrMore>
</element>
</define>
<!-- End Object (Manifest, SignatureProperty) -->
<!-- Start Algorithm Parameters -->
<define name="HMACOutputLength">
<element name="ds:HMACOutputLength">
<data type="integer"/>
</element>
</define>
<!-- Start KeyValue Element-types -->
<define name="DSAKeyValue">
<element name="ds:DSAKeyValue">
<optional>
<ref name="P"/>
<ref name="Q"/>
</optional>
<optional>
<ref name="G"/>
</optional>
<ref name="Y"/>
<optional>
<ref name="J"/>
</optional>
<optional>
<ref name="Seed"/>
<ref name="PgenCounter"/>
</optional>
</element>
</define>
<define name="P">
<element name="ds:P">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="Q">
<element name="ds:Q">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="G">
<element name="ds:G">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="Y">
<element name="ds:Y">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="J">
<element name="ds:J">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="Seed">
<element name="ds:Seed">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="PgenCounter">
<element name="ds:PgenCounter">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="CryptoBinary">
<data type="base64Binary"/>
</define>
<define name="RSAKeyValue">
<element name="ds:RSAKeyValue">
<ref name="Modulus"/>
<ref name="Exponent"/>
</element>
</define>
<define name="Modulus">
<element name="ds:Modulus">
<ref name="CryptoBinary"/>
</element>
</define>
<define name="Exponent">
<element name="ds:Exponent">
<ref name="CryptoBinary"/>
</element>
</define>
<!-- End KeyValue Element-types -->
<!-- End Signature -->
<!-- Definitions for the *any* wild card and the *any other* wildcard -->
<define name="anyAttribute">
<attribute>
<anyName/>
</attribute>
</define>
<define name="anyElement">
<element>
<anyName/>
<zeroOrMore>
<choice>
<ref name="anyAttribute"/>
<text/>
<ref name="anyElement"/>
</choice>
</zeroOrMore>
</element>
</define>
<define name="anyOtherElement">
<element>
<anyName>
<except>
<nsName ns="http://www.w3.org/2000/09/xmldsig#"/>
</except>
</anyName>
<zeroOrMore>
<choice>
<ref name="anyAttribute"/>
<text/>
<ref name="anyOtherElement"/>
</choice>
</zeroOrMore>
</element>
</define>
</grammar>
<!-- EOF -->
namespace ds = "http://www.w3.org/2000/09/xmldsig#"
# Relax NG Grammar for XML Signatures
# Namespace: http://www.w3.org/2000/09/xmldsig#
# $Revision: 1.7 $ on $Date: 2008/07/16 18:04:37 $ by $Author: roessler $
#
# Copyright 2001 The Internet Society and W3C (Massachusetts Institute
# of Technology, Institut National de Recherche en Informatique et en
# Automatique, Keio University). All Rights Reserved.
# http://www.w3.org/Consortium/Legal/
#
# This document is governed by the W3C Software License [1] as described
# in the FAQ [2].
#
# [1] http://www.w3.org/Consortium/Legal/copyright-software-19980720
# [2] http://www.w3.org/Consortium/Legal/IPR-FAQ-20000620.html#DTD
#
# Constructed by hand from xmldsig-core-schema.xsd by
# Norman.Walsh@marklogic.com on 5 May 2008.
#
# Notes:
#
# You must not use the RELAX NG DTD Compatibility features with this
# grammar. DTD Compatibility features, ID type attributes, and
# wildcard attributes are mutually exclusive.
#
# The definition for the Signature element includes a SignatureType
# pattern. The rest of the patterns are "inline". This is a matter of
# style. I constructed only one "type" pattern as an example of the
# style, not because it's significant in the Signature pattern.
start = Signature
# Start Signature
SignatureType =
attribute Id { xsd:ID }?,
SignedInfo,
SignatureValue,
KeyInfo?,
Object*
Signature = element ds:Signature {
SignatureType
}
SignatureValue = element ds:SignatureValue {
attribute Id { xsd:ID }?,
xsd:base64Binary
}
# Start SignedInfo
SignedInfo = element ds:SignedInfo {
attribute Id { xsd:ID }?,
CanonicalizationMethod,
SignatureMethod,
Reference+
}
CanonicalizationMethod = element ds:CanonicalizationMethod {
attribute Algorithm { xsd:anyURI },
(text | anyElement)*
}
SignatureMethod = element ds:SignatureMethod {
attribute Algorithm { xsd:anyURI },
(text | HMACOutputLength | anyOtherElement)*
}
# Start Reference
Reference = element ds:Reference {
attribute Id { xsd:ID }?,
attribute URI { xsd:anyURI }?,
attribute Type { xsd:anyURI }?,
Transforms?,
DigestMethod,
DigestValue
}
Transforms = element ds:Transforms {
Transform+
}
Transform = element ds:Transform {
attribute Algorithm { xsd:anyURI },
(anyOtherElement | XPath)*
}
XPath = element ds:XPath {
xsd:string
}
# End Reference
DigestMethod = element ds:DigestMethod {
attribute Algorithm { xsd:anyURI },
anyOtherElement*
}
DigestValue = element ds:DigestValue {
DigestValueType
}
DigestValueType = xsd:base64Binary
# End SignedInfo
# Start KeyInfo
KeyInfo = element ds:KeyInfo {
attribute Id { xsd:ID }?,
(text | KeyName | KeyValue
| RetrievalMethod | X509Data | PGPData | SPKIData | MgmtData
| anyOtherElement)*
}
KeyName = element ds:KeyName { xsd:string }
MgmtData = element ds:MgmtData { xsd:string }
KeyValue = element ds:KeyValue {
(text | DSAKeyValue | RSAKeyValue | anyOtherElement)*
}
RetrievalMethod = element ds:RetrievalMethod {
attribute URI { xsd:anyURI },
attribute Type { xsd:anyURI }?,
Transforms?
}
# Start X509Data
X509Data = element ds:X509Data {
(X509IssuerSerial | X509SKI | X509SubjectName | X509Certificate | X509CRL
| anyOtherElement)*
}
X509IssuerSerial = element ds:X509IssuerSerial {
X509IssuerName,
X509SerialNumber
}
X509IssuerName = element ds:X509IssuerName { xsd:string }
X509SerialNumber = element ds:X509SerialNumber { xsd:integer }
X509SKI = element ds:X509SKI { xsd:base64Binary }
X509SubjectName = element ds:X509SubjectName { xsd:string }
X509Certificate = element ds:X509Certificate { xsd:base64Binary }
X509CRL = element ds:X509CRL { xsd:base64Binary }
# End X509Data
# Begin PGPData
PGPData = element ds:PGPData {
((PGPKeyID,PGPKeyPacket?,anyOtherElement*)
| (PGPKeyPacket,anyOtherElement*))
}
PGPKeyID = element ds:PGPKeyID { xsd:base64Binary }
PGPKeyPacket = element ds:PGPKeyPacket { xsd:base64Binary }
# End PGPData
# Begin SPKIData
SPKIData = element ds:SPKIData {
(SPKISexp,anyOtherElement*)+
}
SPKISexp = element ds:SPKISexp { xsd:base64Binary }
# End SPKIData
# End KeyInfo
# Start Object (Manifest, SignatureProperty)
Object = element ds:Object {
attribute Id { xsd:ID }?,
attribute MimeType { xsd:string }?,
attribute Encoding { xsd:anyURI }?,
(anyElement|text)*
}
Manifest = element ds:Manifest {
attribute Id { xsd:ID }?,
Reference+
}
SignatureProperties = element ds:SignatureProperties {
attribute Id { xsd:ID }?,
SignatureProperty+
}
SignatureProperty = element ds:SignatureProperty {
attribute Id { xsd:ID }?,
attribute Target { xsd:anyURI },
anyOtherElement+
}
# End Object (Manifest, SignatureProperty)
# Start Algorithm Parameters
HMACOutputLength = element ds:HMACOutputLength {
xsd:integer
}
# Start KeyValue Element-types
DSAKeyValue = element ds:DSAKeyValue {
(P,Q)?, G?, Y, J?, (Seed, PgenCounter)?
}
P = element ds:P { CryptoBinary }
Q = element ds:Q { CryptoBinary }
G = element ds:G { CryptoBinary }
Y = element ds:Y { CryptoBinary }
J = element ds:J { CryptoBinary }
Seed = element ds:Seed { CryptoBinary }
PgenCounter = element ds:PgenCounter { CryptoBinary }
CryptoBinary = xsd:base64Binary
RSAKeyValue = element ds:RSAKeyValue {
Modulus,
Exponent
}
Modulus = element ds:Modulus { CryptoBinary }
Exponent = element ds:Exponent { CryptoBinary }
# End KeyValue Element-types
# End Signature
# Definitions for the *any* wild card and the *any other* wildcard
anyAttribute = attribute * { text }
anyElement = element * { (anyAttribute | text | anyElement)* }
anyOtherElement = element * - ds:* { (anyAttribute | text | anyOtherElement)* }
# EOF