XML Signature 1.1 Interop Test Report

This document is the interop report for new features introduced in XML Signature 1.1. It includes the test cases and test results for these new features. It does not replicate interop testing performed for features retained from XML Signature 1.0.

Elliptic Curve Algorithms (Interop testing completed)

Summary of Changes

Add Elliptic Curve signature algorithms: ECDSA-SHA1 (OPTIONAL), ECDSA-SHA224 (OPTIONAL), ECDSA-SHA256 (REQUIRED), ECDSA-SHA384 (OPTIONAL), and ECDSA-SHA512 (OPTIONAL)
Add new KeyInfo child element - ECKeyValue (includes ECParameters)
Added profile of RFC 4050 with respect to ECDSA key formats.

Elliptic Curve Test Cases (not including SHA-224)

Various combinations of the following

Digest algorithm - SHA1/256/384/512
Signature algorithm - ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512)
Canonicalization algorithm - C14N 1.0, Exc C14N 1.0
KeyInfo format - RFC 4050 style ECDSA KeyValue, XML signature 1.1 style ECKeyValue

Microsoft's test vectors - 48 files

12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
12 files: All of the above but with Exclusive C14N 1.0
12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), XML Signature 1.1 ECKeyValue
12 files: All of the above but with Exclusive C14N 1.0

Oracle's test vectors - 18 files

12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
12 files: all of the above XML Signature 1.1 ECKeyValue

Elliptic Curve Test Results (not including SHA-224)

Partipants: Oracle, Microsoft
Each participant has verified all of these files.

See test file directory.

Signature Algorithm	Digest	Canonicalization	ECKeyValue	Microsoft	Oracle
ECDSA (P256/P384/P521] with	SHA-1	Excl C14N	ECKeyValue	Y	Y
ECDSA (P256/P384/P521] with	SHA-256	Excl C14N	ECKeyValue	Y	Y
ECDSA (P256/P384/P521] with	SHA-384	Excl C14N	ECKeyValue	Y	Y
ECDSA (P256/P384/P521] with	SHA-512	Excl C14N	ECKeyValue	Y	Y

Elliptic Curve SHA-224 Test Cases

The following are the SHA-224 tests:

Elliptic Curve SHA-224 Test Results

Signature Algorithm	Digest	Oracle	Apache Santuario (C++)
ECDSA (P256/P384/P521] with	SHA-224	Y	Y

SHA Algorithms (Interop testing completed)

Summary of Changes

Add digest algorithms: SHA224 (OPTIONAL), SHA256 (REQUIRED), SHA384 (OPTIONAL), SHA512 (OPTIONAL)
Add RSA signing algorithms: RSAwithSHA224 (OPTIONAL), RSAwithSHA256 (REQUIRED), RSAwithSHA384 (OPTIONAL),RSAwithSHA512 (OPTIONAL)
Add HMAC-SHA224 (OPTIONAL)
Changed HMAC-SHA256 to REQUIRED
Changed HMAC-SHA384, HMAC-SHA512 to RECOMMENDED (from OPTIONAL).
Discourage use of SHA-1 but allow it for compatibility
- SHA-1 use is DISCOURAGED (but support is still REQUIRED).
- Added text to SHA-1 to state that use is DISCOURAGED (but still REQUIRED).
- Added text to HMAC-SHA1 to state that use is DISCOURAGED
- Change so that DSAwithSHA1 is only REQUIRED as Signature algorithm for Signature verification, but is OPTIONAL for Signature generation. Previously it was REQUIRED for both.
- Added text to indicate that use of RSA-SHA1 and ECDSA-SHA1 is DISCOURAGED.

SHA Test Cases (not including SHA-224)

Various combinations of the following

Digest algorithm - SHA1/256/384/512
Signature algorithm - DSA-SHA1, RSA 1024/2048-SHA256/384/512, HMAC-SHA256/384/512
Canonicalization algorithm - C14N 1.0, C14N 1.1, Exc C14N 1.0

Sun's test vectors - 18 files

3 files: Digest = SHA1, Signature = HMAC-SHA256 / HMAC-SHA384 / HMAC-SHA512, Canonicalization = C14N 1.1
3 files: Digest = SHA1, Signature = RSA-SHA256 / RSA-SHA384 / RSA-SHA512, Canonicalization = C14N 1.1
3 files: Digest = SHA-256/ SHA-384 / SHA-512, Signature = RSA-SHA256, Canonicalization = C14N 1.1
9 files: All of the above repeated for C14n 1.0

Oracle's test vectors - 9 files (same as sun's, C14n 1.0 only)

3 files: Digest = SHA1, Signature = HMAC-SHA256 / HMAC-SHA384 / HMAC-SHA512, Canonicalization = C14N 1.0
3 files: Digest = SHA1, Signature = RSA-SHA256 / RSA-SHA384 / RSA-SHA512, Canonicalization = C14N 1.0
3 files: Digest = SHA-256/ SHA-384 / SHA-512, Signature = RSA-SHA256, CCanonicalization = C14N 1.0

Microsoft's test vectors - 14 files

2 files: Digest = SHA1, Signature = DSA-SHA1, Canonicalization = C14N1.0 / Exc C14N 1.0
4 files: Digest = SHA1, Signature = HMAC-SHA1/HMAC-SHA256/HMAC-SHA384/HMAC-SHA512, Canonicalization = Exc C14N 1.0
8 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = RSA2048-SHA1/RSA2048-SHA256/RSA2048-SHA384/RSA2048-SHA512, Canonicalization = C14n 1.0 / Exc C14N 1.0

HMAC key

All of Sun signatures are use "secret"
All of Oracle's signature use "testkey"
Microsoft's signatures use keys that are stored in the files secret-sha1.hmac, secret-sha256.hmac, secret-sha384.hmac, secret-sha512.hmac

SHA Test Results (not including SHA-224)

Participants: Oracle, Microsoft, Sun
Each participant has verified all of the files in the interop test directory. (except Microsoft not verifying C14N 1.1).

Digest	Signature	Canonicalization	Sun	Oracle
SHA-1	RSA-SHA256	C14N1.0	Y	Y
SHA-1	RSA-SHA384	C14N1.0	Y	Y
SHA-1	RSA-SHA512	C14N1.0	Y	Y
SHA-1	HMAC-SHA256	C14N1.0	Y	Y
SHA-1	HMAC-SHA384	C14N1.0	Y	Y
SHA-1	HMAC-SHA512	C14N1.0	Y	Y
SHA-384	RSA-SHA256	C14N1.0	Y	Y
SHA-512	RSA-SHA256	C14N1.0	Y	Y

SHA-224 Test Cases

SHA-224 Test Results

Digest	Signature	Oracle	Apache Santuario (C++)
SHA-224	RSA-SHA224	Y	Y
SHA-224	RSA-SHA256	Y	Y
SHA-224	HMAC-SHA224	Y	Y

`X509Data` Additions

Summary of Changes

Add dsig11:X509Digest to list of elements that may be included, to support reference via base64-encoded digest of a certificate

Note: X509Digest was added to correct issues with X509IssuerSerial.

`X509Data` Test Cases

X509Digest: https://www.w3.org/2008/xmlsec/Group/interop/xmldsig11/oracle/signature-enveloping-x509digest-rsa.xml

`X509Data` Test Results

Item	OpenSAML (Shibboleth)	Oracle
X509Digest	Y	Y

`KeyInfo` Additions

Summary of Changes

Add new DEREncodedKeyValue KeyInfo child element
Add sections on how to use additional KeyInfo child elements
- Describe use of XML Encryption EncryptedKey and DerivedKey Elements
- Add DEREncodedKeyValue - new representation for public keys
- Add KeyInfoReference - alternative to RetrievalMethod access to a KeyInfo element that does not require use of a Transform

`KeyInfo` Test Cases

DEREncodedKeyValue with ECKey: https://www.w3.org/2008/xmlsec/Group/interop/xmldsig11/oracle/signature-enveloping-derencoded-ec.xml
DEREncodedKeyValue with RSAKey: https://www.w3.org/2008/xmlsec/Group/interop/xmldsig11/oracle/signature-enveloping-derencoded-rsa.xml
KeyInfoReference: https://www.w3.org/2008/xmlsec/Group/interop/xmldsig11/oracle/signature-enveloping-keyinforeference-rsa.xml

`KeyInfo` Test Results

Item	Apache Santuario (C++)	OpenSAML (Shibboleth)	Oracle
`DEREncodedKeyValue` (both EC and RSA)	Y	U	Y
`KeyInfoReference`	U	Y	Y

Note: Same author for both Apache Santuario (C++) and OpenSAML (Shibboleth) implementations. In OpenSaml reproduced the X509Digest material by consuming the same keypair and successfully processing the KeyInfoReference after copying it into a SAML document.

`HMACOutputLength` verification

Summary of Changes

Added minimum output length for HMACOutputLength parameter in SignatureMethod.
Verify that signature is deemed invalid if HMacOutputLength truncation length is below the larger of (a) half the underlying hash algorithm's output length, and (b) 80 bits. Test that error generated for SHA-256 with truncation length is less than 128, e.g. 100 bits [[RFC4868]].

`HMACOutputLength` Test Cases

The following are test vectors for HMACOutputLength verification:

The first one is truncated to 40 bytes, so it should be rejected. The second one is not truncated at all, so it should be accepted.

`HMACOutputLength` Test Results

`HMACOutputLength`	Oracle	Apache Santuario (C++)
Truncated 40 (invalid)	Y	Y
Truncated 160 (valid)	Y	Y

Introduction

Elliptic Curve Algorithms (Interop testing completed)

Summary of Changes

Elliptic Curve Test Cases (not including SHA-224)

Elliptic Curve Test Results (not including SHA-224)

Elliptic Curve SHA-224 Test Cases

Elliptic Curve SHA-224 Test Results

SHA Algorithms (Interop testing completed)

Summary of Changes

SHA Test Cases (not including SHA-224)

SHA Test Results (not including SHA-224)

SHA-224 Test Cases

SHA-224 Test Results

`X509Data` Additions

Summary of Changes

`X509Data` Test Cases

`X509Data` Test Results

`KeyInfo` Additions

Summary of Changes

`KeyInfo` Test Cases

`KeyInfo` Test Results

`HMACOutputLength` verification

Summary of Changes

`HMACOutputLength` Test Cases

`HMACOutputLength` Test Results

Additional Algorithm additions and changes (previously interop tested)

Introduction

Elliptic Curve Algorithms (Interop testing completed)

Summary of Changes

Elliptic Curve Test Cases (not including SHA-224)

Elliptic Curve Test Results (not including SHA-224)

Elliptic Curve SHA-224 Test Cases

Elliptic Curve SHA-224 Test Results

SHA Algorithms (Interop testing completed)

Summary of Changes

SHA Test Cases (not including SHA-224)

SHA Test Results (not including SHA-224)

SHA-224 Test Cases

SHA-224 Test Results

X509Data Additions

Summary of Changes

X509Data Test Cases

X509Data Test Results

KeyInfo Additions

Summary of Changes

KeyInfo Test Cases

KeyInfo Test Results

HMACOutputLength verification

Summary of Changes

HMACOutputLength Test Cases

HMACOutputLength Test Results

Additional Algorithm additions and changes (previously interop tested)

`X509Data` Additions

`X509Data` Test Cases

`X509Data` Test Results

`KeyInfo` Additions

`KeyInfo` Test Cases

`KeyInfo` Test Results

`HMACOutputLength` verification

`HMACOutputLength` Test Cases

`HMACOutputLength` Test Results