AdditionalSignature11TestCases

From XML Security WG Wiki

Open XML Signature 1.1 interop test items

XML Signature CR draft

Draft XML Signature 1.1 Interop Test Report

  1. X509Data: Support revocation checking by adding dsig11:OCSPResponse to list of elements that may be included in the KeyInfo X509Data element
    Incorporate OCSPResponse as a child of X509Data: recognize it, extract its content, and parse the base64-encoded OCSP response (DER encoding) in the following two cases.
    test 1: validate a signature for which the corresponding certificate is indicated as revoked in the OCSPResponse element, and report verification failure
    test 2: validate a signature for which the corresponding certificate is indicated as valid in the OCSPResponse element, and report verification success
  2. X509Data: Add dsig11:X509Digest to list of elements that may be included, to support reference via base64-encoded digest of a certificate
    Incorporate dsig11:X509Digest as a child of X509Data: recognize it, extract its content, parse the base64-encoded digest of the certificate, and use the corresponding certificate in signature validation.
  3. KeyInfo: Add new DEREncodedKeyValue KeyInfo child element
    Recognize DEREncodedKeyValue as a child of KeyInfo (not of X509Data or KeyValue), extract the base64-encoded DER public key in the form it would take in a certificate's Subject Public Key field, and use it to validate the signature.
  4. KeyInfo: Enable use of XML Encryption EncryptedKey and DerivedKey Elements
    Recognize and parse the element, obtain the key, and use it to validate the signature: test 1 for EncryptedKey, test 2 for DerivedKey.
  5. KeyInfo: Add KeyInfoReference - alternative to RetrievalMethod access to a KeyInfo element that does not require use of a Transform
    Recognize the presence of a KeyInfoReference element as a child of KeyInfo, parse and dereference it to obtain a different KeyInfo element, and process that element to obtain the key information needed to validate the signature. Perform two tests: one with the additional KeyInfo in the same document, one with it in a separate document retrieved from the web.
  6. Added minimum output length for HMACOutputLength parameter in SignatureMethod
    Verify that a signature is deemed invalid if the HMACOutputLength truncation length is below the larger of (a) half the underlying hash algorithm's output length and (b) 80 bits. Test that an error is generated for SHA-256 with a truncation length less than 128 bits, e.g. 100 bits.
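As an added example for item 6 (not taken from the WG page or from any interop participant's implementation), a Python verifier-side check: it derives the minimum HMACOutputLength as the larger of half the hash output and 80 bits, rejects a SignatureMethod whose parameter is below that minimum (or above the hash length, an extra assumption here) before any MAC comparison, and otherwise truncates the MAC to the leftmost bits. The URI-to-hash table and the zero-fill convention for lengths that are not a multiple of 8 are this example's own assumptions.

```python
import hashlib
import hmac

# Hash output size in bits per HMAC SignatureMethod URI: hmac-sha1 from the
# XML Signature core namespace, the SHA-2 variants from RFC 4051's xmldsig-more.
HMAC_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1": ("sha1", 160),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha224": ("sha224", 224),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": ("sha256", 256),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384": ("sha384", 384),
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512": ("sha512", 512),
}

def minimum_hmac_output_length(hash_bits):
    """Smallest HMACOutputLength a verifier may accept: max(half the hash output, 80 bits)."""
    return max(hash_bits // 2, 80)

def hmac_output_length_is_valid(algorithm_uri, output_length):
    """True if HMACOutputLength (None = parameter absent, full MAC) is acceptable."""
    _, hash_bits = HMAC_ALGORITHMS[algorithm_uri]
    if output_length is None:
        return True
    return minimum_hmac_output_length(hash_bits) <= output_length <= hash_bits

def truncated_hmac(algorithm_uri, key, data, output_length):
    """Leftmost output_length bits of the MAC; when the length is not a multiple of 8,
    the unused low bits of the last byte are zeroed (this example's convention)."""
    name, _ = HMAC_ALGORITHMS[algorithm_uri]
    mac = hmac.new(key, data, name).digest()
    if output_length is None:
        return mac
    nbytes = (output_length + 7) // 8
    out = bytearray(mac[:nbytes])
    spare_bits = nbytes * 8 - output_length
    if spare_bits:
        out[-1] &= (0xFF << spare_bits) & 0xFF
    return bytes(out)

def verify_hmac_signature(algorithm_uri, key, signed_info, signature_value, output_length=None):
    """Reject a below-minimum HMACOutputLength before any MAC work, then compare in constant time."""
    if algorithm_uri not in HMAC_ALGORITHMS:
        return False
    if not hmac_output_length_is_valid(algorithm_uri, output_length):
        return False  # e.g. hmac-sha256 with HMACOutputLength=100 is rejected here
    expected = truncated_hmac(algorithm_uri, key, signed_info, output_length)
    return hmac.compare_digest(expected, signature_value)
```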