XML-Signature Interoperability [ascii]

Editors(s):: Ed Simon <ed.simon@entrust.com>; Joseph Reagle Jr. <reagle@w3.org>

This document describes the interoperability requirements over a features, operations, and requirements specified by the XML Signature Processing and Syntax specification as required by the charter and defined by IETF RFC2026:

4.1.2 Draft Standard A specification from which at least two independent and interoperable implementations from different code bases have been developed, and for which sufficient successful operational experience has been obtained, may be elevated to the "Draft Standard" level. For the purposes of this section, "interoperable" means to be functionally equivalent or interchangeable components of the system or process in which they are used.

Tests to satisfy this requirement should operate over the following (tenative) list of (mostly) MANDATORY operations (as based on the last call draft (20000228)) requirements and features:

Feature	Key Word	Implementation
Operation: `Reference` elements generation/validation	MUST
Feature: Detached Signature	MUST
Feature: Enveloped Signature	MUST
requires: XPath selector that drops `SignatureValue`	MUST
Feature: Enveloping Signature	MUST
requires: URI="#fragment"	MUST
Operation: `SignatureValue` generation/validation	MUST
Requirement: Signing parts of a document	MUST
requires requires: URI="#fragment" requires XPath support as specified	MUST SHOULD
Feature: Minimal C14N	MUST
Feature: Canonical XML	SHOULD
Feature: KeyValue	MUST

As well as the following external algorithms:

Algorithm Type	Algorithm	Key Word	Implementation
Digest	SHA1	REQUIRED
Encoding	Base64	REQUIRED
Encoding	QuotedPrintable	RECOMMENDED
MAC	HMAC-SHA1	REQUIRED
Signature	DSAwithSHA1 (DSS)	REQUIRED
Signature	RSAwithSHA1	RECOMMENDED

Strategy

There are three deliverables involved in getting this rolling:

Test Vectors/Cases
1. scenarious FAQ as a very broad first step, but very far from complete or exhaustive (or the proper methodology)
Testing interface
1. a web/email interface that can run on top of an implemenation (e.g., Simon's example interface)
Implementations
1. propietary implementations with an open testing interface (be it exchanging examples in email, or someting like an auto-web/email responder).
2. open code

Short Term

Identify two implementors and ask them to commit to implementing the spec and doing interoperability testing until full interoperability is achieved.
- Regularly email each others' Toolkits to each other on a regular basis.
- Provide a Web email interface so the toolkits need not be revealed by tests can be run with different examples..

Long Term

If someone is going to provide a interface for pairwise testing, they might as well open up access to the public and commit to tracking the space to make it a 'semi-normative' implementation.

Example Interface

// Format the test case
String strXmlSignatureTestCase = 
"<XmlSignatureTestCase>" +
"<Sender>" +
"<Name>Acme Signatures Inc.</Name>" +
"<XmlSignatureAutoresponderUri>http://www.acmesigs.com/xmlsigautoresponder</
XmlSignatureAutoresponderUri>" +
"</Sender>" +
"<Description>Signature should verify</Description>" +
"<Signature xmlns=\"http://www.w3.org/2000/02/xmldsig#\">" +
"  ." +
"</Signature>" +
"<XmlSignatureTestCase>";

// Send the test case to the other org's autoresponder
URL urlAutoResponder = new URL("http://www.iotp.com/xmlsigautoresponder");
URLConnection urlconAutoResponder = u.openConnection();
urlconAutoResponder.getOutputStream().write(strXmlSignatureTestCase );

// Get the result from the other org's autoresponder
String strTestResult = urlconAutoResponder.getInputStream().read();

// Process result
process(strTestResult);


The (pseudo) code on the server side might look like this  .

public class XmlSigInteroperabilityServlet extends HttpServlet { 
      private static String strTitle = "XML Signature InteroperabilityTester";
	private static XmlSigTester xst = null;
	public void init(ServletConfig sc) throws ServletException {
		super.init(sc);
		xst = new XmlSigTester();
    if (!xst.doInit().equals("SUCCESS")) {
      throw new UnavailableException(this, 
          "Could not initialize XmlSigTesterclass.");
    }
  }
  
  public void doPost (HttpServletRequest req,
  HttpServletResponse res, HttpSession httpsesn)
      throws ServletException, IOException, Exception {
    String strSignatureElement =req.getParameter("theXmlSignature").trim();
    String strVerificationStatus = "INCOMPLETE";
    try {
      strVerificationStatus = xst.verifySignature(strSignatureElement);
    } catch (Exception ex) {
      doPageError(req, res, ex, "The verification processing failed  .");
    }
   
    StringBuffer htmlOutput = new StringBuffer(
        "<HTML>" +
        "<HEAD>" +
        "<TITLE>" + strTitle + "</TITLE>" +
        "</HEAD>" +
        "<BODY>" +
        "<H1>" + strTitle + "</H1>" +
        "<H2>Verification parameters</H2>" +
        "<H3>Signature received from sender</H3>" +
        "<TEXTAREA name=\"theXmlSignature\" rows=\"20\" cols=\"120\">\n" +
        strSignatureElement +
        "</TEXTAREA><HR>");
          
    htmlOutput.append(
        "<H2>Signature verification results</H2>" +
        "<P>" +
        "The verification indicates that the signature is ");
		htmlOutput.append("\"" + strVerificationStatus + "\"");
		htmlOutput.append(
				"</P>" +
				"\n</BODY>" +
				"</HTML>");
		PrintWriter pw = res.getWriter();		
		pw.println(htmlOutput);
		pw.flush();
		pw.close();
	}
}

Joseph Reagle <reagle@w3.org>

Last revised by Reagle $Date: 2000/04/06 18:52:48 $

=======