IETF W3C  
XML-Signature Interoperability [ascii]

Editors(s):
Ed Simon <ed.simon@entrust.com>
Joseph Reagle Jr. <reagle@w3.org>

This document describes the interoperability requirements over a features, operations, and requirements specified by the XML Signature Processing and Syntax specification as required by the charter and defined by IETF RFC2026:

4.1.2 Draft Standard A specification from which at least two independent and interoperable implementations from different code bases have been developed, and for which sufficient successful operational experience has been obtained, may be elevated to the "Draft Standard" level. For the purposes of this section, "interoperable" means to be functionally equivalent or interchangeable components of the system or process in which they are used.

Tests to satisfy this requirement should operate over the following (tenative) list of (mostly) MANDATORY operations (as based on the last call draft (20000228)) requirements and features:

Feature Key Word Implementation
Operation: Reference elements generation/validation MUST  
Feature: Detached Signature MUST  
Feature: Enveloped Signature MUST  
  • requires: XPath selector that drops SignatureValue
MUST  
Feature: Enveloping Signature MUST  
MUST  
Operation: SignatureValue generation/validation MUST  
Requirement: Signing parts of a document MUST  
MUST
SHOULD
 
Feature: Minimal C14N MUST  
Feature: Canonical XML SHOULD  
Feature: KeyValue MUST  

As well as the following external algorithms:

Algorithm Type Algorithm Key Word Implementation
Digest SHA1 REQUIRED  
Encoding Base64 REQUIRED  
Encoding QuotedPrintable RECOMMENDED  
MAC HMAC-SHA1 REQUIRED  
Signature DSAwithSHA1
(DSS)
REQUIRED  
Signature RSAwithSHA1 RECOMMENDED  

Strategy

There are three deliverables involved in getting this rolling:

  1. Test Vectors/Cases
    1. scenarious FAQ as a very broad first step, but very far from complete or exhaustive (or the proper methodology)
  2. Testing interface
    1. a web/email interface that can run on top of an implemenation (e.g., Simon's example interface)

  3. Implementations
    1. propietary implementations with an open testing interface (be it exchanging examples in email, or someting like an auto-web/email responder).
    2. open code

Short Term

Long Term


Example Interface

// Format the test case
String strXmlSignatureTestCase = 
"<XmlSignatureTestCase>" +
"<Sender>" +
"<Name>Acme Signatures Inc.</Name>" +
"<XmlSignatureAutoresponderUri>http://www.acmesigs.com/xmlsigautoresponder</
XmlSignatureAutoresponderUri>" +
"</Sender>" +
"<Description>Signature should verify</Description>" +
"<Signature xmlns=\"http://www.w3.org/2000/02/xmldsig#\">" +
"  ." +
"</Signature>" +
"<XmlSignatureTestCase>";

// Send the test case to the other org's autoresponder
URL urlAutoResponder = new URL("http://www.iotp.com/xmlsigautoresponder");
URLConnection urlconAutoResponder = u.openConnection();
urlconAutoResponder.getOutputStream().write(strXmlSignatureTestCase );

// Get the result from the other org's autoresponder
String strTestResult = urlconAutoResponder.getInputStream().read();

// Process result
process(strTestResult);


The (pseudo) code on the server side might look like this  .

public class XmlSigInteroperabilityServlet extends HttpServlet { 
      private static String strTitle = "XML Signature InteroperabilityTester";
	private static XmlSigTester xst = null;
	public void init(ServletConfig sc) throws ServletException {
		super.init(sc);
		xst = new XmlSigTester();
    if (!xst.doInit().equals("SUCCESS")) {
      throw new UnavailableException(this, 
          "Could not initialize XmlSigTesterclass.");
    }
  }
  
  public void doPost (HttpServletRequest req,
  HttpServletResponse res, HttpSession httpsesn)
      throws ServletException, IOException, Exception {
    String strSignatureElement =req.getParameter("theXmlSignature").trim();
    String strVerificationStatus = "INCOMPLETE";
    try {
      strVerificationStatus = xst.verifySignature(strSignatureElement);
    } catch (Exception ex) {
      doPageError(req, res, ex, "The verification processing failed  .");
    }
   
    StringBuffer htmlOutput = new StringBuffer(
        "<HTML>" +
        "<HEAD>" +
        "<TITLE>" + strTitle + "</TITLE>" +
        "</HEAD>" +
        "<BODY>" +
        "<H1>" + strTitle + "</H1>" +
        "<H2>Verification parameters</H2>" +
        "<H3>Signature received from sender</H3>" +
        "<TEXTAREA name=\"theXmlSignature\" rows=\"20\" cols=\"120\">\n" +
        strSignatureElement +
        "</TEXTAREA><HR>");
          
    htmlOutput.append(
        "<H2>Signature verification results</H2>" +
        "<P>" +
        "The verification indicates that the signature is ");
		htmlOutput.append("\"" + strVerificationStatus + "\"");
		htmlOutput.append(
				"</P>" +
				"\n</BODY>" +
				"</HTML>");
		PrintWriter pw = res.getWriter();		
		pw.println(htmlOutput);
		pw.flush();
		pw.close();
	}
}

Joseph Reagle <reagle@w3.org>

Last revised by Reagle $Date: 2000/04/06 18:52:48 $

=======