W3C

XML Security RELAX NG Schemas

W3C Working Group Note 24 January 2012

This version:
http://www.w3.org/TR/2012/NOTE-xmlsec-rngschema-20120124/
Latest published version:
http://www.w3.org/TR/xmlsec-rngschema/
Latest editor's draft:
http://www.w3.org/2008/xmlsec/Drafts/xmlsec-rngschema/
Previous version:
http://www.w3.org/TR/2011/WD-xmlsec-rngschema-20110830/
Editors:
Makoto Murata, Invited Expert
Frederick Hirsch, Nokia

Abstract

This document serves to publish RELAX NG schemas for XML Security specifications, including XML Signature 1.0 and 1.1, XML Encryption 1.0 and 1.1, Exclusive Canonicalization, XML Signature Properties, XML-Signature XPath Filter 2.0, and XML Security Generic Hybrid Ciphers.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This W3C Note collects non-normative RELAX NG Schemas for XML Security specifications, including XML Signature 1.0 and 1.1, XML Encryption 1.0 and 1.1, Exclusive Canonicalization, XML Signature Properties, XML-Signature XPath Filter 2.0, and XML Security Generic Hybrid Ciphers. The normative descriptions of the respective data formats are included in the Recommendation-track specifications.

This version of this specification differs from the previous version as follows (redline):

This document was published by the XML Security Working Group as a Working Group Note. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

1. Introduction

The XML Security specifications include normative XML Schema [XMLSCHEMA-1], [XMLSCHEMA-2]. This note provides non-normative RELAX NG schemas in the compact syntax as well as the XML syntax [RELAXNG-SCHEMA].

The biggest difference from the original XSD schemas is that these RELAX NG schemas provide co-occurrence constraints between the Algorithm attribute and child parameter elements. Thus, RELAX NG validation can report an error when a DigestMethod element with Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" has an HMACOutputLength element, which is allowed only when Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1".

2. Taxonomy of Schemas

2.1 Driver Schemas

Schemas in this group invoke other schemas, and further define the start pattern and wildcard patterns. These driver schemas are written from scratch.

A driver schema is required for each combination of strict, lenient, and supplementary schemas (see below). This note provides some driver schemas, but does not cover all possible combinations. It is believed that driver schemas for other combinations are easy to write.

Moreover, the driver schemas in this note allow signature or encryption elements anywhere in the given XML document. When one wants to allow signature or encryption elements at a certain location only, dedicated schemas are required.

2.2 Strict Schemas

Schemas in this group play the key role, and they are derived from the original XSD schemas. Unlike the original XSD schemas, strict schemas allow specific values of the Algorithm attribute and further specify permissible child parameter elements for each of the values. For example, a strict schema xmldsig-core-schema.rnc allows "http://www.w3.org/2000/09/xmldsig#sha1" as the value of the Algorithm attribute of the DigestMethod element and an empty sequence of child elements.

2.3 Lenient Schemas

Schemas in this group complement strict schemas, and they are derived mainly from xsd:any in the original XSD schemas. Lenient schemas are expected to be used together with strict schemas.

Unlike strict schemas, lenient schemas allow any value for the Algorithm attribute and allow any child parameter elements. For example, xmldsig-allowAnyForeign.rnc allows any value for the Algorithm attribute of the DigestMethod element and any child parameter element. However, when the Algorithm attribute value is explicitly specified in strict schemas, child parameter elements continue to be tightly constrained.

2.4 Supplementary Schemas

Schemas in this group are derived from XSD schemas not constraining the Algorithm attribute. These schemas are used together with strict schemas. These schemas are intended to exactly capture the original XSD schemas.

2.5 Common schemas

Schemas in this group define common patterns for RELAX NG. These schemas are not derived from XSD schemas. There is one common schema, namely security_any.rnc (security_any.rng). It defines security_anyElement and security_anyAttribute, which allow any element and attribute, respectively.

3. Schema Authoring Techniques

3.1 Strict Definitions

Strict schemas provide strict definitions of the Algorithm attribute as well as permissible child elements. For example, a strict schema xmldsig-core-schema.rnc has a definition shown below. It specifies that "http://www.w3.org/2000/09/xmldsig#sha1" is allowed for the Algorithm attribute and that an empty sequence of child elements is allowed. This definition is used for defining attributes and contents of the DigestMethod element.

ds_DigestMethodType =
        attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2000/09/xmldsig#sha1" }

Another definition (shown below) from the same schema specifies that either

Note that RELAX NG allows the use of attribute definitions in the choice construct.

ds_SignatureMethodType =
        (attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2000/09/xmldsig#hmac-sha1" }, 
        element HMACOutputLength { ds_HMACOutputLengthType }?) 
        | attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2000/09/xmldsig#dsa-sha1" } 
        | attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2000/09/xmldsig#rsa-sha1" } 

Furthermore, strict or supplementary schemas may extend definitions provided by other strict schemas. This is done by the combine feature of [RELAXNG-SCHEMA]. For example, another strict schema, xmldsig11-schema.rnc, extends the definition ds_DigestMethodType in xmldsig-core-schema.rnc.

ds_DigestMethodType |=
        attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2001/04/xmlenc#sha256"
        }
        | attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2001/04/xmldsig-more#sha384"
        }
        | attribute Algorithm { 
        xsd:anyURI "http://www.w3.org/2001/04/xmlenc#sha512"
        }

It specifies that "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2001/04/xmldsig-more#sha384", and "http://www.w3.org/2001/04/xmlenc#sha512" are also allowed as values of the Algorithm attribute.

Note that the original strict definition is NOT overshadowed. The value "http://www.w3.org/2000/09/xmldsig#sha1" continues to be allowed for the Algorithm attribute.

3.2 Lenient Definitions

Lenient schemas provide lenient definitions of the Algorithm attribute as well as permissible child elements. For example, xmldsig-allowAnyForeign.rnc has a definition shown below. It specifies that any value except ds_DigestAlgorithms (see 3.1.3) is allowed for the Algorithm attribute and a possibly-empty sequence of foreign elements is allowed as the content. Again, note that the combine feature of RELAX NG is used to combine strict definitions and lenient definitions.

ds_DigestMethodType |=
        attribute Algorithm { xsd:anyURI - ds_DigestAlgorithms },
        ds_anyForeignElement*

3.3 Except Patterns

Lenient definitions allow any value other than those explicitly allowed by strict schemas, so an Algorithm value that a strict schema defines is never matched by a lenient definition. This is done by the except pattern of RELAX NG.

The above lenient definition of ds_DigestMethodType contains "- ds_DigestAlgorithms". It is an except pattern, and allows any value except those matching ds_DigestAlgorithms, which is defined by the strict schema xmldsig-core-schema.rnc.

ds_DigestAlgorithms =
        xsd:anyURI "http://www.w3.org/2000/09/xmldsig#sha1"

Since other strict schemas introduce other values for the Algorithm attribute, they also extend such definitions for the except pattern. For example, xmldsig11-schema.rnc extends the above definition.

ds_DigestAlgorithms |=
        xsd:anyURI "http://www.w3.org/2001/04/xmlenc#sha256"
        | xsd:anyURI "http://www.w3.org/2001/04/xmldsig-more#sha384"
        | xsd:anyURI "http://www.w3.org/2001/04/xmlenc#sha512"

3.4 Wildcard Patterns

Wildcard patterns, namely ds_anyForeignElement, dsig11_anyForeignElement, xenc_anyForeignElement, and xenc11_anyForeignElement, in driver schemas capture foreign elements. These wildcard patterns are defined as elements not belonging to any of the known namespaces.
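
The way strict definitions, lenient definitions, except patterns and wildcard patterns combine can be traced with a small model. The Python sketch below is an added example, not part of this Note or its schemas: it hand-codes the definitions quoted in this section instead of running a RELAX NG validator, and check_method, STRICT, KNOWN_NAMESPACES and SAMPLE are names made up here. It assumes only the XML Signature 1.0 namespace counts as known and does not check element content types such as ds_HMACOutputLengthType.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
MORE = "http://www.w3.org/2001/04/xmldsig-more#"
KNOWN_NAMESPACES = {DS}  # assumption: this sketch loads only XML Signature 1.0

# Strict definitions quoted in 3.1: Algorithm value -> permitted optional children.
STRICT = {
    "DigestMethod": {DS + "sha1": (), XENC + "sha256": (),
                     MORE + "sha384": (), XENC + "sha512": ()},
    "SignatureMethod": {DS + "hmac-sha1": ("HMACOutputLength",),
                        DS + "dsa-sha1": (), DS + "rsa-sha1": ()},
}

# Constructed sample: the error case described in the Introduction.
SAMPLE = ('<DigestMethod xmlns="{0}" Algorithm="{0}sha1">'
          '<HMACOutputLength>80</HMACOutputLength></DigestMethod>').format(DS)

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def check_method(xml_text, lenient=False):
    """Return a list of errors for one DigestMethod or SignatureMethod element."""
    element = ET.fromstring(xml_text)
    ns, local = split_tag(element.tag)
    if ns != DS or local not in STRICT:
        return ["not a ds:DigestMethod or ds:SignatureMethod element"]
    algorithm = element.get("Algorithm")
    if algorithm is None:
        return ["missing Algorithm attribute"]
    errors, seen = [], set()
    if algorithm in STRICT[local]:
        # Strict branch; the except pattern keeps the lenient branch off these values.
        allowed = {(DS, name) for name in STRICT[local][algorithm]}
        for child in element:
            key = split_tag(child.tag)
            if key not in allowed or key in seen:
                errors.append("%s not permitted with %s" % (key[1], algorithm))
            seen.add(key)
    elif not lenient:
        errors.append("Algorithm %s is not defined by the strict schemas" % algorithm)
    else:  # lenient branch: any other Algorithm value, foreign children only
        errors += ["%s is not a foreign element" % split_tag(c.tag)[1]
                   for c in element if split_tag(c.tag)[0] in KNOWN_NAMESPACES]
    return errors
```

check_method(SAMPLE) and check_method(SAMPLE, lenient=True) report the same error, which is the effect of the except pattern: adding a lenient schema does not loosen the constraints on an Algorithm value that a strict schema defines.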

4. Schema Indexes

4.1 Strict, Lenient, and Supplementary Schemas

XML Signature 1.0 [XMLDSIG-CORE]
    strict: xmldsig-core-schema.rnc (xmldsig-core-schema.rng)
    lenient: xmldsig-allowAnyForeign.rnc (xmldsig-allowAnyForeign.rng)

XML Signature 1.1 [XMLDSIG-CORE1]
    strict: xmldsig11-schema.rnc (xmldsig11-schema.rng)
    lenient: xmldsig11-allowAnyForeign.rnc (xmldsig11-allowAnyForeign.rng)

Exclusive Canonicalization Algorithms [XML-EXC-C14N]
    supplementary: exc-c14n.rnc (exc-c14n.rng)

XML Signature Properties [XMLDSIG-PROPERTIES]
    supplementary: xmldsig-properties-schema.rnc (xmldsig-properties-schema.rng)

XML Encryption 1.0 [XMLENC-CORE]
    strict: xenc-schema.rnc (xenc-schema.rng)
    lenient: xenc-allowAnyForeign.rnc (xenc-allowAnyForeign.rng)

XML Encryption 1.1 [XMLENC-CORE1]
    strict: xenc-schema-11.rnc (xenc-schema-11.rng)
    lenient: xenc11-allowAnyForeign.rnc (xenc11-allowAnyForeign.rng)

XML-Signature XPath Filter 2.0 [XMLDSIG-XPATH-FILTER2]
    supplementary: xmldsig-filter2.rnc (xmldsig-filter2.rng)
    This schema is directly invoked by xmldsig11-schema.rnc

XML Security Generic Hybrid Ciphers [XMLSEC-GHCIPHERS]
    strict: xmlsec-ghc-schema.rnc (xmlsec-ghc-schema.rng)
    lenient: xmlsec-ghc-allowAnyForeign.rnc (xmlsec-ghc-allowAnyForeign.rng)

4.2 Driver schemas

This subsection provides a list of driver schemas and also provides a list of included schemas for each driver schema.

Strict-Signature.rnc (Strict-Signature.rng)
Strict-Encryption.rnc (Strict-Encryption.rng)
Lenient-Signature11.rnc (Lenient-Signature11.rng)
Lenient-Signature11-properties.rnc (Lenient-Signature11-properties.rng)
Lenient-Signature-exclusiveC14N.rnc (Lenient-Signature-exclusiveC14N.rng)
Lenient-Signature11-properties-exclusiveC14N.rnc (Lenient-Signature11-properties-exclusiveC14N.rng)
Lenient-Encryption11.rnc (Lenient-Encryption11.rng)
Lenient-Encryption11-ghc.rnc (Lenient-Encryption11-ghc.rng)

A. References

Dated references below are to the latest known or appropriate edition of the referenced work. The referenced works may be subject to revision, and conformant implementations may follow, and are encouraged to investigate the appropriateness of following, some or all more recent editions or replacements of the works cited. It is in each case implementation-defined which editions are supported.

A.1 Normative references

No normative references.

A.2 Informative references

[RELAXNG-SCHEMA]
Information technology -- Document Schema Definition Language (DSDL) -- Part 2: Regular-grammar-based validation -- RELAX NG. ISO/IEC 19757-2:2008. URL: http://standards.iso.org/ittf/PubliclyAvailableStandards/c052348_ISO_IEC_19757-2_2008(E).zip
[XML-EXC-C14N]
Donald E. Eastlake 3rd; Joseph Reagle; John Boyer. Exclusive XML Canonicalization Version 1.0. 18 July 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/
[XMLDSIG-CORE]
Joseph Reagle; et al. XML Signature Syntax and Processing (Second Edition). 10 June 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xmldsig-core-20080610
[XMLDSIG-CORE1]
D. Eastlake, J. Reagle, D. Solo, F. Hirsch, T. Roessler, K. Yiu. XML Signature Syntax and Processing Version 1.1. 3 March 2011. W3C Candidate Recommendation. (Work in progress.) URL: http://www.w3.org/TR/2011/CR-xmldsig-core1-20110303/
[XMLDSIG-PROPERTIES]
Frederick Hirsch. XML Signature Properties. 3 March 2011. W3C Candidate Recommendation. (Work in progress.) URL: http://www.w3.org/TR/2011/CR-xmldsig-properties-20110303/
[XMLDSIG-XPATH-FILTER2]
Merlin Hughes; John Boyer; Joseph Reagle. XML-Signature XPath Filter 2.0. 8 November 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmldsig-filter2-20021108/
[XMLENC-CORE]
Donald Eastlake; Joseph Reagle. XML Encryption Syntax and Processing. 10 December 2002. W3C Recommendation. URL: http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/
[XMLENC-CORE1]
J. Reagle; D. Eastlake; F. Hirsch; T. Roessler. XML Encryption Syntax and Processing Version 1.1. 5 January 2012. W3C Last Call Working Draft. (Work in progress.) URL: http://www.w3.org/TR/2012/WD-xmlenc-core1-20120105/
[XMLSCHEMA-1]
Henry S. Thompson; et al. XML Schema Part 1: Structures Second Edition. 28 October 2004. W3C Recommendation. URL: http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/
[XMLSCHEMA-2]
Paul V. Biron; Ashok Malhotra. XML Schema Part 2: Datatypes Second Edition. 28 October 2004. W3C Recommendation. URL: http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/
[XMLSEC-GHCIPHERS]
Magnus Nyström; Frederick Hirsch. XML Security Generic Hybrid Ciphers. 3 March 2011. W3C Candidate Recommendation. (Work in progress.) URL: http://www.w3.org/TR/2011/CR-xmlsec-generic-hybrid-20110303/