This implementation report is intended to support the transition of the draft XML Signature, 2nd Edition specification to Proposed Edited Recommendation.
The specification was produced by the XML Security Specifications Maintenance Working Group. A Summary of Changes and Change Rationale is available.
Testing was organized and performed by the members of the XML Security Specifications Maintenance Working Group. Five implementations participated in the testing. All five implementations successfully completed the test cases listed in this report; some completed additional optional cases.
Test cases are detailed in the Test Cases for C14N 1.1 and XMLDSig Interoperability document.
The test cases tested by all implementations covered the following:
ds:Reference URI attribute processing for schema based XPointers and short-name XPointers. These tests demonstrate support for the XPointer idioms that have been mandatory to implement since XML-Signature 1.0, but were defined only by way of a normative reference to a Candidate Recommendation that had been subsequently withdrawn.
See also: detailed description of schema based XPointers and short-name XPointers test cases.
Representation of Distinguished Names as Strings as specified by RFC 4514. These test cases provide evidence that the edge cases related to a change of normative references from RFC 2253 to RFC 4514 do not cause issues in implementations. Since the IBM implementation is known to use the same code base for Distinguished Name processing as another implementation, no test results were included for this implementation.
See also: detailed description of RFC-4514 test cases.
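The string form these test cases exercise can be illustrated with a small escaper and parser following RFC 4514 section 2.4. This is an added example, not code from the report or from any of the tested implementations; the function names and the sample DN are assumptions made for illustration, and values in the `#hexstring` BER form are not decoded.

```python
import string

# Added example (not from the report): RFC 4514 section 2.4 escaping.
SPECIALS = '"+,;<>\\'          # always escaped inside a value
ESCAPABLE = SPECIALS + ' #='   # may appear directly after a backslash

def escape_value(value):
    """Escape one attribute value for use in an RFC 4514 DN string."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')                      # NUL has only the hex form
        elif ch in SPECIALS or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def unescape_value(text):
    """Inverse of escape_value; hex pairs are UTF-8 octets."""
    buf, i = bytearray(), 0
    while i < len(text):
        if text[i] != '\\':
            buf += text[i].encode('utf-8'); i += 1
        elif text[i + 1:i + 2] and text[i + 1] in ESCAPABLE:
            buf += text[i + 1].encode('utf-8'); i += 2
        else:
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= set(string.hexdigits):
                raise ValueError('bad escape at offset %d' % i)
            buf.append(int(pair, 16)); i += 3
    return buf.decode('utf-8')

def split_unescaped(text, sep):
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i]); start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs."""
    return [[(t, unescape_value(v)) for t, _, v in
             (ava.partition('=') for ava in split_unescaped(rdn, '+'))]
            for rdn in split_unescaped(dn, ',')]

SAMPLE = 'CN=Smith\\, John+OU=R\\26D,O=Example \\#1,C=AT'   # constructed input
```

Comparing the parsed (type, value) pairs rather than the raw strings avoids treating two differently escaped spellings of the same name as different names.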
Additional optional test cases were created and partially tested, but are not detailed in this report. These included:
Test cases to test nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms (detailed description of defCan test cases)
The defCan-* test cases were intended to demonstrate that implementations are able to generate signatures using Canonical XML 1.1 as a default. However, all test cases rely on the availability of a templating mechanism, and two of them rely on the (optional) XSLT transform. We therefore do not include detailed results for this test case.
The implementation report for Canonical XML 1.1 demonstrates support in all five implementations for both generating and verifying signatures involving Canonical XML 1.1. All tests covered in that report were performed in the context of generating and verifying digital signatures according to the XML Signature specification.
The XML Digital Signature package is bundled into IBM JREs that ship with IBM products or are downloaded for IBM systems. The XML Digital Signature package is bundled into all IBM JREs at the Java 6.0 level or higher, and by special arrangement at earlier levels. It is a separate security provider, so it must either be listed in the provider list in jre/lib/security/java.security or be added programmatically at runtime. The C14N11 capability is currently (11 January, 2008) a technology preview that is not yet generally available.
Sun's XML Digital Signature implementation is an implementation of the standard JSR 105 API (Java XML Digital Signature API) and is included in Sun's JDK 6 and Application Server products. The C14N 1.1 implementation is not yet generally available but is targeted for future releases.
The XML Digital Signature package is part of Oracle Security Developer Tools which is part of Oracle's Fusion Middleware platform. The upcoming AS11R1 release of Fusion Middleware includes full support for C14N version 1.1 in addition to XML Signature, XML Encryption, XML Key Management, SAML and Web Services Security technologies. The XML Digital Signature functionality can be accessed using the industry standard JSR 105 APIs (by using the Oracle provider) or through the current OSDT XML Security APIs.
The upcxslib XML Signature package runs on Java 1.4.2 or higher. It uses Sun's security provider within the JRE for basic cryptographic tasks. C14N 1.1 is not generally available at present, but its incorporation is targeted for the near future.
The IAIK XML Security Toolkit (XSECT) is the successor of the IAIK XML Signature Library (IXSIL). XSECT 1.12 or higher is scheduled to ship in Q2/2008 and will contain the C14N 1.1 implementation. C14N 1.1 will be enabled in the default mode for signature creation and may be turned off by a configuration flag, allowing for maximum flexibility. XSECT 1.12 will support all Java(TM) versions from JDK 1.3.1 onward.
Test case | SUN | IAIK | IBM | ORCL | UPC |
---|---|---|---|---|---|
xpointer-1 | PASS | PASS | PASS | PASS | PASS |
xpointer-2 | PASS | PASS | PASS | PASS | PASS |
xpointer-3 | PASS | PASS | PASS | PASS | PASS |
xpointer-4 | PASS | PASS | PASS | PASS | PASS |
xpointer-5 | PASS | PASS | PASS | PASS | PASS |
xpointer-6 | PASS | PASS | PASS | PASS | PASS |
dnString-4 | PASS | PASS | N/A | PASS | PASS |
dnString-6 | PASS | PASS | N/A | PASS | PASS |
dnString-8 | PASS | PASS | N/A | PASS | PASS |
None observed.