XML Security 1.1.0 test coverage

This document summarizes test coverage for XML Security 1.1, not including 1.0 regression tests.

This table shows what tests are specified in the 1.1 test cases ( http://www.w3.org/2008/xmlsec/wiki/Interop) .
Section Specification

1.1 Testcases


1.1 tests Test cases for Canonical XML 2.0 http://www.w3.org/2008/xmlsec/Drafts/c14n-20/test-cases/
XML Signature Syntax and Processing Version 2.0
3.2.1 XML Signature 2.0 Algorithm Identifiers and Implementation Requirements Canonicalization Required Canonical XML 2.0 1.1 tests
Required: XML Signature 2.0 Transform 1.1 tests
Required XML Documents or Fragments
1.1 tests
Required External Binary Data
1.1 tests
Required Selection of Binary Data within XML
Optional DigestDataLength
Optional PositionAssertion
Optional IDAttributes
Required Canonical XML 1.0 (omits comments) http://www.w3.org/TR/2001/REC-xml-c14n-20010315 1.1 tests
Required Canonical XML 1.1 (omits comments) http://www.w3.org/2006/12/xml-c14n11 1.1 tests for c14n, but unknown if the test is inclusive or exclusive
Required Exclusive XML Canonicalization 1.0 (omits comments) http://www.w3.org/2001/10/xml-exc-c14n# 1.1 tests for c14n, but unknown if the test omits comments
Recommended Canonical XML 1.0 with Comments http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
Recommended Canonical XML 1.1 with Comments http://www.w3.org/2006/12/xml-c14n11#WithComments
Recommended Exclusive XML Canonicalization 1.0 with Comments http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Required base64
Required Enveloped Signature
Recommended XPath http://www.w3.org/TR/1999/REC-xpath-19991116 1.1 tests
Recommended XPath Filter 2.0 http://www.w3.org/2002/06/xmldsig-filter2
Optional XSLT
Core Validation Interoperability (4.3)
  1. Capability to check each Reference to to see if the data object matches with the expected data object.
  2. The cryptographic signature validation of the signature calculated over SignedInfo.
  3. Reference validation, the verification of the digest contained in each Reference in SignedInfo.
Algorithms (Message Digests)

10.1.1 SHA-1 1.1 Tests

10.1.2 SHA-256 1.1 Tests

10.1.3 SHA-384 1.1 Tests

10.1.4 SHA-512 1.1 Tests
Algorithms ( Message Authentication Codes )

10.2.1 HMAC 1.1 Tests
Algorithms ( Signature Algorithms)

10.3.1 DSA 1.1 Tests

10.3.2 RSA (PKCS#1 v1.5) 1.1 Tests

10.3.3 ECDSA 1.1 Tests
Algorithms (Canonicalization Algorithms)

10.4.1 Canonical XML 2.0 http://www.w3.org/2008/xmlsec/Group/interop/c14n2/
Algorithms (The Transform Algorithm)

10.5 The Transform Algorithm Needs Development

Streaming Profile

Section Specification 1.1 Tests Needs Development
XML Signature Streaming Profile of XPath 1.0
2. Streamable One pass Streaming Needs Development


Test cases for Canonical XML 2.0


Examples from Canonical XML 1.0      

PIs, Comments, and Outside of Document Element
Whitespace in Document Content
Start and End Tags
Character Modifications and Character References
Entity References
UTF-8 Encoding

Dealing with Namespaces      

Namespaces declarations are pushed down
Default namespace declarations
Sorting namespace declarations
Namespace Re-declarations
Superfluous Namespace declarations
Special namespaces "xml", "xsi", "xsd"
Prefixes in Element content




XML Signature Syntax and Processing Version 1.1 Test cases


Test Cases for C14N 1.1 and XMLDSig Interoperability

http://www.w3.org/TR/2008/NOTE-xmldsig2ed-tests-20080610/ http://www.w3.org/2008/xmlsec/wiki/Interop
3. Processing Rules      

3.1 Signature Generation

3.1.1 Reference Generation

3.1.2 Signature Generation

    3.3 Test Cases for XMLDSig
        3.3.1 Test Cases for C14N 1.1 in XMLDSig
        3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms
        3.3.3 Test Cases on schema based XPointers and canonicalization
        3.3.4 Test Cases on String encoding of Distinguished Names
   Test Cases on differences identified in RFC 2253 and RFC 4514
       Test case xmldsig/dname/diffRFCs-1
       Test case xmldsig/dname/diffRFCs-2
       Test case xmldsig/dname/diffRFCs-3
       Test case xmldsig/dname/diffRFCs-4
       Test case xmldsig/dname/diffRFCs-5
   Test Cases for RFC 4514
       Test case xmldsig/dname/dnString-4
       Test case xmldsig/dname/dnString-6
       Test case xmldsig/dname/dnString-8

3.2 Core Validation

3.2.1 Reference Validation

3.2.2 Signature Validation

4. Core Signature Syntax      

4.1 The ds:CryptoBinary Simple Type

    Not referenced

4.2 The Signature element

    All DSig

4.3 The SignatureValue Element


4.4 The SignedInfo Element


4.5 The KeyInfo Element

4.5.1 The KeyName Element
4.5.2 The KeyValue Element The DSAKeyValue Element The RSAKeyValue Element




 The ECKeyValue Element Explicit Curve Parameters Compatibility with RFC 4050

4.5.3 The RetrievalMethod Element



XML Security 1.1 Core: Elliptic Curve algorithms

Various combinations of the following

  • Digest algorithm - SHA1/256/384/512
  • Signature algorithm - ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512)
  • Canonicalization algorithm - C14N 1.0, Exc C14N 1.0
  • KeyInfo format - RFC 4050 style ECDSA KeyValue, XML signature 1.1 style ECKeyValue

Microsoft's test vectors - 12 files

  • 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
  • 12 files: all of the above with Exc C14N 1.0

Oracle's test vectors - 18 files

  • 12 files: Digest = SHA1/SHA256/SHA384/SHA512, Signature = ECDSA (P256/P384/P521 with SHA1/SHA256/SHA384/SHA512), RFC4050 ECDSAKeyValue
  • 12 files: all of the above XML Signature 1.1 ECKeyValue

XML Security 1.1 Core: Other items

  • AES Keywrap with padding (XML Encryption) RFC 5649
  • OCSP - add and read OCSP information successfully (Sun?)
  • DEREncodedKeyValue (Sun?)
  • RFC4050 compatibility ( ? DONE
  • Required Exclusive C14N - note that implemented or interop? DONE
  • XPath 2.0


4.5.4 The X509Data Element Distinguished Name Encoding Rules

4.5.5 The PGPData Element
4.5.6 The SPKIData Element
4.5.7 The MgmtData Element
4.5.8 XML Encryption EncryptedKey and DerivedKey Elements

4.5.9 The DEREncodedKeyValue Element
4.5.10 The KeyInfoReference Element


XML Encryption 1.1 Derived Keys

Test case 1: EncryptedData with content encryption key derived from shared secret. Key derivation method: ConcatKDF (http://www.w3.org/2009/xmlenc11#ConcatKDF).

Test case 2: EncryptedData with content encryption key derived from shared secret password. Key derivation method: PBKDF2 (http://www.w3.org/2009/xmlenc11#pbkdf2

4.6 The Object Element

5. Additional Signature Syntax      

5.1 The Manifest Element


5.2 The SignatureProperties Element


5.3 Processing Instructions in Signature Elements


5.4 Comments in Signature Elements


6. Algorithms


6.1 Algorithm Identifiers and Implementation Requirements


6.2 Message Digests

6.2.1 SHA-1
6.2.2 SHA-256
6.2.3 SHA-384
6.2.4 SHA-512

    In Tests documented

6.3 Message Authentication Codes


6.4 Signature Algorithms

6.4.1 DSA
6.4.2 RSA (PKCShttp://www.w3.org/TR/xmldsig-core1/#1 v1.5)
6.4.3 ECDSA

        3.3.4 Test Cases on String encoding of Distinguished Names
   Test Cases on differences identified in RFC 2253 and RFC 4514
       Test case xmldsig/dname/diffRFCs-1
       Test case xmldsig/dname/diffRFCs-2
       Test case xmldsig/dname/diffRFCs-3
       Test case xmldsig/dname/diffRFCs-4
       Test case xmldsig/dname/diffRFCs-5
   Test Cases for RFC 4514
       Test case xmldsig/dname/dnString-4
       Test case xmldsig/dname/dnString-6
       Test case xmldsig/dname/dnString-8
  1.1 tests

6.5 Canonicalization Algorithms

6.5.1 Canonical XML 1.0
6.5.2 Canonical XML 1.1
6.5.3 Exclusive XML Canonicalization 1.0

3.2 Test Cases for Canonicalization 1.1
        3.2.1 Test Cases for xml:lang attribute
        3.2.2 Test Cases for xml:space attribute
        3.2.3 Test Cases for xml:id attribute
        3.2.4 Test Cases for xml:base attribute
   Test Cases for checking xml:base attribute propagation
       Test case c14n11/xmlbase-prop-1
       Test case c14n11/xmlbase-prop-2
       Test case c14n11/xmlbase-prop-3
       Test case c14n11/xmlbase-prop-4
       Test case c14n11/xmlbase-prop-5
       Test case c14n11/xmlbase-prop-6
       Test case c14n11/xmlbase-prop-7
   Test Cases for checking XML-C14N1.1 specification tests
       Test case c14n11/xmlbase-c14n11spec-102
       Test case c14n11/xmlbase-c14n11spec2-102
       Test case c14n11/xmlbase-c14n11spec3-103
        3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix

3.3.1 Test Cases for C14N 1.1 in XMLDSig


  No Exclusive Canonicalization test

6.6 Transform Algorithms

6.6.1 Canonicalization
6.6.2 Base64
6.6.3 XPath Filtering
6.6.4 Enveloped Signature Transform
6.6.5 XSLT Transform


XML 1.1 Canonicalization Test case mapping

Canonical XML Version 1.1
W3C Recommendation 2 May 2008

  1. Data Model
    1. XPath 1.0 Recommendation [XPath] is used to represent the input XML
    2. F irst parameter of input to the XML canonicalization method is either an XPath node-set or an octet stream containing a well-formed XML document. 
    3. The second parameter of input to the XML canonicalization method is a boolean flag indicating whether or not comments should be included in the canonical form output by the XML canonicalization method.
    4. If an XML document must be converted to a node-set, XPath REQUIRES that an XML processor be used to create the nodes of its data model to fully represent the document.
    5. The input octet stream MUST contain a well-formed XML document, but the input need not be validated. 
    6. All whitespace within the root document element MUST be preserved (except for any #xD characters deleted by line delimiter normalization). This includes all whitespace in external entities. Whitespace outside of the root document element MUST be discarded.

3.2.1 Test Cases for xml:lang attribute
3.2.2 Test Cases for xml:space attribute
3.2.3 Test Cases for xml:id attribute
3.2.4 Test Cases for xml:base attribute

Document Order
  1. Document order is defined to be the order in which the first character of the XML representation of each node occurs in the XML representation of the document after expansion of general entities, except for namespace and attribute nodes whose document order is application-dependent. Test Cases for checking XML-C14N1.1 specification tests  
Processing Model
  1. The XPath node-set is converted into an octet stream, the canonical form, by generating the representative UCS characters for each node in the node-set in ascending document order, then encoding the result in UTF-8 (without a leading byte order mark).
  2. No node is processed more than once. 
  3. The text generated for a node is dependent on the node type and given in the following list:
    • Root Node- 
    • Element Nodes- 
      • Namespace Axis
      • Attribute Axis
    • Namespace Nodes
    • Attribute Nodes
    • Text Nodes
    • Processing Instruction (PI) Nodes
    • Comment Nodes

Does this apply to all test? What about tests for all node types in the list in the recommendation? Test Cases for checking xml:base attribute propagation Test case c14n11/xmlbase-prop-1 Test case c14n11/xmlbase-prop-2 Test case c14n11/xmlbase-prop-3 Test case c14n11/xmlbase-prop-4 Test case c14n11/xmlbase-prop-5 Test case c14n11/xmlbase-prop-6 Test case c14n11/xmlbase-prop-7

Document Subsets

3.2 Test Cases for Canonicalization 1.1
 The input for each of these test cases is an XML document and an XPath document subset expression. 


Test Cases for 1.1

Test Cases for C14N 1.1 and XMLDSig Interoperability Editor's Draft 15 April 2008
3 Test Cases specification      
3.1 Legacy XMLDSig Working Group Test Cases
3.2 Test Cases for Canonicalization 1.1

3.2.1 Test Cases for xml:lang attribute


3.2.2 Test Cases for xml:space attribute


3.2.3 Test Cases for xml:id attribute


3.2.4 Test Cases for xml:base attribute Test Cases for checking xml:base attribute propagation Test case c14n11/xmlbase-prop- Test case c14n11/xmlbase-prop-2 Test case c14n11/xmlbase-prop-3 Test case c14n11/xmlbase-prop-4 Test case c14n11/xmlbase-prop-5 Test case c14n11/xmlbase-prop-6 Test case c14n11/xmlbase-prop-7 Test Cases for checking XML-C14N1.1 specification tests Test case c14n11/xmlbase-c14n11spec-102 Test case c14n11/xmlbase-c14n11spec2-102 Test case c14n11/xmlbase-c14n11spec3-103


3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix

3.3 Test Cases for XMLDSig      

3.3.1 Test Cases for C14N 1.1 in XMLDSig


3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms


3.3.3 Test Cases on schema based XPointers and canonicalization


3.3.4 Test Cases on String encoding of Distinguished Names Test Cases on differences identified in RFC 2253 and RFC 4514 Test case xmldsig/dname/diffRFCs-1 Test case xmldsig/dname/diffRFCs-2 Test case xmldsig/dname/diffRFCs-3 Test case xmldsig/dname/diffRFCs-4 Test case xmldsig/dname/diffRFCs-5 Test Cases for RFC 4514 Test case xmldsig/dname/dnString-4 Test case xmldsig/dname/dnString-6 Test case xmldsig/dname/dnString-8



Author: Gerald Edgar

July 17, 2011

Date: July 12, 2011
Date: June 4, 2011
Date: May 23, 2011