W3C

Test Cases for C14N 1.1 and XMLDSig Interoperability

W3C Working Group Note 10 June 2008

This version:
http://www.w3.org/TR/2008/NOTE-xmldsig2ed-tests-20080610/
Latest version:
http://www.w3.org/TR/xmldsig2ed-tests/
Editors:
Juan Carlos Cruellas, UPC <[email protected]>
Konrad Lanz, A-SIT <[email protected]>
Sean Mullan, Sun Microsystems <[email protected]>

Copyright © 2008 W3C® (MIT, ERCIM, Keio), All Rights Reserved. W3C liability, trademark and document use rules apply.

Abstract

This document defines interoperability test cases for Canonical XML 1.1 [XML-C14N1.1] and XML Signature Syntax and Processing, Second Edition [XMLDSIG2]. The changes tested include C14N11 handling of attributes in the XML namespace, including xml:id and xml:base, appropriate C14N11 nodeset to octet stream transform processing, modifications to RFC 3986 dot segment processing for C14N11, and RFC 4514 string encoding of Distinguished Names. The tests include standalone C14N11 tests as well as tests integrated with XML signature generation and validation. This document also includes earlier test cases used in XML Signature [XMLDSIG] for regression testing.

Status of this Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

The set of test cases documented in this report was used to provide evidence for implementation support for the Canonical XML 1.1 and XML Signature Proposed (Edited) Recommendations. While the Working Group might publish revised versions of this document to include mild improvements of the test documentation, there is no expectation that the core material in this document will change. It should be noted that no material in this document is normative; in particular, passing the tests documented in this document is neither necessary, nor sufficient for a conformance claim against either Canonical XML 1.1 or XML Signature 2nd Edition.

This document was developed by the XML Security Specifications Maintenance Working Group.

Please send comments about this document to [email protected] (with public archive).

Publication as a Working Group Note does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1 Introduction
    1.1 Test Case Notation
    1.2 Codes for Recommendation References (Rec, SubRec)
    1.3 Codes for Issues (SpecificIssue) and Sub-Issues (SpecificSubIssue)
2 Acknowledgements
3 Test Cases specification
    3.1 Legacy XMLDSig Working Group Test Cases
    3.2 Test Cases for Canonicalization 1.1
        3.2.1 Test Cases for xml:lang attribute
        3.2.2 Test Cases for xml:space attribute
        3.2.3 Test Cases for xml:id attribute
        3.2.4 Test Cases for xml:base attribute
            3.2.4.1 Test Cases for checking xml:base attribute propagation
                3.2.4.1.1 Test case c14n11/xmlbase-prop-1
                3.2.4.1.2 Test case c14n11/xmlbase-prop-2
                3.2.4.1.3 Test case c14n11/xmlbase-prop-3
                3.2.4.1.4 Test case c14n11/xmlbase-prop-4
                3.2.4.1.5 Test case c14n11/xmlbase-prop-5
                3.2.4.1.6 Test case c14n11/xmlbase-prop-6
                3.2.4.1.7 Test case c14n11/xmlbase-prop-7
            3.2.4.2 Test Cases for checking XML-C14N1.1 specification tests
                3.2.4.2.1 Test case c14n11/xmlbase-c14n11spec-102
                3.2.4.2.2 Test case c14n11/xmlbase-c14n11spec2-102
                3.2.4.2.3 Test case c14n11/xmlbase-c14n11spec3-103
        3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix
    3.3 Test Cases for XMLDSig
        3.3.1 Test Cases for C14N 1.1 in XMLDSig
        3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms
        3.3.3 Test Cases on schema based XPointers and canonicalization
        3.3.4 Test Cases on String encoding of Distinguished Names
            3.3.4.1 Test Cases on differences identified in RFC 2253 and RFC 4514
                3.3.4.1.1 Test case xmldsig/dname/diffRFCs-1
                3.3.4.1.2 Test case xmldsig/dname/diffRFCs-2
                3.3.4.1.3 Test case xmldsig/dname/diffRFCs-3
                3.3.4.1.4 Test case xmldsig/dname/diffRFCs-4
                3.3.4.1.5 Test case xmldsig/dname/diffRFCs-5
            3.3.4.2 Test Cases for RFC 4514
                3.3.4.2.1 Test case xmldsig/dname/dnString-4
                3.3.4.2.2 Test case xmldsig/dname/dnString-6
                3.3.4.2.3 Test case xmldsig/dname/dnString-8
4 References

1 Introduction

The test cases include standalone C14N 1.1 tests and test cases involving XML signature generation and validation. XML signatures are generated according to the details specified in this document.

All the test cases are positive (signatures that are valid).

Applications should validate these signatures and check that they are valid.

1.1 Test Case Notation

This section summarizes the notation used for identification of test cases.

A test case identifier matches the following pattern, and the syntax for describing the pattern is borrowed from section 2.0 of [XMLDSIG] (where "?" denotes zero or one occurrence; "+" denotes one or more occurrences; "*" denotes zero or more occurrences) and "|" denotes a choice.

  Rec/(SubRec/)?(SpecificIssue-(SpecificSubIssue-)?)+TestNumber

The Rec part identifies the source recommendation for the test case.

The SubRec part identifies a recommendation that is tested in the context of Rec.

The SpecificIssue part identifies the issue to be tested by the test case. The optional SpecificSubIssue part further refines the issue to be tested.

The TestNumber part numbers the test case. It must be an integer number or an integer number followed by a lowercase letter.

The next section identifies codes used throughout this document.

1.2 Codes for Recommendation References (Rec, SubRec)

The following codes are used for identifying the source recommendations for the test cases:

This structure is reflected in the directories c14n11/, xmldsig/, xmldsig/c14n11/, xmldsig/dname/ and xmldsig/xpointer/.

1.3 Codes for Issues (SpecificIssue) and Sub-Issues (SpecificSubIssue)

The following codes are used for identifying the issues and sub-issues for the test cases:

  • defCan identifies the test cases that test the [XMLDSIG2] implicit and explicit rules managing the final canonicalization that precedes the digest computation..

  • xmllang identifies the test cases that test the C14N11 handling of the xml:lang attribute.

  • xmlspace identifies the test cases that test the C14N11 handling of the xml:space attribute.

  • xmlid identifies the test cases that test the C14N11 handling of the xml:id attribute.

  • xmlbase identifies the test cases that test the C14N11 handling of the xml:base attribute.

    The following sub-issues are associated with this issue:

    • prop identifies the test cases that test the C14N11 propagation of the xml:base attribute through the node tree.

    • annexA identifies the test cases that test the C14N11 Remove Dot Segments examples listed in Appendix A of [XML-C14N1.1].

    • c14n11spec identifies the test cases that test the examples in the [XML-C14N1.1] specification.

  • dnString identifies the test cases that test the string encoding of Distinguished Names.

  • diffRFCs identifies the test cases that test the differences between [RFC 2253] and [RFC 4514].

  • xpointer identifies the test cases that test the handling of XPointer Reference URIs as specified in [XMLDSIG2]

2 Acknowledgements

Major contributions to this document were received from Juan Carlos Cruellas, UPC; Konrad Lanz, A-SIT; Sean Mullan, Sun Microsystems; Pratik Datta, Oracle; Frederick Hirsch, Nokia; Bruce Rich, IBM; Thomas Roessler, W3C. The test cases in this document were reviewed by the members of the W3C XML Security Specifications Maintenance Working Group.

3 Test Cases specification

The following sub-sections describe each of the test cases and are grouped by Recommendation and Issue.

3.1 Legacy XMLDSig Working Group Test Cases

The IETF/W3C XML-DSig Working Group produced an interoperability test matrix that can be found at [XMLDSIG-interop].

3.2 Test Cases for Canonicalization 1.1

The set of test cases in this section are designed to test the C14N11 handling of attributes in the xml namespace. The input for each of these test cases is an XML document and an XPath document subset expression. Two different sets of tests are included based on the test cases in this section.

  • Standalone tests: no XML signature generation or validation is required. The XPath document subset expression is applied to the input document. These tests are used to check that the implementation for [XML-C14N1.1] behaves correctly.

  • Integrated tests with XML signatures: In these set of tests, an XML signature is generated based on the input document and a corresponding XPath Filtering Transform as indicated in the tables. For these set of tests, the following rules apply:

    • The XML Signature is generated using the HMAC-SHA1 SignatureMethod algorithm and a secret key with the value: "secret".getBytes("ASCII").

    • The Transforms element contains a sequence of two transforms:

      • An XPath Filtering Transform that contains an XPath expression that depends on the test case.

      • A Canonical XML 1.1 Transform.

3.2.1 Test Cases for xml:lang attribute

The set of test cases in this section test the C14N11 handling of xml:lang attributes.

Below is the input document for the test cases in this section:

  <?xml version="1.0" encoding="UTF-8"?>
  <ietf:c14n11Xmllang xmlns:ietf="http://www.ietf.org" 
  xmlns:w3c="http://www.w3.org">
     <ietf:e1 xml:lang="EN">
        <ietf:e11>
           <ietf:e111 />
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121 />
        </ietf:e12>
     </ietf:e1>
     <ietf:e2 >
        <ietf:e21 />
     </ietf:e2>
  </ietf:c14n11Xmllang>

Note:

Document subset expressions for document subsets computation are defined as in [XML-C14N1.1].

3.2.1.1 Test case c14n11/xmllang-1
Input details To-Be-Signed (TBS henceforth) data object with ONLY a xml:lang attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that includes element e.
Rationale Check that implementations of [XML-C14N1.1] handle xml:lang attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*)[ancestor-or-self::ietf:e1]
Output 
  <ietf:e1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:lang="EN">
        <ietf:e11>
           <ietf:e111></ietf:e111>
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121></ietf:e121>
        </ietf:e12>
     </ietf:e1>
3.2.1.2 Test case c14n11/xmllang-2
Input details TBS data object with ONLY a xml:lang attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include neither element e nor any of its children elements.
Rationale Check that implementations of [XML-C14N1.1] handle xml:lang attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*)[ancestor-or-self::ietf:e2]
Output 
  <ietf:e2 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
        <ietf:e21></ietf:e21>
     </ietf:e2>
3.2.1.3 Test case c14n11/xmllang-3
Input details TBS with ONLY a xml:lang attribute in a certain element e whose content includes a sequence of one element. The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include element e but includes one child element.
Rationale Check that implementations of [XML-C14N1.1] handle xml:lang attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*)[ancestor-or-self::ietf:e11]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:lang="EN">
           <ietf:e111></ietf:e111>
        </ietf:e11>
3.2.1.4 Test case c14n11/xmllang-4
Input details TBS with ONLY a xml:lang attribute in a certain element e whose content includes a sequence of more than one element (these children may in turn contain children elements). The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include element e but includes more than one of its children elements.
Rationale Check that implementations of [XML-C14N1.1] handle xml:lang attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*)[ancestor-or-self::ietf:e11 or ancestor-or-self::ietf:e12]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:lang="EN">
           <ietf:e111></ietf:e111>
        </ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" at="2" xml:lang="EN">
           <ietf:e121></ietf:e121>
        </ietf:e12>

3.2.2 Test Cases for xml:space attribute

The set of test cases in this section test the C14N11 handling of xml:space attributes.

Below is the input document for the test cases in this section:

  <?xml version="1.0" encoding="UTF-8"?>
  <ietf:c14n11XmlSpaceDoc1 xmlns:ietf="http://www.ietf.org" 
  xmlns:w3c="http://www.w3.org">
     <ietf:e1 xml:space="true">
        <ietf:e11>
           <ietf:e111 />
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121 />
        </ietf:e12>
     </ietf:e1>
     <ietf:e2 >
        <ietf:e21 />
     </ietf:e2>
  </ietf:c14n11XmlSpaceDoc1>
3.2.2.1 Test case c14n11/xmlspace-1
Input details TBS data object with ONLY a xml:space attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that includes element e.
Rationale Check that implementations of [XML-C14N1.1] handle xml:space attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e1]
Output 
  <ietf:e1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:space="true">
        <ietf:e11>
           <ietf:e111></ietf:e111>
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121></ietf:e121>
        </ietf:e12>
     </ietf:e1>
3.2.2.2 Test case c14n11/xmlspace-2
Input details TBS data object with ONLY a xml:space attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include neither element e nor any of its children elements.
Rationale Check that implementations of [XML-C14N1.1] handle xml:space attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e2]
Output 
  <ietf:e2 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
        <ietf:e21></ietf:e21>
     </ietf:e2>
3.2.2.3 Test case c14n11/xmlspace-3
Input details TBS with ONLY a xml:space attribute in a certain element e whose content includes a sequence of one element. The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include element e but includes its child element.
Rationale Check that implementations of [XML-C14N1.1] handle xml:space attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e11]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:space="true">
           <ietf:e111></ietf:e111>
        </ietf:e11>
3.2.2.4 Test case c14n11/xmlspace-4
Input details TBS with ONLY a xml:space attribute in a certain element e whose content includes a sequence of more than one element (these children may in turn contain children elements). The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include element e but includes more than one of its children elements.
Rationale Check that implementations of [XML-C14N1.1] handle xml:space attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e11 or ancestor-or-self::ietf:e12]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:space="true">
           <ietf:e111></ietf:e111>
        </ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" at="2" xml:space="true">
           <ietf:e121></ietf:e121>
        </ietf:e12>

3.2.3 Test Cases for xml:id attribute

The set of test cases in this section test the C14N11 handling of xml:id attributes.

Below is the input document for all the test cases in this section:

  <?xml version="1.0" encoding="UTF-8"?>
  <ietf:c14n11XmlIdDoc1 xmlns:ietf="http://www.ietf.org" 
  xmlns:w3c="http://www.w3.org">
     <ietf:e1 xml:id="IdInterop">
        <ietf:e11>
           <ietf:e111 />
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121 />
        </ietf:e12>
     </ietf:e1>
     <ietf:e2 >
        <ietf:e21 />
     </ietf:e2>  
  </ietf:c14n11XmlIdDoc1>
3.2.3.1 Test case c14n11/xmlid-1
Input details TBS with ONLY a xml:id attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that includes element e.
Rationale Check that implementations of [XML-C14N1.1] handle xml:id attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e1]
Output 
  <ietf:e1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" xml:id="IdInterop">
        <ietf:e11>
           <ietf:e111></ietf:e111>
        </ietf:e11>
        <ietf:e12 at="2">
           <ietf:e121></ietf:e121>
        </ietf:e12>
     </ietf:e1>
3.2.3.2 Test case c14n11/xmlid-2
Input details TBS with ONLY a xml:id attribute in a certain element e whose content includes other elements. The ds:Transform contains a XPath expression whose result is a node set that DOES NOT include the element e but some of the children of the element e.
Rationale Check that implementations of [XML-C14N1.1] handle xml:id attributes as defined in [XML-C14N1.1]
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e11 or ancestor-or-self::ietf:e12]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
           <ietf:e111></ietf:e111>
        </ietf:e11>\
+ <ietf:e12 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org" at="2">
           <ietf:e121></ietf:e121>
        </ietf:e12>

3.2.4 Test Cases for xml:base attribute

The set of test cases in this section test the C14N11 handling of xml:base attributes.

Three sets of test cases have been defined:

  • Tests that check if the implementation correctly propagates the xml:base attributes through the node tree.

  • Tests that check if the implementation correctly processes the examples involving xml:base propagation in the [XML-C14N1.1] specification.

  • Tests that check if the implementation correctly processes the examples in the Appendix of [XML-C14N1.1]

3.2.4.1 Test Cases for checking xml:base attribute propagation

This section defines test cases that test how implementations propagate xml:base attributes through the tree when the result of the filtering is a document subset.

Below is the input document for the test cases in this section:

  <?xml version="1.0" encoding="UTF-8"?>
  <ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase0/">
    <ietf:e1 xml:base="/xmlbase1/">
      <ietf:e11 xml:base="/xmlbase11/">
        <ietf:e111 xml:base="/xmlbase111/"/>
      </ietf:e11>
      <ietf:e12 at="2">
        <ietf:e121 xml:base="/xmlbase121/"/>
      </ietf:e12>
    </ietf:e1>
    <ietf:e2>
      <ietf:e21 xml:base="/xmlbase21/"/>
    </ietf:e2>
    <ietf:e3>
      <ietf:e31 at="3"/>
    </ietf:e3>
  </ietf:c14n11XmlBaseDoc1>

The document's root element ietf:c14n11XmlBaseDoc1 defines an xml:base attribute. This element contains three children elements.

The first element ietf:e1 has another xml:base attribute. All the ietf:e1's descendant elements have a xml:base attribute. Transforms that select subsets of ietf:e1's descendants will test how each level in the tree of elements incorporates its corresponding part to the value of the final xml:base.

The second element ietf:e2 does not have a xml:base attribute, but its child element, ietf:e21 has a xml:base attribute. Transforms that select ietf:e21 will test how it takes the value of xml:base from an ancestor different than its parent.

As for the third element, neither it nor any of its descendants have a xml:base attribute. Transforms that select ietf:e3 or any of its descendants will test how they inherit the xml:base attribute from the root element without any further processing.

3.2.4.1.1 Test case c14n11/xmlbase-prop-1
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:c14n11XmlBaseDoc1 and the child ietf:e1 and its descendant.
Rationale Check that implementations of [XML-C14N1.1] work properly when the xml:base origin appears in the output document subset and also children with xml:base, which do not require further processing, are also present.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:c14n11XmlBaseDoc1 and not(ancestor-or-self::ietf:e2)]
Output 
  <ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase0/">
    <ietf:e1 xml:base="/xmlbase1/">
      <ietf:e11 xml:base="/xmlbase11/">
        <ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
      </ietf:e11>
      <ietf:e12 at="2">
        <ietf:e121 xml:base="/xmlbase121/"></ietf:e121>
      </ietf:e12>
    </ietf:e1>
    
    <ietf:e3>
      <ietf:e31 at="3"></ietf:e31>
    </ietf:e3>
  </ietf:c14n11XmlBaseDoc1>
3.2.4.1.2 Test case c14n11/xmlbase-prop-2
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:e1 and its descendant but not ietf:c14n11XmlBaseDoc1.
Rationale Check that implementations of [XML-C14N1.1] properly build the xml:base at the first level (ietf:e1).
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e1]
Output 
  <ietf:e1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase1/">
      <ietf:e11 xml:base="/xmlbase11/">
        <ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
      </ietf:e11>
      <ietf:e12 at="2">
        <ietf:e121 xml:base="/xmlbase121/"></ietf:e121>
      </ietf:e12>
    </ietf:e1>
3.2.4.1.3 Test case c14n11/xmlbase-prop-3
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:e11 and its descendant. Elements ietf:c14n11XmlBaseDoc1 and ietf:e1 do not appear.
Rationale Check that implementations of [XML-C14N1.1] properly build the xml:base if one of intermediate the levels (ietf:e1) are absent from the document subset.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e11]
Output 
  <ietf:e11 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase11/">
        <ietf:e111 xml:base="/xmlbase111/"></ietf:e111>
      </ietf:e11>
3.2.4.1.4 Test case c14n11/xmlbase-prop-4
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:e111 and its descendant. Elements ietf:c14n11XmlBaseDoc1, ietf:e11 and ietf:e1 do not appear.
Rationale Check that implementations of [XML-C14N1.1] properly build the xml:base if several intermediate levels (ietf:e1 and ietf:e11) are absent from the document subset.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e111]
Output 
  <ietf:e111 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase111/"></ietf:e111>
3.2.4.1.5 Test case c14n11/xmlbase-prop-5
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:e2 and its descendant. Elements ietf:c14n11XmlBaseDoc1, ietf:e1 and its descendant, and ietf:e3 and its descendant do not appear.
Rationale Check that implementations of [XML-C14N1.1] properly build the xml:base if one intermediate level (ietf:e2) without any xml:base attribute is absent from the document subset.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e21]
Output 
  <ietf:e21 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase21/"></ietf:e21>
3.2.4.1.6 Test case c14n11/xmlbase-prop-6
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes element ietf:e3 and its descendant. Elements ietf:c14n11XmlBaseDoc1, ietf:e1 and its descendant, and ietf:e2 and its descendant do not appear.
Rationale Check that implementations of [XML-C14N1.1] properly build the xml:base in one element that originally had no xml:base attribute.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:e3]
Output 
  <ietf:e3 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase0/">
      <ietf:e31 at="3"></ietf:e31>
    </ietf:e3>
3.2.4.1.7 Test case c14n11/xmlbase-prop-7
Input details The document shown above. The ds:Transform contains a XPath expression whose result is a node set that includes elements ietf:c14n11XmlBaseDoc1 and ietf:e3 and its descendant. Elements ietf:e1 and its descendant, and ietf:e2 and its descendant do not appear.
Rationale Check that implementations of [XML-C14N1.1] do not pass the xml:base to another element when it is not necessary.
Document subset expression (//. | //@* | //namespace::*) [ancestor-or-self::ietf:c14n11XmlBaseDoc1 and not(ancestor-or-self::ietf:e1 or ancestor-or-self::ietf:e2)]
Output 
  <ietf:c14n11XmlBaseDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"\
+  xml:base="http://xmlbase.example.org/xmlbase0/">
    
    
    <ietf:e3>
      <ietf:e31 at="3"></ietf:e31>
    </ietf:e3>
  </ietf:c14n11XmlBaseDoc1>
3.2.4.2 Test Cases for checking XML-C14N1.1 specification tests

This section defines test cases that are based on the examples in the C14N11 specification that propagate xml:base attributes through the tree when the result of the filtering is a document subset.

3.2.4.2.1 Test case c14n11/xmlbase-c14n11spec-102

Below is the input document from section 3.8 of [XML-C14N1.1] for the test case c14n11/xmlbase-c14n11spec-102 below:

  <!DOCTYPE doc [
  <!ATTLIST e2 xml:space (default|preserve) 'preserve'>
  <!ATTLIST e3 id ID #IMPLIED>
  ]>
  <doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+  xml:base="http://www.example.com/something/else">
     <e1>
        <e2 xmlns="" xml:id="abc" xml:base="../bar/">
           <e3 id="E3" xml:base="foo"/>
        </e2>
     </e1>
  </doc>
Input details The input document shown above.
Rationale Check that correct xml:base fixup is performed.
Document subset expression (//. | //@* | //namespace::*)[self::ietf:e1 or (parent::ietf:e1 and not(self::text() or self::e2)) or count(id("E3")|ancestor-or-self::node()) = count(ancestor-or-self::node())]
Output 
  <e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+  xml:base="http://www.example.com/something/else">\
+ <e3 xmlns="" id="E3" xml:base="../bar/foo" xml:space="preserve">\
+ </e3></e1>
3.2.4.2.2 Test case c14n11/xmlbase-c14n11spec2-102

Below is the input document similar to the example from section 3.8 of [XML-C14N1.1] for the test case c14n11/xmlbase-c14n11spec-102 below. The main difference is that the value of the xml:base attribute of the e2 element is "bar/" instead of "../bar".

  <!DOCTYPE doc [
  <!ATTLIST e2 xml:space (default|preserve) 'preserve'>
  <!ATTLIST e3 id ID #IMPLIED>
  ]>
  <doc xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+  xml:base="something/else">
     <e1>
        <e2 xmlns="" xml:id="abc" xml:base="bar/">
           <e3 id="E3" xml:base="foo"/>
        </e2>
     </e1>
  </doc>
Input details The input document shown above.
Rationale Check that correct xml:base fixup is performed.
Document subset expression (//. | //@* | //namespace::*)[self::ietf:e1 or (parent::ietf:e1 and not(self::text() or self::e2)) or count(id("E3")|ancestor-or-self::node()) = count(ancestor-or-self::node())]
Output 
  <e1 xmlns="http://www.ietf.org" xmlns:w3c="http://www.w3.org"\
+  xml:base="something/else">\
+ <e3 xmlns="" id="E3" xml:base="bar/foo" xml:space="preserve">\
+ </e3></e1>
3.2.4.2.3 Test case c14n11/xmlbase-c14n11spec3-103

Below is the input document from section 2.4 of [XML-C14N1.1] for the test case c14n11/xmlbase-c14n11spec-103 below.

  <?xml version="1.0" encoding="UTF-8"?>
  <a xml:base="foo/bar">
   <b xml:base="..">
    <c xml:base="..">
     <d xml:base="x">
     </d>
    </c>
   </b>
  </a>
Input details The input document shown above.
Rationale Check that correct xml:base fixup is performed. This test illustrates the modification of the "Remove Dot Segments" algorithm.
Document subset expression (//. | //@* | //namespace::*) [self::a or ancestor-or-self::d]
Output 
  <a xml:base="foo/bar"><d xml:base="../../x">
     </d></a>

3.2.5 Test Cases for checking examples in the XML-C14N1.1 Appendix

This section defines test cases for checking if implementations are compliant with [XML-C14N1.1], specifically the normative rules in the Document Subsets section. Informative examples are given in the Appendix of C14N11.

Each test case in this section specifies an input string, representing a URI that must be processed according to the modified Remove Dot Segments algorithm described in Section 2.4 (Document Subsets) of [XML-C14N1.1].

Each test case appears in a row of the table shown below. The first column identifies the input URI that has to be processed. The second column shows the corresponding output.

3.2.5.1 Test case c14n11/xmlbase-annexa
inputs.txt outputs.txt 
  no/.././/pseudo-netpath/seg/file.ext
  no/..//.///pseudo-netpath/seg/file.ext
  yes/no//..//.///pseudo-netpath/seg/file.ext
  no/../yes
  no/../yes/
  no/../yes/no/..
  ../../no/../..
  no/../..
  no/..
  no/../
  /a/b/c/./../../g
  mid/content=5/../6
  ../../..
  no/../../
  ..yes/..no/..no/..no/../../../..yes
  ..yes/..no/..no/..no/../../../..yes/
  ../..
  ../../../
  .
  ./
  ./.
  //no/..
  ../../no/..
  ../../no/../
  yes/no/../
  yes/no/no/../..
  yes/no/no/no/../../..
  yes/no/../yes/no/no/../..
  yes/no/no/no/../../../yes
  yes/no/no/no/../../../yes/
  /no/../
  /yes/no/../
  /yes/no/no/../..
  /yes/no/no/no/../../..
  ../../..no/..
  ../../..no/../
  ..yes/..no/../
  ..yes/..no/..no/../..
  ..yes/...no/..no/..no/../../..
  ..yes/..no/../..yes/..no/..no/../..
  /..no/../
  /..yes/..no/../
  /..yes/..no/..no/../..
  /..yes/..no/..no/..no/../../..
  /
  /.
  /./
  /./.
  /././
  /..
  /../..
  /../../..
  /../../..
  //..
  //..//..
  //..//..//..
  /./..
  /./.././..
  /./.././.././..
  .
  ./
  ./.
  ..
  ../

  pseudo-netpath/seg/file.ext
  pseudo-netpath/seg/file.ext
  yes/pseudo-netpath/seg/file.ext
  yes
  yes/
  yes/
  ../../../
  ../
  /a/g
  mid/6
  ../../../
  ../
  ..yes/..yes
  ..yes/..yes/
  ../../
  ../../../
  /
  ../../
  ../../
  yes/
  yes/
  yes/
  yes/yes/
  yes/yes
  yes/yes/
  /
  /yes/
  /yes/
  /yes/
  ../../
  ../../
  ..yes/
  ..yes/
  ..yes/
  ..yes/..yes/
  /
  /..yes/
  /..yes/
  /..yes/
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  /
  ../
  ../

3.3 Test Cases for XMLDSig

3.3.1 Test Cases for C14N 1.1 in XMLDSig

The test cases in section [TestCases-C14n11] are performed in the context of XMLDSig as well. Here it should be noted that this is performed in a different location (i.e. xmldsig/c14n11/) and the XPath-Filter expression in the ds:Transform/ds:XPath should be equal to the filter step of the XPath expressions in section [TestCases-C14n11] (cf. explanation). The test cases are specified by an "unsigned" ds:Signature (without ds:DigestValue and ds:SignatureValue) in files in xmldsig/c14n11/ having the postfix ...-template.xml.

3.3.2 Test Cases on nodeset to octet-stream conversion by C14n 1.1 explicitly reflected in the chain of transforms

The set of test cases in this section test the Reference Generation steps of [XMLDSIG2] and its rules that manage the contents of the Transforms element when nodeset to octet-stream conversions are to be performed by canonicalization.

General rules for these test cases:

  • Test cases contain a ds:Transforms element with one child, containing a XPath filter that depends on the test case.

3.3.2.1 Test case xmldsig/defCan-1
Input details The same input document as in section [XMLBASE].
Rationale Check that implementations and APIs of [XMLDSIG2] honor the recommendation to use [XML-C14N1.1] in section 3.1.1 "Reference Generation" of [XMLDSIG2] and make its use explicit as a ds:Transform.
Template This template can be used to instruct some API to create a signature with a chain of transforms that would require implicit transformations from a node set to an octet stream. It is expected that c14n11 is inserted at the relevant places.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:c14n11XmlBaseDoc1 and\
+  not(ancestor-or-self::ietf:e2)</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>t7d2cL8Ink8A5i3cS9/bu9MBBU8=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>LR4s+Nxoq3VZO1NiCLoiovfCpK4=</SignatureValue>\
+ </Signature>
3.3.2.2 Test case xmldsig/defCan-2
Input details The same input document as in section [XMLBASE].
Rationale Check that implementations and APIs of [XMLDSIG2] honor the recommendation to use [XML-C14N1.1] in section 3.1.1 "Reference Generation" of [XMLDSIG2] and make it's use explicit as a ds:Transform. It is expected that c14n11 is inserted at the relevant places.
Template This template can be used to instruct some API to create a signature with a chain of transforms that would require implicit transformations from a node set to an octet stream. The focus in this test case is to assure that c14n11 is inserted before transforms requiring an octet stream as input and also at the end of the chain of transforms if necessary because the last transform resulted in a node set.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:e21</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+  xmlns="http://www.w3.org/1999/XSL/Transform"\
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">1</XPath>\
+ </Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>fL7Igzs0LL7lKHJzAJIKYCphYBo=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>bKQLywY51VZwjutUX/CUMsVs6RE=</SignatureValue>\
+ </Signature>
3.3.2.3 Test case xmldsig/defCan-3
Input details The same input document as in section [XMLBASE].
Rationale Check that implementations and APIs of [XMLDSIG2] honor the recommendation to use [XML-C14N1.1] in section 3.1.1 "Reference Generation" of [XMLDSIG2] and make it's use explicit as a ds:Transform. It is expected that c14n11 is inserted at the relevant places. The focus in this test case is to assure that c14n11 is inserted before transforms requiring an octet stream as input but not inserted at the end of the chain of transforms, which is not necessary because the last transform resulted in an octet stream.
Template This template can be used to instruct some API to create a signature with a chain of transforms that would require implicit transformations from a node set to an octet stream.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="c14n11/xml-base-input.xml"><Transforms>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">\
+ ancestor-or-self::ietf:e21</XPath></Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+  xmlns="http://www.w3.org/1999/XSL/Transform"\
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">\
+ <XPath xmlns:ietf="http://www.ietf.org">1</XPath>\
+ </Transform>\
+ <Transform Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">\
+ <xsl:stylesheet version="1.0"\
+  xmlns="http://www.w3.org/1999/XSL/Transform"\
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\
+ <xsl:template match="@*|node()"><xsl:copy>\
+ <xsl:apply-templates select="@*|node()"/></xsl:copy>\
+ </xsl:template></xsl:stylesheet></Transform>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>hqabUu4fEZp7GK5JRyFC26W5JBk=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>9+wp0W9xwL5X3kSttxABZ7p/kU0=</SignatureValue>\
+ </Signature>

3.3.3 Test Cases on schema based XPointers and canonicalization

This section defines test cases that test if implementations behave correctly when processing both schema-based xpointers and short-name xpointers with regards to comments present in the to be signed xml data object.

The following rules apply to the test cases in this section:

  • As the model processing is defined in [XMLDSIG2], the test cases are based on XML signatures. For each test case, an XML signature will be generated and validated. The signatures will be enveloped signatures when the URI attribute is referencing the root element and enveloping when the URI attribute is referencing an element using its Id attribute.

  • The input for the test cases is the to be signed xml data object shown below and the ds:Reference's URI attribute value (a schema-based xpointer or a short-name pointer).

  • The ds:Reference for enveloped signatures will eventually contain two Transform elements, namely; the enveloped signature transform and the conversion from node set data to octet stream (canonical XML 1.1).

Below is the input document for the test cases in this section:

  <?xml version="1.0" encoding="UTF-8"?>
  <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org"  >
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11 >
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111 />
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121 />
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21 />
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  </ietf:c14n11XmlPointerDoc1>
3.3.3.1 Test case xmldsig/xpointer-1
Input details The signature is an enveloped signature. It appears as the last child of the root element. The document enveloping the signature is the one shown at the beginning of this section. The value of the URI attribute is "#xpointer(/)" (find it here).
Rationale Check that implementations, following the rules stated in the [XMLDSIG2] model, dereference the URI getting the root element and its descendant, and that comments are preserved before proceeding with the computation of digest.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(/)"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>/IZyGLL72rXhisXRkB617TxJrL8=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>E4gxKwllVjvvlUQFe9p/ssO7Yxw=</SignatureValue>\
+ </Signature></ietf:c14n11XmlPointerDoc1>
3.3.3.2 Test case xmldsig/xpointer-2
Input details The signature is an enveloping signature. The enveloped document is the one shown at the beginning of this section. The value of the URI attribute is "#xpointer(id('e1ID'))" (find it here).
Rationale Check that implementations, following the rules stated in the [XMLDSIG2] model, dereference the URI getting an element identified by its id attribute as well as its descendant, and that comments are preserved before proceeding with the computation of digest.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(id('e1ID'))"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>XhSsDpWTt+ti0kcU9XYpleRDHfQ=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>brEpICVA4lg7eQwz7i/rlBmYXiU=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  </ietf:c14n11XmlPointerDoc1></Object></Signature>
3.3.3.3 Test case xmldsig/xpointer-3
Input details The signature is an enveloped signature. It appears as the last child of the root element. The document enveloping the signature is the one shown at the beginning of this section. The value of the URI attribute is "".
Rationale Check that implementations, following the rules stated in the [XMLDSIG2] model, dereference the URI getting the root element and its descendant, and that comments are not preserved before proceeding with the computation of digest.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI=""><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>gaV5r7qC3Ve/t641+d3ykN8JFSc=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>gS1QKSwAH/6eE3OFi/L9O0oKKig=</SignatureValue>\
+ </Signature></ietf:c14n11XmlPointerDoc1>
3.3.3.4 Test case xmldsig/xpointer-4
Input details The signature is an enveloping signature. The enveloped document is the one shown at the beginning of this section. The value of the URI attribute is "#e1ID" (find it here).
Rationale Check that implementations, following the rules stated in the [XMLDSIG2] model, dereference the URI getting an element identified by its id attribute as well as its descendant, and that comments are not preserved before proceeding with the computation of digest.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#e1ID"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>3K+K4MbR2EW7l/ry59XockKqt4g=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>dgyjONUs9rBjW7PH25seGqcMNZY=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  </ietf:c14n11XmlPointerDoc1></Object></Signature>
3.3.3.5 Test case xmldsig/xpointer-5
Input details The signature is an enveloping signature and signs three elements from the document. The enveloped document is the one shown at the beginning of this section. There are three ds:Reference elements. For the first one the value of the URI attribute is "#xpointer(id('e1ID'))" (find it here). For the second, it is "#xpointer(id('e2ID'))" (find it here). For the third one, it is "#xpointer(id('e3ID'))" (find it here).
Rationale Check implementation's behaviour when processing several elements (with and without comments) referenced by its Id attribute using a schema-based xpointer.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#xpointer(id('e1ID'))"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>XhSsDpWTt+ti0kcU9XYpleRDHfQ=</DigestValue>\
+ </Reference><Reference URI="#xpointer(id('e2ID'))">\
+ <Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>abyA1j4yzf1IgQLWwDwKuU9l8Ik=</DigestValue>\
+ </Reference><Reference URI="#xpointer(id('e3ID'))">\
+ <Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>RUUBiUeFf8uRqTlpCyutkXDqnJ4=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>sG+0pHk9TB6v7jES9RZUIVKMFos=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  </ietf:c14n11XmlPointerDoc1></Object></Signature>
3.3.3.6 Test case xmldsig/xpointer-6
Input details The signature is an enveloping signature and signs two elements from the document. The enveloped document is the one shown at the beginning of this section. There are three ds:Reference elements. For the first one the value of the URI attribute is "#e1ID" (find it here). For the second, it is "#e2ID" (find it here). For the third one, it is "#e3ID" (find it here).
Rationale Check implementation's behaviour when processing several elements (with and without comments) referenced by its Id attribute using a short-name xpointer.
Signature 
  <?xml version="1.0" encoding="UTF-8"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>\
+ <Reference URI="#e1ID"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>3K+K4MbR2EW7l/ry59XockKqt4g=</DigestValue>\
+ </Reference><Reference URI="#e2ID"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>hnKFjGFr/jwLCCTckZpaclOwe28=</DigestValue>\
+ </Reference><Reference URI="#e3ID"><Transforms>\
+ <Transform\
+  Algorithm="http://www.w3.org/2006/12/xml-c14n11#WithComments"/>\
+ </Transforms>\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>RUUBiUeFf8uRqTlpCyutkXDqnJ4=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>XzEJQ+whhHUYlqiCEt8XFxC8wpk=</SignatureValue>\
+ <Object>\
+ <ietf:c14n11XmlPointerDoc1 xmlns:ietf="http://www.ietf.org"\
+  xmlns:w3c="http://www.w3.org">
                  \
+ <!-- This is a xml document for checking behaviour of tools with\
+  regards to  comments when using scheme-based xpointers in the\
+  ds:Reference's URI attribute -->
          <ietf:e1 xml:id="e1ID">
                  <!-- This is a comment for ietf:e1 element -->
                  <ietf:e11>
                  <!-- This is a comment for ietf:e11 element -->
                          <ietf:e111/>
                  </ietf:e11>
                  <ietf:e12 at="2">
                  <!-- This is a comment for ietf:e12 element -->
                          <ietf:e121/>
                  </ietf:e12>
          </ietf:e1>
          <ietf:e2 xml:id="e2ID">
                  <!-- This is a comment for ietf:e2 element -->
                  <ietf:e21/>
          </ietf:e2>
          <ietf:e3 xml:id="e3ID">
                  <ietf:e31 at="3"/>
          </ietf:e3>
  </ietf:c14n11XmlPointerDoc1></Object></Signature>

3.3.4 Test Cases on String encoding of Distinguished Names

3.3.4.1 Test Cases on differences identified in RFC 2253 and RFC 4514

This Working group has identified a number of differences between [RFC 4514] and [RFC 2253]. They are described in this e-mail within the XML Security Specifications Maintenance Working Group e-mail list archive. This section contains test cases designed for checking that applications can parse and generate RFC 4514 Distinguished Names with these differences.

The following rules apply for the test cases defined in this section:

  • The input to each test case is an XML Signature. Each signature contains an X509SubjectName or X509IssuerSerial element with an RFC 4514 Distinguished Name.

  • To resolve the key, the application must find a certificate containing a matching issuer/serial or subject DN from the certificates that are contained in the "certs" directory. This verifies that the implementation can parse the RFC 4514 DN and find a matching certificate with an equivalent subject or issuer DN.

  • Signature generation is also required. A PKCS#12 KeyStore containing the private keys used to generate the signatures is in the file "certs/keystore.p12". The keystore password is "secret". The key entry name is the same as the corresponding certificate file name (without the ".crt" part).

  • The generated signature should contain an X509SubjectName or X509IssuerSerial element with an RFC 4514 distinguished name as specified in the "[RFC-4514] DN" row of each of the tables in this section. However, if an implementation does not support an optional encoding as specified by RFC 4514, it is acceptable to generate a DN that is not strictly equivalent to those in the table but that is still RFC 4514 compliant.

3.3.4.1.1 Test case xmldsig/dname/diffRFCs-1
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains one Relative Distinguished Name whose attribute type keyword is encoded with one alphabetic character, and another Relative Distinguished Name whose attribute type keyword is encoded with two characters. RFC 4514 allows attribute type keywords to be of length 1, whereas RFC 2253 (erroneously) requires them to be at least length 2.
Rationale Check processing of attribute type keywords by tools implementing [RFC 4514].
[RFC 4514] DN CN=John,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ DOz4KhJHOvhzPiKjxl0WVsrXPuZ9XQtdDvKN0KuLQGIzXkljfkFEQA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=John,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.1.2 Test case xmldsig/dname/diffRFCs-2
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing space characters. [RFC 2253] (erroneously) does not allow escaping, whereas [RFC 4514] allows space characters to be escaped.
Rationale Check escaping of space characters by tools implementing [RFC 4514].
[RFC 4514] DN CN=\ Spacey\ ,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ V18nxls1pqn4IyA/GNosGfqLHEE6INnyuV9TmHlYt/sYsaagHCH9Xw==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=\ Spacey\ ,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.1.3 Test case xmldsig/dname/diffRFCs-3
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing a null character. [RFC 2253] does not require null characters to be escaped, whereas [RFC 4514] requires null characters to be hex escaped.
Rationale Check escaping of null characters by tools implementing [RFC 4514].
[RFC 4514] DN CN=\00,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ N6jHpYnYpggrfADJkvZfggCaUq9dzU9M3EQ+27wA8f92nWwmrlyUQQ==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=\00,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.1.4 Test case xmldsig/dname/diffRFCs-4
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing a non-leading number sign character that is not escaped. [RFC 2253] requires escaping of non-leading number sign characters, whereas [RFC 4514] does not.
Rationale Check processing of non-leading number sign characters that are not escaped by tools implementing [RFC 4514].
[RFC 4514] DN CN=Num#ber,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ QN8dVUz4674CG7tnHJ+VSDFKbttZ3Ywa5rizoYS2EGUD8/33RFlZJA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Num#ber,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.1.5 Test case xmldsig/dname/diffRFCs-5
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing an equals sign character that is not escaped. [RFC 2253] requires escaping of equals sign characters, whereas [RFC 4514] does not.
Rationale Check processing of equals sign characters that are not escaped by tools implementing [RFC 4514].
[RFC 4514] DN CN=Eq=uals,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ TEFSu5hmr8r5JU78U9MgS0mdZIZOXUjORTRzDFaBWh9DhFjPjxxW4w==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Eq=uals,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.2 Test Cases for RFC 4514

The set of test cases in this section are designed to test the representation of Distinguished Names as Strings as specified by [RFC 4514] and augmented by the optional encoding rules of section 4.4.4.1 of [XMLDSIG2].

The same rules defined in section 3.3.4.1 apply to the test cases in this section.

Also, with respect to signature generation, if an implementation does not support an optional encoding as specified by RFC 4514 or XMLDSIG2, it is acceptable to generate a DN that is not strictly equivalent to those in the table but that is still RFC 4514 compliant.

3.3.4.2.1 Test case xmldsig/dname/dnString-4
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing trailing space characters that have been escaped as "\20" instead of "\ ", as specified by the optional encoding rules of [XMLDSIG2].
Rationale Check that implementations correctly manage escaping of trailing space characters.
[RFC 4514] DN CN=Trailing\20\20,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ ONd8OoOnv9OThyiTPkneEcsdgVt65w6AgUAxidekHeKmjyQxnYEdWA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Trailing\20\20,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.2.2 Test case xmldsig/dname/dnString-6
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing an ASCII control character that has been escaped as "\09" (instead of not escaping it), as specified by the optional encoding rules of [XMLDSIG2].
Rationale Check that implementations correctly handle escaping of an ASCII control character.
[RFC 4514] DN CN=Con\09trol,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ V34pKGIfKacwJtTEShfSXx4M2dhSOTqZVCIL6nO66lm+JTQ//wCKaA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=Con\09trol,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>
3.3.4.2.3 Test case xmldsig/dname/dnString-8
Input details The input is an XML Signature containing an X509SubjectName in RFC 4514 format. The DN contains a Relative Distinguished Name containing several characters that must be escaped, as specified by [RFC 4514].
Rationale Check that implementations correctly manage escaping of the special characters (except '"', 'lt;' and '>').
[RFC 4514] DN CN=E\+s\,c\;aped,C=US
Signature 
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>\
+ <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">\
+ <SignedInfo>\
+ <CanonicalizationMethod\
+  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>\
+ <SignatureMethod\
+  Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>\
+ <Reference URI="#object">\
+ <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>\
+ <DigestValue>nxGVxTzX3uQVeaZ7vtWMLc+V6CE=</DigestValue>\
+ </Reference></SignedInfo>\
+ <SignatureValue>\
+ L2r+QCiO0qOPgDYybThQEbP7A8Iq8AomDGBXgQqe4mkuLMnroTxnGA==</SignatureValue>\
+ <KeyInfo><X509Data>\
+ <X509SubjectName>CN=E\+s\,c\;aped,C=US</X509SubjectName>\
+ </X509Data></KeyInfo>\
+ <Object Id="object">Approved</Object></Signature>

4 References

RFC 2253
RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. M. Wahl, S. Kille, T. Howes. Ed. December 1997. This document is http://www.ietf.org/rfc/rfc2253.txt.
RFC 4514
RFC 4514: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names. K. Zeilenga, Ed. June 2006. This document is http://www.ietf.org/rfc/rfc4514.txt.
XML-C14N1.1
Canonical XML Version 1.1. W3C Proposed Recommendation. John Boyer, Glenn Marcy. January 2008. This document is http://www.w3.org/TR/2008/PR-xml-c14n11-20080129/. The latest version is http://www.w3.org/TR/xml-c14n11/.
XMLDSIG
XML-Signature Syntax and Processing. W3C Recommendation. Donald Eastlake, Joseph Reagle, David Solo. February 2002. This document is http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/. The latest version is http://www.w3.org/TR/xmldsig-core.
XMLDSIG-interop
XML-Signature Interoperability. Joseph Reagle. April 2001.
XMLDSIG2
XML-Signature Syntax and Processing (Second Edition). W3C Recommendation. Donald Eastlake, Joseph Reagle, David Solo, Frederick Hirsch, Thomas Roessler. June 2008. This document is http://www.w3.org/TR/2008/REC-xmldsig-core-20080610/. The latest version is http://www.w3.org/TR/xmldsig-core.
XPointer-Element
XPointer element() Scheme. W3C Recommendation. P. Grosso, E. Maler, J. Marsh, N. Walsh. March 2003. This document is http://www.w3.org/TR/2003/REC-xptr-element-20030325. The latest version is http://www.w3.org/TR/xptr-element.
XPointer-Framework
XPointer Framework. W3C Recommendation. P. Grosso, E. Maler, J. Marsh, N. Walsh. March 2003. This document is http://www.w3.org/TR/2003/REC-xptr-framework-20030325/. The latest version is http://www.w3.org/TR/xptr-framework/.
XPointer-xpointer
XPointer xpointer() Scheme. W3C Working Draft (Work in Progress). S. DeRose, E. Maler, R. Daniel. December 2002. This document is http://www.w3.org/TR/2002/WD-xptr-xpointer-20021219/. The latest version is http://www.w3.org/TR/xptr-xpointer/.