### Escaped XPointer Example

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/xmldsig/xpointer/xpointerscheme-Readme-RFC2396_RFC2732-diff-RFC3986.txt

This example demonstrates the correct escaping of square brackets within an XPointer to comply with RFC 3986.

```xml
#xpointer(//*%5B@authenticate='true'%5D)
```

--------------------------------

### Linking Stylesheets with xml-stylesheet

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/com/pothole/xmldsig/xml-stylesheet.txt

Examples of linking stylesheets using the 'xml-stylesheet' processing instruction. Demonstrates different ways to specify the stylesheet, including compact and media-specific links.

```xml
```

```xml
```

```xml
```

--------------------------------

### Multiple XML Stylesheet Processing Instructions

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/TR/xml-stylesheet.html

This example illustrates how multiple xml-stylesheet processing instructions can be used to link several stylesheets, including alternate ones, similar to multiple HTML LINK elements.

```xml
```

```xml
```

```xml
```

```xml
```

--------------------------------

### Alternate XML Stylesheet Processing Instruction

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/TR/xml-stylesheet.html

This example shows an alternate stylesheet using the xml-stylesheet processing instruction, equivalent to an HTML LINK with alternate stylesheet.

```xml
```

--------------------------------

### Basic XML Stylesheet Processing Instruction

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/TR/xml-stylesheet.html

This is a basic example of the xml-stylesheet processing instruction, equivalent to an HTML LINK element for a CSS stylesheet.

```xml
```

--------------------------------

### Regenerate PKCS12 Keystore with OpenSSL

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/xmlenc-core-11/README.md

Use this bash script to regenerate PKCS12 files with modern encryption algorithms, making them compatible with recent Java security policies. It requires openssl to be installed and takes the base filename as an argument.

```bash
#!/usr/bin/env bash
FILENAME=$1
PASSPHRASE="passwd"

# Regenerate a PKCS12 with up-to-date encryption algorithm so that it can be used with latest java security policy
echo "Regenerating PKCS12 file $FILENAME.p12 to $FILENAME-v02.p12"
# Export the certificates only (no private key) to a temporary PEM file
openssl pkcs12 -in "${FILENAME}.p12" -passin "pass:${PASSPHRASE}" -out "${FILENAME}.pem" -nodes -nokeys
# Export the private key only, unencrypted, to a temporary key file
openssl pkcs12 -in "${FILENAME}.p12" -passin "pass:${PASSPHRASE}" -out "${FILENAME}.key" -nodes -nocerts
# Re-pack key and certificates into a new PKCS12 file
openssl pkcs12 -export -out "${FILENAME}-v02.p12" -passin "pass:${PASSPHRASE}" -passout "pass:${PASSPHRASE}" -inkey "${FILENAME}.key" -in "${FILENAME}.pem" -name "test-certificate"

echo "Cleaning the temporary files ${FILENAME}.pem and ${FILENAME}.key"
rm "${FILENAME}.pem"
rm "${FILENAME}.key"
echo "Done"
```

--------------------------------

### XML Stylesheet with Title

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/TR/xml-stylesheet.html

This example demonstrates the xml-stylesheet processing instruction with a title attribute, similar to an HTML LINK element with a title.

```xml
```

--------------------------------

### Test Case 2: xml:base Propagation from First Level Element

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Verifies xml:base propagation when the output subset starts from the first-level element 'ietf:e1', ensuring the base is correctly established at this level.

```xpath
(//. | //@* | //namespace::*)
[ancestor-or-self::ietf:e1]
```

```xml
```

--------------------------------

### Multiple xml-stylesheet Instructions

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/at/iaik/ixsil/transforms/samples/sampleBase64EncodedData.txt

Shows how to use multiple xml-stylesheet processing instructions to associate different style sheets with an XML document, similar to HTML's LINK element.

```xml
```

```xml
```

--------------------------------

### Multiple Stylesheet Links

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/com/pothole/xmldsig/xml-stylesheet.txt

Illustrates how multiple 'xml-stylesheet' processing instructions can be used to link different stylesheets. This allows for alternative or complementary styling options.

```xml
```

```xml
```

--------------------------------

### XML Output with xml:base Propagation (Test Case 6)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This XML snippet demonstrates the expected output for a test case where xml:base is built for an element that originally lacked it, due to absent intermediate levels.

```xml
```

--------------------------------

### XML Output with xml:base Propagation (Test Case 5)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This XML snippet shows the expected output for a test case involving xml:base propagation when one intermediate level is absent.

```xml
```

--------------------------------

### XML Signature with Multiple Scheme-based XPointers

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Tests implementation behavior when processing multiple elements referenced by their ID using scheme-based XPointers. Includes elements with and without comments.
Uses XML-C14N 1.1 with comments.

```xml
XhSsDpWTt+ti0kcU9XYpleRDHfQ=
abyA1j4yzf1IgQLWwDwKuU9l8Ik=
RUUBiUeFf8uRqTlpCyutkXDqnJ4=
sG+0pHk9TB6v7jES9RZUIVKMFos=
```

--------------------------------

### Input XML Document for Test Cases

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This is the base XML document used for various test cases involving scheme-based XPointers and canonicalization. It includes comments that are relevant to the test scenarios.

```xml
```

--------------------------------

### Linking Stylesheets with xml-stylesheet

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/at/iaik/ixsil/transforms/samples/sampleBase64EncodedData.txt

Demonstrates various ways to link CSS stylesheets using the xml-stylesheet processing instruction, including different attributes like title and media.

```xml
```

--------------------------------

### XML Signature with Scheme-based XPointers and Canonicalization (SUN)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Tests dereferencing a URI with an ID attribute using scheme-based XPointers and preserving comments during canonicalization.

```xml
XhSsDpWTt+ti0kcU9XYpleRDHfQ=
brEpICVA4lg7eQwz7i/rlBmYXiU=
<-- This is a xml document for checking behaviour of tools with regards to comments when using scheme-based xpointers in the ds:Reference's URI attribute -->
```

--------------------------------

### XML Output with xml:base Propagation (Test Case 4)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This XML snippet represents the expected output for a test case where xml:base should propagate through absent intermediate elements.

```xml
```

--------------------------------

### Generate Brainpool EC Keystore Script

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/apache/xml/security/samples/input/README.txt

This bash script automates the generation of certificates for brainpool EC curves and merges them into a single PKCS12 keystore. It uses OpenSSL for certificate creation and keytool for keystore management.

```bash
#!/bin/bash
ALL_CERTS="brainpoolP256r1 brainpoolP384r1 brainpoolP512r1"
KS_FILENAME="brainpool.p12"
PASSPHRASE="security"

# ALL_CERTS is left unquoted on purpose so it splits into one curve name per iteration
for cert in ${ALL_CERTS}; do
  echo "Generating certificate for ${cert}"
  # Generate the EC private key for the curve and derive its public key
  openssl ecparam -name "${cert}" -genkey -noout -out "${cert}.pem"
  openssl ec -in "${cert}.pem" -pubout -out "${cert}.pub"
  # Issue a self-signed certificate for the key
  openssl req -x509 -nodes -sha256 -days 3650 \
    -subj "/CN=${cert}/OU=eDeliveryAS4-2.0/OU=santuario/O=apache/C=EU" \
    -addext "keyUsage=digitalSignature,keyEncipherment,dataEncipherment,cRLSign,keyCertSign" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -key "${cert}.pem" -out "${cert}.crt"

  echo "importing ${cert} to keystore"
  openssl pkcs12 -export -out "${cert}.pfx" -name "${cert}" -inkey "${cert}.pem" -in "${cert}.crt" -passout "pass:${PASSPHRASE}"

  echo "Merge ${cert} to common keystore"
  /opt/java/jdk-17.0.9/bin/keytool -importkeystore -destkeystore "${KS_FILENAME}" -deststoretype PKCS12 \
    -destkeypass "${PASSPHRASE}" -deststorepass "${PASSPHRASE}" \
    -srckeystore "${cert}.pfx" -srcstoretype PKCS12 \
    -srcstorepass "${PASSPHRASE}" -srckeypass "${PASSPHRASE}" \
    -destalias "${cert}" -srcalias "${cert}"

  echo "clean temp files for the ${cert}"
  rm -f "${cert}.pem" "${cert}.pub" "${cert}.crt" "${cert}.pfx"
done
```

--------------------------------

### Multiple HTML LINK to XML Stylesheet PIs

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/at/iaik/ixsil/transforms/digestInputs/base64Signature.firstReference.txt

Illustrates how multiple HTML LINK tags, including alternate stylesheets, are converted into equivalent XML processing instructions.

```html
```

```xml
```

--------------------------------

### XML Signature with Scheme-based XPointers and Canonicalization

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This XML structure represents a signature with multiple references to elements identified by their IDs. It uses the XML Canonicalization 1.1 method with comments included, demonstrating how the system handles XPointers and canonicalization with comments present in the signed document.

```xml
3K+K4MbR2EW7l/ry59XockKqt4g=
hnKFjGFr/jwLCCTckZpaclOwe28=
RUUBiUeFf8uRqTlpCyutkXDqnJ4=
XzEJQ+whhHUYlqiCEt8XFxC8wpk=
```

--------------------------------

### Test Case 1: xml:base Propagation with Root and Descendants

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Tests xml:base propagation when the output subset includes the root element and its descendants, ensuring correct handling of xml:base origins within the subset and elements requiring further processing.

```xpath
(//. | //@* | //namespace::*)
[ancestor-or-self::ietf:c14n11XmlBaseDoc1 and not(ancestor-or-self::ietf:e2)]
```

```xml
```

--------------------------------

### XML Stylesheet Processing Instruction Grammar

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/at/iaik/ixsil/transforms/samples/sampleBase64EncodedData.txt

Provides the grammar for the 'xml-stylesheet' processing instruction, including pseudo-attributes like 'type' and 'href'.

```xml
```

```xml
```

```xml
```

```xml
```

```xml
```

--------------------------------

### XML Output without unnecessary xml:base Propagation (Test Case 7)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This XML snippet illustrates the expected output for a test case where xml:base should not be passed to another element when not necessary.

```xml
```

--------------------------------

### Output for Test Case c14n11/xmllang-2

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

The canonicalized output for test case 2. The 'e2' element is included, but since it does not have an xml:lang attribute, none is present in the output.

```xml
```

--------------------------------

### XML Signature with Scheme-based XPointers and Canonicalization

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Tests dereferencing URIs to elements identified by ID, including descendants, and verifies comment handling during digest computation. Uses XML-C14N 1.1 with comments.

```xml
3K+K4MbR2EW7l/ry59XockKqt4g=
dgyjONUs9rBjW7PH25seGqcMNZY=
```

--------------------------------

### Output for xmlspace-1 Test Case

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

Expected output for the xmlspace-1 test case, demonstrating C14N11 canonicalization of an element with an xml:space attribute.

```xml
```

--------------------------------

### RFC 3986 Fragment Definition (Expanded)

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/xmldsig/xpointer/xpointerscheme-Readme-RFC2396_RFC2732-diff-RFC3986.txt

An expanded view of the RFC 3986 fragment definition, showing all allowed characters.

```bnf
fragment = *( pct-encoded / ALPHA / DIGIT / "-" / "." / "_" / "~" / "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
```

--------------------------------

### Output for Test Case c14n11/xmllang-4

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

The canonicalized output for test case 4. Both 'e11' and 'e12' elements are included, and they both inherit the xml:lang attribute from their parent 'e1'.

```xml
```

--------------------------------

### HTML LINK to XML Stylesheet PI

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/at/iaik/ixsil/transforms/digestInputs/base64Signature.firstReference.txt

Shows the direct translation from HTML LINK tags to XML processing instructions for basic stylesheet linking.

```html
```

```html
```

```html
```

--------------------------------

### XMLDSIG Signature with Multiple Transforms including C14n 1.1

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/w3c/www/interop/testcases.html

This signature demonstrates a more complex transform chain involving XPath, XSLT, and explicit C14n 1.1. It tests the correct ordering of transforms, especially when C14n 1.1 is needed before and after other transforms.

```xml
ancestor-or-self::ietf:e21
1
fL7Igzs0LL7lKHJzAJIKYCphYBo=
bKQLywY51VZwjutUX/CUMsVs6RE=
```

--------------------------------

### Generate ECDSA Keystore

Source: https://github.com/apache/santuario-xml-security-java/blob/main/src/test/resources/org/apache/xml/security/samples/input/README.txt

This command generates an ECDSA key pair and stores it in a JKS keystore. It specifies the EC group, validity period, and keystore/key passwords.

```shell
keytool -genkeypair -keystore ecdsa.jks -alias secp256r1 -keyalg EC -groupname secp256r1 \
  -storepass security -keypass security \
  -dname "CN=secp256r1,OU=ecdsa, OU=xmlsec,O=apache,C=EU" \
  -validity 3650
```