Subject: full schema for signing request, dss-proposal-rsalz-02.xsd
I knocked most of this off earlier, but then I ran it through IBM's schema quality checker, which found various typos, etc. Looking forward to feedback.

/r$

--
Rich Salz
Chief Security Architect
DataPower Technology          http://www.datapower.com
XS40 XML Security Gateway     http://www.datapower.com/products/xs40.html
XML Security Overview         http://www.datapower.com/xmldev/xmlsecurity.html
<?xml version="1.0" encoding="utf-8"?>
<!-- vi: set sw=2 ts=8 et: -->
<xs:schema version="0.1"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="http://www.example.com/dss"
  xmlns="http://www.example.com/dss"
  xmlns:dss="http://www.example.com/dss"
  xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">

  <xs:import schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"
    namespace="http://www.w3.org/2000/09/xmldsig#"/>

  <!-- This is a signature property; something the client wants the server
       to embed in the signature.  If no transforms are specified, then the
       server applies the transforms from the main element when creating
       the reference.  Clients MUST NOT specify dss:Property/dsig:Transforms
       when dss:Property/@signed is false. -->
  <xs:element name="Property">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dsig:Object"/>
        <!-- minOccurs="0": per the comment above, transforms may be omitted. -->
        <xs:element ref="dsig:Transforms" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="signed" type="xs:boolean"/>
    </xs:complexType>
  </xs:element>

  <!-- This indicates if the signature is enveloped or not.  There must be
       a simpler way to do this.  I want <Enveloped value='true'/> -->
  <xs:element name="Enveloped">
    <xs:complexType>
      <xs:sequence/>
      <xs:attribute name="value" type="xs:boolean"/>
    </xs:complexType>
  </xs:element>

  <!-- This is a parameter, which a client provides to help control the
       operation of the server.  Basic structure taken from the
       dsig:Transform element. -->
  <xs:element name="Parameter">
    <xs:complexType mixed="true">
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <!-- Here is where we put the definitions of elements we define in
             the core.  Examples below show a proposal for what should be
             in the core. -->
        <xs:element ref="dsig:KeyInfo"/>
        <xs:element ref="dsig:Transforms"/>
        <xs:element ref="dss:Property"/>
        <xs:element ref="dss:Enveloped"/>
        <!-- Extensibility point. -->
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
      <xs:attribute name="type" type="xs:anyURI" use="required"/>
      <xs:attribute name="mustUnderstand" type="xs:boolean"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="Parameters">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Parameter" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- I tried to make this simpler than just using dsig:Reference.  But
       when you look at what information the server will need to apply in
       order to create a real Reference so that clients can verify it, then
       this is what you end up with. -->
  <xs:element name="PreDigested">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dsig:Reference"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="XML">
    <xs:complexType mixed="true">
      <xs:sequence>
        <xs:any namespace="##other" processContents="lax"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- An input document.  The following values for Document/@type are
       defined:
         urn1  Text (in same encoding as the surrounding doc)
         urn2  Base64 string; unencode it before hashing
         urn3  XML (same encoding)
         urn4  XML, but transferred as base64

       For example, signing the OASIS homepage via external ref:
         <dss:Document type="urn1">
           <dss:URI>http://www.oasis-open.org</dss:URI>
         </dss:Document>

       Enclosing a WORD doc to be signed:
         <dss:Document type="urn2">
           ZXRlX3MobGQsIHNlcnZlckROKSAhPSBMREFQX1NVQ0NFU1MpIHsKCQkqc3RhdHVz
           ...
           X05TX0xEQVAgKi8KCg==
         </dss:Document>

       Including a bit of XML to be signed, specifying the same-doc URI
       reference that will appear in the generated signature:
         <dss:Document type="urn3" uri="#body">
           <dss:XML>
             <foo><bar foobar='23'/>yes</foo>
           </dss:XML>
         </dss:Document> -->
  <xs:element name="Document">
    <xs:complexType mixed="true">
      <!-- minOccurs="0" so a urn2 document may carry base64 text alone;
           dss:XML is listed explicitly so the urn3 example above validates
           (##other excludes this schema's own namespace). -->
      <xs:choice minOccurs="0" maxOccurs="1">
        <xs:element name="URI" type="xs:anyURI"/>
        <xs:element ref="dss:PreDigested"/>
        <xs:element ref="dss:XML"/>
        <!-- Extensibility point. -->
        <xs:any namespace="##other" processContents="lax"/>
      </xs:choice>
      <xs:attribute name="type" type="xs:anyURI" use="required"/>
      <!-- Used for dss:SignaturePlacement, and also used as the ID for the
           server-generated dsig:Reference element. -->
      <xs:attribute name="id" type="xs:ID"/>
      <!-- The URI the server should use to refer to the content. -->
      <xs:attribute name="uri" type="xs:anyURI"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="Documents">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Document" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="SignRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Parameters"/>
        <xs:element ref="dss:Documents"/>
      </xs:sequence>
      <xs:attribute name="profile" type="xs:anyURI"/>
    </xs:complexType>
  </xs:element>

</xs:schema>
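As an added illustration, not part of Rich's post or the draft, here is how a server might turn each dss:Document of a SignRequest into the digest inputs for the dsig:Reference it generates: the four Document/@type cases (urn2/urn4 decoded before hashing, as the comment requires) plus the dss:PreDigested shortcut. The sample request, the urn:example:* values, the function names and the SHA-256 DigestMethod are assumptions; dss:URI fetching is left to the caller.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSS = "http://www.example.com/dss"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumed DigestMethod for server-hashed docs
TYPE_TEXT, TYPE_B64, TYPE_XML, TYPE_XML_B64 = "urn1", "urn2", "urn3", "urn4"  # the draft's placeholders

def _q(ns, local):
    return "{%s}%s" % (ns, local)

def document_octets(doc):
    # Bytes the server digests for one dss:Document; dss:URI fetching is left to the caller.
    kind, text = doc.get("type"), (doc.text or "")
    if kind == TYPE_TEXT:
        return text.encode("utf-8")
    if kind in (TYPE_B64, TYPE_XML_B64):
        # Base64 on the wire: decode before hashing; validate=True rejects non-base64 input.
        return base64.b64decode("".join(text.split()), validate=True)
    if kind == TYPE_XML:
        xml_el = doc.find(_q(DSS, "XML"))
        if xml_el is None:
            raise ValueError("urn3 Document %r lacks a dss:XML child" % doc.get("id"))
        # Plain serialization; a real server applies the request's dsig:Transforms (C14N) here.
        return b"".join(ET.tostring(child, encoding="utf-8") for child in xml_el)
    raise ValueError("unknown Document/@type %r" % kind)

def reference_inputs(sign_request_xml):
    # Per dss:Document: the id, uri and digest the server needs for its generated dsig:Reference.
    out = []
    for doc in ET.fromstring(sign_request_xml).iter(_q(DSS, "Document")):
        ref = doc.find(_q(DSS, "PreDigested") + "/" + _q(DSIG, "Reference"))
        if ref is not None:  # client hashed it already: reuse its DigestMethod/DigestValue
            method = ref.find(_q(DSIG, "DigestMethod")).get("Algorithm")
            value = ref.find(_q(DSIG, "DigestValue")).text.strip()
        else:
            method = SHA256_URI
            value = base64.b64encode(hashlib.sha256(document_octets(doc)).digest()).decode()
        out.append({"id": doc.get("id"), "uri": doc.get("uri"),
                    "digest_method": method, "digest_value": value})
    return out

# Constructed sample request (not from the post); urn:example:* values are made up.
SAMPLE_REQUEST = """<dss:SignRequest xmlns:dss="http://www.example.com/dss" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dss:Parameters><dss:Parameter type="urn:example:enveloped"><dss:Enveloped value="true"/></dss:Parameter></dss:Parameters>
<dss:Documents><dss:Document type="urn1" id="d1">hello</dss:Document><dss:Document type="urn2" id="d2">aGVs bG8=</dss:Document>
<dss:Document type="urn3" id="d3" uri="#body"><dss:XML><foo><bar foobar="23"/>yes</foo></dss:XML></dss:Document>
<dss:Document type="urn1" id="d4"><dss:PreDigested><dsig:Reference URI="urn:example:blob"><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>AAAA</dsig:DigestValue></dsig:Reference></dss:PreDigested></dss:Document></dss:Documents></dss:SignRequest>"""
```

Running `reference_inputs(SAMPLE_REQUEST)` shows d1 and d2 producing the same digest (same octets, different transfer encoding) and d4 passing the client's DigestValue through untouched.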