Subject: Changes for Manifest 4.6.1 plus changes to the Schema File
Dear all,

To accommodate Tommy's suggestions with minor amendments in the core, the following is necessary:

Separate <Document> and DocumentType to be able to reuse DocumentType for <Schema>. The RefUri of <Schema> has a constrained semantic, as it MUST match the targetNamespace of the contained schema document. The <Schema> should contain either <Base64XML>, <EscapedXML> or <InlineXML>; otherwise an error is thrown. Profiles, however, are welcome to use <Base64Data> as well, e.g. for zipped schemas or not yet defined other binary forms of schemas that a document (binary or XML) can comply to.

The following changes to the schema file are necessary:

Change: Replace the "old" Schema element of DocumentBaseType with the following attribute:

    <xs:attribute name="SchemaRefs" type="xs:IDREFS" use="optional"/>

Separate <Document> and DocumentType to be able to reuse DocumentType for <Schema>:

    <xs:element name="Document" type="dss:DocumentType"/>
    <xs:complexType name="DocumentType">
      ...
    </xs:complexType>

Add the optional input <Schema>:

    <xs:element name="Schema" type="dss:SchemaType"/>
    <xs:complexType name="SchemaType">
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:attribute name="ID" type="xs:ID" use="required"/>
          <xs:attribute name="targetNamespace" type="xs:anyURI" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>

Add the optional input <Schemas>:

    <xs:element name="Schemas" type="dss:SchemasType"/>
    <xs:complexType name="SchemasType">
      <xs:sequence>
        <xs:element ref="dss:Schema" minOccurs="1" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="ID" type="xs:ID" use="required"/>
    </xs:complexType>

Amended text for 2.5.1 Type DocumentBaseType:

SchemaRefs [Optional]
This may be used when the document contains XML documents or signatures. It transfers an XML Schema [Schema1] which gives the ID attributes of elements within the input document, which may be necessary if the included signatures' <ds:Reference> elements use XPointer expressions or <ds:Transforms> require it. Referred <Schemas>, <Schema> or combinations of those are to be used during parsing in sections 2.5.2, 3.3.1 1.a and 4.3 and for XPath evaluation in sections 2.6, 3.5.7, 4.3.1 if they are supplied. If anything else but <Schemas>, <Schema> is referred to from here, the server MUST report an Error. If a referred Schema is not used by the document, this MAY be ignored or reported to the client in the <Result>/<ResultMessage>.

Potential explanatory annex for SchemaRefs:

Namespace declarations (inside documents and schemas) have a URI as value; this value can be used to identify the relevant schemas. E.g.:

    xmlns="urn:oasis:names:tc:dss:1.0:core:schema"
    xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

Implementors using DOM level 3 revalidation (http://xml.apache.org/xerces2-j/faq-dom.html#faq-9) do not necessarily have to have the schemas available during parsing. However, we would have to scan the document for namespace declarations to get the URIs. This can be expensive, and we might want to use validation during the first parsing already. Hence we need the SchemaRefs identifying the relevant schemas for a Document. For this we should allow identifying all schemas used via SchemaRefs and issue an Error if the SchemaRefs are ambiguous or in contradiction to what is then really used in the document. SchemaRefs is hence optional (but used by default) to allow implementors to avoid this redundant information and to collect namespace URIs during non-validating parsing and to use this information to identify the relevant schemas.

To summarize, the dependency of documents on schemas is a directed acyclic graph with the document to be validated as starting node, the namespace declarations being edges and all other nodes being schemas. And SchemaRefs are optional, although encouraged to be used per default as validation during parsing might be wanted.

best regards
Konrad

P.S.: I attached my latest version of the Schema file, so Stefan please check that it is really in sync with other recent changes or simply extract what you need from this file.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:dss="urn:oasis:names:tc:dss:1.0:core:schema"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <!-- -->
  <xs:annotation>
    <xs:documentation xml:lang="en">
      This Schema defines the Digital Signature Service Core Protocols,
      Elements, and Bindings Working Draft 34
    </xs:documentation>
  </xs:annotation>
  <!-- -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
             schemaLocation="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"/>
  <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"
             schemaLocation="http://www.oasis-open.org/committees/download.php/3408/oasis-sstc-saml-schema-protocol-1.1.xsd"/>
  <xs:import namespace="http://www.w3.org/XML/1998/namespace"
             schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <!-- COMMON PROTOCOL STRUCTURES -->
  <xs:complexType name="AnyType">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        This type is used to match optional inputs, optional outputs and to make the
        Schema extensible where <xs:any namespace="##other" processContents="lax"/> is not
        possible due to unique particle attribution rules.
      </xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:complexType name="InlineXMLType">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        This Type clearly expresses the fact that content of InlineXML should be equivalent
        to a complete XML Document, i.e. having only one DocumentElement and not allowing
        anything but PI's and Comments before and after this one element.
        The attribute ignorePIsComments indicates how to deal with PI's and Comments, as a
        number of parsers will also ignore them and a server will have to be able to know
        if PI's and Comments have gone missing after parsing and if the client would have
        wanted them to be signed.
      </xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:any processContents="lax"/>
    </xs:sequence>
    <xs:attribute name="ignorePIs" type="xs:boolean" use="optional" default="true"/>
    <xs:attribute name="ignoreComments" type="xs:boolean" use="optional" default="true"/>
  </xs:complexType>
  <!-- -->
  <xs:complexType name="InternationalStringType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute ref="xml:lang"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!-- -->
  <xs:element name="InputDocuments">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        <!-- Re: UPA Problem rationale behind these changes [FW: FROM JC THROUGH KONRAD] -->
        <!-- <xs:any namespace="##other" processContents="lax"/> allows to introduce new top
             level elements from other namespaces to support other types of documents in
             the future. -->
        <!-- Solution consistent with other places -->
        <xs:element name="Other" type="dss:AnyType"/> allows to introduce new top level
        elements from namespaces including dss to support other types of input documents
        in the future.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:sequence>
        <xs:choice maxOccurs="unbounded">
          <xs:element ref="dss:Document"/>
          <xs:element ref="dss:TransformedData"/>
          <xs:element ref="dss:DocumentHash"/>
          <xs:element name="Other" type="dss:AnyType"/>
        </xs:choice>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:complexType name="DocumentBaseType" abstract="true">
    <xs:sequence>
      <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ID" type="xs:ID" use="optional"/>
    <xs:attribute name="RefURI" type="xs:anyURI" use="optional"/>
    <xs:attribute name="RefType" type="xs:anyURI" use="optional"/>
  </xs:complexType>
  <!-- -->
  <xs:element name="Document">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:DocumentBaseType">
          <xs:choice>
            <xs:element name="InlineXML" type="dss:InlineXMLType"/>
            <xs:element name="Base64XML" type="xs:base64Binary"/>
            <xs:element name="EscapedXML" type="xs:string"/>
            <xs:element ref="dss:Base64Data"/>
          </xs:choice>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Base64Data">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:attribute name="MimeType" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="DocumentHash">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:DocumentBaseType">
          <xs:sequence>
            <xs:element ref="ds:Transforms" minOccurs="0"/>
            <xs:element ref="ds:DigestMethod"/>
            <xs:element ref="ds:DigestValue"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="TransformedData">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="dss:DocumentBaseType">
          <xs:sequence>
            <xs:element ref="ds:Transforms" minOccurs="0"/>
            <xs:element ref="dss:Base64Data"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SignatureObject">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        <xs:any namespace="##other" processContents="lax"/> is not possible here to allow
        extensibility as more than one namespace (i.e. ds, dss) are used in the choice,
        hence <xs:element name="Other" type="dss:AnyType"/> allows to introduce new top
        level elements from namespaces including dss to support other types of signatures
        in the future.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <xs:element ref="ds:Signature"/>
          <xs:element ref="dss:Timestamp"/>
          <xs:element ref="dss:Base64Signature"/>
          <xs:element ref="dss:SignaturePtr"/>
          <xs:element name="Other" type="dss:AnyType"/>
        </xs:choice>
        <xs:element name="Schema" type="xs:base64Binary" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Base64Signature">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:base64Binary">
          <xs:attribute name="Type" type="xs:anyURI"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SignaturePtr">
    <xs:complexType>
      <xs:attribute name="WhichDocument" type="xs:IDREF"/>
      <xs:attribute name="XPath" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Result">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ResultMajor" type="xs:anyURI"/>
        <xs:element name="ResultMinor" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="ResultMessage" type="dss:InternationalStringType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="OptionalInputs" type="dss:AnyType">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        "dss:AnyType"/> matches any top level element of any namespace, hence
        OptionalInputs can contain 0..* top level elements. It should however not contain
        elements that are not declared as optional inputs by normative text of the
        dss-core or dss-profiles.
      </xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- -->
  <xs:element name="OptionalOutputs" type="dss:AnyType">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        "dss:AnyType"/> matches any top level element of any namespace, hence
        OptionalOutputs can contain 0..* top level elements. It should however not contain
        elements that are not declared as optional outputs by normative text of the
        dss-core or dss-profiles.
      </xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- -->
  <xs:element name="ServicePolicy" type="xs:anyURI"/>
  <!-- -->
  <xs:element name="ClaimedIdentity">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Name" type="saml:NameIdentifierType"/>
        <xs:element name="SupportingInfo" type="dss:AnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Language" type="xs:language"/>
  <!-- -->
  <xs:element name="AdditionalProfile" type="xs:anyURI"/>
  <!-- COMMON PROTOCOL STRUCTURES -->
  <!-- PROTOCOL MESSAGES BEGIN -->
  <xs:element name="SignRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:OptionalInputs" minOccurs="0"/>
        <xs:element ref="dss:InputDocuments"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="IncludeObject">
    <xs:complexType>
      <xs:attribute name="WhichDocument" type="xs:IDREF"/>
      <xs:attribute name="hasObjectTagsAndAttributesSet" type="xs:boolean" default="false"/>
      <xs:attribute name="ObjId" type="xs:string" use="optional"/>
      <xs:attribute name="createReference" type="xs:boolean" use="optional" default="true"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SignaturePlacement">
    <xs:complexType>
      <xs:choice>
        <xs:element name="XPathAfter" type="xs:string"/>
        <xs:element name="XPathFirstChildOf" type="xs:string"/>
      </xs:choice>
      <xs:attribute name="WhichDocument" type="xs:IDREF"/>
      <xs:attribute name="createEnvelopedSignature" type="xs:boolean" default="true"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SignResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Result"/>
        <xs:element ref="dss:OptionalOutputs" minOccurs="0"/>
        <xs:element ref="dss:SignatureObject" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- SIGNRESPONSE OPTIONAL OUTPUTS START -->
  <xs:element name="DocumentWithSignature">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Document"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- SIGNRESPONSE OPTIONAL OUTPUTS END -->
  <!-- -->
  <xs:element name="VerifyRequest">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:OptionalInputs" minOccurs="0"/>
        <xs:element ref="dss:SignatureObject" minOccurs="0"/>
        <xs:element ref="dss:InputDocuments" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="VerifyResponse">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Result"/>
        <xs:element ref="dss:OptionalOutputs" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="RequestID" type="xs:string" use="optional"/>
      <xs:attribute name="Profile" type="xs:anyURI" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- PROTOCOL MESSAGES END -->
  <!-- SIGNREQUEST OPTIONAL INPUTS START -->
  <xs:element name="SignatureType" type="xs:anyURI"/>
  <xs:element name="AddTimestamp">
    <xs:complexType>
      <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="IntendedAudience">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Recipient" type="saml:NameIdentifierType" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="KeySelector">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        <xs:any namespace="##other" processContents="lax"/> is not possible here to allow
        extensibility as another namespace than the target namespace is used in the
        choice, hence <xs:element name="Other" type="dss:AnyType"/> allows to introduce new
        top level elements from namespaces including dss to support other types of key
        selectors in the future.
        Note that namespace="##other" is the complement of the target namespace. Note also
        that XML Schema does not support complements for other namespaces or sets of
        namespaces, which is a defect in XML Schema. It only supports sets of namespaces,
        which is not useful however, as we cannot know which namespaces might be relevant
        in the future.
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:choice>
        <xs:element ref="ds:KeyInfo"/>
        <xs:element name="Other" type="dss:AnyType"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SignedReferences">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:SignedReference" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Properties">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SignedProperties" type="dss:PropertiesType" minOccurs="0"/>
        <xs:element name="UnsignedProperties" type="dss:PropertiesType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="Property">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Identifier" type="xs:anyURI"/>
        <xs:element name="Value" type="dss:AnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:complexType name="PropertiesType">
    <xs:sequence>
      <xs:element ref="dss:Property" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- -->
  <xs:element name="SignedReference">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        RefURI overrides the of <dss:Document>
      </xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:Transforms" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="WhichDocument" type="xs:IDREF" use="required"/>
      <xs:attribute name="RefURI" type="xs:anyURI" use="optional"/>
      <xs:attribute name="RefId" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- SIGNREQUEST OPTIONAL INPUTS END -->
  <!-- VERIFYREQUEST OPTIONAL INPUTS START -->
  <xs:element name="VerifyManifests"/>
  <xs:element name="VerificationTime" type="xs:dateTime"/>
  <xs:element name="AdditionalKeyInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="ds:KeyInfo"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="ReturnProcessingDetails"/>
  <!-- -->
  <xs:element name="ReturnSigningTime"/>
  <!-- -->
  <xs:element name="ReturnTimestampTime"/>
  <!-- -->
  <xs:element name="ReturnSignerIdentity"/>
  <!-- -->
  <xs:element name="ReturnUpdatedSignature">
    <xs:complexType>
      <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="ReturnTransformedDocument">
    <xs:complexType>
      <xs:attribute name="WhichReference" type="xs:integer" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- VERIFYREQUEST OPTIONAL INPUTS END -->
  <!-- VERIFYRESPONSE OPTIONAL OUTPUTS START -->
  <xs:element name="ProcessingDetails">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ValidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="IndeterminateDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="InvalidDetail" type="dss:DetailType" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="SigningTime">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:dateTime">
          <xs:attribute name="ThirdPartyTimestamp" type="xs:boolean" use="required"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="TimestampTime" type="xs:dateTime"/>
  <!-- -->
  <xs:element name="SignerIdentity" type="saml:NameIdentifierType"/>
  <!-- -->
  <xs:element name="UpdatedSignature">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:SignatureObject"/>
      </xs:sequence>
      <xs:attribute name="Type" type="xs:anyURI" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="TransformedDocument">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="dss:Document"/>
      </xs:sequence>
      <xs:attribute name="WhichReference" type="xs:integer" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:complexType name="DetailType">
    <xs:sequence>
      <xs:element name="Code" type="xs:anyURI" minOccurs="0"/>
      <xs:element name="Message" type="dss:InternationalStringType" minOccurs="0"/>
      <xs:any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="Type" type="xs:anyURI" use="required"/>
  </xs:complexType>
  <!-- VERIFYRESPONSE OPTIONAL OUTPUTS END -->
  <!-- TIMESTAMP BEGIN -->
  <xs:element name="Timestamp">
    <xs:complexType>
      <xs:choice>
        <xs:element ref="ds:Signature"/>
        <xs:element name="RFC3161TimeStampToken" type="xs:base64Binary"/>
        <xs:element name="Other" type="dss:AnyType"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
  <!-- -->
  <xs:element name="TstInfo">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="SerialNumber" type="xs:integer"/>
        <xs:element name="CreationTime" type="xs:dateTime"/>
        <xs:element name="Policy" type="xs:anyURI" minOccurs="0"/>
        <xs:element name="ErrorBound" type="xs:duration" minOccurs="0"/>
        <xs:element name="Ordered" type="xs:boolean" default="false" minOccurs="0"/>
        <xs:element name="TSA" type="saml:NameIdentifierType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- TIMESTAMP END -->
  <!-- REQUESTER IDENTITY BEGIN -->
  <xs:element name="RequesterIdentity">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="Name" type="saml:NameIdentifierType"/>
        <xs:element name="SupportingInfo" type="dss:AnyType" minOccurs="0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- REQUESTER IDENTITY END -->
</xs:schema>
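The server-side check that Konrad's mail asks for, as an added example (not part of the mail, the attached schema file, or any DSS implementation): for each <Document>, resolve its SchemaRefs, accept only <Schema> or <Schemas> targets and report anything else as an error, require that every <Schema> carries an XML schema document via InlineXML, Base64XML or EscapedXML and that its RefURI equals that schema's targetNamespace, then compare the namespaces the document actually uses with the referenced schemas (unused ones are reported, as the amended 2.5.1 text allows) and collect the document-to-schema and schema-to-import edges of the dependency graph the summary describes. It assumes the proposal's reuse of DocumentType for <Schema> (RefURI attribute, same content choice); the namespaces, IDs and request in the sample are constructed. Because ElementTree does not retain xmlns declarations, the document's edges are taken from the namespaces of element and attribute names, and schema-to-schema edges from xs:import, which is a simplification of the mail's "declarations as edges" model.

```python
import base64
import xml.etree.ElementTree as ET

DSS = "urn:oasis:names:tc:dss:1.0:core:schema"
XS = "http://www.w3.org/2001/XMLSchema"


def q(ns, local):
    """Clark-notation name as used by ElementTree."""
    return "{%s}%s" % (ns, local)


def payload_root(el):
    """Root element of the XML carried by a DocumentType element (<Document> or <Schema>).
    Only InlineXML, Base64XML and EscapedXML count (Base64Data is not XML) and InlineXML
    must hold exactly one document element; otherwise None is returned."""
    inline = el.find(q(DSS, "InlineXML"))
    if inline is not None:
        kids = list(inline)
        return kids[0] if len(kids) == 1 else None
    b64 = el.find(q(DSS, "Base64XML"))
    if b64 is not None:
        return ET.fromstring(base64.b64decode(b64.text or ""))
    esc = el.find(q(DSS, "EscapedXML"))
    if esc is not None:
        return ET.fromstring(esc.text or "")
    return None


def used_namespaces(root):
    """Namespace URIs occurring in element or attribute names below root (inclusive)."""
    uris = set()
    for node in root.iter():
        for name in (node.tag, *node.attrib):
            if isinstance(name, str) and name.startswith("{"):
                uris.add(name[1:name.index("}")])
    return uris


def check_schema_refs(request_xml):
    """Resolve SchemaRefs of every <Document>; return (errors, warnings, edges).
    errors: refs that are not <Schema>/<Schemas>, schemas without an XML schema document,
    RefURI != targetNamespace; warnings: referenced but unused schemas; edges: the
    (document ID, namespace) and (schema namespace, imported namespace) dependency pairs."""
    root = ET.fromstring(request_xml)
    by_id = {e.get("ID"): e for e in root.iter() if e.get("ID")}  # IDREFS resolve here
    errors, warnings, edges = [], [], []
    for doc in root.iter(q(DSS, "Document")):
        doc_id, referenced = doc.get("ID", "<no ID>"), set()
        for ref in (doc.get("SchemaRefs") or "").split():
            target = by_id.get(ref)
            if target is None:
                errors.append("%s: SchemaRefs names unknown ID %r" % (doc_id, ref))
                continue
            if target.tag == q(DSS, "Schemas"):
                schema_els = target.findall(q(DSS, "Schema"))
            elif target.tag == q(DSS, "Schema"):
                schema_els = [target]
            else:  # the amended text: anything else referred to from here is an Error
                errors.append("%s: SchemaRefs %r is not a <Schema> or <Schemas>" % (doc_id, ref))
                continue
            for s in schema_els:
                xsd = payload_root(s)
                if xsd is None or xsd.tag != q(XS, "schema"):
                    errors.append("Schema %r carries no XML schema document" % s.get("ID"))
                    continue
                tns = xsd.get("targetNamespace")
                if tns != s.get("RefURI"):  # RefURI MUST match the schema's targetNamespace
                    errors.append("Schema %r: RefURI %r != targetNamespace %r"
                                  % (s.get("ID"), s.get("RefURI"), tns))
                    continue
                referenced.add(tns)
                edges.extend((tns, imp.get("namespace")) for imp in xsd.findall(q(XS, "import")))
        content = payload_root(doc)
        if content is None:
            errors.append("%s: no XML content to validate" % doc_id)
            continue
        used = used_namespaces(content)
        edges.extend((doc_id, ns) for ns in sorted(used))
        warnings.extend("%s: referenced schema for %r is not used" % (doc_id, ns)
                        for ns in sorted(referenced - used))
    return errors, warnings, edges


# Constructed sample request (hypothetical namespaces and IDs): D1 is clean apart from one
# unused schema; D2 refers to a schema with a wrong RefURI, to a <Document> and to an unknown ID.
PO_NS, OTHER_NS = "urn:example:purchase-order", "urn:example:other"
PO_XSD = ('<xs:schema xmlns:xs="%s" targetNamespace="%s">'
          '<xs:element name="PurchaseOrder" type="xs:string"/></xs:schema>' % (XS, PO_NS))
OTHER_XSD = ('<xs:schema xmlns:xs="%s" targetNamespace="%s"><xs:import namespace="%s"/>'
             '</xs:schema>' % (XS, OTHER_NS, PO_NS))
SAMPLE_REQUEST = """<dss:SignRequest xmlns:dss="%(dss)s">
  <dss:OptionalInputs>
    <dss:Schemas ID="S1">
      <dss:Schema ID="S1a" RefURI="%(po)s"><dss:InlineXML>%(po_xsd)s</dss:InlineXML></dss:Schema>
      <dss:Schema ID="S1b" RefURI="%(other)s"><dss:Base64XML>%(b64)s</dss:Base64XML></dss:Schema>
    </dss:Schemas>
    <dss:Schema ID="S2" RefURI="urn:example:wrong"><dss:InlineXML>%(po_xsd)s</dss:InlineXML></dss:Schema>
  </dss:OptionalInputs>
  <dss:InputDocuments>
    <dss:Document ID="D1" SchemaRefs="S1">
      <dss:InlineXML><po:PurchaseOrder xmlns:po="%(po)s">42</po:PurchaseOrder></dss:InlineXML>
    </dss:Document>
    <dss:Document ID="D2" SchemaRefs="S2 D1 nope">
      <dss:EscapedXML>&lt;po:PurchaseOrder xmlns:po="%(po)s"/&gt;</dss:EscapedXML>
    </dss:Document>
  </dss:InputDocuments>
</dss:SignRequest>""" % {"dss": DSS, "po": PO_NS, "other": OTHER_NS, "po_xsd": PO_XSD,
                         "b64": base64.b64encode(OTHER_XSD.encode()).decode()}
```

Calling `check_schema_refs(SAMPLE_REQUEST)` yields three errors for D2, one unused-schema warning for D1 and the three dependency edges. The check never dereferences a schemaLocation or any other URI: the only schemas it considers are those carried in the request, so a validating parse driven by these references cannot be made to reach out to the network on the client's behalf, which is the property a server wants when clients supply schemas.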