Internet-Draft | Using GOST Algorithms for XML Digital Si | May 2022 |
Smirnov, et al. | Expires 6 November 2022 | [Page] |
This document defines new algorithm identifiers for GOST cryptographic algorithms and methods of including GOST-based digital signature and hash-based message authentication code (HMAC) within the XML document. All statements in this document are technically equivalent to [R1323565.1.033-2020].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 November 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document specifies identifiers (see Section 3) for the following Russian digital signature and hash algorithms (GOST algorithms):¶
This document specifies identifiers (see Section 3.3) for GOST-based HMAC transformations defined in the R 50.1.113-2016 [R501113-2016] (the English version can be found in [RFC7836]).¶
These identifiers are meant to be used in XML Digital Signature Syntax (see [XMLDSIG]).
In addition, new methods of carrying GOST-based key material within XML documents are defined (see Section 4).¶
Also included are the namespace identifiers, prefixes and XML schema definition required to make the specification complete (see Section 2).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
This document uses XML elements from four different XML schemas (see Table 1). Every XML schema is assigned to one XML namespace. The following XML namespace identifier MUST be used as targetNamespace in the XML schema preamble:¶
urn:ietf:params:xml:ns:cpxmlsec¶
The other XML namespaces are external. Their identifiers are specified in XML schema preamble in corresponding attributes.¶
Table 1 lists the full set of XML namespaces used in this document, their identifiers and assigned prefixes. Table 1 also defines abbreviations for the corresponding XML schemas.
+-----------------+------------------------------------+----------+---------------+
| XML schema name | XML namespace identifier           | Prefix   | Reference     |
+-----------------+------------------------------------+----------+---------------+
| DS schema       | http://www.w3.org/2000/09/xmldsig# | ds       | [XMLDSIG]     |
+-----------------+------------------------------------+----------+---------------+
| DSIG11 schema   | http://www.w3.org/2009/xmldsig11#  | dsig11   | [XMLDSIG]     |
+-----------------+------------------------------------+----------+---------------+
| XS schema       | http://www.w3.org/2001/XMLSchema   | xs       | [XMLSCHEMA-1] |
|                 |                                    |          | [XMLSCHEMA-2] |
+-----------------+------------------------------------+----------+---------------+
| CPXMLSEC schema | urn:ietf:params:xml:ns:cpxmlsec    | cpxmlsec | This document |
+-----------------+------------------------------------+----------+---------------+
Table 1
Any element or attribute whose name starts with a prefix from Table 1 is considered to belong to the corresponding XML schema. This document uses prefixes to prevent possible collisions between elements with the same name from different namespaces. The chosen prefixes have no special meaning and MAY be replaced by others.
The CPXMLSEC schema extends DS schema to support GOST algorithms. The CPXMLSEC schema uses XS schema elements (see [XMLSCHEMA-1] and [XMLSCHEMA-2]). The DS schema and DSIG11 schema definitions are described in accordance with [XMLDSIG].¶
The subsequent CPXMLSEC schema preamble is to be used with XML Schema definitions given in the remaining sections of this document.¶
<xs:schema
  xmlns:cpxmlsec="urn:ietf:params:xml:ns:cpxmlsec"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:dsig11="http://www.w3.org/2009/xmldsig11#"
  targetNamespace="urn:ietf:params:xml:ns:cpxmlsec"
  elementFormDefault="qualified"
  version="0.4">
For GOST R 34.11-2012 algorithm with 256-bit hash code the following identifier MUST be used:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256¶
The following sample includes GOST R 34.11-2012 algorithm with 256-bit hash code in ds:DigestMethod element:¶
<ds:DigestMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256" />
The hash code MUST be represented in little-endian and base64-encoded [RFC4648], then it is included in the ds:DigestValue element (see Section 4.4.3.6 of [XMLDSIG]).¶
For GOST R 34.11-2012 algorithm with 512-bit hash code the following identifier MUST be used:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512¶
The following sample includes GOST R 34.11-2012 algorithm with 512-bit hash code in the ds:DigestMethod element:¶
<ds:DigestMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512" />
The hash code MUST be represented in little-endian and base64-encoded [RFC4648], then it is included in the ds:DigestValue element (see Section 4.4.3.6 of [XMLDSIG]).¶
The following identifier MUST be used for GOST R 34.11-94 algorithm to provide backward compatibility:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411¶
The ds:DigestMethod element MAY include a descendant element named cpxmlsec:NamedParameters to specify hash algorithm parameters.¶
If present, hash algorithm parameters MUST be included in the "URI" attribute of the cpxmlsec:NamedParameters element. Parameters are indicated by OIDs and MUST be formatted in accordance with [RFC3061]. OIDs defined in section 8.2 of [RFC4357] MAY be used.¶
If the cpxmlsec:NamedParameters element is not included, id-GostR3411-94-CryptoProParamSet (see [RFC4357]) MUST be presumed.¶
The cpxmlsec:NamedParameters element is described by the following XML schema definition:¶
<xs:element name="NamedParameters" type="cpxmlsec:NamedParametersType" />¶
The following sample includes GOST R 34.11-94 algorithm in the ds:DigestMethod element:¶
<ds:DigestMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411">
  <!-- id-GostR3411-94-CryptoProParamSet -->
  <cpxmlsec:NamedParameters URI="urn:oid:1.2.643.2.2.30.1" />
</ds:DigestMethod>
The hash code MUST be represented in little-endian and base64-encoded [RFC4648], then it is included in the ds:DigestValue element (see Section 4.4.3.6 of [XMLDSIG]).¶
For GOST R 34.10-2012 algorithm with 256-bit private key the following identifier MUST be used (without line break in the identifier):¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256
The following sample includes GOST R 34.10-2012 algorithm with 256-bit private key in the ds:SignatureMethod element (without line break in the attribute value):¶
<ds:SignatureMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256" />
Digital signature value MUST be represented in accordance with [R1323565.1.023-2018] and base64-encoded [RFC4648], then it is included in the ds:SignatureValue element (see Section 4.3 of [XMLDSIG]).¶
For GOST R 34.10-2012 algorithm with 512-bit private key the following identifier MUST be used (without line break in the identifier):¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512
The following sample includes GOST R 34.10-2012 algorithm with 512-bit private key in the ds:SignatureMethod element (without line break in the attribute value):¶
<ds:SignatureMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512" />
Digital signature value MUST be represented in accordance with [R1323565.1.023-2018] and base64-encoded [RFC4648], then it is included in the ds:SignatureValue element (see Section 4.3 of [XMLDSIG]).
The following identifier MUST be used for GOST R 34.10-2001 algorithm to provide backward compatibility:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411¶
The following sample includes GOST R 34.10-2001 algorithm in the ds:SignatureMethod element:¶
<ds:SignatureMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411" />
Digital signature value MUST be represented in accordance with [R1323565.1.023-2018] and base64-encoded [RFC4648], then it is included in the ds:SignatureValue element (see Section 4.3 of [XMLDSIG]).¶
GOST R 34.11-2012 algorithm MAY be used in HMAC mechanism in accordance with section 6.3.1 [XMLDSIG] and section 4.1.1 [R501113-2016].¶
For GOST R 34.11-2012 algorithm with 256-bit hash code the following identifier MUST be used:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-256¶
The following sample includes GOST R 34.11-2012 algorithm with 256-bit hash code in the ds:SignatureMethod element:¶
<ds:SignatureMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-256" />
The HMAC_GOSTR3411_2012_256 algorithm result (section 4.1.1 [R501113-2016]) MUST be represented in little-endian and base64-encoded [RFC4648], then it is included in the ds:SignatureValue element (see Section 4.3 of [XMLDSIG]).¶
For GOST R 34.11-2012 algorithm with 512-bit hash code the following identifier MUST be used:¶
urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-512¶
The following sample includes GOST R 34.11-2012 algorithm with 512-bit hash code in the ds:SignatureMethod element:¶
<ds:SignatureMethod Algorithm=
  "urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-512" />
The HMAC_GOSTR3411_2012_512 algorithm result (section 4.1.2 [R501113-2016]) MUST be represented in little-endian and base64-encoded [RFC4648], then it is included in the ds:SignatureValue element (see Section 4.3 of [XMLDSIG]).¶
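A verifier-side check of the identifiers defined in this section, added here as an example and not part of the draft: it accepts only the eight identifiers above in the element each one is defined for, reports the backward-compatibility algorithms, applies the NamedParameters default, and checks the decoded length of each value. The function names and the expected byte lengths (derived from the algorithm sizes, with no HMAC truncation) are assumptions of this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
CP = "urn:ietf:params:xml:ns:cpxmlsec"
ALG = CP + ":algorithms:"

# Identifier -> (element that may carry it, expected value length in bytes,
# True if the draft defines it only for backward compatibility).
# The lengths are an assumption of this example, derived from algorithm sizes.
ALGORITHMS = {
    ALG + "gostr34112012-256": ("DigestMethod", 32, False),
    ALG + "gostr34112012-512": ("DigestMethod", 64, False),
    ALG + "gostr3411": ("DigestMethod", 32, True),
    ALG + "gostr34102012-gostr34112012-256": ("SignatureMethod", 64, False),
    ALG + "gostr34102012-gostr34112012-512": ("SignatureMethod", 128, False),
    ALG + "gostr34102001-gostr3411": ("SignatureMethod", 64, True),
    ALG + "hmac-gostr34112012-256": ("SignatureMethod", 32, False),
    ALG + "hmac-gostr34112012-512": ("SignatureMethod", 64, False),
}
# Presumed when cpxmlsec:NamedParameters is absent
# (id-GostR3411-94-CryptoProParamSet).
DEFAULT_3411_94_PARAMS = "urn:oid:1.2.643.2.2.30.1"


def digest_parameters(method):
    """Parameter-set URI in effect for a GOST R 34.11-94 ds:DigestMethod."""
    named = method.find(f"{{{CP}}}NamedParameters")
    return DEFAULT_3411_94_PARAMS if named is None else named.get("URI", "")


def _decoded_len(elem):
    """Byte length of a base64 element, ignoring line breaks; -1 if malformed."""
    try:
        text = "".join((elem.text or "").split())
        return len(base64.b64decode(text, validate=True))
    except binascii.Error:
        return -1


def _check(method, role, value, allow_legacy, findings):
    if method is None or value is None:
        findings.append(f"{role}: element or its value is missing")
        return
    uri = method.get("Algorithm", "")
    # A line-wrapped identifier copied from the printed samples parses with a
    # space in it and must not be treated as the registered identifier.
    if uri != "".join(uri.split()):
        findings.append(f"{role}: identifier contains whitespace: {uri!r}")
        return
    entry = ALGORITHMS.get(uri)
    if entry is None or entry[0] != role:
        findings.append(f"{role}: identifier not defined for this element: {uri}")
        return
    _, size, legacy = entry
    if legacy and not allow_legacy:
        findings.append(f"{role}: backward-compatibility algorithm {uri[len(ALG):]}")
    if uri == ALG + "gostr3411" and not digest_parameters(method).startswith("urn:oid:"):
        findings.append(f"{role}: NamedParameters URI is not an RFC 3061 OID URN")
    got = _decoded_len(value)
    if got != size:
        findings.append(f"{role}: value is {got} bytes, expected {size}")


def audit(xml_text, allow_legacy=False):
    """Return a list of findings for every ds:Signature in the document."""
    findings = []
    for sig in ET.fromstring(xml_text).iter(f"{{{DS}}}Signature"):
        info = sig.find(f"{{{DS}}}SignedInfo")
        if info is None:
            findings.append("SignedInfo: missing")
            continue
        _check(info.find(f"{{{DS}}}SignatureMethod"), "SignatureMethod",
               sig.find(f"{{{DS}}}SignatureValue"), allow_legacy, findings)
        for ref in info.iter(f"{{{DS}}}Reference"):
            _check(ref.find(f"{{{DS}}}DigestMethod"), "DigestMethod",
                   ref.find(f"{{{DS}}}DigestValue"), allow_legacy, findings)
    return findings


# Constructed inputs. GOOD reuses the values of the draft's appendix sample;
# BAD has a line-wrapped identifier, a legacy digest and a short digest value.
TEMPLATE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<SignatureMethod Algorithm="{sig_alg}"/>
<Reference URI="#ToSign"><DigestMethod Algorithm="{dig_alg}"/>
<DigestValue>{digest}</DigestValue></Reference></SignedInfo>
<SignatureValue>jcQJhWtWbTCV7bjFky5vGXXUFigc74FXRi79lZnFHK7pMjpeiN2H+3xyQ4O//n
zs1Ln/oqwzvu9zpaH3Q0BPaw==</SignatureValue></Signature>"""
GOOD = TEMPLATE.format(sig_alg=ALG + "gostr34102012-gostr34112012-256",
                       dig_alg=ALG + "gostr34112012-256",
                       digest="9QLsxPPo7LlX6IXqwzjcNDmbFuCCGivQ1s61hcPuITM=")
BAD = TEMPLATE.format(sig_alg=ALG + "gostr34102012- gostr34112012-256",
                      dig_alg=ALG + "gostr3411", digest="AAAA")

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(doc))
```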
The information about GOST-based key material or HMAC symmetric key MAY be included in XML digital signature in any way in accordance with [XMLDSIG]. In addition, this document defines new ways to enclose public keys of GOST algorithms: in descendants of the dsig11:DEREncodedKeyValue element (see Section 4.5.9 of [XMLDSIG]), in the ds:KeyValue element (see Section 4.2) and using the "Type" attribute of the ds:RetrievalMethod element (see Section 4.3).
The dsig11:DEREncodedKeyValue element is a descendant of the ds:KeyInfo (see Section 4.5 of [XMLDSIG]) element. To include the public key and its parameters into the dsig11:DEREncodedKeyValue element, the SubjectPublicKeyInfo structure MUST be used. This structure MUST be encoded in accordance with [R1323565.1.023-2018]. Then this key material MUST be represented in accordance with Section 4.5.9 of [XMLDSIG].¶
The ds:KeyValue element is a descendant of the ds:KeyInfo (see Section 4.5 of [XMLDSIG]) element. This element contains the public key and its parameters.¶
For GOST algorithms one of the following extra descendants MUST be included in the ds:KeyValue element:¶
The extended ds:KeyValue element is described by the following XML schema definition:¶
<xs:element name="KeyValue" type="ds:KeyValueType" />
<xs:complexType name="KeyValueType" mixed="true">
  <xs:choice>
    <xs:element ref="ds:DSAKeyValue"/>
    <xs:element ref="ds:RSAKeyValue"/>
    <!--
    <xs:element ref="cpxmlsec:GOSTR34102012-256-KeyValue "/>
    <xs:element ref="cpxmlsec:GOSTR34102012-512-KeyValue "/>
    <xs:element ref="cpxmlsec:GOSTR34102001KeyValue "/>
    -->
    <!-- cpxmlsec:GOSTR34102012-256-KeyValue,
         cpxmlsec:GOSTR34102012-512-KeyValue,
         cpxmlsec:GOSTR34102001KeyValue will use the any element -->
    <xs:any namespace="##other" processContents="lax"/>
  </xs:choice>
</xs:complexType>
Each of the cpxmlsec:GOSTR34102012-256-KeyValue, cpxmlsec:GOSTR34102012-512-KeyValue and cpxmlsec:GOSTR34102001KeyValue elements has the cpxmlsec:GOSTKeyValueType type (see schema definition below) and MUST contain the following descendants:
Each of the cpxmlsec:NamedCurve and cpxmlsec:PublicKey elements belongs to the cpxmlsec namespace. The cpxmlsec:NamedCurve element has the dsig11:NamedCurveType type. The cpxmlsec:PublicKey element has the dsig11:ECPointType type. Both types belong to the DSIG11 schema [XMLDSIG].
Each of the cpxmlsec:GOSTR34102012-256-KeyValue, cpxmlsec:GOSTR34102012-512-KeyValue and cpxmlsec:GOSTR34102001KeyValue elements is described by the following XML schema definition:
<xs:element name="GOSTR34102012-256-KeyValue"
  type="cpxmlsec:GOSTKeyValueType" />
<xs:element name="GOSTR34102012-512-KeyValue"
  type="cpxmlsec:GOSTKeyValueType" />
<xs:element name="GOSTR34102001KeyValue"
  type="cpxmlsec:GOSTKeyValueType" />
<xs:complexType name="GOSTKeyValueType">
  <xs:sequence>
    <xs:element name="NamedCurve" type="dsig11:NamedCurveType" />
    <xs:element name="PublicKey" type="dsig11:ECPointType" />
  </xs:sequence>
</xs:complexType>
Each of cpxmlsec:GOSTR34102012-256-KeyValue, cpxmlsec:GOSTR34102012-512-KeyValue and cpxmlsec:GOSTR34102001KeyValue elements MUST be represented in accordance with Section 4.2.1-Section 4.2.3.¶
The elliptic curve identifier (public key parameters) MUST be included in the "URI" attribute of the cpxmlsec:NamedCurve element (see Section 4.2). In case of public key parameters described by OIDs they SHOULD be represented in accordance with [RFC3061]. OID identifiers for GOST algorithms are defined in [R1323565.1.023-2018].¶
The public key MUST be included in the cpxmlsec:GOSTR34102012-256-KeyValue element. It MUST be represented in the same way as subjectPublicKey field of SubjectPublicKeyInfo structure [R1323565.1.023-2018] without enclosing in OCTET STRING and DER encoding. This string MUST be base64-encoded [RFC4648] and included in the cpxmlsec:GOSTR34102012-256-KeyValue element similar to the ds:RSAKeyValue (see [XMLDSIG]). The XML schema of cpxmlsec:GOSTR34102012-256-KeyValue and cpxmlsec:PublicKey elements is defined in Section 4.2.¶
The following sample includes key material in the cpxmlsec:GOSTR34102012-256-KeyValue element:¶
<cpxmlsec:GOSTR34102012-256-KeyValue>
  <!-- id-tc26-gost-3410-2012-256-paramSetA -->
  <cpxmlsec:NamedCurve URI="urn:oid:1.2.643.7.1.2.1.1.1" />
  <cpxmlsec:PublicKey>
    <!-- The public key value -->
  </cpxmlsec:PublicKey>
</cpxmlsec:GOSTR34102012-256-KeyValue>
The elliptic curve identifier (public key parameters) MUST be included in the "URI" attribute of the cpxmlsec:NamedCurve element (see Section 4.2). In case of public key parameters described by OIDs they SHOULD be represented in accordance with [RFC3061]. OID identifiers for GOST algorithms are defined in [R1323565.1.023-2018].¶
The public key MUST be included in the cpxmlsec:GOSTR34102012-512-KeyValue element. It MUST be represented in the same way as subjectPublicKey field of SubjectPublicKeyInfo structure [R1323565.1.023-2018] without enclosing in OCTET STRING and DER encoding. This string MUST be base64-encoded [RFC4648] and included in the cpxmlsec:GOSTR34102012-512-KeyValue element similar to the ds:RSAKeyValue (see [XMLDSIG]). The XML schema of cpxmlsec:GOSTR34102012-512-KeyValue and cpxmlsec:PublicKey elements is defined in Section 4.2.
The following sample includes key material in the cpxmlsec:GOSTR34102012-512-KeyValue element:¶
<cpxmlsec:GOSTR34102012-512-KeyValue>
  <!-- id-tc26-gost-3410-12-512-paramSetA -->
  <cpxmlsec:NamedCurve URI="urn:oid:1.2.643.7.1.2.1.2.1" />
  <cpxmlsec:PublicKey>
    <!-- The public key value -->
  </cpxmlsec:PublicKey>
</cpxmlsec:GOSTR34102012-512-KeyValue>
The elliptic curve identifier (public key parameters) MUST be included in the "URI" attribute of the cpxmlsec:NamedCurve element (see Section 4.2). In case of public key parameters described by OIDs they SHOULD be represented in accordance with [RFC3061]. OID identifiers for GOST algorithms are defined in section 8.4 of [RFC4357].¶
The public key MUST be included in the cpxmlsec:GOSTR34102001KeyValue element. It MUST be represented in the same way as subjectPublicKey field of SubjectPublicKeyInfo structure [R1323565.1.023-2018] without enclosing in OCTET STRING and DER encoding. This string MUST be base64-encoded [RFC4648] and included in the cpxmlsec:GOSTR34102001KeyValue element similar to the ds:RSAKeyValue (see [XMLDSIG]). The XML schema of cpxmlsec:GOSTR34102001KeyValue and cpxmlsec:PublicKey elements is defined in Section 4.2.
The following sample includes key material in the cpxmlsec:GOSTR34102001KeyValue element:¶
<cpxmlsec:GOSTR34102001KeyValue>
  <!-- id-GostR3410-2001-CryptoPro-A-ParamSet -->
  <cpxmlsec:NamedCurve URI="urn:oid:1.2.643.2.2.35.1" />
  <cpxmlsec:PublicKey>
    <!-- The public key value -->
  </cpxmlsec:PublicKey>
</cpxmlsec:GOSTR34102001KeyValue>
The GOST public key MAY be referenced in the ds:RetrievalMethod element. In this case the public key reference MUST be included in the "URI" attribute. If the "Type" attribute is present one of the following identifiers MUST be used.¶
For GOST R 34.10-2012 algorithm with 256-bit private key:¶
urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-256-keyvalue¶
For GOST R 34.10-2012 algorithm with 512-bit private key:¶
urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-512-keyvalue¶
For GOST R 34.10-2001 algorithm:¶
urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102001-keyvalue¶
This section registers a new XML sub-namespace, "urn:ietf:params:xml:ns:cpxmlsec" (see Section 2) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML: None. Namespace URIs do not represent an XML specification.¶
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256" (see Section 3.1.1) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.11-2012 algorithm with 256-bit hash code in DigestMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.11-2012 algorithm with 256-bit hash code in DigestMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256
  </h2>
  <p>
    See Section 4.1.1 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512" (see Section 3.1.2) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.11-2012 algorithm with 512-bit hash code in DigestMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.11-2012 algorithm with 512-bit hash code in DigestMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512
  </h2>
  <p>
    See Section 4.1.2 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411" (see Section 3.1.3) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.11-94 algorithm in DigestMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.11-94 algorithm in DigestMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411
  </h2>
  <p>
    See Section 4.1.3 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256" (see Section 3.2.1) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2012 algorithm with 256-bit key in SignatureMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2012 algorithm with 256-bit key in SignatureMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256
  </h2>
  <p>
    See Section 4.2.1 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512" (see Section 3.2.2) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2012 algorithm with 512-bit key in SignatureMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2012 algorithm with 512-bit key in SignatureMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512
  </h2>
  <p>
    See Section 4.2.2 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411" (see Section 3.2.3) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2001 algorithm in SignatureMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2001 algorithm in SignatureMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411
  </h2>
  <p>
    See Section 4.2.3 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-256" (see Section 3.3.1) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-256¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.11-2012 algorithm with 256-bit key in SignatureMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.11-2012 algorithm with 256-bit key in SignatureMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-256
  </h2>
  <p>
    See Section 4.3.1 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-512" (see Section 3.3.2) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-512¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.11-2012 algorithm with 512-bit key in SignatureMethod element
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.11-2012 algorithm with 512-bit key in SignatureMethod element
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:algorithms:hmac-gostr34112012-512
  </h2>
  <p>
    See Section 4.3.2 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-256-keyvalue" (see Section 4.3) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-256-keyvalue¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2012 256-bit public key at external location
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2012 256-bit public key at external location
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-256-keyvalue
  </h2>
  <p>
    See Section 5.3 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-512-keyvalue" (see Section 4.3) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-512-keyvalue¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2012 512-bit public key at external location
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2012 512-bit public key at external location
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102012-512-keyvalue
  </h2>
  <p>
    See Section 5.3 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-04">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers a new XML sub-namespace identifier, "urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102001-keyvalue" (see Section 4.3) per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102001-keyvalue¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML:¶
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
  "http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="content-type"
    content="text/html;charset=iso-8859-1"/>
  <title>
    GOST R 34.10-2001 public key at external location
  </title>
</head>
<body>
  <h1>
    Namespace identifier for GOST R 34.10-2001 public key at external location
  </h1>
  <h2>
    urn:ietf:params:xml:ns:cpxmlsec:types:gostr34102001-keyvalue
  </h2>
  <p>
    See Section 5.3 in
    <a href="https://tools.ietf.org/html/draft-smirnov-xmldsig-05">
    draft-smirnov-xmldsig-05</a>.
  </p>
</body>
</html>
This section registers an XML schema per the guidelines in [RFC3688]:¶
URI: urn:ietf:params:xml:schema:cpxmlsec¶
Registrant Contact: Pavel Smirnov (spv@cryptopro.ru), Maria Paramonova (mparamonova@cryptopro.ru).¶
XML: The XML schema can be found in Appendix A.¶
<?xml version="1.0" encoding="UTF-8"?>
<!-- Declare helper entities to avoid overrunning right margin of text
     while importing schemata.-->
<!DOCTYPE schema [
  <!ENTITY xmldsiguri
    "http://www.w3.org/TR/2008/REC-xmldsig-core-20080610">
]>
<xs:schema
  xmlns:cpxmlsec="urn:ietf:params:xml:ns:cpxmlsec"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:dsig11="http://www.w3.org/2009/xmldsig11#"
  targetNamespace="urn:ietf:params:xml:ns:cpxmlsec"
  elementFormDefault="qualified"
  version="0.4">
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" />
  <xs:import namespace="http://www.w3.org/2009/xmldsig11#" />
  <xs:element name="NamedParameters"
    type="cpxmlsec:NamedParametersType" />
  <xs:complexType name="NamedParametersType">
    <xs:attribute name="URI" type="xs:anyURI" use="required" />
  </xs:complexType>
  <xs:complexType name="GOSTKeyValueType">
    <xs:sequence>
      <xs:element name="NamedCurve" type="dsig11:NamedCurveType" />
      <xs:element name="PublicKey" type="dsig11:ECPointType" />
    </xs:sequence>
  </xs:complexType>
  <xs:element name="GOSTR34102012-256-KeyValue"
    type="cpxmlsec:GOSTKeyValueType" />
  <xs:element name="GOSTR34102012-512-KeyValue"
    type="cpxmlsec:GOSTKeyValueType" />
  <xs:element name="GOSTR34102001KeyValue"
    type="cpxmlsec:GOSTKeyValueType" />
</xs:schema>
Note: Line breaks in the coordinates, identifiers, XML elements or in the attribute values MUST be ignored.¶
The following sample was constructed using the X.509 certificate from Appendix A of [R1323565.1.023-2018].¶
X-coordinate of public key:¶
0x971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA¶
Y-coordinate of public key:¶
0xAD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643¶
Corresponding private key (d):¶
0xBFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924¶
K value:¶
0x5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C¶
H-bar value:¶
0x054D1DABB161D63424F8DABB2800708B00F78DA7582699E8F2F0A521C7CE8144¶
Signed XML document:¶
<?xml version="1.0" encoding="utf-8"?>
<root>
  <DataToSign Id="ToSign">Data</DataToSign>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm=
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm=
        "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-
        gostr34112012-256" />
      <Reference URI="#ToSign">
        <Transforms>
          <Transform Algorithm=
            "http://www.w3.org/TR/2001/REC-xml-c14n-
            20010315" />
        </Transforms>
        <DigestMethod Algorithm=
          "urn:ietf:params:xml:ns:cpxmlsec:algorithms:
          gostr34112012-256" />
        <DigestValue>
          9QLsxPPo7LlX6IXqwzjcNDmbFuCCGivQ1s61hcPuITM=
        </DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>
      jcQJhWtWbTCV7bjFky5vGXXUFigc74FXRi79lZnFHK7pMjpeiN2H+3xyQ4O//n
      zs1Ln/oqwzvu9zpaH3Q0BPaw==
    </SignatureValue>
    <KeyInfo>
      <KeyValue>
        <GOSTR34102012-256-KeyValue xmlns=
          "urn:ietf:params:xml:ns:cpxmlsec">
          <NamedCurve URI="urn:oid:1.2.643.2.2.36.0" />
          <PublicKey>
            ut/Qw1MUq9KPqkdHC2xAF3K7TugHfo9n525D2s5mFZdD5pwf90/i4v
            F0mFmr9nfRwMYP4o0Pg1mOn5RlaXNYrQ==
          </PublicKey>
        </GOSTR34102012-256-KeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
</root>
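The key material of the sample above, decoded as an added example that is not part of the draft: it reads the cpxmlsec key element under ds:KeyValue, checks that the base64 payload has the length its element name implies, and recovers the two coordinates listed at the start of this sample. The layout (X followed by Y, each little-endian) is read off the sample's own values rather than stated in this text, and the function and constant names are hypothetical.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
CP = "urn:ietf:params:xml:ns:cpxmlsec"

# cpxmlsec key element -> size of one coordinate in bytes
COORD_SIZE = {
    "GOSTR34102012-256-KeyValue": 32,
    "GOSTR34102012-512-KeyValue": 64,
    "GOSTR34102001KeyValue": 32,
}


def extract_gost_keys(xml_text):
    """Return [(element name, curve URI, X, Y)] for each GOST key under ds:KeyValue.

    Raises ValueError when a key element is incomplete, is not valid base64,
    or carries a payload whose length does not match its element name.
    """
    keys = []
    prefix = "{" + CP + "}"
    for key_value in ET.fromstring(xml_text).iter(f"{{{DS}}}KeyValue"):
        for elem in key_value:
            name = elem.tag[len(prefix):] if elem.tag.startswith(prefix) else ""
            if name not in COORD_SIZE:
                continue  # ds:RSAKeyValue, ds:DSAKeyValue or an unrelated child
            curve = elem.find(prefix + "NamedCurve")
            point = elem.find(prefix + "PublicKey")
            if curve is None or point is None:
                raise ValueError(f"{name}: NamedCurve and PublicKey are required")
            # Line breaks inside the base64 text are ignored, as in the sample.
            text = "".join((point.text or "").split())
            raw = base64.b64decode(text, validate=True)
            size = COORD_SIZE[name]
            if len(raw) != 2 * size:
                raise ValueError(
                    f"{name}: public key is {len(raw)} bytes, expected {2 * size}")
            x = int.from_bytes(raw[:size], "little")
            y = int.from_bytes(raw[size:], "little")
            keys.append((name, curve.get("URI", ""), x, y))
    return keys


# ds:KeyInfo of the sample on this page, and the coordinates it lists.
SAMPLE_KEY_INFO = """<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyValue>
<GOSTR34102012-256-KeyValue xmlns="urn:ietf:params:xml:ns:cpxmlsec">
<NamedCurve URI="urn:oid:1.2.643.2.2.36.0" />
<PublicKey>
ut/Qw1MUq9KPqkdHC2xAF3K7TugHfo9n525D2s5mFZdD5pwf90/i4v
F0mFmr9nfRwMYP4o0Pg1mOn5RlaXNYrQ==
</PublicKey></GOSTR34102012-256-KeyValue></KeyValue></KeyInfo>"""
EXPECTED_X = 0x971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA
EXPECTED_Y = 0xAD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643

if __name__ == "__main__":
    for name, uri, x, y in extract_gost_keys(SAMPLE_KEY_INFO):
        print(name, uri)
        print("X matches:", x == EXPECTED_X, "Y matches:", y == EXPECTED_Y)
```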
Base64-encoded signed XML document:¶
The following sample was constructed using the X.509 certificate from Appendix A of [R1323565.1.023-2018].
X-coordinate of public key:
0x07134627CE7FC6770953ABA4714B38AF8DE764B8870A502C2F4CC2D05541459A18DA3B9D4EBC09BC06CB2EA1856A03747561CF04C34382111539230A550F1913
Y-coordinate of public key:
0x7E08A434CB2FA300F8974E3FF69A4BCDF36B6308E1D7A56144693A35E11CBD14D502916E680E35FE1E6ABBA85BD4DAE7065308B16B1CCABFE3D91CE0655B0FFD
Corresponding private key (d):
0x3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B
K value:
0x72ABB44536656BF1618CE10BF7EADD40582304A51EE4E2A25A0A32CB0E773ABB23B7D8FDD8FA5EEE91B4AE452F2272C86E1E2221215D405F51B5D5015616E1F6
H-bar value:
0x33DEF8422879AA68482339BC65E5DCA9A5D77E80C5C0371DB13D3B88F4CCA8A89ED3CE85849231DD61B35E4B47A3722317663859A2BE088C1BB6EEC87410DAF2
Signed XML document:
<?xml version="1.0" encoding="utf-8"?>
<root>
   <DataToSign Id="ToSign">Data</DataToSign>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-512" />
         <Reference URI="#ToSign">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            </Transforms>
            <DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-512" />
            <DigestValue>
               wiOFD9D7zKHNlo58t/9tUtCJA5ZO9vmDhMlt3HIkyXZvQxIp5PE+txwsI
               AVfUIOULvGTFxAZlwuHTB+qD5s54g==
            </DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>
         dn+oWg6n3wJ20kBmO1GvURc4SuZ3h3nKXYWy4uHdmeS2nlTlNWFKca4fTBlc+fp
         nCS8IEVNFX25Ndh4UXJLLNl2/L0wtancFiA+xRYzFgzUGW+pWIfyfvBdsSspbwe
         ZyJUWajqN3lDRZDchycEApNlqDpTtes8BpNrXSh+Cpg+c=
      </SignatureValue>
      <KeyInfo>
         <KeyValue>
            <GOSTR34102012-512-KeyValue xmlns="urn:ietf:params:xml:ns:cpxmlsec">
               <NamedCurve URI="urn:oid:1.2.643.7.1.2.1.2.2" />
               <PublicKey>
                  ExkPVQojORURgkPDBM9hdXQDaoWhLssGvAm8Tp072hiaRUFV0MJMLy
                  xQCoe4ZOeNrzhLcaSrUwl3xn/OJ0YTB/0PW2XgHNnjv8oca7EIUwbn
                  2tRbqLtqHv41DmhukQLVFL0c4TU6aURhpdfhCGNr881LmvY/Tpf4AK
                  MvyzSkCH4=
               </PublicKey>
            </GOSTR34102012-512-KeyValue>
         </KeyValue>
      </KeyInfo>
   </Signature>
</root>
Base64-encoded signed XML document:
The following sample was constructed using the X.509 certificate from section 4.2 of [RFC4491].
X-coordinate of public key:
0x577E324FE70F2B6DF45C437A0305E5FD2C89318C13CD0875401A026075689584
Y-coordinate of public key:
0x601AEACABC660FDFB0CBC7567EBBA6EA8DE40FAE857C9AD0038895B916CCEB8F
Corresponding private key (d):
0x0B293BE050D0082BDAE785631A6BAB68F35B42786D6DDA56AFAF169891040F77
K value:
0x5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C
H-bar value:
0xEF3E03620C2B0E87E43F503A839AB7868071EA28CA38AABD915D56A5F74400F4
Signed XML document:
<?xml version="1.0" encoding="utf-8"?>
<root>
   <DataToSign Id="ToSign">Data</DataToSign>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102001-gostr3411" />
         <Reference URI="#ToSign">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            </Transforms>
            <DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr3411" />
            <DigestValue>
               FVQbzF2djfNNJO3JG0OLfSODlZkibTcUmF2DS4nnuPY=
            </DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>
         n2UHtdu25fPzJNYyojbNTq52V1D3UBVQqI5xNhdYopDpMjpeiN2H+3xyQ4O//nz
         s1Ln/oqwzvu9zpaH3Q0BPaw==
      </SignatureValue>
      <KeyInfo>
         <KeyValue>
            <GOSTR34102001KeyValue xmlns="urn:ietf:params:xml:ns:cpxmlsec">
               <NamedCurve URI="urn:oid:1.2.643.2.2.36.0" />
               <PublicKey>
                  hJVodWACGkB1CM0TjDGJLP3lBQN6Q1z0bSsP508yfleP68wWuZWIA9
                  CafIWuD+SN6qa7flbHy7DfD2a8yuoaYA==
               </PublicKey>
            </GOSTR34102001KeyValue>
         </KeyValue>
      </KeyInfo>
   </Signature>
</root>
Base64-encoded signed XML document:
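How the PublicKey values in the first and third samples relate to the listed coordinates, as an added example that is not part of the draft: decoding each value yields the X-coordinate followed by the Y-coordinate, each least-significant byte first. The function name parse_gost_key_value and the trimmed KeyValue fragments are this example's own, and the byte layout is read off the sample data rather than quoted from the draft.

```python
import base64
import xml.etree.ElementTree as ET

CP = "urn:ietf:params:xml:ns:cpxmlsec"
# Coordinate size in bytes for each key-value element the schema declares.
COORD_BYTES = {
    "GOSTR34102012-256-KeyValue": 32,
    "GOSTR34102012-512-KeyValue": 64,
    "GOSTR34102001KeyValue": 32,
}

# KeyValue fragments trimmed from the first and third samples, with the
# line break inside <PublicKey> kept as printed.
SAMPLE_2012_256 = """<KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
 <GOSTR34102012-256-KeyValue xmlns="urn:ietf:params:xml:ns:cpxmlsec">
  <NamedCurve URI="urn:oid:1.2.643.2.2.36.0" />
  <PublicKey>
   ut/Qw1MUq9KPqkdHC2xAF3K7TugHfo9n525D2s5mFZdD5pwf90/i4v
   F0mFmr9nfRwMYP4o0Pg1mOn5RlaXNYrQ==
  </PublicKey>
 </GOSTR34102012-256-KeyValue>
</KeyValue>"""
SAMPLE_2001 = """<KeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">
 <GOSTR34102001KeyValue xmlns="urn:ietf:params:xml:ns:cpxmlsec">
  <NamedCurve URI="urn:oid:1.2.643.2.2.36.0" />
  <PublicKey>
   hJVodWACGkB1CM0TjDGJLP3lBQN6Q1z0bSsP508yfleP68wWuZWIA9
   CafIWuD+SN6qa7flbHy7DfD2a8yuoaYA==
  </PublicKey>
 </GOSTR34102001KeyValue>
</KeyValue>"""


def parse_gost_key_value(xml_text):
    """Return (element name, curve URI, X, Y) for one GOST key value."""
    # The inputs here are embedded samples; untrusted XML needs a hardened parser.
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        ns, _, local = elem.tag[1:].partition("}")
        if ns == CP and local in COORD_BYTES:
            break
    else:
        raise ValueError("no GOST key value element found")
    curve = elem.find(f"{{{CP}}}NamedCurve")
    key = elem.find(f"{{{CP}}}PublicKey")
    if curve is None or key is None or not curve.get("URI"):
        raise ValueError("NamedCurve URI and PublicKey are both required")
    # Line breaks inside the value MUST be ignored: drop all whitespace,
    # then decode strictly so any other stray character is rejected.
    raw = base64.b64decode("".join((key.text or "").split()), validate=True)
    size = COORD_BYTES[local]
    if len(raw) != 2 * size:
        raise ValueError(f"{local}: expected {2 * size} bytes, got {len(raw)}")
    x = int.from_bytes(raw[:size], "little")
    y = int.from_bytes(raw[size:], "little")
    return local, curve.get("URI"), x, y
```

A value of the wrong length for its element is rejected before any coordinate is returned, so a 512-bit key cannot be presented under the 256-bit element name.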
The following sample was constructed using the X.509 certificate from Appendix A of [R1323565.1.023-2018].
X-coordinate of public key:
0x971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA
Y-coordinate of public key:
0xAD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643
Corresponding private key (d):
0xBFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924
K value:
0x5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C
H-bar value:
0x054D1DABB161D63424F8DABB2800708B00F78DA7582699E8F2F0A521C7CE8144
Signed XML document:
<?xml version="1.0" encoding="utf-8"?>
<root>
   <DataToSign Id="ToSign">Data</DataToSign>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256" />
         <Reference URI="#ToSign">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            </Transforms>
            <DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256" />
            <DigestValue>
               9QLsxPPo7LlX6IXqwzjcNDmbFuCCGivQ1s61hcPuITM=
            </DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>
         jcQJhWtWbTCV7bjFky5vGXXUFigc74FXRi79lZnFHK7pMjpeiN2H+3xyQ4O//nz
         s1Ln/oqwzvu9zpaH3Q0BPaw==
      </SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509Certificate>
               MIICYjCCAg+gAwIBAgIBATAKBggqhQMHAQEDAjBWMSkwJwYJKoZIhvcNA
               QkBFhpHb3N0UjM0MTAtMjAxMkBleGFtcGxlLmNvbTEpMCcGA1UEAxMgR2
               9zdFIzNDEwLTIwMTIgKDI1NiBiaXQpIGV4YW1wbGUwHhcNMTMxMTA1MTQ
               wMjM3WhcNMzAxMTAxMTQwMjM3WjBWMSkwJwYJKoZIhvcNAQkBFhpHb3N0
               UjM0MTAtMjAxMkBleGFtcGxlLmNvbTEpMCcGA1UEAxMgR29zdFIzNDEwL
               TIwMTIgKDI1NiBiaXQpIGV4YW1wbGUwZjAfBggqhQMHAQEBATATBgcqhQ
               MCAiQABggqhQMHAQECAgNDAARAut/Qw1MUq9KPqkdHC2xAF3K7TugHfo9
               n525D2s5mFZdD5pwf90/i4vF0mFmr9nfRwMYP4o0Pg1mOn5RlaXNYraOB
               wDCBvTAdBgNVHQ4EFgQU1fIeN1HaPbw+XWUzbkJ+kHJUT0AwCwYDVR0PB
               AQDAgHGMA8GA1UdEwQIMAYBAf8CAQEwfgYDVR0BBHcwdYAU1fIeN1HaPb
               w+XWUzbkJ+kHJUT0ChWqRYMFYxKTAnBgkqhkiG9w0BCQEWGkdvc3RSMzQ
               xMC0yMDEyQGV4YW1wbGUuY29tMSkwJwYDVQQDEyBHb3N0UjM0MTAtMjAx
               MiAoMjU2IGJpdCkgZXhhbXBsZYIBATAKBggqhQMHAQEDAgNBAF5bm4BbA
               RR6hJLEoWJkOsYV3Hd7kXQQjz3CdqQfmHrz6TI6Xojdh/t8ckODv/587N
               S5/6KsM77vc6Wh90NAT2s=
            </X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
</root>
Base64-encoded signed XML document:
The following sample was constructed using the X.509 certificate from Appendix A of [R1323565.1.023-2018].
X-coordinate of public key:
0x971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA
Y-coordinate of public key:
0xAD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643
Corresponding private key:
0xBFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924
K value:
0x5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C
H-bar value:
0x054D1DABB161D63424F8DABB2800708B00F78DA7582699E8F2F0A521C7CE8144
Signed XML document:
<?xml version="1.0" encoding="utf-8"?>
<root>
   <DataToSign Id="ToSign">Data</DataToSign>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256" />
         <Reference URI="#ToSign">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            </Transforms>
            <DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256" />
            <DigestValue>
               9QLsxPPo7LlX6IXqwzjcNDmbFuCCGivQ1s61hcPuITM=
            </DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>
         jcQJhWtWbTCV7bjFky5vGXXUFigc74FXRi79lZnFHK7pMjpeiN2H+3xyQ4O//nz
         s1Ln/oqwzvu9zpaH3Q0BPaw==
      </SignatureValue>
      <KeyInfo>
         <DEREncodedKeyValue xmlns="http://www.w3.org/2009/xmldsig11#">
            MGYwHwYIKoUDBwEBAQEwEwYHKoUDAgIkAAYIKoUDBwEBAgIDQwAEQLrf0MNT
            FKvSj6pHRwtsQBdyu07oB36PZ+duQ9rOZhWXQ+acH/dP4uLxdJhZq/Z30cDG
            D+KND4NZjp+UZWlzWK0=
         </DEREncodedKeyValue>
      </KeyInfo>
   </Signature>
</root>
Base64-encoded signed XML document:
We thank Ekaterina Griboedova and Evgeny Alekseev for their useful comments.