WS-I

Basic Security Profile [1.0] Test Assertions Version 1.0

Working Group Draft

2006-06-13

Editors:
Ram Poornalingam, Microsoft Corporation (rampo@microsoft.com)
Ed Johns, Microsoft Corporation (edjohns@microsoft.com)
Govind Ramanathan, Microsoft Corporation (govindr@microsoft.com)
Shrikant Wagh, Optimyz Software, Inc. (shrikant@optimyz.com)
David Lauzon, IBM Corporation (lauzond@ca.ibm.com)
Craig Chaney, IBM Corporation (craigcw@us.ibm.com)
Other Contributors
Keith Stobie (Microsoft Corporation), Martin Gudgin (Microsoft Corporation),
Administrative contact:
secretary@ws-i.org

Abstract

This document contains the test assertions for the WS-I Basic Security Profile definition. These test assertions are used by the analyzer testing tool to determine if a Web service is conformant to the Basic Security Profile.

Notice

The material contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this material or WS-I. The material contained herein is provided on an "AS IS" basis and to the maximum extent permitted by applicable law, this material is provided AS IS AND WITH ALL FAULTS, and the authors and developers of this material and WS-I hereby disclaim all other warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THIS MATERIAL.

IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF THIS MATERIAL OR WS-I BE LIABLE TO ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOODS OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, DIRECT, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS MATERIAL, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.

Feedback

The Web Services-Interoperability Organization (WS-I) would like to receive input, suggestions and other feedback ("Feedback") on this work from a wide variety of industry participants to improve its quality over time.

By sending email, or otherwise communicating with WS-I, you (on behalf of yourself if you are an individual, and your company if you are providing Feedback on behalf of the company) will be deemed to have granted to WS-I, the members of WS-I, and other parties that have access to your Feedback, a non-exclusive, non-transferable, worldwide, perpetual, irrevocable, royalty-free license to use, disclose, copy, license, modify, sublicense or otherwise distribute and exploit in any manner whatsoever the Feedback you provide regarding the work. You acknowledge that you have no expectation of confidentiality with respect to any Feedback you provide. You represent and warrant that you have rights to provide this Feedback, and if you are providing Feedback on behalf of a company, you represent and warrant that you have the rights to provide Feedback on behalf of your company. You also acknowledge that WS-I is not required to review, discuss, use, consider or in any way incorporate your Feedback into future versions of its work. If WS-I does incorporate some or all of your Feedback in a future version of the work, it may, but is not obligated to include your name (or, if you are identified as acting on behalf of your company, the name of your company) on a list of contributors to the work. If the foregoing is not acceptable to you and any company on whose behalf you are acting, please do not provide any Feedback.

WS-I members should direct feedback on this document to wsi_testing@lists.ws-i.org; non-members should direct feedback to wsi-tools@ws-i.org.


Table of Contents

Document Conventions
Profile Definitions
Test Assertion Artifacts
secureEnvelope
Test Assertion Counts
Profile Requirements Index
Appendix A: Referenced Specifications


Document Conventions

The labels used for entry types in this document map one-to-one with the conformance targets from the profile document, but use a different convention for capitalization. For example, the conformance target SECURITY_HEADER corresponds to the entry type securityHeader.

This document uses a number of namespace prefixes throughout; their associated URIs are listed below. Note that the choice of any namespace prefix is arbitrary and not semantically significant.

A "candidate" element is one that is to be verified for conformance. The analyzer specification contains a detailed explanation of all of the fields listed in this document.

Test assertion headings that have this background color are disabled and will not be processed by the analyzer.


Profile Definitions

ID Name Version Revision Location
BSP1 Basic Security Profile 1.0 WGD 29Mar06 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
SAML Basic Security Profile 1.0 WGD 29Mar06 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
KERB Basic Security Profile 1.0 WGD 29Mar06 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
RTP1 Basic Security Profile 1.0 WGD 29Mar06 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html


Test Assertion Artifacts


Profile Artifact: secureEnvelope

The Basic Security Profile 1.0 requires support for SOAP 1.1 and HTTP 1.0 or 1.1.

Specification Reference List:


Test Assertions [as they appear in the document]:

ID Entry Type Test Type Enabled
BSP5607 anySecureEnvelope required true
BSP3204 anySecureEnvelope required true
BSP3206 soapHeader required true
BSP3210 soapHeader required true
BSP3227 securityHeader required true
BSP3203 timestamp required true
BSP3224 timestamp required true
BSP3221 timestamp required true
BSP3222 timestamp required true
BSP3220 created recommended true
BSP3229 expires recommended true
BSP3213 created required true
BSP3215 expires required true
BSP3225 created required true
BSP3226 expires required true
BSP3217 created required true
BSP3223 expires required true
BSP3057 strReference required true
BSP3064 strReference required true
BSP3059 strReference required true
BSP3062 strReference required true
BSP3027 securityTokenReference required true
BSP3054 strKeyIdentifier required true
BSP3070 strKeyIdentifier required true
BSP3071 strKeyIdentifier required true
BSP3060 strEmbedded required true
BSP3056 strEmbedded required true
BSP3066 strReference required true
BSP3067 strReference required true
BSP3102 signature required true
BSP3104 signature recommended true
BSP3103 signature recommended true
BSP3001 sigReference recommended true
BSP5416 sigReference required true
BSP5411 sigTransforms required true
BSP5423 sigTransform required true
BSP5412 sigTransforms required true
BSP3065 sigTransform required true
BSP5404 canonicalizationMethod required true
BSP5420 digestMethod recommended true
BSP5421 signatureMethod recommended true
BSP5401 signatureMethod required true
BSP5402 sigKeyInfo required true
BSP5417 sigKeyInfo required true
BSP5403 signature required true
BSP5440 signature required true
BSP3208 encryptedKey required true
BSP3216 encryptedKey recommended true
BSP3209 encryptedKey required true
BSP5622 encryptedKey required true
BSP5623 encryptedKey required true
BSP5602 encryptedKey required true
BSP5603 encryptedKey required true
BSP5629 encryptedData required true
BSP5601 encryptedData required true
BSP5424 encKeyInfo required true
BSP5426 encKeyInfo required true
BSP5608 encDataReference required true
BSP3006 ekDataReference required true
BSP5613 encKeyReference required true
BSP3007 ekKeyReference required true
BSP5620 edEncryptionMethod required true
BSP5626 ekEncryptionMethod required true
BSP5614 headerElement required true
BSP3029 binarySecurityToken required true
BSP3030 binarySecurityToken required true
BSP3031 binarySecurityToken required true
BSP3032 binarySecurityToken required true
BSP4222 usernameToken required true
BSP4201 password required true
BSP4223 usernameToken required true
BSP4225 usernameToken required true
BSP4220 nonce required true
BSP4221 nonce required true
BSP4214 strReference required true
BSP5207 strKeyIdentifier required true
BSP6301 strReference required true
BSP6602 strKeyIdentifier required true
BSP6604 strKeyIdentifier required true
BSP6607 samlAuthorityBinding required true
BSP6997 anySecureEnvelope notTestable false
BSP6998 anySecureEnvelope notTestable false
BSP6999 anySecureEnvelope notTestable false
BSP0002 anySecureEnvelope informational true

Test Assertions [sorted by ID]:

ID Entry Type Test Type Enabled
BSP0002 anySecureEnvelope informational true
BSP3001 sigReference recommended true
BSP3006 ekDataReference required true
BSP3007 ekKeyReference required true
BSP3027 securityTokenReference required true
BSP3029 binarySecurityToken required true
BSP3030 binarySecurityToken required true
BSP3031 binarySecurityToken required true
BSP3032 binarySecurityToken required true
BSP3054 strKeyIdentifier required true
BSP3056 strEmbedded required true
BSP3057 strReference required true
BSP3059 strReference required true
BSP3060 strEmbedded required true
BSP3062 strReference required true
BSP3064 strReference required true
BSP3065 sigTransform required true
BSP3066 strReference required true
BSP3067 strReference required true
BSP3070 strKeyIdentifier required true
BSP3071 strKeyIdentifier required true
BSP3102 signature required true
BSP3103 signature recommended true
BSP3104 signature recommended true
BSP3203 timestamp required true
BSP3204 anySecureEnvelope required true
BSP3206 soapHeader required true
BSP3208 encryptedKey required true
BSP3209 encryptedKey required true
BSP3210 soapHeader required true
BSP3213 created required true
BSP3215 expires required true
BSP3216 encryptedKey recommended true
BSP3217 created required true
BSP3220 created recommended true
BSP3221 timestamp required true
BSP3222 timestamp required true
BSP3223 expires required true
BSP3224 timestamp required true
BSP3225 created required true
BSP3226 expires required true
BSP3227 securityHeader required true
BSP3229 expires recommended true
BSP4201 password required true
BSP4214 strReference required true
BSP4220 nonce required true
BSP4221 nonce required true
BSP4222 usernameToken required true
BSP4223 usernameToken required true
BSP4225 usernameToken required true
BSP5207 strKeyIdentifier required true
BSP5401 signatureMethod required true
BSP5402 sigKeyInfo required true
BSP5403 signature required true
BSP5404 canonicalizationMethod required true
BSP5411 sigTransforms required true
BSP5412 sigTransforms required true
BSP5416 sigReference required true
BSP5417 sigKeyInfo required true
BSP5420 digestMethod recommended true
BSP5421 signatureMethod recommended true
BSP5423 sigTransform required true
BSP5424 encKeyInfo required true
BSP5426 encKeyInfo required true
BSP5440 signature required true
BSP5601 encryptedData required true
BSP5602 encryptedKey required true
BSP5603 encryptedKey required true
BSP5607 anySecureEnvelope required true
BSP5608 encDataReference required true
BSP5613 encKeyReference required true
BSP5614 headerElement required true
BSP5620 edEncryptionMethod required true
BSP5622 encryptedKey required true
BSP5623 encryptedKey required true
BSP5626 ekEncryptionMethod required true
BSP5629 encryptedData required true
BSP6301 strReference required true
BSP6602 strKeyIdentifier required true
BSP6604 strKeyIdentifier required true
BSP6607 samlAuthorityBinding required true
BSP6997 anySecureEnvelope notTestable false
BSP6998 anySecureEnvelope notTestable false
BSP6999 anySecureEnvelope notTestable false


Test Assertion: BSP5607

Entry Type: anySecureEnvelope
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R5607

Context:
For any secureEnvelope containing an encryptedKey or encryptedData.

Assertion Description:
"boolean(./self::soap:Envelope[soap:Header])=true() and boolean(./self::soap:Envelope[soap:Body])=true()"

Failure Message:
A soap:Envelope containing encryption is not a valid SOAP envelope.

Failure Detail Description:
The soap:Envelope in question.

Comments:
Old id="BSP6515"



Test Assertion: BSP3204

Entry Type: anySecureEnvelope
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3204

Context:
For any secureEnvelope.

Assertion Description:
No two "./self::soap:Envelope//*[@wsu:Id]" attributes have the same value.

Failure Message:
Two wsu:Id attributes within a soap:Envelope have the same value.

Failure Detail Description:
The soap:Envelope in question.

Comments:
Old id="BSP6019"



Test Assertion: BSP3206

Entry Type: soapHeader
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3206

Context:
For any soapHeader.

Assertion Description:
"count(./self::soap:Header/wsse:Security[count(@soap:actor)=0])<=1"

Failure Message:
More than one wsse:Security block exists in a soap:Header with the actor attribute omitted (i.e., it is the case that "count(./self::soap:Header/wsse:Security[count(@soap:actor)=0])>1").

Failure Detail Description:
The soap:Header element in question.

Comments:
Old id="BSP6020"



Test Assertion: BSP3210

Entry Type: soapHeader
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3210

Context:
For any soapHeader.

Assertion Description:
All ./self::soap:Header/wsse:Security/@soap:actor are unique.

Failure Message:
Two or more wsse:Security elements are present in the soap:Header with the same value for the actor attribute.

Failure Detail Description:
The soap:Header element in question.

Comments:
Old id="BSP6021"
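
The four envelope-level and header-level assertions above (BSP5607, BSP3204, BSP3206, BSP3210) can be checked with a short script. This is an added example, not the WS-I analyzer's code; the namespace URIs are the standard SOAP 1.1, WSS 1.0 and XML Encryption ones, and the sample messages and the urn:example:gateway actor are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Standard namespace URIs (assumed bindings for the soap:, wsse:, wsu: and
# xenc: prefixes used in the assertions).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU, "xenc": XENC}
WSU_ID = f"{{{WSU}}}Id"
ACTOR = f"{{{SOAP}}}actor"


def duplicate_ids(env):
    """wsu:Id values carried by more than one descendant of the envelope."""
    counts = Counter(el.get(WSU_ID) for el in env.iter()
                     if el is not env and el.get(WSU_ID) is not None)
    return sorted(v for v, n in counts.items() if n > 1)


def check_envelope(xml_text):
    """Return the sorted IDs of the assertions this envelope fails."""
    env = ET.fromstring(xml_text)
    failed = set()
    # BSP5607: an envelope carrying encryption needs both Header and Body.
    encrypted = (env.find(".//xenc:EncryptedKey", NS) is not None
                 or env.find(".//xenc:EncryptedData", NS) is not None)
    if encrypted and (env.find("soap:Header", NS) is None
                      or env.find("soap:Body", NS) is None):
        failed.add("BSP5607")
    # BSP3204: a repeated wsu:Id makes any "#id" reference ambiguous.
    if duplicate_ids(env):
        failed.add("BSP3204")
    for header in env.findall("soap:Header", NS):
        actors = [s.get(ACTOR) for s in header.findall("wsse:Security", NS)]
        # BSP3206: at most one wsse:Security block may omit soap:actor.
        if actors.count(None) > 1:
            failed.add("BSP3206")
        # BSP3210: the soap:actor values that are present must be unique.
        named = [a for a in actors if a is not None]
        if len(named) != len(set(named)):
            failed.add("BSP3210")
    return sorted(failed)


ROOT = (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
        f'xmlns:wsu="{WSU}" xmlns:xenc="{XENC}">')

# Constructed sample messages (not captured traffic).
GOOD = (ROOT + '<soap:Header>'
        '<wsse:Security><wsu:Timestamp wsu:Id="TS-1"/></wsse:Security>'
        '<wsse:Security soap:actor="urn:example:gateway"/>'
        '</soap:Header><soap:Body wsu:Id="Body-1"/></soap:Envelope>')
BAD = (ROOT + '<soap:Header>'
       '<wsse:Security><wsu:Timestamp wsu:Id="Id-1"/></wsse:Security>'
       '<wsse:Security/>'
       '<wsse:Security soap:actor="urn:example:gateway"/>'
       '<wsse:Security soap:actor="urn:example:gateway"/>'
       '</soap:Header><soap:Body wsu:Id="Id-1"/></soap:Envelope>')
NO_BODY = (ROOT + '<soap:Header><wsse:Security><xenc:EncryptedKey/>'
           '</wsse:Security></soap:Header></soap:Envelope>')

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD), ("NO_BODY", NO_BODY)):
        print(name, check_envelope(msg))
```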



Test Assertion: BSP3227

Entry Type: securityHeader
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3227

Context:
For any securityHeader.

Assertion Description:
"boolean(./self::wsse:Security[count(wsu:Timestamp)>1])=false()"

Failure Message:
A wsse:Security contains more than one wsu:Timestamp (i.e. it is the case that ./self::wsse:Security[count(wsu:Timestamp)>1]).

Failure Detail Description:
The wsse:Security element in question.

Comments:
[Not specified]



Test Assertion: BSP3203

Entry Type: timestamp
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3203

Context:
For any timestamp.

Assertion Description:
"boolean(./self::wsu:Timestamp[count(wsu:Created)=1])=true()"

Failure Message:
A wsu:Timestamp element does NOT contain exactly one wsu:Created child element (i.e., it is the case that "./self::wsu:Timestamp[count(wsu:Created)!=1]").

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
Old id="BSP6006"



Test Assertion: BSP3224

Entry Type: timestamp
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3224

Context:
For any timestamp.

Assertion Description:
"boolean(./self::wsu:Timestamp[count(wsu:Expires)>1])=false()"

Failure Message:
A wsu:Timestamp element contains more than one wsu:Expires child element (i.e., it is the case that "./self::wsu:Timestamp[count(wsu:Expires)>1]").

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]



Test Assertion: BSP3221

Entry Type: timestamp
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3203, BSP3224
Profile Requirements (Target / Partial-Target / Collateral): R3221

Context:
For any timestamp that contains an expires.

Assertion Description:
"boolean(./self::wsu:Timestamp/wsu:Expires/preceding-sibling::*=./self::wsu:Timestamp/wsu:Created)=true()"

Failure Message:
wsu:Created and wsu:Expires elements appear in an improper order within a wsu:Timestamp element.

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]



Test Assertion: BSP3222

Entry Type: timestamp
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3222

Context:
For any timestamp.

Assertion Description:
"count(./self::wsu:Timestamp/wsu:Created)+count(./self::wsu:Timestamp/wsu:Expires)=count(./self::wsu:Timestamp/*)"

Failure Message:
A wsu:Timestamp contains child elements other than wsu:Created or wsu:Expires.

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]



Test Assertion: BSP3220

Entry Type: created
Test Type: recommended
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3217
Profile Requirements (Target / Partial-Target / Collateral): R3220

Context:
For any created.

Assertion Description:
"seconds-from-duration(./self::wsu:Created/text()) should not contain more than 3 digits to right of decimal."

Failure Message:
A wsu:Created element contains more than three digits to the right of decimal.

Failure Detail Description:
The wsu:Created element in question.

Comments:
[Not specified]



Test Assertion: BSP3229

Entry Type: expires
Test Type: recommended
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3223
Profile Requirements (Target / Partial-Target / Collateral): R3229

Context:
For any expires.

Assertion Description:
"seconds-from-duration(./self::wsu:Expires/text()) should not contain more than 3 digits to right of decimal."

Failure Message:
A wsu:Expires element contains more than three digits to the right of decimal.

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]



Test Assertion: BSP3213

Entry Type: created
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3217
Profile Requirements (Target / Partial-Target / Collateral): R3213

Context:
For any created that contains second values.

Assertion Description:
"seconds-from-duration(./self::wsu:Created/text()) < 60"

Failure Message:
A wsu:Created element has a seconds value greater than or equal to 60.

Failure Detail Description:
The wsu:Created element in question.

Comments:
Old id="BSP6012"



Test Assertion: BSP3215

Entry Type: expires
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3223
Profile Requirements (Target / Partial-Target / Collateral): R3215

Context:
For any expires that contains second values.

Assertion Description:
"seconds-from-duration(./self::wsu:Expires/text()) < 60"

Failure Message:
A wsu:Expires element has a seconds value greater than or equal to 60.

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]



Test Assertion: BSP3225

Entry Type: created
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3225

Context:
For any created.

Assertion Description:
"boolean(./self::wsu:Created/@ValueType)=false()"

Failure Message:
A wsu:Created element contains a ValueType attribute (i.e. it is the case that ./self::wsu:Created/@ValueType).

Failure Detail Description:
The wsu:Created element in question.

Comments:
[Not specified]



Test Assertion: BSP3226

Entry Type: expires
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3226

Context:
For any expires.

Assertion Description:
"boolean(./self::wsu:Expires/@ValueType)=false()"

Failure Message:
A wsu:Expires element contains a ValueType attribute (i.e. it is the case that ./self::wsu:Expires/@ValueType).

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]



Test Assertion: BSP3217

Entry Type: created
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3217

Context:
For any created.

Assertion Description:
The time value is in UTC format as specified by the XML Schema type (dateTime).

Failure Message:
A wsu:Created element does NOT contain time instants in UTC format as specified by the XML Schema type (dateTime).

Failure Detail Description:
The wsu:Created element(s) in question.

Comments:
Old id="BSP6013"



Test Assertion: BSP3223

Entry Type: expires
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3223

Context:
For any expires.

Assertion Description:
The time value is in UTC format as specified by the XML Schema type (dateTime).

Failure Message:
A wsu:Expires element does NOT contain time instants in UTC format as specified by the XML Schema type (dateTime).

Failure Detail Description:
The wsu:Expires element(s) in question.

Comments:
[Not specified]
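
The timestamp assertions above (BSP3227 through BSP3223) depend on one another through their Prerequisites fields, which the following added example makes explicit; it is not the WS-I analyzer's code. It assumes that "UTC format" means an xsd:dateTime ending in "Z"; the sample headers and the wsu:Extra child are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Standard WSS 1.0 namespace URIs (assumed bindings for wsse: and wsu:).
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
NS = {"wsse": WSSE, "wsu": WSU}

# Assumption: "UTC format" is taken to mean an xsd:dateTime ending in "Z".
# Group 1 captures the seconds field, group 2 the fractional digits.
UTC_DATETIME = re.compile(
    r"-?\d{4,}-\d{2}-\d{2}T\d{2}:\d{2}:(\d{2})(?:\.(\d+))?Z")

# Assertion IDs per element: ValueType, UTC format, seconds, precision.
# The precision assertions (BSP3220, BSP3229) have test type "recommended".
CREATED = ("BSP3225", "BSP3217", "BSP3213", "BSP3220")
EXPIRES = ("BSP3226", "BSP3223", "BSP3215", "BSP3229")


def check_instant(el, ids):
    """Value checks for one wsu:Created or wsu:Expires element."""
    no_value_type, utc, seconds, precision = ids
    failed = set()
    if el.get("ValueType") is not None:
        failed.add(no_value_type)
    match = UTC_DATETIME.fullmatch((el.text or "").strip())
    if match is None:
        # The UTC assertion is the prerequisite of the two checks below,
        # so they are skipped rather than reported.
        failed.add(utc)
        return failed
    if int(match.group(1)) >= 60:      # e.g. a leap second written as :60
        failed.add(seconds)
    if match.group(2) and len(match.group(2)) > 3:
        failed.add(precision)
    return failed


def check_security(xml_text):
    """Return the sorted IDs of the timestamp assertions a header fails."""
    sec = ET.fromstring(xml_text)
    failed = set()
    stamps = sec.findall("wsu:Timestamp", NS)
    if len(stamps) > 1:
        failed.add("BSP3227")
    for ts in stamps:
        children = list(ts)
        created = ts.findall("wsu:Created", NS)
        expires = ts.findall("wsu:Expires", NS)
        if len(created) != 1:
            failed.add("BSP3203")
        if len(expires) > 1:
            failed.add("BSP3224")
        if len(created) + len(expires) != len(children):
            failed.add("BSP3222")
        # BSP3221 has BSP3203 and BSP3224 as prerequisites and applies only
        # when wsu:Expires is present: wsu:Created must come first.
        if len(created) == 1 and len(expires) == 1:
            if children.index(created[0]) > children.index(expires[0]):
                failed.add("BSP3221")
        for el in created:
            failed |= check_instant(el, CREATED)
        for el in expires:
            failed |= check_instant(el, EXPIRES)
    return sorted(failed)


def security(*timestamps):
    """Wrap constructed wsu:Timestamp contents in a wsse:Security element."""
    inner = "".join(f"<wsu:Timestamp>{t}</wsu:Timestamp>" for t in timestamps)
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'{inner}</wsse:Security>')


# Constructed samples.
GOOD = security("<wsu:Created>2006-06-13T12:00:00.123Z</wsu:Created>"
                "<wsu:Expires>2006-06-13T12:05:00Z</wsu:Expires>")
BAD_ORDER = security("<wsu:Expires>2006-06-13T12:05:00Z</wsu:Expires>"
                     "<wsu:Created>2006-06-13T08:00:00-04:00</wsu:Created>")
BAD_VALUES = security(
    '<wsu:Created ValueType="urn:example:t">2006-06-13T12:00:00.123456Z'
    "</wsu:Created><wsu:Expires>2006-06-13T23:59:60Z</wsu:Expires>"
    "<wsu:Extra/>",
    "<wsu:Created>2006-06-13T12:00:00Z</wsu:Created>")

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER),
                      ("BAD_VALUES", BAD_VALUES)):
        print(name, check_security(msg))
```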



Test Assertion: BSP3057

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3062
Profile Requirements (Target / Partial-Target / Collateral): R3057

Context:
For any strReference.

Assertion Description:
The //[@wsu:Id=./self::wsse:Reference/@URI] is not a wsse:SecurityTokenReference element.

Failure Message:
A wsse:Reference element references a wsse:SecurityTokenReference.

Failure Detail Description:
The wsse:Reference element in question.

Comments:
[Not specified]



Test Assertion: BSP3064

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3062
Profile Requirements (Target / Partial-Target / Collateral): R3064

Context:
For any strReference.

Assertion Description:
The //[@wsu:Id=./self::wsse:Reference/@URI] is not a wsse:Embedded element.

Failure Message:
A wsse:Reference element references a wsse:Embedded.

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6608"



Test Assertion: BSP3059

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3059

Context:
For any strReference.

Assertion Description:
"boolean(./self::wsse:Reference/@ValueType)=true()"

Failure Message:
A wsse:Reference element does NOT contain a ValueType attribute (i.e., it is NOT the case that "./self::wsse:Reference/@ValueType").

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6201"



Test Assertion: BSP3062

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3062

Context:
For any strReference.

Assertion Description:
"boolean(./self::wsse:Reference/@URI)=true()"

Failure Message:
A wsse:Reference element does NOT have a URI attribute (i.e., it is NOT the case that "./self::wsse:Reference/@URI").

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6202"



Test Assertion: BSP3027

Entry Type: securityTokenReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3027

Context:
For any securityTokenReference.

Assertion Description:
"boolean(./self::wsse:SecurityTokenReference[ds:KeyName])=false()"

Failure Message:
A wsse:SecurityTokenReference contains a ds:KeyName (i.e., it is the case that "./self::wsse:SecurityTokenReference[ds:KeyName]").

Failure Detail Description:
The wsse:SecurityTokenReference element in question.

Comments:
Old id="BSP6004"



Test Assertion: BSP3054

Entry Type: strKeyIdentifier
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3054

Context:
For any strKeyIdentifier.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@ValueType])=true()"

Failure Message:
A wsse:KeyIdentifier element does NOT contain a ValueType attribute (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@ValueType]").

Failure Detail Description:
The wsse:KeyIdentifier element in question.

Comments:
Old id="BSP6003"



Test Assertion: BSP3070

Entry Type: strKeyIdentifier
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3070

Context:
For any strKeyIdentifier that refers to a securityToken other than a samlToken.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@EncodingType])=true()"

Failure Message:
A wsse:KeyIdentifier element does NOT contain an EncodingType attribute (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@EncodingType]").

Failure Detail Description:
The wsse:KeyIdentifier element in question.

Comments:
[Not specified]



Test Assertion: BSP3071

Entry Type: strKeyIdentifier
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3070
Profile Requirements (Target / Partial-Target / Collateral): R3071

Context:
For any strKeyIdentifier that has an EncodingType attribute.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'])=true()"

Failure Message:
A wsse:KeyIdentifier element contains an EncodingType attribute that does NOT have a value of "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary']").

Failure Detail Description:
The wsse:KeyIdentifier element in question.

Comments:
[Not specified]



Test Assertion: BSP3060

Entry Type: strEmbedded
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3060

Context:
For any strEmbedded.

Assertion Description:
"count(./self::wsse:Embedded/*)=1" AND the child is an internalSecurityToken.

Failure Message:
A wsse:Embedded element has zero or more than one security token child element (i.e., it is not the case that "count(./self::wsse:Embedded/*)=1").

Failure Detail Description:
The wsse:Embedded element in question.

Comments:
Old id="BSP6606".



Test Assertion: BSP3056

Entry Type: strEmbedded
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: [Not specified]
Profile Requirements (Target / Partial-Target / Collateral): R3056

Context:
For any strEmbedded.

Assertion Description:
"boolean(./self::wsse:Embedded[wsse:SecurityTokenReference])=false()"

Failure Message:
A wsse:Embedded element contains a wsse:SecurityTokenReference child element (i.e. it is the case that ./self::wsse:Embedded[wsse:SecurityTokenReference]).

Failure Detail Description:
The wsse:Embedded element in question.

Comments:
Old id="BSP6604"



Test Assertion: BSP3066

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3062
Profile Requirements (Target / Partial-Target / Collateral): R3066

Context:
For any strReference that is a descendant of a securityHeader.

Assertion Description:
For __thisURI = "./self::wsse:Reference/@URI" "boolean(./self::wsse:Reference/ancestor::wsse:Security=//*[concat('#',@wsu:Id)=__thisURI]/ancestor::wsse:Security)=true()"

Failure Message:
A wsse:Reference that uses a shorthand XPointer does not reference any security tokens located in the same wsse:Security element.

Failure Detail Description:
The wsse:Reference in question.

Comments:
Old id="BSP6420"
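
The wsse:Reference assertions (BSP3059, BSP3062, BSP3057, BSP3064 and BSP3066 above) all depend on resolving the URI to the element that carries the matching wsu:Id. The following added example, which is not the WS-I analyzer's code, performs that resolution and, as the BSP3066 XPath does, treats a target that cannot be found as a failure; the sample envelope, its Id values and the urn:example:gateway actor are constructed.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs (assumed bindings for soap:, wsse: and wsu:).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
NS = {"wsse": WSSE}
WSU_ID = f"{{{WSU}}}Id"
SECURITY = f"{{{WSSE}}}Security"
STR = f"{{{WSSE}}}SecurityTokenReference"
EMBEDDED = f"{{{WSSE}}}Embedded"


def check_references(xml_text):
    """Return [(URI, failed assertion IDs)] for each wsse:Reference in an STR."""
    env = ET.fromstring(xml_text)
    parent = {child: p for p in env.iter() for child in p}
    by_id = {el.get(WSU_ID): el for el in env.iter() if el.get(WSU_ID)}

    def security_of(el):
        """Nearest wsse:Security ancestor-or-self, or None."""
        while el is not None and el.tag != SECURITY:
            el = parent.get(el)
        return el

    results = []
    path = ".//wsse:SecurityTokenReference/wsse:Reference"
    for ref in env.iterfind(path, NS):
        failed = set()
        if ref.get("ValueType") is None:
            failed.add("BSP3059")
        uri = ref.get("URI")
        if uri is None:
            failed.add("BSP3062")  # prerequisite of BSP3057/BSP3064/BSP3066
        elif uri.startswith("#"):  # Shorthand XPointer to a wsu:Id
            target = by_id.get(uri[1:])
            if target is not None and target.tag == STR:
                failed.add("BSP3057")
            if target is not None and target.tag == EMBEDDED:
                failed.add("BSP3064")
            # BSP3066: for a reference inside a wsse:Security, the target
            # must sit in that same header (an unresolved target also fails).
            home = security_of(ref)
            if home is not None and security_of(target) is not home:
                failed.add("BSP3066")
        results.append((uri, sorted(failed)))
    return results


# Constructed sample: four references in the first header, one token in
# a second header addressed to a different actor.
SAMPLE = (
    f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" '
    f'xmlns:wsu="{WSU}"><soap:Header><wsse:Security>'
    '<wsse:BinarySecurityToken wsu:Id="X509-A"/>'
    '<wsse:SecurityTokenReference wsu:Id="STR-1">'
    f'<wsse:Reference URI="#X509-A" ValueType="{X509V3}"/>'
    '</wsse:SecurityTokenReference>'
    '<wsse:SecurityTokenReference>'
    '<wsse:Reference URI="#STR-1"/>'
    '</wsse:SecurityTokenReference>'
    '<wsse:SecurityTokenReference>'
    f'<wsse:Reference URI="#X509-B" ValueType="{X509V3}"/>'
    '</wsse:SecurityTokenReference>'
    '<wsse:SecurityTokenReference>'
    f'<wsse:Reference ValueType="{X509V3}"/>'
    '</wsse:SecurityTokenReference>'
    '</wsse:Security>'
    '<wsse:Security soap:actor="urn:example:gateway">'
    '<wsse:BinarySecurityToken wsu:Id="X509-B"/>'
    '</wsse:Security></soap:Header><soap:Body/></soap:Envelope>')

if __name__ == "__main__":
    for uri, failed in check_references(SAMPLE):
        print(uri, failed)
```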



Test Assertion: BSP3067

Entry Type: strReference
Test Type: required
Enabled: true
Additional Entry Types: Message Input: none; WSDL Input: none
Prerequisites: BSP3062
Profile Requirements (Target / Partial-Target / Collateral): R3067

Context:
For any strReference that is a descendant of an encryptedData.

Assertion Description:
The wsse:Reference must not use a Shorthand XPointer to refer to a security token located in a wsse:Security element other than the wsse:Security element containing a reference to the xenc:Encrypted element that contains the wsse:Reference.

Failure Message:
A wsse:Reference that uses a shorthand XPointer does not reference any security tokens located in the wsse:Security element that contains a reference to the wsse:Reference's containing xenc:Encrypted.

Failure Detail Description:
The wsse:Reference in question.

Comments:
[Not specified]



Test Assertion: BSP3102

Entry Type Test Type Enabled Additional Entry Type