This document contains the test assertions for the WS-I SOAP Message Security Profile definition. These test assertions are used by the analyzer testing tool to determine if a Web service is conformant to the Basic Security Profile. This document uses a number of namespace prefixes throughout; their associated URIs are listed below. Note that the choice of any namespace prefix is arbitrary and not semantically significant. soap - "http://schemas.xmlsoap.org/soap/envelope/" dsig - "http://www.w3.org/2000/09/xmldsig#" xenc - "http://www.w3.org/2001/04/xmlenc#" wsse - "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsu - "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" Ed Johns Govind Ramanathan Keith Stobie (Microsoft Corporation), Martin Gudgin (Microsoft Corporation), David Lauzon (IBM), Narendra Patil (Optimyz) The Basic Security Profile requires support for SOAP 1.1 and HTTP 1.0 or 1.1. For any secure envelope, that contains a wsse:BinarySecurityToken meant for SOAP message security. Each wsse:BinarySecurityToken element should contain the EncodingType attribute. One or more wsse:BinarySecurity tokens are present in the message but have no EncodingType attribute. The wsse:BinarySecurityToken element(s) in question. none none R3029 R3030 For any secure envelope, that contains wsse:BinarySecurityToken element meant for SOAP message security. Each wsse:BinarySecurityToken element should have the ValueType attribute. One or more wsse:BinarySecurityToken elements in the message do not have a ValueType attribute. The wsse:BinarySecurityToken element(s) in question. none none R3031 For any secure envelope, that contains a wsse:SecurityTokenReference element which is meant for SOAP message security with wsse:KeyIdentifier child element. The wsse:KeyIdentifier MUST have a ValueType attribute specified. One or more wsse:KeyIdentifier elements present in the message do not contain a ValueType attribute. The wsse:KeyIdentifier elements in question. none none R3054 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security. The wsse:SecurityTokenReference element should not have ds:KeyName as its child element. ds:KeyName is used to refer to one or more Security Tokens. The wsse:SecurityTokenReference element at fault. none none R3027 For any secure envelope, that contains a wsse:UsernameToken meant for SOAP message security with wsse:Password child element. Every wsse:Password element MUST have the type attribute specified. One or more wsse:UsernameToken/wsse:Password elements are present in the message without their Type attributes. The wsse:Password element(s) in question. none none R4201 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp", returns at least one element. The XPath expression "count(./wsu:Created)", applied to each node returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" must return 1. One or more wsu:Timestamp elements have either a) no wsu:Created child elements or b) more than one wsu:Created child elements. The wsu:Timestamp elements in question. none none BSP6014 R3203 For any secure envelope, that contains a wsse:BinarySecurityToken meant for SOAP message security. The EncodingType attribute on each wsse:BinarySecurityToken element MUST have a value of "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary" One or more wsse:BinarySecurity tokens are present in the message where the EncodingType attribute has a value other than "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary". The wsse:BinarySecurityToken element(s) in question. none none R3030 For any secure envelope, that contains a wsse:BinarySecurityToken meant for SOAP message security with the ValueType attribute set to "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\" or "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\". The ValueType attribute should not be set to "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\". One or more X.509 certificates are representing certificate path information using wsse:PKCS7 certificate type. Certificate path information should be represented using the wsse:X509PKIPathv1 format. The wsse:BinarySecurityToken in question none none R5202 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp[wsu:Created or wsu:Expires]" returns at least one element. The values of the nodes returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp[wsu:Created or wsu:Expires]", do not include leap seconds. One or more wsse:Created or wsse:Expires elements have values specifying leap seconds. The wsu:Timestamp elements in question. none none R3213 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" returns at least one element. The nodes returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp", contain time instants in UTC format as specified by the XML Schema type. One or more wsu:Timestamp elements does not contain time instants in UTC format. The wsu:Timestamp element(s) in question. none none R3217 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security//wsu:Timestamp" returns at least one element. Each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security//wsu:Timestamp", must have the wsse:Security element as its parent. One or more wsu:Timestamp elements which are descendants of the wsse:Security element, do not have the wsse:Security element as their parent. The wsu:Timestamp elements in question. none none R3218 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security[count(wsu:Timestamp) > 1]" returns no elements. More than one wsu:Timestamp elements occur as children of a wsse:Security node. The wsse:Security node in question. none none BSP6014 R3219 For any secure message, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" returns at least one element. The wsu:Timestamp element must contain the wsu:Created child elements at most once. More than one wsu:Created or wsu:Expires element appears within a wsu:Timestamp element. The wsu:Timestamp element in question. none none BSP6014 R3220 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp" returns at least one element. The wsu:Timestamp must contain wsu:Expires child element at most once. More than one wsu:Expires element appears within a wsu:Timestamp element. The wsu:Timestamp element in question. none none BSP6014 R3220 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:security/wsu:Timestamp[wsu:Created and wsu:Expires]" returns at least one element. For each node returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsse:security/wsu:Timestamp[wsu:Created and wsu:Expires]", the wsu:Created element appears immediately before the wsu:Expires element. wsu:Created and wsu:Expires occur in an improper order within a wsu:Timestamp element. The wsu:Timestamp element in question. none none BSP6016 BSP6017 R3221 For any secure evelope where the XPath expression "//*[@wsu:Id]" return more than one element. No two elements returned by the XPath expresstion "//*[@wsu:Id]" have the same values for the wsu:Id attribute. Two wsu:Id attributes within a SECURE_ENVELOPE have the same value. The elements containing the attributes in question none none R3204 For any secure envelope. The XPath expression "/soap:Envelope/soap:Header/wsse:Security[@not(actor)]" returns at most one element. More than one security header block exists in the SECURE_ENVELOPE with the actor attribute omitted. The wsse:Security elements in question. none none R3206 For any secure envelope. No two elements returned by the XPath expresstion "./soap:Envelope/soap:Header/wsse:Security[@actor]" have the same values for the actor attribute. Two or more wsse:Security elements are present in the SECURE_ENVELOPE with the same value for the actor attribute. The wsse:Security elements in question. none none R3210 For any secure envelope. The HTTP message containing the secure envelope does not contain a SOAPAction header A secure envelope was transmitted in an HTTP message with a SOAPAction header. The SOAPAction header in question. none none C2010 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security. The wsse:SecurityTokenReference must have exactly one child element. One or more wsse:SecurityTokenReference elements in the message have either no child elements or else more than one child elements. The wsse:SecurityTokenReference elements in question. none none R3061 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security with wsse:Reference child element. The wsse:Reference element should have a ValueType attribute. One or more wsse:SecurityTokenReference/wsse:Reference elements does not have a ValueType attribute. The wsse:SecurityTokenReference/wsse:Reference element in question. none none R3059 For any secure envelope, that contains a wsse:SecurityTokenReference element which is meant for SOAP message security with wsse:Reference child element. The wsse:Reference element MUST have the URI attribute. One or more wsse:SecurityTokenReference/wsse:Reference elements does not have a URI attribute. The wsse:SecurityTokenReference/wsse:Reference element(s) in question. none none R3062 For any secure envelope, that contains a wsse:SecurityTokenReference element which is meant for SOAP message security wth wsse:Embedded child element. The wsse:Embedded element should not have wsse:SecurityTokenReference as its child element. One or more wsse:Embedded elements contains a wsse:SecurityToken reference child element. The wsse:Embedded element(s) in question none none R3055 For any secure envelope, that contains a ds:KeyInfo which is meant for SOAP message security. The ds:KeyInfo element does not contain xenc:AgreementMethod child element. One or more ds:KeyInfo elements has an xenc:AgreementMethod child element. The ds:KeyInfo elements in question. none none R5605 For any secure envelope, that contains a ds:KeyInfo which is meant for SOAP message security. The ds:KeyInfo must each have exactly one child element. One or more ds:KeyInfo elements in the message have either no child elements, or more than one child elements. The ds:KeyInfo element(s) in question. none none R5402 For any secure envelope, that contains a ds:KeyInfo which is meant for SOAP message security. Each ds:KeyInfo must either have wsse:SecurityTokenReference or ds:MgmtData as one of its child element. One or more ds:KeyInfo elements in the message have child elements other than wsse:SecurityTokenReference or ds:MgmtData The ds:KeyInfo element(s) in question. none none BSP6302 R5409 R5605 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:KeyInfo" returns at lease one element. Any element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:KeyInfo" must have wsse:SecurityTokenReference as its child element. One or more ds:Signature elements in the Security Header of the message contain ds:KeyIfo elements that do not use wsse:SecurityTokenReference to refer to the relevant Security Token. The ds:Signature element(s) in question. none none BSP6302 R3052 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature" returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature[//ds:Manifest]" will not return any elements. One or more ds:Signature elements in the message contains a ds:Manifest element. The ds:Signature element(s) in question. none none R5403 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm", returns one or more attributes. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature[ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm!=\"http://www.w3.org/2000/09/xmldsig#sha1\"]" must not return any elements. One or more ds:Signature elements contains a ds:DigestMethod/@Algorithm element with a value other than "http://www.w3.org/2000/09/xmldsig#sha1" The ds:Signature element(s) in question. none none R5420 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference[not(ds:Transforms)]" does not return any elements. One or more ds:Reference elements in the message does not have a ds:Transforms child element. The ds:Reference element(s) in question. none none R5410 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms", returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms[not(ds:Transform)]" does not return any elements. One or more ds:Transforms elements in the message does not have any ds:Transform child elements. The ds:Transforms element(s) in question. none none BSP6405 R5411 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod/@Algorithm", returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod[@Algorithm != \"http://www.w3.org/2001/10/xml-exc-c14n#\"]" does not return any elements. One or more ds:CanonicalizationMethod/@Algorithm attributes in the message have values other than "http://www.w3.org/2001/10/xml-exc-c14n#". The ds:CanonicalizationMethod element(s) in question. none none R5404 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod[@Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"]", returns one or more elements. The elements returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:CanonicalizationMethod[@Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"]" must have a c14N:InclusiveNamespace child element with a @PrefixList attribute. One or more ds:CanonicalizationMethod elements with @Algorithm attributes whose value is "http://www.w3.org/2001/10/xml-exc-c14n#" do not have c14N:InclusiveNamespace child elements, or else the c14N:InclusiveNamespace elements do not have a @PrefixList attribute. The ds:Canonicalization elements in question. none none BSP6407 R5406 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform/@Algorithm ", returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform/[not(@Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\" or @Algorithm=\"http://www.w3.org/2002/06/xmldsig-filter2#\" or @Algorithm=\"http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#STR-Transform\" or @Algorithm=\"http://www.w3.org/2000/09/xmldsig#enveloped-signature\")]" does not return any elements. One or more ds:Transform/@Algorithm attributes have values that are not one of "http://www.w3.org/2001/10/xml-exc-c14n#" or "http://www.w3.org/2002/06/xmldsig-filter2" or "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#STR-Transform" or "http://www.w3.org/2000/09/xmldsig#enveloped-signature" The ds:Transform elements in question. none none R5423 For any secure envelope,where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:SignatureMethod" returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:SignatureMethod[ds:HMACOutputLength]" must not return any elements. One or more ds:Signature/ds:SignedInfo/ds:SignatureMethod elements contains a ds:HMACOutputLength element. The ds:SignatureMethod element(s) in question. none none R5401 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[@Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"]" returns at least one element. Any element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[@Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"]" must have a c14NInclusiveNamespace child element with a @Prefix attribute. A ds:Transform element with an @Algorithm attribute whose value is "http://www.w3.org/2001/10/xml-exc-c14n#" either does not have a c14N:InclusiveNamespace child element, or the c14N:InclusiveNamespace child element does not have a @PrefixList attribute. The ds:signature element containing the elements in question. none none R5407 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[@Algorithm=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\"]" returns one or more elements. The XPath expression "./wsse:TransformationParameters/dsig:CanonicalizationMethod" applied successively to the elements returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[@Algorithm=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\"]" must return at least one element in each case. A signature in the SECURE_ENVELOPE, using the SecurityTokenReference transform, does not have the dsig:CanonicalizationMethod element present and wrapped in a wsse:TransformationParameters element. The signature element in question. none none R3065 For any secure envelope, that contains a xenc:EncryptedData which is meant for SOAP message security. Each xenc:EncryptedData must have xenc:EncryptionMethod as one of its child elements. One or more xenc:EncryptedData elements are present without xenc:EncryptionMethod children. The xenc:EncryptedData element(s) in question none none R5601 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey", returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[@Recipient]" must not return any elements. One or more xenc:EncryptedKey elements has a Recipient attribute. The xenc:EncryptedKey element(s) in question. none none R5602 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[not(xenc:EncryptionMethod)]" does not return any elements. One or more xenc:EncryptedKey elements are present without xenc:EncryptionMethod children. The xenc:EncryptedKey element(s) in question none none R5603 For any secure envelope, that contains a xenc:EncryptedData which is meant for SOAP message security and has a xenc:EncryptionMethod/@Algorithm as its child element. The xenc:EncryptionMethod/@Algorithm attribute should contain as its value one of the following URIs. "http://www.w3.org/2001/04/xmlenc#tripledes-cbc\" "http://www.w3.org/2001/04/xmlenc#aes128-cbc\" "http://www.w3.org/2001/04/xmlenc#aes256-cbc\". One or more xenc:EncryptedData/xenc:EncryptionMethod/@Algorithm attributes have values that are not one of "http://www.w3.org/2001/04/xmlenc#tripledes-cbc", "http://www.w3.org/2001/04/xmlenc#aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc" The xenc:EncryptedData element(s) in question. none none BSP6501 R5620 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm" returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[xenc:EncryptionMethod/not(@Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" or @Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-tripledes\" or @Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes128\" or @Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes256\")] does not return any values. One or more xenc:EncryptedKey/xenc:EncryptionMethod/@Algorithm attributes have values that are not one of "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", "http://www.w3.org/2001/04/xmlenc#kw-tripledes", "http://www.w3.org/2001/04/xmlenc#kw-aes128" or "http://www.w3.org/2001/04/xmlenc#kw-aes256" The xenc:EncryptedKey element(s) in question none none BSP6503 R5621 For any secure envelope, where the XPath expresson "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns at least one element. The XPath expresson "/soap:Envelope/soap:Header/wsse:Security/EncryptedKey[@Type]" must not return any elements. One or more xenc:EncryptedKey elements in the message contains a Type attribute. The xenc:EncryptedKey element(s) in question. none none R3209 For any secure envelope, where the XPath expresson "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey", returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[not(xenc:ReferenceList)]" must not return any elements. One or more xenc:EncryptedKey elements are present in the message without xenc:ReferenceList child elements. The xenc:EncryptedKey element(s) in question. none none R3216 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/[xenc:EncryptedData or xenc:EncryptedKey]/ds:KeyInfo" returns at least one element. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/[xenc:EncryptedData or xenc:EncryptedKey]/ds:KeyInfo[not(wsse:SecurityTokenReference)]" returns no elements. One or more xenc:EncryptedData elements in the security header contain ds:Keyinfo without wsse:SecurityTokenReference children. The ds:Keyinfo element(s) in question. none none BSP6302 BSP6303 R3053 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[@MimeType]" does not return any values. One or more xenc:EncryptedKey elements have a MimeType attribute. The xenc:EncryptedKey elements in question. none none R5622 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[@Encoding]" must not return any elements. One or more xenc:EncryptedKey elements have an Encoding attribute. The xenc:EncryptedKey elements in question none none R5623 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns one or more elements. The XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey[not(@Id)]" must not return any elements. One or more xenc:EncryptedKey elements do not have an Id attribute. The xenc:EncryptedKey elements in question. none none R5624 For any secure envelope, that contains a xenc:EncryptedData or xenc:EncryptedKey which is meant for SOAP message security. The soap:Envelope, soap:Header and soap:Body elements are present in the secure envelope. A secure envelope containing encryption is not a valid SOAP envelope. The secure envelope in question. none none R5607 For a message obtained by reversing the SOAP Messsage Security of any secure message. Not testable. Not testable. none none R5800 R5801 R5802 R5803 R5804 R5805 R5806 R5807 R5808 R5809 R5810 R5811 R5812 R5813 These restrictions are intended to clarify BP1.0 and BP1.1 statements that might be unclear when SOAP Message Security is applied in compliance with the Basic Security Profile. These assertions provide guidance for protecting attachements when they are used with SOAP Messages Not testable. Not testable. none none R6000 R6001 R6002 R6100 R6101 R6103 R6200 R6201 R6202 R6203 R6204 R6205 R6206 R6207 Not testable. Not testable. Not testable. Not testable. none none R2001 R2002 R3021 R3022 R3023 R3024 R3025 R3026 R3212 C4210 C4211 R4212 R4213 R4214 R4215 R5201 R5203 R5206 R5207 C5440 C5441 R5606 C5630 R5701 R5702 R5703 R5704 E0001 R3207 R4213 All of these profile requirements are NOT testable. Some of these test assertions represent capabilities which can not be validated. For any secure envelope, that contains wsse:SecurityTokenReference which is meant for SOAP message security. For each token referenced by the wsse:SecurityTokenReference get the referenced token and check if it is in the additional token profile. none none E0002 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference" returns one or more elements. All the elements in the secure envelope that has a ID attribute and which is referred from the ds:Reference element use the shorthand XPointer format. A element in the secure envelope that has a ID attribute is referred from ds:Reference element without using the shorthand XPointer format. The ds:Reference element which is not using the shorthand XPointer format. none none R3001 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:Transforms/ds:Transform[@Algorithm=''http://www.w3.org/2002/06/xmldsig-filter2"]" returns one or more elements. The ds:Reference element use the XPath filter 2.0 transform (http://www.w3.org/2002/06/xmldsig-filter2) to refer to the elements in the message that does not have an ID attribute. The ds:Reference element does not use the XPath filter 2.0 transform (http://www.w3.org/2002/06/xmldsig-filter2) to refer to the elements in the message that does not have an ID attribute. The ds:Reference element which is not using the XPath Filter 2.0 transform. none none R3002 For any secure envelope, that contains a wsse:BinarySecurityToken which is meant for SOAP message security. For each wsse:BinarySecurityToken element the ValueType attribute has a value specified within the token profile. The message contains at least one wsse:BinarySecurityToken element which has a ValueType attribute whose value is outside the defined token profile. The wsse:BinarySecurityToken element whose ValueType attribute specified a value which is not specified by the Token profile. none none BSP6600 R3032 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP Message security and which has a direct reference to a Security Token. Each wsse:SecurityTokenReference if it contains a direct reference to another wsse:SecurityTokenReference element, then the referenced wsse:SecurityTokenReference should have a wsse:Embedded child element. A direct reference from a wsse:SecurityTokenReference refers to a wsse:SecurityTokenReference element that does not have a wsse:Embedded element as the child node or the embedded security token is not of the expected type. The wsse:SecurityTokenReference element that contains the invalid reference. none none BSP6600 R3056 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security contains a child element wsse:Reference with attribute ValueType. The ValueType attribute should match the value of the ValueType attribute, if any, on the referenced token. A direct reference from a wsse:SecurityTokenReference to a security token have mismatched ValueType attributes. The wsse:SecurityTokenReference element that contains the invalid reference. none none BSP6600 R3058 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security and which contains wsse:Embedded child element. The wsse:Embedded element contains one child element which is a Security Token from the support token profile. The wsse:Embedded element has more than one child element or specifies a Security Token that is not supported. The wsse:SecurityTokenReference element that contains the invalid wsse:Embedded child element. none none BSP6600 R3060 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security and wsse:KeyIdentifier child element. For each wsse:SecurityTokenReference the child element wsse:KeyIdentifier/@ValueType attribute value is specified within the appropriate token profile. The wsse:KeyIdentifier element has the ValueType attribute set to a value which is inappropriate for the token profile. The wsse:SecurityTokenReference element that contains the invalid wsse:KeyIdentifier child element. none none BSP6600 R3063 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security with a child element wsse:Reference. For each wsse:SecurityTokenReference the wsse:Reference child element should not reference the node with name wsse:Embedded. The wsse:Reference element refers to the wsse:Embedded element instead of the Security Token embedded inside the element. The wsse:SecurityTokenReference element that contains the invalid wsse:Reference child element. none none R3064 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature" returns one or more elements. For each element returned by the XPath "/soap:Envelope/soap:Header/wsse:Security/ds:Signature" the XPath expression "./wsse:Object" should not return any element. The wsse:Signature element includes a Enveloping Signature. The wsse:Signature element that contains the Enveloping Signature. none none R3102 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference" the element should refers to a object outside the ds:Signature element. The wsse:Signature element does not use Detached Signature format. The wsse:Signature element that contains the non-Detached Signature. none none R3103 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:ReferenceList" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:ReferenceList" all the xenc:DataReference child elements should be referring to xenc:EncryptedData element that is encrypted with the same key. The xenc:ReferenceList contains xenc:DataReference elements that is referring to xenc:EncryptedData elements all of which are not encrypted with the same key. The xenc:ReferenceList element in question. none none BSP6600 R3205 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsse:EncryptedData" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsse:EncryptedData" the xenc:EncryptedKey element that contains the encryption key preceeds the wsse:EncryptedData element in the header. The xenc:EncryptedData element preceeds the xenc:EncryptedKey element which contains its encryption key. The xenc:EncryptedData element in question. none none R3208 For any secure envelope, with a xenc:EncryptedData element which is meant for SOAP message security and the xenc:EncryptedData has a child element ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference. The ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference element should not reference another ds:KeyInfo element. The xenc:EncryptedData element contains a ds:KeyInfo element that points to another ds:KeyInfo element. The xenc:EncryptedData element in question. none none R3211 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey" the XPath expression "./xenc:ReferenceList/xenc:DataReference" return one or more elements. The xenc:EncryptedKey element either does not contain a xenc:ReferenceList element or the child element xence:ReferenceList does not contain xenc:EncryptedData child element. The xenc:EncryptedKey element in question. none none R3214 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security//xenc:ReferenceList" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security//xenc:ReferenceList" must have a xenc:DataReference child element that refers to a xenc:EncryptedData element. The xenc:ReferenceList element does not contain xenc:DataReference as the child element. The xenc:EncryptedKey element at fault. none none R3215 For any secure envelope, that contains a wsse:SecurityTokenReference which is meant for SOAP message security and has wsse:Reference child element. If the URI attribute of the wsse:Reference element uses a shorthand XPointer format, then the Security token it refers to is contained within the message. The wsse:SecurityTokenReference uses a shorthand XPointer to a security token that is not contained within the message. The wsse:SecurityTokenReference element in question. none none BSP6600 R5204 For any secure envelope, that contains a wsse:BinarySecurityToken meant for SOAP message security. For each wsse:BinarySecurityToken the element preceeds a wsse:SecurityTokenReference element that refers to it. The wsse:BinarySecurityToken element does not preceed its reference in a wsse:SecurityToken Reference. The wsse:SecurityTokenReference element in question. none none BSP6600 R5205 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" the attribute value includes prefix of all in-scope namespaces for the element being signed that are not visibly utilized, per Exclusive XML Canonicalization Version 1.0. The "/soap:Envelope/soap:Header/wsse:Security/ds:Signature//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" does not include all the not visibly utilized namespace prefixes. The ds:Transform element at fault. none none R5405 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" the attribute value should include "#default" if the default namespace is in-scope for the element being signed but is not visibly utilized, per Exclusive XML Canonicalization Version 1.0. The "/soap:Envelope/soap:Header/wsse:Security//ds:Transform/c14n:InclusiveNamespaces[@PrefixList]" does not include #default even though a defaul namespace is being used in the element being signed but is not visibly utilized. The ds:Transform element at fault. none none R5408 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureMethod[@Algorithm]" return one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureMethod[@Algorithm]" the Attribute value is set to "http://www.w3.org/2000/09/xmldsig#hmac-sha1" if the Security Token used is Symmetric. The ds:Signature element has the Algorithm attribute value of its child element wsse:SignatureMethod set to something other than "http://www.w3.org/2000/09/xmldsig#hmac-sha1" when the underlying security token used for signing is a Symmetric Token. The ds:Signature element at fault. none none BSP6600 R5421 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureMethod[@Algorithm]" return one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/ds:Signature/ds:SignatureMethod[@Algorithm]" the Attribute value is set to "http://www.w3.org/2000/09/xmldsig#rsa-sha1" if the Security Token used is Asymmetric. The wsse:Signature element has the Algorithm attribute value of its child element wsse:SignatureMethod set to something other than "http://www.w3.org/2000/09/xmldsig#rsa-sha1" when the underlying security token used for signing is a Asymmetric token. The ds:Signature element at fault. none none BSP6600 R5422 For any secure envelope, that contains a wsse:SecurityTokenReference meant for SOAP message security and has wsse:Reference[@URI] child element. For each wsse:Reference[@URI] if the value points to a Security Token which is not contained in the message then verify that the Security Token can be referred to using Direct References. The wsse:SecurityTokenReference element refers to a Security Token that is not present in the message and also that token cannot be referred to using a direct reference. The wsse:SecurityTokenReference element at fault. none none BSP6600 R3024 For any secure envelope, that contains a wsse:SecurityTokenReference meant for SOAP message security and has wsse:Embedded child element. The format of the contained security token in wsse:Embedded element MUST be the same as if the security token was a child of a wsse:Security element. The wsse:SecurityTokenReference element refers to a Security Token inside its child element wsse:Embedded whose format is different than what would be expected if the Security token was specified as a child element of wsse:Security. The wsse:SecurityTokenReference element at fault. none none BSP6600 R3025 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsse:Nonce" returns one or more elements. For each element returned by the XPath expression "/soap:Envelope/soap:Header/wsse:Security/wsse:Nonce" the value of the element must be unique among all the messages seen. The wsse:Nonce value is not unique among messages. The wsse:Nonce element whose value is not unique. none none R4213 For any secure envelope, where the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:ReferenceList/xenc:DataReference" and/or the XPath expression "/soap:Envelope/soap:Header/wsse:Security/xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference" returns one or more elements. For each element returned by the XPath expressions the element being referenced should be a xenc:EncryptedData. The xenc:DataReference elment refers to an element whose element name is not xenc:EncryptedData. The xenc:DataReference that contains the incorrect reference. none none R5606