
Web Services Security 1.1: Interop Scenario

Working Draft 02, 7 June 2005

Document identifier: wss-11-interop-draft-01.doc

Location: http://www.oasis-open.org/committees/wss/

Editor: Martin Gudgin, Microsoft Corp. <[email protected]>

Contributors: TBD

Abstract: This document documents the scenario to be used in the WSS 1.1 Interoperability Event.

Status: Committee members should send comments on this specification to the [email protected] list. Others should subscribe to and send comments to the [email protected] list. To subscribe, send an email message to [email protected] with the word "subscribe" as the body of the message.

wss-interop2-draft-06.doc 6-Oct-03 Copyright © OASIS Open 2003. All Rights Reserved.


Table of Contents

1 Introduction
1.1 Terminology
2 Test Application
3 Scenario #8 – WSS 1.1
3.1 Agreements
3.1.1 CERT-VALUE
3.1.2 Signature Trust Root
3.2 Parameters
3.3 General Message Flow
3.4 First Message - Request
3.4.1 Message Elements and Attributes
3.4.2 Message Creation
3.4.3 Message Processing
3.4.4 Example (Non-normative)
3.5 Second Message - Response
3.5.1 Message Elements and Attributes
3.5.2 Message Creation
3.5.3 Message Processing
3.5.4 Message Processing
3.5.5 Example (Non-normative)
3.6 Other processing
3.6.1 Requester
3.6.2 Responder
3.7 Expected Security Properties
4 References
4.1 Normative
Appendix A. Ping Application WSDL File
Appendix B. Revision History
Appendix C. Notices


1 Introduction

This document describes a message exchange to be tested during the WSS 1.1 interoperability event of the WSS TC. The exchange uses the Request/Response Message Exchange Pattern (MEP) with no intermediaries to invoke a simple application. The scenario is called Scenario #8.

This scenario is intended to test the interoperability of different implementations performing common operations and to test the soundness of the various specifications and the clarity and mutual understanding of their meaning and proper application.

THIS SCENARIO IS NOT INTENDED TO REPRESENT REASONABLE OR USEFUL PRACTICAL APPLICATIONS OF THE SPECIFICATIONS. THEY HAVE BEEN DESIGNED PURELY FOR THE PURPOSES INDICATED ABOVE AND DO NOT NECESSARILY REPRESENT EFFICIENT OR SECURE MEANS OF PERFORMING THE INDICATED FUNCTIONS. IN PARTICULAR THESE SCENARIOS ARE KNOWN TO VIOLATE SECURITY BEST PRACTICES IN SOME RESPECTS AND IN GENERAL HAVE NOT BEEN EXTENSIVELY VETTED FOR ATTACKS.

1.1 Terminology

The key words must, must not, required, shall, shall not, should, should not, recommended, may, and optional in this document are to be interpreted as described in [RFC2119].


2 Test Application

The scenario uses a simple application. The Requester sends a Ping element in the SOAP body with a value of a string. The value should be the name of the organization that has developed the software and the number of the scenario, e.g. “Acme Corp. – Scenario #8”. The Requester also includes a SOAP header, PingHeader, with a value of a string. The value should match that of the Ping element. The Responder returns a PingResponse element with a value of the Ping string and the PingHeader string concatenated.


3 Scenario #8 – WSS 1.1

A header and the Request Body are encrypted using a symmetric key. The symmetric key is passed in an EncryptedKey token, encrypted under the Responder's X509 certificate. Requester authentication is provided by a UsernameToken, which is also encrypted. The header and Request Body are also signed. The Response Body is signed and encrypted and provides Signature Confirmation.

3.1 Agreements

This section describes the agreements that must be made, directly or indirectly, between parties who wish to interoperate.

3.1.1 CERT-VALUE

This is an opaque identifier indicating the X.509 certificate to be used. The certificate in question MUST be obtained by the Requester by unspecified means. The certificate SHOULD NOT have a KeyUsage extension. If it does contain a KeyUsage extension, it SHOULD include the value of digitalSignature.

3.1.2 Signature Trust Root

This refers generally to agreeing on at least one trusted key and any other certificates and sources of revocation information sufficient to validate certificates sent for the purpose of signature verification.

3.2 Parameters

This section describes parameters that are required to correctly create or process messages, but are not a matter of mutual agreement. No parameters are required.

3.3 General Message Flow

This section provides a general overview of the flow of messages. This contract covers a request/response MEP over the http binding. SOAP 1.1 MUST be used. As required by SOAP 1.1, the SOAPAction http header MUST be present. Any value, including a null string, may be used. The recipient SHOULD ignore the value.

The request contains a header and a body, both of which are encrypted. The header and body are also signed. The encryption and signature are based on an encrypted key, encrypted under a key associated with an X509 certificate. The certificate used to encrypt the key is included in the message. The Requester also includes a UsernameToken, which is also encrypted. The Responder decrypts the key, verifies the signature and decrypts the header, the body and the username token. If no errors are detected it returns the signed and encrypted response using the same key as in the request, along with a Signature Confirmation element.


3.4 First Message - Request

3.4.1 Message Elements and Attributes

All items listed in the following table MUST be generated and processed. Items not listed in the following table MAY be present, but, if they are SOAP headers, MUST NOT be marked with the mustUnderstand=”1” attribute. Items MUST appear in the order specified, except as noted.

Name  Notes

wsse11:EncryptedHeader
  @wsu:Id
  xenc:EncryptedData
    xenc:EncryptionMethod
      @Algorithm -- MUST be aes256-cbc
    xenc:CipherData
      xenc:CipherValue
wsse:Security
  @soap:mustUnderstand="1"
  wsu:Timestamp
    @wsu:Id
    wsu:Created
  xenc:EncryptedKey
    @Id
    xenc:EncryptionMethod
      @Algorithm -- MUST be rsa-oaep-mgf1p1_5
    ds:KeyInfo
      wsse:SecurityTokenReference
        wsse:KeyIdentifier -- Reference to Responder X509 Certificate
          @ValueType -- MUST be X509ThumbprintSHA1
    xenc:CipherData
      xenc:CipherValue
    xenc:ReferenceList
      xenc:DataReference -- One each for the encrypted header, encrypted username token and encrypted body
  xenc:EncryptedData -- Encrypted UsernameToken
    @Id
    @Type -- MUST be #Element
    xenc:EncryptionMethod
      @Algorithm -- MUST be aes256-cbc
    xenc:CipherData
      xenc:CipherValue
  ds:Signature
    ds:SignedInfo
      ds:CanonicalizationMethod
        @Algorithm -- MUST be Exclusive C14N
      ds:SignatureMethod
        @Algorithm -- MUST be hmac-sha1
      ds:Reference -- One each for Timestamp, unencrypted UsernameToken, unencrypted PingHeader, soap:Body
        @URI
        ds:Transforms
          ds:Transform
            @Algorithm -- MUST be Exclusive C14N
        ds:DigestMethod
          @Algorithm -- MUST be sha1
        ds:DigestValue
    ds:SignatureValue
    ds:KeyInfo
      wsse:SecurityTokenReference
        wsse:Reference -- Reference to EncryptedKey
          @URI
soap:Body
  @wsu:Id
  xenc:EncryptedData
    @Id
    @Type -- MUST be #Content
    xenc:EncryptionMethod -- MUST be aes256-cbc
    xenc:CipherData
      xenc:CipherValue

3.4.2 Message Creation

3.4.2.1 EncryptedHeader

The wsse11:EncryptedHeader MUST contain an xenc:EncryptedData. The plaintext of the header is a PingHeader element in the http://xmlsoap.org/ping namespace with the string from the Ping element in the body as the content, e.g. <m:PingHeader xmlns:m='http://xmlsoap.org/ping'>Acme Corp – Scenario #8</m:PingHeader>. The m:PingHeader MUST be signed (before being encrypted). The EncryptionMethod MUST be aes256-cbc.

3.4.2.2 Security

The wsse:Security element MUST carry the soap:mustUnderstand=“1” attribute.

3.4.2.3 Timestamp

The wsu:Created element within the wsu:Timestamp SHOULD contain the current local time at the sender expressed in the UTC time zone. The Timestamp element is signed.

3.4.2.4 EncryptedKey

The EncryptionMethod MUST be rsa-oaep-mgf1p1_5. The key size MUST be 256 bits. The SecurityTokenReference MUST use a KeyIdentifier to refer to the X509 certificate of the Responder. The Requester must have access to the public key corresponding to the private key in the certificate. A ReferenceList MUST be present.

3.4.2.5 ReferenceList

This xenc:ReferenceList MUST contain an xenc:DataReference that refers to the EncryptedHeader, an xenc:DataReference that refers to the encrypted username token and an xenc:DataReference that refers to the Body.

3.4.2.6 EncryptedData

This xenc:EncryptedData contains an encrypted wsse:UsernameToken. The encryption Type MUST be #Element. The EncryptionMethod MUST be aes256-cbc.

3.4.2.7 Signature

This signature is over the unencrypted SOAP body, the timestamp, the PingHeader and the unencrypted UsernameToken.

3.4.2.7.1 SignedInfo

The CanonicalizationMethod MUST be Exclusive Canonicalization. The SignatureMethod MUST be HMAC-SHA1. References MUST use relative URI. There MUST be four Reference elements that refer to the SOAP Body element, the wsu:Timestamp element, the wsse:UsernameToken and the PingHeader. The only Transform specified MUST be Exclusive Canonicalization. The DigestMethod MUST be SHA1.

3.4.2.7.2 SignatureValue

The SignatureValue MUST be calculated as specified by the specification, using the key encrypted under the EncryptedKey.

3.4.2.7.3 KeyInfo

The KeyInfo MUST contain a SecurityTokenReference with a reference to a relative URI which indicates the EncryptedKey containing the key material which will be used for signature verification.

3.4.2.8 Body

The body element MUST be signed then encrypted.

3.4.3 Message Processing

This section describes the processing performed by the Responder. If an error is detected, the Responder MUST cease processing the message and issue a Fault with a value of FailedAuthentication.

3.4.3.1 EncryptedHeader

The signature MUST be verified and the header decrypted.

3.4.3.2 Security

3.4.3.3 Timestamp

The signature over the Timestamp element MUST be verified.

3.4.3.4 EncryptedKey

The certificate referred to by the KeyIdentifier MUST be validated. The key material under EncryptedKey MUST be extracted.

3.4.3.5 ReferenceList

The encrypted header, usernametoken and body MUST be decrypted.

3.4.3.6 Signature

The signature over the timestamp, unencrypted PingHeader, unencrypted username token and unencrypted body MUST be verified against the signature using the specified algorithms and transforms and the indicated public key.

3.4.3.7 Body

After decrypting the body and verifying the signature, if no errors are detected, the body MUST be passed to the application. The content of the Ping element in the Body MUST match the content of the m:PingHeader element in the decrypted form of the EncryptedHeader.
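The Responder-side checks of 3.4.3, as an added Python example that is not part of the OASIS draft. It assumes a WS-Security stack has already decrypted the header, UsernameToken and Body and verified the HMAC, and shows the structural checks that remain: the signature must cover exactly the four parts the 3.4.1 table lists (wsu:Id values taken from the draft's example), every Reference must resolve, and Ping must equal PingHeader; the sample envelope is constructed, and the draft's FailedAuthentication fault is modelled as a ValueError.

```python
"""Responder checks on the Scenario #8 request after decryption (sections 3.4.1, 3.4.2.7.1, 3.4.3).
Assumes decryption and HMAC verification were already done by the WS-Security stack."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "m": "http://xmlsoap.org/ping",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# The four parts the 3.4.1 table requires a ds:Reference for, named by the
# wsu:Id values the draft's non-normative example uses.
REQUIRED_SIGNED_IDS = {"Timestamp", "UsernameToken", "PingHeader", "Body"}

# Constructed sample: the request as the Responder sees it after 3.4.3.5
# (the wsse11:EncryptedHeader has become the plaintext m:PingHeader).
DECRYPTED_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:m="http://xmlsoap.org/ping">
  <soap:Header>
    <m:PingHeader wsu:Id="PingHeader">Acme Corp - Scenario #8</m:PingHeader>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>2005-06-07T00:00:00Z</wsu:Created></wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken"><wsse:Username>alice</wsse:Username></wsse:UsernameToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#Timestamp"/>
          <ds:Reference URI="#UsernameToken"/>
          <ds:Reference URI="#PingHeader"/>
          <ds:Reference URI="#Body"/>
        </ds:SignedInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body"><m:Ping>Acme Corp - Scenario #8</m:Ping></soap:Body>
</soap:Envelope>"""

# Constructed faulty variants: a signature that leaves the Body uncovered, and
# a request whose Ping and PingHeader disagree.
UNSIGNED_BODY_REQUEST = DECRYPTED_REQUEST.replace('<ds:Reference URI="#Body"/>', "")
MISMATCHED_REQUEST = DECRYPTED_REQUEST.replace("<m:Ping>Acme", "<m:Ping>Other")


def signed_ids(env):
    """wsu:Id values named by the ds:Reference URIs (3.4.2.7.1: relative URIs only)."""
    ids = set()
    for ref in env.findall("soap:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("FailedAuthentication: non-relative Reference URI %r" % uri)
        ids.add(uri[1:])
    return ids


def check_request(xml_text):
    """Run the 3.4.3 checks; return the PingResponse string of section 2,
    or raise ValueError (the draft's FailedAuthentication fault)."""
    env = ET.fromstring(xml_text)
    # Exactly the four required parts must be signed: a signature that omits the
    # Body or the PingHeader leaves that part unprotected, so require the full
    # set rather than merely "some Reference is present".
    ids = signed_ids(env)
    if ids != REQUIRED_SIGNED_IDS:
        raise ValueError("FailedAuthentication: signature covers only %s" % sorted(ids))
    present = {el.get(WSU_ID) for el in env.iter() if el.get(WSU_ID)}
    if not REQUIRED_SIGNED_IDS <= present:
        raise ValueError("FailedAuthentication: dangling Reference %s" % sorted(REQUIRED_SIGNED_IDS - present))
    ping = env.find("soap:Body/m:Ping", NS)
    header = env.find("soap:Header/m:PingHeader", NS)
    if ping is None or header is None:
        raise ValueError("FailedAuthentication: Ping or PingHeader missing")
    # 3.4.3.7: the Ping content MUST match the decrypted PingHeader content.
    if (ping.text or "") != (header.text or ""):
        raise ValueError("FailedAuthentication: Ping and PingHeader differ")
    # Section 2: PingResponse is the Ping string and the PingHeader string concatenated.
    return (ping.text or "") + (header.text or "")


def request_is_valid(xml_text):
    """True if check_request accepts the envelope, False on any rejection."""
    try:
        check_request(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(check_request(DECRYPTED_REQUEST))
```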


3.4.4 Example (Non-normative)

Here is an example request.


<?xml version="1.0" encoding="utf-8" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd">
  <soap:Header>
    <wsse11:EncryptedHeader wsu:Id="EncPingHeader">
      <xenc:EncryptedData>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
        <xenc:CipherData>
          <xenc:CipherValue>Ii0t6VeDmNQ6pWVQpz1MdZwchSTs7W+i1pRL3hutniZU2GFxJabDbE56ge5Whx2r+zrKlTkvOUjbEe2sE4WaJw48h/oO+/8wD95MfBMgVv+u7pNmp7UUWbM2pFvEesuYqHBlrlFxV593FOdbX/FI0HcdXLnJglS5/lLUr6Mridy9ENBWYh1P0sr1H2OCzgRtyxK0UjzyBcpH6QN36WxMX+XM/yC6SjVHifKpc11sCvEqAPrgAvlAh4AL2NSAfzQ8coC6c90mZhsd1xzoc3YsbJd79aW9SVMizrXScnDaUiEvIi2GJ0trHiDtSdY/jzBX</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </wsse11:EncryptedHeader>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp">
        <wsu:Created>2005-05-14T05:55:22.994Z</wsu:Created>
        <wsu:Expires>2005-05-15T05:55:22.994Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:EncryptedKey Id="EncKey">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p1_5" />
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-x509-token-profile-1.1#X509ThumbprintSHA1">LKiQ/CmFrJDJqCLFcjlhIsmZ/+0=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>bYfDxlgGGoaF40mDswdACx0RGuwSubQbcM9N06QqmIQ8oy9TMyUk1dMnw7y/sPWYx3uXy0rYhC8sLRGsVdihpvS+RTb/K0B2P/kCryEG4iJvJCacTXoR9lDP1CCjbTdCXrkNfZ0ocmiA2mcHdhLeibAT+XYgqs+c9kgGmwaMSJM=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncPingHeader" />
          <xenc:DataReference URI="#EncBody" />
          <xenc:DataReference URI="#EncUsernameToken" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <xenc:EncryptedData Id="EncUsernameToken" Type="http://www.w3.org/2001/04/xmlenc#Element">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
        <xenc:CipherData>
          <xenc:CipherValue>TJezCegnJjeS6EcUh0wFVcseeri/QBXBsE1y0JMT0bIiqTnMeDL8gWWMPau4PVHjm+n47kVno2+KIXu3wjdJnASOS1kErchWiF6fC1kf9LSj5B2VTOqFPTazyaDFuVfZ9PmOyfsyGrE/9IzZLUCjAtY3gqjZUtVpTwHbeV8/p4neSRwHLUMZ1+AnvqgejjzkowgB43Z9y7Sourb+7mat1MPTCrP1aDyIBBS11v81xg7JGStvO6xA6Ufd9KjSv9uDEU5I4K5w6IY6Iv0P3xgxw7VxBP9xzi0GmbvYJFa7RPcOHUN2S+Sqr8jvZZAv6QjbI494y07h/tWgrQEBe/qQSi7tWfhGVoeh30JuBaaplP/yzXruVFImlP5lMZT7SITKQKjt+WiEwvmfKoFOrWPEO03e2EdHlDtzz6qoMY7LKswtelIexlXVcbF9bKCc7hc/VsdbTCJGLwehNP84cBk1tCJKIHQd8oq8CLOMuazMlT4=</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
          <ds:Reference URI="#Timestamp">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>IiFV7HSiL3mHn9gAHQmosC4MLiM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#UsernameToken">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>Y43GKqThYec5VhjJo9uMUUmijTI=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#PingHeader">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>qNh8qc0JAeT2DHKLDhnhx1SeLIs=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>AApMppXTUonGAvIEvijdw3MRd/Y=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>fNa57H35Xm/14dDK3wBJ1pkW6i4=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#EncKey" />
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body">
    <xenc:EncryptedData Id="EncPing" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <xenc:CipherData>
        <xenc:CipherValue>ZLpEO/voXN4dDw2Sp2/9Hcqvs8cT48RcozXrtNzKeOcewom3zMANIxg2sZBZ47DCISJL61hdPwLdoqBfbY6LDfXr0ghK2gwlj70jOMsrLWU=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>


3.5 Second Message - Response

3.5.1 Message Elements and Attributes

All items listed in the following table MUST be generated and processed. Items not listed in the following table MUST NOT be created or processed. Items MUST appear in the order specified, except as noted.

Name  Notes

wsse:Security
  @soap:mustUnderstand="1"
  wsu:Timestamp
    @wsu:Id
    wsu:Created
  xenc:ReferenceList
    xenc:DataReference -- Reference to encrypted body
      @URI
  wsse11:SignatureConfirmation
    @wsu:Id
    @Value -- The SignatureValue from the request message
  ds:Signature
    ds:SignedInfo
      ds:CanonicalizationMethod -- MUST be Exclusive C14N
      ds:SignatureMethod -- MUST be hmac-sha1
      ds:Reference -- One each for Timestamp, SignatureConfirmation, soap:Body
        @URI
        ds:Transforms
          ds:Transform
            @Algorithm -- MUST be Exclusive C14N
        ds:DigestMethod
          @Algorithm -- MUST be sha1
        ds:DigestValue
    ds:SignatureValue
    ds:KeyInfo
      wsse:SecurityTokenReference
        wsse:KeyIdentifier
          @ValueType -- MUST be #EncryptedKeySHA1
soap:Body
  @wsu:Id
  xenc:EncryptedData
    @Id
    @Type -- MUST be #Content
    xenc:EncryptionMethod
      @Algorithm -- MUST be aes256-cbc
    ds:KeyInfo
      wsse:SecurityTokenReference
        wsse:KeyIdentifier
          @ValueType -- MUST be #EncryptedKeySHA1
    xenc:CipherData
      xenc:CipherValue

3.5.2 Message Creation

3.5.2.1 Security

The wsse:Security element MUST contain the mustUnderstand=“1” attribute.

3.5.2.2 Timestamp

The wsu:Created element within the wsu:Timestamp SHOULD contain the current local time at the sender expressed in the UTC time zone.

3.5.2.3 ReferenceList

This ReferenceList MUST contain a DataReference that refers to the Body.

3.5.2.4 SignatureConfirmation

The SignatureConfirmation/@Value MUST contain the SignatureValue from the request.

3.5.2.5 Signature

This signature is over the unencrypted SOAP body, the timestamp and the signature confirmation.

3.5.2.5.1 SignedInfo

The CanonicalizationMethod MUST be Exclusive Canonicalization. The SignatureMethod MUST be HMAC-SHA1. References MUST use relative URI. There MUST be 3 Reference elements that refer to the SOAP Body element, the timestamp and the signature confirmation. The only Transform specified MUST be Exclusive Canonicalization. The DigestMethod MUST be SHA1.


3.5.2.5.2 SignatureValue

The SignatureValue MUST be calculated as specified by the specification, using the key encrypted under the EncryptedKey in the request.

3.5.2.5.3 KeyInfo

The KeyInfo MUST contain a SecurityTokenReference with a reference to the EncryptedKey using a KeyIdentifier. The ValueType attribute on the KeyIdentifier MUST have a value of "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1".

3.5.2.6 Body

The body element MUST be signed and then encrypted.

3.5.3 Message Processing

This section describes the processing performed by the Responder. If an error is detected, the Responder MUST cease processing the message and issue a Fault with a value of FailedAuthentication.

3.5.3.1 Security

3.5.3.2 Timestamp

The signature over the Timestamp element MUST be verified.

3.5.3.3 ReferenceList

The body MUST be decrypted.

3.5.3.4 SignatureConfirmation

The signature over the SignatureConfirmation element MUST be verified. The @Value attribute MUST be checked against the signature value used in the request.

3.5.3.5 Signature

The signature over the timestamp, the signature confirmation and unencrypted body MUST be verified using the specified algorithms and transforms and the symmetric key.

3.5.3.6 Body

After decrypting the body and verifying the signature, if no errors are detected, the body MUST be passed to the application. The content of the PingResponse element in the Body MUST match the content of the Ping element in the original request concatenated with the content of the PingHeader element in the original request.

3.5.4 Message Processing

The body is passed to the application without modification.
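The correlation checks of 3.5.3 on the Requester side, as an added Python example that is not part of the OASIS draft. It assumes the WS-Security stack has already decrypted the Body and verified the HMAC, and checks what ties the response to this particular request: SignatureConfirmation/@Value against the SignatureValue the Requester sent (the value from the draft's example), the EncryptedKeySHA1 KeyIdentifier against the EncryptedKey the request carried (assuming, as WSS 1.1 defines it to my knowledge, that the identifier is the base64 SHA-1 of the raw CipherValue octets), and PingResponse against Ping + PingHeader; the envelopes and key bytes are constructed.

```python
"""Requester-side correlation checks on the Scenario #8 response (sections 3.5.1, 3.5.3).
Assumes Body decryption and HMAC verification were already done by the WS-Security stack."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd",
    "m": "http://xmlsoap.org/ping",
}
# ValueType that 3.5.2.5.3 requires on the response KeyIdentifier.
ENCRYPTED_KEY_SHA1 = ("http://docs.oasis-open.org/wss/2005/xx/"
                      "oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1")

# What the Requester remembers about the request it sent. The SignatureValue is
# the one in the draft's non-normative example; the key ciphertext is constructed.
SENT = {
    "sig": "fNa57H35Xm/14dDK3wBJ1pkW6i4=",
    "enc_key": base64.b64encode(b"constructed RSA-OAEP ciphertext of the AES-256 key").decode(),
    "ping": "Acme Corp - Scenario #8",
    "ping_header": "Acme Corp - Scenario #8",
}


def encrypted_key_sha1(encrypted_key_b64):
    """#EncryptedKeySHA1 identifier: base64(SHA-1(raw CipherValue octets)).
    Assumption: that is the WSS 1.1 definition of this ValueType."""
    return base64.b64encode(hashlib.sha1(base64.b64decode(encrypted_key_b64)).digest()).decode()


def build_response(sig_conf_value, key_id, ping_response):
    """Constructed decrypted response in the shape of the 3.5.1 table (Signature abbreviated)."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:ds="{NS['ds']}" xmlns:wsu="{NS['wsu']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsse11="{NS['wsse11']}" xmlns:m="{NS['m']}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>2005-06-07T00:00:01Z</wsu:Created></wsu:Timestamp>
      <wsse11:SignatureConfirmation wsu:Id="SigConf" Value="{sig_conf_value}"/>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#Timestamp"/><ds:Reference URI="#SigConf"/><ds:Reference URI="#Body"/></ds:SignedInfo>
        <ds:KeyInfo><wsse:SecurityTokenReference>
          <wsse:KeyIdentifier ValueType="{ENCRYPTED_KEY_SHA1}">{key_id}</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference></ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body"><m:PingResponse>{ping_response}</m:PingResponse></soap:Body>
</soap:Envelope>"""


def check_response(xml_text, sent):
    """Run the 3.5.3 correlation checks; return the PingResponse content or
    raise ValueError (the draft's FailedAuthentication fault)."""
    env = ET.fromstring(xml_text)
    sec = env.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("FailedAuthentication: wsse:Security missing")
    # 3.5.3.4: the confirmation must echo the SignatureValue we sent; a response
    # captured from some earlier exchange confirms a different value and fails here.
    conf = sec.find("wsse11:SignatureConfirmation", NS)
    if conf is None or conf.get("Value") != sent["sig"]:
        raise ValueError("FailedAuthentication: SignatureConfirmation does not match the request")
    # 3.5.2.5.3: the signing key is named only by EncryptedKeySHA1, so recompute
    # the identifier from the EncryptedKey we sent and require an exact match.
    kid = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != ENCRYPTED_KEY_SHA1:
        raise ValueError("FailedAuthentication: KeyIdentifier missing or wrong ValueType")
    if (kid.text or "").strip() != encrypted_key_sha1(sent["enc_key"]):
        raise ValueError("FailedAuthentication: response keyed under an EncryptedKey we did not send")
    # 3.5.3.6: PingResponse MUST be the request's Ping followed by its PingHeader.
    resp = env.find("soap:Body/m:PingResponse", NS)
    if resp is None or (resp.text or "") != sent["ping"] + sent["ping_header"]:
        raise ValueError("FailedAuthentication: PingResponse does not match the request")
    return resp.text


def response_is_valid(xml_text, sent):
    """True if check_response accepts the envelope, False on any rejection."""
    try:
        check_response(xml_text, sent)
        return True
    except (ValueError, ET.ParseError):
        return False


GOOD_KEY_ID = encrypted_key_sha1(SENT["enc_key"])
EXPECTED = SENT["ping"] + SENT["ping_header"]
GOOD_RESPONSE = build_response(SENT["sig"], GOOD_KEY_ID, EXPECTED)
# Constructed faulty variants: a confirmation of some other signature, and a
# response keyed under an EncryptedKey this Requester never sent.
STALE_CONFIRMATION = build_response(base64.b64encode(b"another signature").decode(), GOOD_KEY_ID, EXPECTED)
WRONG_KEY = build_response(SENT["sig"], encrypted_key_sha1(base64.b64encode(b"other key").decode()), EXPECTED)

if __name__ == "__main__":
    print(check_response(GOOD_RESPONSE, SENT))
```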

3.5.5 Example (Non-normative)

Here is an example response.


<?xml version="1.0" encoding="utf-8" ?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsse11="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="Timestamp">
        <wsu:Created>2005-05-14T05:55:23.044Z</wsu:Created>
        <wsu:Expires>2005-05-15T05:55:23.044Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#EncBody" />
      </xenc:ReferenceList>
      <wsse11:SignatureConfirmation wsu:Id="SigConf" Value="fNa57H35Xm/14dDK3wBJ1pkW6i4=" />
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
          <ds:Reference URI="#Timestamp">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>AQ0P8TGCKhgzVci+sc6BEknMyUA=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#SigConf">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>0w+mnbSl3pCCLBsEXS9aju0jhbQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Body">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>44hQEvD7btVVf7Mz9MrwQ/u/0y4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>eIUZHpNd/Y7ZfKgyHd244RoeqPA=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1">SfoOtslHhtkdVlRTrRqCJzXUaeY=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id="Body">
    <xenc:EncryptedData Id="EncBody" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-soap-message-security-1.1#EncryptedKeySHA1">SfoOtslHhtkdVlRTrRqCJzXUaeY=</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>OeW+tktu8NV7NLraPtPrBAAXvwPGje2VeWM8QN16coPmY9V2rTJdU5zVohebVOCh6Yh56qZGQkqzv9PWdh1Hx4qLIvcQ+hkb05dPgW19AsaQ4GSAWNcQyQG6Ep+hE85d+N3GHtLUMY9SOoGxZTaTK8BExB6I6KdOrmjtRCFBbVE=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

3.6 Other processingThis section describes processing that occurs outside of generating or processing a message.

3.6.1 RequesterNo additional processing is required.

3.6.2 Responder

No additional processing is required.

3.7 Expected Security Properties

Use of the service is restricted to authorized parties as specified by the UsernameToken. The service is authenticated to the client. The Body of the request is protected against modification and inspection. The response is authenticated, protected against modification and inspection, and correlated to the request.
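As an added illustration, not part of the interop scenario document, the following Python check walks a response of the shape shown above and confirms the properties of section 3.7 that can be established structurally: the Security header is mustUnderstand, the Timestamp is current, the HMAC-SHA1 signature covers the Timestamp, the SignatureConfirmation and the Body, the SignatureConfirmation echoes the request's SignatureValue (correlation), and the Body content is AES-256-CBC encrypted and listed in the ReferenceList. It does not verify the HMAC or decrypt the Body; both need the key that the EncryptedKeySHA1 KeyIdentifier points at in the request. The trimmed sample message is constructed from the page's response, and `check_response`, `parse_utc`, `NS` and the sample constants are this example's own names.

```python
# Added example (not part of the OASIS interop scenario document): structural
# check of the section 3.7 properties on a WSS 1.1 response. It does NOT verify
# the HMAC or decrypt the Body, which need the key behind EncryptedKeySHA1.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd",
}
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
AES256_CBC = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"

# Constructed sample: the page's response trimmed to the elements the check reads.
SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:xenc="{NS['xenc']}"
  xmlns:ds="{NS['ds']}" xmlns:wsu="{NS['wsu']}" xmlns:wsse="{NS['wsse']}" xmlns:wsse11="{NS['wsse11']}">
  <soap:Header><wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp"><wsu:Created>2005-05-14T05:55:23.044Z</wsu:Created>
      <wsu:Expires>2005-05-15T05:55:23.044Z</wsu:Expires></wsu:Timestamp>
    <xenc:ReferenceList><xenc:DataReference URI="#EncBody"/></xenc:ReferenceList>
    <wsse11:SignatureConfirmation wsu:Id="SigConf" Value="fNa57H35Xm/14dDK3wBJ1pkW6i4="/>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{HMAC_SHA1}"/>
      <ds:Reference URI="#Timestamp"/><ds:Reference URI="#SigConf"/><ds:Reference URI="#Body"/>
    </ds:SignedInfo><ds:SignatureValue>eIUZHpNd/Y7ZfKgyHd244RoeqPA=</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Body"><xenc:EncryptedData Id="EncBody" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <xenc:EncryptionMethod Algorithm="{AES256_CBC}"/>
    <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></soap:Body></soap:Envelope>"""

# In a real client this is the SignatureValue of the request that was sent; here
# it is the value the page's response echoes in SignatureConfirmation.
REQUEST_SIGNATURE_VALUE = "fNa57H35Xm/14dDK3wBJ1pkW6i4="


def parse_utc(text):
    """Parse a wsu:Created / wsu:Expires value (UTC, optional fraction)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_response(xml_text, request_signature_value, now):
    """Return a list of policy failures; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    failures = []
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    if sec.get(f"{{{NS['soap']}}}mustUnderstand") != "1":
        failures.append("Security header is not mustUnderstand=1")

    # Every wsu:Id / Id in the message, so that #references can be resolved.
    ids = set()
    for el in root.iter():
        for attr in (f"{{{NS['wsu']}}}Id", "Id"):
            if el.get(attr):
                ids.add(el.get(attr))

    # Freshness: the verification time must fall inside the Timestamp window.
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        failures.append("no Timestamp")
    else:
        created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
        expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
        if not created <= now < expires:
            failures.append("Timestamp not valid at verification time")

    # Integrity and authentication: HMAC-SHA1 over Timestamp, SigConf and Body.
    sig = sec.find("ds:Signature", NS)
    if sig is None:
        failures.append("no Signature")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        if method != HMAC_SHA1:
            failures.append(f"unexpected SignatureMethod {method}")
        signed = {r.get("URI").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        for needed in ("Timestamp", "SigConf", "Body"):
            if needed not in signed:
                failures.append(f"signature does not cover #{needed}")
        for ref in signed - ids:
            failures.append(f"signed reference #{ref} resolves to nothing")

    # Correlation: SignatureConfirmation must echo the request's SignatureValue.
    conf = sec.find("wsse11:SignatureConfirmation", NS)
    if conf is None or conf.get("Value") != request_signature_value:
        failures.append("SignatureConfirmation does not match request signature")

    # Confidentiality: the Body content is encrypted and listed in ReferenceList.
    enc = root.find("soap:Body/xenc:EncryptedData", NS)
    listed = {d.get("URI").lstrip("#") for d in sec.findall("xenc:ReferenceList/xenc:DataReference", NS)}
    if enc is None or enc.get("Id") not in listed:
        failures.append("Body is not encrypted or not listed in ReferenceList")
    elif enc.find("xenc:EncryptionMethod", NS).get("Algorithm") != AES256_CBC:
        failures.append("unexpected Body encryption algorithm")
    return failures


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, REQUEST_SIGNATURE_VALUE, parse_utc("2005-05-14T06:00:00Z")))
```

The check is deliberately ordered so that a failure list, not an exception, comes back for a well-formed but non-compliant message; in a real verifier it would run before the HMAC is checked, so that a response whose signature omits the Body or whose SignatureConfirmation belongs to a different request is rejected even if its signature value happens to verify.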



Appendix A. Ping Application WSDL File

<wsdl:definitions xmlns:tns="http://xmlsoap.org/Ping"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  targetNamespace="http://xmlsoap.org/Ping"
                  name="Ping">
  <wsdl:types>
    <xs:schema targetNamespace="http://xmlsoap.org/Ping" elementFormDefault="qualified">
      <xs:import namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                 schemaLocation="utility.xsd"/>
      <xs:element name="Ping" type="xs:string"/>
      <xs:element name="PingResponse" type="xs:string"/>
      <xs:element name="PingHeader" type="tns:PingHeaderType"/>
      <xs:complexType name="PingHeaderType">
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <xs:attribute ref="wsu:Id"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:schema>
  </wsdl:types>
  <wsdl:message name="PingRequest">
    <wsdl:part name="Ping" element="tns:Ping"/>
  </wsdl:message>
  <wsdl:message name="PingResponse">
    <wsdl:part name="pingResponse" element="tns:PingResponse"/>
  </wsdl:message>
  <wsdl:portType name="PingPort">
    <wsdl:operation name="Ping">
      <wsdl:input message="tns:PingRequest"/>
      <wsdl:output message="tns:PingResponse"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="PingBinding" type="tns:PingPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Ping">
      <soap:operation/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="PingService">
    <wsdl:port name="Ping1" binding="tns:PingBinding">
      <soap:address location="http://localhost:9080/pingservice/Ping8"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>


Appendix B. Revision History

Rev        Date         By Whom         What
wss11-01   2005-05-14   Martin Gudgin   Initial version


Appendix C. Notices

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS's procedures with respect to rights in OASIS specifications can be found at the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification, can be obtained from the OASIS Executive Director.

OASIS invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to implement this specification. Please address the information to the OASIS Executive Director.

Copyright © OASIS Open 2003. All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an “AS IS” basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
