Basic Security Profile [1.0] Test Assertions Version 1.0

Abstract

This document contains the test assertions for the WS-I Basic Security Profile definition. These test assertions are used by the analyzer testing tool to determine if a Web service is conformant to the Basic Security Profile.

Notice

The material contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this material or WS-I. The material contained herein is provided on an "AS IS" basis and to the maximum extent permitted by applicable law, this material is provided AS IS AND WITH ALL FAULTS, and the authors and developers of this material and WS-I hereby disclaim all other warranties and conditions, either express, implied or statutory, including, but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, and of lack of negligence. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, CORRESPONDENCE TO DESCRIPTION OR NON-INFRINGEMENT WITH REGARD TO THIS MATERIAL.

IN NO EVENT WILL ANY AUTHOR OR DEVELOPER OF THIS MATERIAL OR WS-I BE LIABLE TO ANY OTHER PARTY FOR THE COST OF PROCURING SUBSTITUTE GOODS OR SERVICES, LOST PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, CONSEQUENTIAL, DIRECT, INDIRECT, OR SPECIAL DAMAGES WHETHER UNDER CONTRACT, TORT, WARRANTY, OR OTHERWISE, ARISING IN ANY WAY OUT OF THIS OR ANY OTHER AGREEMENT RELATING TO THIS MATERIAL, WHETHER OR NOT SUCH PARTY HAD ADVANCE NOTICE OF THE POSSIBILITY OF SUCH DAMAGES.

Feedback

The Web Services-Interoperability Organization (WS-I) would like to receive input, suggestions and other feedback ("Feedback") on this work from a wide variety of industry participants to improve its quality over time.

By sending email, or otherwise communicating with WS-I, you (on behalf of yourself if you are an individual, and your company if you are providing Feedback on behalf of the company) will be deemed to have granted to WS-I, the members of WS-I, and other parties that have access to your Feedback, a non-exclusive, non-transferable, worldwide, perpetual, irrevocable, royalty-free license to use, disclose, copy, license, modify, sublicense or otherwise distribute and exploit in any manner whatsoever the Feedback you provide regarding the work. You acknowledge that you have no expectation of confidentiality with respect to any Feedback you provide. You represent and warrant that you have rights to provide this Feedback, and if you are providing Feedback on behalf of a company, you represent and warrant that you have the rights to provide Feedback on behalf of your company. You also acknowledge that WS-I is not required to review, discuss, use, consider or in any way incorporate your Feedback into future versions of its work. If WS-I does incorporate some or all of your Feedback in a future version of the work, it may, but is not obligated to include your name (or, if you are identified as acting on behalf of your company, the name of your company) on a list of contributors to the work. If the foregoing is not acceptable to you and any company on whose behalf you are acting, please do not provide any Feedback.

WS-I members should direct feedback on this document to wsi_testing@lists.ws-i.org; non-members should direct feedback to wsi-tools@ws-i.org.

Table of Contents

Document Conventions
Profile Definitions
Test Assertion Artifacts
secureEnvelope
Test Assertion Counts
Profile Requirements Index
Appendix A: Referenced Specifications

Document Conventions

The labels used for entry types in this document map one-to-one with the conformance targets from the profile document, but use a different convention for capitalization. For example, the conformance target SECURITY_HEADER corresponds to the entry type securityHeader.

This document uses a number of namespace prefixes throughout; their associated URIs are listed below. Note that the choice of any namespace prefix is arbitrary and not semantically significant.

• soap - " http://schemas.xmlsoap.org/soap/envelope/ "
• dsig - "http://www.w3.org/2000/09/xmldsig#"
• xenc - "http://www.w3.org/2001/04/xmlenc#"
• wsse - " http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd "
• wsu - " http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd "
• saml - " urn:oasis:names:tc:SAML:1.0:assertion "
• rel - "urn:mpeg:mpeg21:2003:01-REL-R-NS"

A "candidate" element is one that is to be verified for conformance. The analyzer specification contains a detailed explanation of all of the fields listed in this document.

Test assertion headings that have this background color are disabled and will not be processed by the analyzer.

Profile Definitions

Test Assertion Artifacts

• secureEnvelope

The Basic Security Profile 1.0 requires support for SOAP 1.1 and HTTP 1.0 or 1.1.

Specification Reference List:

• Web Services Security: SOAP Message Security
• Web Services Security: X.509 Token Profile
• Web Services Security: Username Token Profile
• XML-Signature Syntax and Processing
• XML Encryption Syntax and Processing
• Web Services Security: Kerberos Token Profile
• Web Services Security: SAML Token Profile
• Web Services Security: Rights Expression Language (REL) Token Profile

Test Assertion: BSP5607

Context:
For any secureEnvelope containing an encryptedKey or encryptedData.

Assertion Description:
"boolean(./self::soap:Envelope[soap:Header])=true() and boolean(./self::soap:Envelope[soap:Body])=true()"

Failure Message:
A soap:Envelope containing encryption is not a valid SOAP envelope.

Failure Detail Description:
The soap:Envelope in question.

Comments:
Old id="BSP6515"

Return to top of document.

Test Assertion: BSP3204

Context:
For any secureEnvelope.

Assertion Description:
No two "./self::soap:Envelope//*[@wsu:Id]" attributes have the same value.

Failure Message:
Two wsu:Id attributes within a soap:Envelope have the same value.

Failure Detail Description:
The soap:Envelope in question.

Comments:
Old id="BSP6019"

Return to top of document.

Test Assertion: BSP3206

Context:
For any soapHeader.

Assertion Description:
"count(./self::soap:Header/wsse:Security[count(@soap:actor)=0])<=1"

Failure Message:
More than one wsse:Security block exists in a soap:Header with the actor attribute omitted (i.e., it is the case that "count(./self::soap:Header/wsse:Security[count(@soap:actor)=0])>1".

Failure Detail Description:
The soap:Header element in question.

Comments:
Old id="BSP6020"

Return to top of document.

Test Assertion: BSP3210

Context:
For any soapHeader.

Assertion Description:
All ./self::soap:Header/wsse:Security/@soap:actor are unique.

Failure Message:
Two or more wsse:Security elements are present in the soap:Header with the same value for the actor attribute.

Failure Detail Description:
The soap:Header element in question.

Comments:
Old id="BSP6021"

Return to top of document.

Test Assertion: BSP3227

Context:
For any securityHeader.

Assertion Description:
"boolean(./self::wsse:Security[count(wsu:Timestamp)>1])=false()"

Failure Message:
A wsse:Security contains more than one wsu:Timestamp (i.e. it is the case that ./self::wsse:Security[count(wsu:Timestamp)>1]).

Failure Detail Description:
The wsse:Security element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3203

Context:
For any timestamp.

Assertion Description:
"boolean(./self::wsu:Timestamp[count(wsu:Created)=1])=true()"

Failure Message:
A wsu:Timestamp element does NOT contain exactly one wsu:Created child element (i.e., it is the case that "./self::wsu:Timestamp[count(wsu:Created)!=1]").

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
Old id="BSP6006"

Return to top of document.

Test Assertion: BSP3224

Context:
For any timestamp.

Assertion Description:
"boolean(./self::wsu:Timestamp[count(wsu:Expires)>1])=false()"

Failure Message:
A wsu:Timestamp element contains more than one wsu:Expires child element (i.e., it is the case that "./self::wsu:Timestamp[count(wsu:Expires)>1]").

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3221

Context:
For any timestamp that contains an expires.

Assertion Description:
"boolean(./self::wsu:Timestamp/wsu:Expires/preceding-sibling::*=./self::wsu:Timestamp/wsu:Created)=true()"

Failure Message:
wsu:Created and wsu:Expires elements appear in an improper order within a wsu:Timestamp element.

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3222

Context:
For any timestamp

Assertion Description:
"count(./self::wsu:Timestamp/wsu:Created)+count(./self::wsu:Timestamp/wsu:Expires)=count(./self::wsu:Timestamp/*)"

Failure Message:
A wsu:Timestamp contains child elements other than wsu:Created or wsu:Expires.

Failure Detail Description:
The wsu:Timestamp element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3220

Context:
For any created.

Assertion Description:
"seconds-from-duration(./self::wsu:Created/text()) should not contain more than 3 digits to right of decimal."

Failure Message:
A wsu:Created element contains more than three digits to the right of decimal.

Failure Detail Description:
The wsu:Created element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3229

Context:
For any expired.

Assertion Description:
"seconds-from-duration(./self::wsu:Expires/text()) should not contain more than 3 digits to right of decimal."

Failure Message:
A wsu:Expires element contains more than three digits to the right of decimal.

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3213

Context:
For any created that contains second values.

Assertion Description:
"seconds-from-duration(./self::wsu:Created/text()) < 60"

Failure Message:
A wsu:Created element has a seconds value greater than or equal to 60.

Failure Detail Description:
The wsu:Created element in question.

Comments:
Old id="BSP6012"

Return to top of document.

Test Assertion: BSP3215

Context:
For any expires that contains second values.

Assertion Description:
"seconds-from-duration(./self::wsu:Expires/text()) < 60"

Failure Message:
A wsu:Expires element has a seconds value greater than or equal to 60.

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3225

Context:
For any created.

Assertion Description:
"boolean(./self::wsu:Created/@ValueType)=false()"

Failure Message:
A wsu:Created element contains a ValueType attribute (i.e. it is the case that ./self::wsu:Created/@ValueType).

Failure Detail Description:
The wsu:Created element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3226

Context:
For any expires.

Assertion Description:
"boolean(./self::wsu:Expires/@ValueType)=false()"

Failure Message:
A wsu:Expires element contains a ValueType attribute (i.e. it is the case that ./self::wsu:Expires/@ValueType).

Failure Detail Description:
The wsu:Expires element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3217

Context:
For any created.

Assertion Description:
The time value is in UTC format as specified by the XML Schema type (dateTime).

Failure Message:
A wsu:Created element does NOT contain time instants in UTC format as specified by the XML Schema type (dateTime).

Failure Detail Description:
The wsu:Created element(s) in question.

Comments:
Old id="BSP6013"

Return to top of document.

Test Assertion: BSP3223

Context:
For any expires.

Assertion Description:
The time value is in UTC format as specified by the XML Schema type (dateTime).

Failure Message:
A wsu:Expires element does NOT contain time instants in UTC format as specified by the XML Schema type (dateTime).

Failure Detail Description:
The wsu:Expires element(s) in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3057

Context:
For any strReference.

Assertion Description:
The //[@wsu:Id=./self::wsse:Reference/@URI] is not a wsse:SecurityTokenReference element.

Failure Message:
A wsse:Reference element references a wsse:SecurityTokenReference.

Failure Detail Description:
The wsse:Reference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3064

Context:
For any strReference.

Assertion Description:
The //[@wsu:Id=./self::wsse:Reference/@URI] is not a wsse:Embedded element.

Failure Message:
A wsse:Reference element references a wsse:Embedded.

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6608"

Return to top of document.

Test Assertion: BSP3059

Context:
For any strReference.

Assertion Description:
"boolean(./self::wsse:Reference/@ValueType)=true()"

Failure Message:
A wsse:Reference element does NOT contain a ValueType attribute (i.e., it is NOT the case that "./self::wsse:Reference/@ValueType").

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6201"

Return to top of document.

Test Assertion: BSP3062

Context:
For any strReference.

Assertion Description:
"boolean(./self::wsse:Reference/@URI)=true()"

Failure Message:
A wsse:Reference element does NOT have a URI attribute (i.e., it is NOT the case that "./self::wsse:Reference/@URI").

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Old id="BSP6202"

Return to top of document.

Test Assertion: BSP3027

Context:
For any securityTokenReference.

Assertion Description:
"boolean(./self::wsse:SecurityTokenReference[ds:KeyName])=false()"

Failure Message:
A wsse:SecurityTokenReference contains an ds:KeyName (i.e., it is the case that "./self::wsse:SecurityTokenReference[ds:KeyName]").

Failure Detail Description:
The wsse:SecurityTokenReference element in question.

Comments:
Old id="BSP6004"

Return to top of document.

Test Assertion: BSP3054

Context:
For any strKeyIdentifier.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@ValueType])=true()"

Failure Message:
A wsse:KeyIdentifier element does NOT contain a ValueType attribute (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@ValueType]").

Failure Detail Description:
The wsse:KeyIdentifier element in question.

Comments:
Old id="BSP6003"

Return to top of document.

Test Assertion: BSP3070

Context:
For any strKeyIdentifier that refers to a securityToken other than a samlToken.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@EncodingType])=true()"

Failure Message:
A wsse:KeyIndetifier element does NOT contain a EncodingType attribute (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@EncodingType]").

Failure Detail Description:
The wsse:KeyIdentifier element in question

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3071

Context:
For any strKeyIdentifier that has an EncodingType attribute.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'])=true()"

Failure Message:
A wsse:KeyIdentifier element contains an EncodingType attribute that does NOT have a value of "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" (i.e., it is NOT the case that "./self::wsse:KeyIdentifier[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary']").

Failure Detail Description:
The wsse:KeyIdentifier element in question

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3060

Context:
For any strEmbedded.

Assertion Description:
"count(./self::wsse:Embedded/*)=1" AND the child is an internalSecurityToken.

Failure Message:
A wsse:Embedded element has zero or more than one security token child element (i.e. it is not the case that count(./self::wsse:Embedded/*)=1)

Failure Detail Description:
The wsse:Embedded element in question.

Comments:
Old id="BSP6606".

Return to top of document.

Test Assertion: BSP3056

Context:
For any strEmbedded.

Assertion Description:
"boolean(./self::wsse:Embedded[wsse:SecurityTokenReference])=false()"

Failure Message:
A wsse:Embedded element contains a wsse:SecurityTokenReference child element (i.e. it is the case that ./self::wsse:Embedded[wsse:SecurityTokenReference]).

Failure Detail Description:
The wsse:Embedded element in question.

Comments:
Old id="BSP6604"

Return to top of document.

Test Assertion: BSP3066

Context:
For any strReference that is a descendant of a securityHeader.

Assertion Description:
For __thisURI = "./self::wsse:Reference/@URI" "boolean(./self::wsse:Reference/ancestor::wsse:Security=//*[concat('#',@wsu:Id)=__thisURI]/ancestor::wsse:Security)=true()"

Failure Message:
A wsse:Reference uses a shorthand XPointer does not reference any security tokens located in the same wsse:Security element.

Failure Detail Description:
The wsse:Reference in question.

Comments:
Old id="BSP6420"

Return to top of document.

Test Assertion: BSP3067

Context:
For any strReference that is a descendant of an encryptedData.

Assertion Description:
The wsse:Reference must not use a Shorthand XPointer to refer to a security token located in a wsse:Security element other than the wsse:Security element containing a reference to the xenc:Encrypted element that contains the wsse:Reference.

Failure Message:
A wsse:Reference uses a shorthand XPointer does not reference any security tokens located in the wsse:Security element that contains a reference to the wsse:Reference's containing xenc:Encrypted.

Failure Detail Description:
The wsse:Reference in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3102

Context:
For any signature.

Assertion Description:
For __thisURI="./self::ds:Signature/ds:SignedInfo/ds:Reference/@URI" "boolean(./self::ds:Signature//*[concat('#',@Id)=__thisURI])=false"

Failure Message:
A wsse:Signature element includes an Enveloping Signature.

Failure Detail Description:
The wsse:Signature element in question.

Comments:
Old id="BSP6609"

Return to top of document.

Test Assertion: BSP3104

Context:
For any signature.

Assertion Description:
For __thisURI="./self::ds:Signature/ds:SignedInfo/ds:Reference/@URI" "boolean(./ancestor::ds:Signature[concat('#',@Id)=__thisURI]=false()"

Failure Message:
A wsse:Signature element is an Enveloped Signature.

Failure Detail Description:
The wsse:Signature element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3103

Context:
For any signature.

Assertion Description:
For __thisURI="./self::ds:Signature/ds:SignedInfo/ds:Reference/@URI" "boolean(/soap:Envelope//*[concat('#',@Id)=__thisURI]/self::ds:Signature/ds:SignedInfo/ds:Reference/@URI=__thisURI)=true()"

Failure Message:
A wsse:Signature element is not a Detached Signature.

Failure Detail Description:
The wsse:Signature element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3001

Context:
For any sigReference.

Assertion Description:
"boolean(./self::ds:Reference/@URI)=true()" and the value ./self::ds:Reference/@URI is a Shorthand XPointer Reference.

Failure Message:
A ds:Reference element does not contain URI attribute (i.e., it is NOT the case that "boolean(./self::ds:Reference/@URI)=true()") or the value ./self:ds:Reference/@URI is not Shorthand XPointer Reference.

Failure Detail Description:
The ds:Reference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5416

Context:
For any sigReference.

Assertion Description:
"boolean(./self::ds:Reference/ds:Transforms)=true()"

Failure Message:
A ds:Reference element does NOT contain a ds:Transforms child element (i.e., it is NOT the case that "./self::ds:Reference/ds:Transforms").

Failure Detail Description:
The ds:Reference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5411

Context:
For any sigTransforms.

Assertion Description:
"boolean(./self::ds:Transforms[count(ds:Transform)>=1])=true()"

Failure Message:
A ds:Transforms elements in the signature does NOT contain a ds:Transform child element (i.e., it is NOT the case that "./self::ds:Transforms/ds:Transform").

Failure Detail Description:
The ds:Transforms element in question.

Comments:
Old id="BSP6406"

Return to top of document.

Test Assertion: BSP5423

Context:
For any sigTransform with an Algorithm attribute.

Assertion Description:
"boolean(./self::ds:Transform[ @Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' or @Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' or @Algorithm='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform' or @Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature' or @Algorithm='http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform' or @Algorithm='http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform'])=true()"

Failure Message:
A ds:Transform/@Algorithm attribute in a signature has a value other than those specified in the profile (i.e., it is NOT the case that "./self::ds:Transform[ @Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' or @Algorithm='http://www.w3.org/2002/06/xmldsig-filter2' or @Algorithm='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform' or @Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature' or @Algorithm='http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform' or @Algorithm='http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform'])".

Failure Detail Description:
The ds:Transform elements in question.

Comments:
Old id="BSP6409"

Return to top of document.

Test Assertion: BSP5412

Context:
For any sigTransforms.

Assertion Description:
"./self::ds:Transforms/child::*[last()]=./self::ds:Transforms/child::ds:Transform[last()] and boolean(./self::ds:Transforms/child::*[last()] [@Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' or @Algorithm='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform' or @Algorithm='http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Signature-Transform' or @Algorithm='http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Signature-Transform'])=true()"

Failure Message:
A ds:Transforms element in the signature does NOT have a ds:Transform element as its last child or the ds:Transform Element contains an Agorithm attribute is not one of "http://www.w3.org/2001/10/xml-exc-c14n#" or "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform" or "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Signature-Transform" or "http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Signature-Transform" (i.e., it is NOT the case that "./self::ds:Transforms/child::*[last()]=./self::ds:Transforms/child::ds:Transform[last()]" or "./sel;f::ds:Transforms/child::*[last()][@Alorithm='http://www.w3.org/2001/10/xml-exc-c14n#' or @Alorithm='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform' or @Alorithm='http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Content-Signature-Transform' or @Alorithm='http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-swa-profile-1.0#Attachment-Complete-Signature-Transform']").

Failure Detail Description:
The ds:Transforms element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3065

Context:
For any sigTransform containing an Algorithm attribute with a value of "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform".

Assertion Description:
"boolean(./self::ds:Transform/wsse:TransformationParameters/ds:CanonicalizationMethod)=true()"

Failure Message:
A ds:Transform element for a Security Token Dereferencing Transform does not contain a wsse:TransformationParameters child element containing a ds:CanonicalizationMethod child element (i.e. it is NOT the case that ./self::ds:Transform/wsse:TransformationParameters/ds:CanonicalizationMethod.

Failure Detail Description:
The ds:Transform element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5404

Context:
For any canonicalizationMethod.

Assertion Description:
"boolean(./self::ds:CanonicalizationMethod[@Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'])=true()"

Failure Message:
A ds:CanonicalizationMethod/@Algorithm attribute has a value other than "http://www.w3.org/2001/10/xml-exc-c14n#" (i.e., it is NOT the case that "./self::ds:CanonicalizationMethod[@Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#']").

Failure Detail Description:
The ds:CanonicalizationMethod element in question.

Comments:
Old id="BSP6407"

Return to top of document.

Test Assertion: BSP5420

Context:
For any digestMethod.

Assertion Description:
"boolean(./self::ds:DigestMethod[@Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"])=true()"

Failure Message:
A ds:DigestMethod element does not contain a Algorithm attribute or the Algorithm attribute does not contain the value "http://www.w3.org/2000/09/xmldsig#sha1" (i.e., it is NOT the case that "boolean(./self::ds:DigestMethod[@Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"])=true()").

Failure Detail Description:
The ds:DigestMethod element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5421

Context:
For any signatureMethod.

Assertion Description:
"boolean(./self::ds:SignatureMethod[@Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" or @Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"])=true()"

Failure Message:
A ds:SignatureMethod element does not contain a Algorithm attribute or the Algorithm attribute does not contain the value "http://www.w3.org/2000/09/xmldsig#hmac-sha1" or "http://www.w3.org/2000/09/xmldsig#rsa-sha1" (i.e., it is NOT the case that "boolean(./self::ds:SignatureMethod[@Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" or @Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"])=true()").

Failure Detail Description:
The ds:SignatureMethod element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5401

Context:
For any signatureMethod.

Assertion Description:
"boolean(./self::ds:SignatureMethod/ds:HMACOutputLength)=false()"

Failure Message:
A ds:SignatureMethod elements contains a ds:HMACOutputLength element as a child element (i.e., it is the case that "./self::ds:SignatureMethod/ds:HMACOutputLength").

Failure Detail Description:
The ds:SignatureMethod element in question.

Comments:
Old id="BSP6410"

Return to top of document.

Test Assertion: BSP5402

Context:
For any sigKeyInfo.

Assertion Description:
"boolean(./self::ds:KeyInfo[count(child::*)=1])=true()"

Failure Message:
A ds:KeyInfo element in a signature does NOT have exactly one child element (i.e., it is the case that "ds:Signature//ds:KeyInfo[count(child::*)!=1]").

Failure Detail Description:
The ds:KeyInfo element in question.

Comments:
Old id="BSP6302"

Return to top of document.

Test Assertion: BSP5417

Context:
For any sigKeyInfo element.

Assertion Description:
"boolean(./self::ds:KeyInfo/wsse:SecurityTokenReference)=true()"

Failure Message:
A ds:KeyInfo element in a signature does NOT have a wsse:SecurityTokenReference child element (i.e., it is NOT the case that "ds:KeyInfo/wsse:SecurityTokenReference").

Failure Detail Description:
The ds:KeyInfo element in question

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5403

Context:
For any signature.

Assertion Description:
"boolean(./self::ds:Signature[descendant::ds:Manifest])=false()"

Failure Message:
A ds:Signature element in the message contains a ds:Manifest element.(i.e., it is the case that "./self::ds:Signature[descendant::ds:Manifest]").

Failure Detail Description:
The ds:Signature element in question.

Comments:
Old id="BSP6402"

Return to top of document.

Test Assertion: BSP5440

Context:
For any signature.

Assertion Description:
"boolean(./self::ds:Signature[descendant::xenc:EncryptedData])=false()"

Failure Message:
A ds:Signature element in the message contains an xenc:EncryptedData element.(i.e., it is the case that "./self::ds:Signature[descendant::xenc:EncryptedData]").

Failure Detail Description:
The ds:Signature element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3208

Context:
For any encryptedKey.

Assertion Description:
For __thisURI = "xenc:EncryptedKey//xenc:ReferenceList/xenc:DataReference/@URI", "boolean(./self::xenc:EncryptedKey/ancestor::wsse:Security//xenc:EncryptedData[concat('#',@Id)=__thisURI]/preceding-sibling::xenc:EncryptedKey=./self::xenc:EncryptedKey)=true()"

Failure Message:
An xenc:EncryptedKey element does not precedes the xenc:EncryptedData element that is referenced by the associated xenc:ReferenceList element specified in the xenc:EncryptedKey.

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
Old id="BSP6612"

Return to top of document.

Test Assertion: BSP3216

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey/xenc:ReferenceList)=true()"

Failure Message:
An xenc:EncryptedKey element does not contain xenc:ReferenceList child element.

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3209

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey[@Type])=false()"

Failure Message:
An xenc:EncryptedKey elements in the security header contains a Type attribute (i.e., it is the case that "./self::xenc:EncryptedKey[@Type]").

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
Old id="BSP6507"

Return to top of document.

Test Assertion: BSP5622

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey[@MimeType])=false()"

Failure Message:
An xenc:EncryptedKey elements in the security header contains a MimeType attribute (i.e., it is the case that "./self::xenc:EncryptedKey[@MimeType]").

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
Old id="BSP6512"

Return to top of document.

Test Assertion: BSP5623

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey[@Encoding])=false()"

Failure Message:
An xenc:EncryptedKey elements in the security header contains a Encoding attribute (i.e., it is the case that "./self::xenc:EncryptedKey[@Encoding]").

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
Old id="BSP6513"

Return to top of document.

Test Assertion: BSP5602

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey[@Recipient])=false()"

Failure Message:
An xenc:EncryptedKey element contains a Recipient attribute (i.e., it is the case that "./self::xenc:EncryptedKey[@Recipient]").

Failure Detail Description:
The xenc:EncryptedKey element in question.

Comments:
Old id="BSP6502"

Return to top of document.

Test Assertion: BSP5603

Context:
For any encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedKey[xenc:EncryptionMethod])=true()"

Failure Message:
An xenc:EncryptedKey element does NOT contain an xenc:EncryptionMethod child element (i.e., it is NOT the case that "./self::xenc:EncryptedKey[xenc:EncryptionMethod]").

Failure Detail Description:
The xenc:EncryptedKey element in question

Comments:
Old id="BSP6503"

Return to top of document.

Test Assertion: BSP5629

Context:
For any encryptedData which is not referenced from an encryptedKey.

Assertion Description:
"boolean(./self::xenc:EncryptedData[ds:KeyInfo])=true()"

Failure Message:
The xenc:EncryptedData element does not contain a ds:KeyInfo element (i.e. it is NOT the case that "./self::xenc:EncryptedData[ds:KeyInfo]").

Failure Detail Description:
The xenc:EncryptedData element in question

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5601

Context:
For any encryptedData.

Assertion Description:
"boolean(./self::xenc:EncryptedData[xenc:EncryptionMethod])=true()"

Failure Message:
An xenc:EncryptedData element does NOT contain an xenc:EncryptionMethod child element (i.e., it is NOT the case that "./self::xenc:EncryptedData[xenc:EncryptionMethod]").

Failure Detail Description:
The xenc:EncryptedData element in question

Comments:
Old id="BSP6501"

Return to top of document.

Test Assertion: BSP5424

Context:
For any encKeyInfo.

Assertion Description:
"boolean(./self::ds:KeyInfo[count(child::*)=1])=true()"

Failure Message:
A ds:KeyInfo element in an xenc:EncryptedKey does NOT have exactly one child element.(i.e., it is NOT the case that "./self::ds:KeyInfo[count(child::*)=1]").

Failure Detail Description:
The ds:KeyInfo element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5426

Context:
For any encKeyInfo.

Assertion Description:
"boolean(./self::ds:KeyInfo[wsse:SecurityTokenReference])=true()"

Failure Message:
A ds:KeyInfo element in an xenc:EncryptedKey does NOT contain a wsse:SecurityTokenReference child (i.e., it is NOT the case that "./self::ds:KeyInfo[wsse:SecurityTokenReference]").

Failure Detail Description:
The ds:KeyInfo element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5608

Context:
For any encDataReference.

Assertion Description:
./self::xenc:DataReference/@URI contains a Shorthand XPointer reference value based on the ID attribute of the referred to xenc:EncryptedData.

Failure Message:
An xenc:DataReference refers to an xenc:EncryptedData without using a Shorthand XPointer reference based on its ID attribute.

Failure Detail Description:
The xenc:DataReference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3006

Context:
For any ekDataReference.

Assertion Description:
./self::xenc:DataReference/@URI contains a Shorthand XPointer reference value based on the ID attribute of the referred to xenc:EncryptedData.

Failure Message:
An xenc:DataReference refers to an xenc:EncryptedData without using a Shorthand XPointer reference based on its ID attribute.

Failure Detail Description:
The xenc:DataReference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5613

Context:
For any encKeyReference.

Assertion Description:
./self::xenc:KeyReference/@URI contains a Shorthand XPointer reference value based on the ID attribute of the referred to xenc:EncryptedKey.

Failure Message:
An xenc:KeyReference refers to an xenc:EncryptedKey without using a Shorthand XPointer reference based on its ID attribute.

Failure Detail Description:
The xenc:KeyReference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3007

Context:
For any ekKeyReference.

Assertion Description:
./self::xenc:KeyReference/@URI contains a Shorthand XPointer reference value based on the ID attribute of the referred to xenc:EncryptedKey.

Failure Message:
An xenc:KeyReference refers to an xenc:EncryptedKey without using a Shorthand XPointer reference based on its ID attribute.

Failure Detail Description:
The xenc:KeyReference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5620

Context:
For any edEncryptionMethod.

Assertion Description:
"boolean(./self::xenc:EncryptionMethod[ @Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or @Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' or @Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc'])=true()"

Failure Message:
An xenc:EncryptionMethod contains an Algorithm attribute with a value other than one of "http://www.w3.org/2001/04/xmlenc#tripledes-cbc" or "http://www.w3.org/2001/04/xmlenc#aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc" (i.e., it is NOT the case that "./self::xenc:EncryptionMethod[ @Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc' or @Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc' or @Algorithm='http://www.w3.org/2001/04/xmlenc#aes256-cbc']").

Failure Detail Description:
The xenc:EncryptionMethod element in question.

Comments:
Old id="BSP6505"

Return to top of document.

Test Assertion: BSP5626

Context:
For any ekEncryptionMethod.

Assertion Description:
"boolean( ./self::xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5' or @Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p' or @Algorithm='http://www.w3.org/2001/04/xmlenc#kw-tripledes' or @Algorithm='http://www.w3.org/2001/04/xmlenc#kw-aes128' or @Algorithm='http://www.w3.org/2001/04/xmlenc#kw-aes256'])=true()"

Failure Message:
A xenc:EncryptionMethod elements Algorithm attribute contains a value other than "http://www.w3.org/2001/04/xmlenc#rsa-1_5" or "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" or "http://www.w3.org/2001/04/xmlenc#kw-tripledes" or "http://www.w3.org/2001/04/xmlenc#kw-aes128" or "http://www.w3.org/2001/04/xmlenc#kw-aes256".

Failure Detail Description:
The headerElement element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP5614

Context:
For any headerElement.

Assertion Description:
"count(./self::xenc:EncryptedData)=0"

Failure Message:
The soap:Header has a xenc:EncryptedData element as its child.

Failure Detail Description:
The headerElement element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP3029

Context:
For any binarySecurityToken.

Assertion Description:
"boolean(./self::wsse:BinarySecurityToken[@EncodingType])=true()"

Failure Message:
A wsse:BinarySecurityToken does NOT contain a EncodingType attribute (i.e., it is NOT the case that "./self::wsse:BinarySecurityToken[@EncodingType]").

Failure Detail Description:
The wsse:BinarySecurityToken element in question.

Comments:
old id="BSP6001"

Return to top of document.

Test Assertion: BSP3030

Context:
For any binarySecurityToken.

Assertion Description:
"boolean(./self::wsse:BinarySecurityToken[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'])=true()"

Failure Message:
A wsse:BinarySecurity tokens contains an EncodingType attribute with a value other than "http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary" (i.e., it is NOT the case that "./self::wsse:BinarySecurityToken[@EncodingType='http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#Base64Binary']".

Failure Detail Description:
The wsse:BinarySecurityToken element in question.

Comments:
Old id="BSP6007"

Return to top of document.

Test Assertion: BSP3031

Context:
For any binarySecurityToken.

Assertion Description:
"boolean(./self::wsse:BinarySecurityToken[@ValueType])=true()"

Failure Message:
A wsse:BinarySecurityToken does NOT contain a ValueType attribute (i.e., it is NOT the case that "./self::wsse:BinarySecurityToken[@ValueType]").

Failure Detail Description:
The wsse:BinarySecurityToken element in question.

Comments:
Old id="BSP6002"

Return to top of document.

Test Assertion: BSP3032

Context:
For any binarySecurityToken.

Assertion Description:
./self::wsse:BinarySecurityToken/@ValueType has a value specified by a related security token profile.

Failure Message:
A wsse:BinarySecurityToken element has a ValueType attribute whose value is outside the defined token profiles.

Failure Detail Description:
The wsse:BinarySecurityToken element in question.

Comments:
Old id="BSP6603".

Return to top of document.

Test Assertion: BSP4222

Context:
For any usernameToken.

Assertion Description:
"count(./self::wsse:UsernameToken/wsse:Password)<=1"

Failure Message:
A wsse:UsernameToken element contains more than one wsse:Password (i.e., it is NOT the case that "count(./self::wsse:UsernameToken/wsse:Password)<=1").

Failure Detail Description:
The wsse:UsernameToken element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP4201

Context:
For any password.

Assertion Description:
"boolean(./self::wsse:Password/@Type)=true()"

Failure Message:
A wsse:Password element does NOT contain a Type attribute (i.e., it is NOT the case that "./self::wsse:Password/@Type").

Failure Detail Description:
The wsse:Password element in question.

Comments:
Old id="BSP6005"

Return to top of document.

Test Assertion: BSP4223

Context:
For any usernameToken.

Assertion Description:
"count(./self::wsse:UsernameToken/wsu:Created)<=1"

Failure Message:
A wsse:UsernameToken element contains more than one wsu:Created (i.e., it is NOT the case that "count(./self::wsse:UsernameToken/wsu:Created)<=1").

Failure Detail Description:
The wsse:UsernameToken element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP4225

Context:
For any usernameToken.

Assertion Description:
"count(./self::wsse:UsernameToken/wsse:Nonce)<=1"

Failure Message:
A wsse:UsernameToken element contains more than one wsse:Nonce (i.e., it is NOT the case that "count(./self::wsse:UsernameToken/wsse:Nonce)<=1").

Failure Detail Description:
The wsse:UsernameToken element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP4220

Context:
For any nonce.

Assertion Description:
"boolean(./self::wsse:Nonce/@EncodingType)=true()"

Failure Message:
A wsse:Nonce does NOT contain an EncodingType attribute (i.e, it is NOT the case that "./self::wsse:Nonce/@EncodingType").

Failure Detail Description:
The wsse:Nonce element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP4221

Context:
For any nonce.

Assertion Description:
"boolean(./self::wsse:Nonce[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'])=true()"

Failure Message:
A wsse:Nonce contains an EncodingType attribute that does NOT have a value "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" (i.e., it is NOT the case that "./self::wsse:Nonce[@EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary']").

Failure Detail Description:
The wsse:Nonce element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP4214

Context:
For any strReference to a usernameToken.

Assertion Description:
"boolean(./self::wsse:Reference[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken'])=true()"

Failure Message:
A wsse:Reference element that refers to a wsse:UsernameToken does not have a ValueType attribute of "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken" (i.e., it is NOT the case that "./self::wsse:Reference[@ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken'").

Failure Detail Description:
The wsse:Reference element in question.

Comments:
Because of R5204, we can assume that the strReference uses a Shorthand XPointer URI, and so we can always determine if a strReference references a usernameToken.

Return to top of document.

Test Assertion: BSP6301

Context:
For any strReference that refers to an internalSecurityToken that is an relToken containing a wsu:Id attribute.

Assertion Description:
"starts-with(./self::wsse:Reference/@URI, '#') = true()"

Failure Message:
A wsse:Reference element that refers to an rel:license element can use the shorthand XPointer format but does not.

Failure Detail Description:
The wsse:Reference element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP6602

Context:
For any strKeyIdentifier that references an internalSamlToken.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@ValueType])=true()"

Failure Message:
A wsse:KeyIdentifier element that references an internalSamlToken does not contain a ValueType attribute (i.e. it is NOT the case that ./self::wsse:KeyIdentifier[@ValueType]).

Failure Detail Description:
The wsse:KeyIdentifier element in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP6604

Context:
For Any strKeyIdentifier that references a samlToken.

Assertion Description:
"boolean(./self::wsse:KeyIdentifier[@EncodingType])=false()"

Failure Message:
A wsse:KeyIdentifier that references a saml:Assertion includes an EncodingType attribue (i.e., it IS the case that "boolean(./self::wsse:KeyIdentifier[@EncodingType])=false()"

Failure Detail Description:
The wsse:KeyIdentifier in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP6607

Context:
For any samlAuthorityBinding that contains an AuthorityKind attribute.

Assertion Description:
"boolean(./self::saml:AuthorityBinding[@AuthorityKind='saml:AssertionIdReference'])=true()"

Failure Message:
The AuthorityKind attribute in saml:AuthorityBinding element does NOT contain the value "saml:AssertionIdReference" (i.e., it is NOT the case that "./self::saml:AuthorityBinding[@AuthorityKind='saml:AssertionIdReference']").

Failure Detail Description:
The saml:AuthorityBinding in question.

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP6997

Context:
For a message obtained by reversing the SOAP Messsage Security of any secure message.

Assertion Description:
Not testable.

Failure Message:
Not testable.

Failure Detail Description:
[Not specified]

Comments:
These restrictions are intended to clarify BP1.0 and BP1.1 statements that might be unclear when SOAP Message Security is applied in compliance with the Basic Security Profile.

Return to top of document.

Test Assertion: BSP6998

Context:
These assertions provide guidance for protecting attachements when they are used with SOAP Messages.

Assertion Description:
Not testable.

Failure Message:
Not testable.

Failure Detail Description:
[Not specified]

Comments:
[Not specified]

Return to top of document.

Test Assertion: BSP6999

Context:
Not testable.

Assertion Description:
Not testable.

Failure Message:
Not testable.

Failure Detail Description:
Not testable.

Comments:
All of these profile requirements are NOT testable. Some of these test assertions represent capabilities which can not be validated.

Return to top of document.

Test Assertion: BSP0002

Context:
For any secure envelope containing a wsse:SecurityTokenReference element.

Assertion Description:
For each token referenced by the wsse:SecurityTokenReference get the referenced token and check if it is in the additional token profile.

Detail Description:

Comments:
Old id="BSP6600"

Return to top of document.

Test Assertion Counts

Total Count: 83

Count By Type:

Count By Enabled Indicator:

Profile Requirement Index

This index contains a list of all of the requirements listed in the test assertion document.