
fix for #13

joergenb committed Dec 17, 2015
2 parents 82fb984 + 744c150 commit 1d5a38c27686a55f04fc68831947ba83b9382757
Showing with 111 additions and 1 deletion.
  1. +1 −1 index.textile
  2. +110 −0 ws-security/WebserviceSecurity.textile
@@ -19,7 +19,7 @@ h3. Tjenestespesifikasjonen:
* "XSD metadata":xsd/oppslagstjeneste-metadata-14-05.xsd
* "XSD definisjon for fil eksport":xsd/kontaktregister-export-14-05.xsd
* "Egendefinert SOAP header: paaVegneAv":paaVegneAv.textile

* "Web Service Security header":ws-security/WebserviceSecurity.textile

h3. Datamodell:
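Review bot: the new `* "Web Service Security header":ws-security/WebserviceSecurity.textile` item is separated from the three existing items by a blank line, and in Textile a blank line terminates a bullet list, so the new link will render as a second, detached list below the other specification links. Suggest removing the blank line so it sits directly under `* "Egendefinert SOAP header: paaVegneAv":paaVegneAv.textile` and renders as the fourth item of the same list.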

@@ -0,0 +1,110 @@
---
layout: default
title: Webservice sikkerhet
headtitle: Oppslagstjenesten
group: WS-security

id: WS-security/WebserviceSecurity


---

h2. {{page.title}}



h3. Webservice security headere

Webservice security header består av følgende elementer:

table(table table-striped).
|_. Identifikator |_. Kardinalitet |_. Datatype |
| BinarySecurityToken | 1..1 | "wsse:BinarySecurityToken":http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717134 |
| Timestamp | 1..1 | "wsu:Timestamp":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717167 |
| Signature | 1..1 | "ds:Signature":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717148 |

Meldingen er kun signert på SOAP nivå, ikke kryptert.

h3. Timestamp

* Time-to-live skal være 120 sekunder.


h3. BinarySecurityToken

* Sertifikat for validering av signatur skal inkluderes i SOAP header
* Security Token være X509 sertifikater
* Sertifikatet som brukes skal være et virksomhetssertifikat
** sertifikatet skal være utstedt til behandlingsansvarlig eller databehandler.
** I testmiljøet brukes test-virksomhetssertifikat utstedt fra samme leverandører som i produksjon

h3. Signature

* Signeringsalgoritmen skal være "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
* Fingeravtrykksalgoritmen i referansene skal være "http://www.w3.org/2001/04/xmlenc#sha256":http://www.w3.org/2001/04/xmlenc#sha256

Følgende elementer i SOAP meldingen signeres:

* Timestamp
* Soap body



h3. Eksempel

Under kan er det lagt opp en et eksempel på en gyldig Webservice security header generert fra java klient biblioteket for sending av digital post:

<pre class="brush: xml; toolbar: false">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
env:mustUnderstand="true">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-244252673B3D355C931450257103397162">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#TS-244252673B3D355C931450257103397157">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse env"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>n9zf4yS/8INARRo0ivLPzkv5oxc=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-244252673B3D355C931450257103397161">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>9mpFuEMb2ZXDyDci15D5e0Ni6FI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
WmOS7fzEpE4mn50qgwahz9NxVb8ujMYN+160VdBWgXmKVpHLIqz2MJJJ34Et10+nvn+PGx6wIuZGylnQ9pZCN+RRSIE986sRgvoQ3ZeM0aLqasP3pGk+luOoesVN8sY+jLfyhRliuFgF3oyE/JrefJO9T7YR3UvXMjGg+5QqzP92CSkDplPlzMQa38BO1JKySfE9iF+5oewUEdExUBzuayzlm+EqqQLcpygkuSGfgbFdqQzDrEjHRfBlNZ44+JmmOCxpNYp8UWBAUOqso7qvfANIY5ieGJtKY6/yURe79gjptphhERDGAQNGtNfhf522JwEnEfXLPrDT2eNlNUzrmQ==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-244252673B3D355C931450257103397159">
<wsse:SecurityTokenReference wsu:Id="STR-244252673B3D355C931450257103397160">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
SERTIFIKAT-VERDI
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-244252673B3D355C931450257103397157">
<wsu:Created>2015-12-16T09:11:43.397Z</wsu:Created>
<wsu:Expires>2015-12-16T09:16:43.397Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<Oppslagstjenesten xmlns="http://kontaktinfo.difi.no/wsdl/oppslagstjeneste-16-02">
<PaaVegneAv>991825827</PaaVegneAv>
</Oppslagstjenesten>
</env:Header>
</pre>
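Review bot: the example header at the end of this file contradicts three of the requirements stated above it. The Signature section requires `http://www.w3.org/2001/04/xmlenc#sha256` as the digest algorithm in the references, but both `<ds:DigestMethod>` elements in the example use `http://www.w3.org/2000/09/xmldsig#sha1`; the Timestamp section fixes time-to-live at 120 seconds, but the example's `<wsu:Created>2015-12-16T09:11:43.397Z</wsu:Created>` and `<wsu:Expires>2015-12-16T09:16:43.397Z</wsu:Expires>` are 300 seconds apart; and the table gives BinarySecurityToken cardinality 1..1 and the BinarySecurityToken section says the signing certificate must be included in the SOAP header, yet the example contains no `wsse:BinarySecurityToken` element at all, only a `wsse:KeyIdentifier` placeholder (`SERTIFIKAT-VERDI`) inside the `SecurityTokenReference`. A reader who copies the example will produce messages that a validator enforcing the stated rules would reject, so either regenerate the example from a client configured to the requirements (SHA-256 digests, 120-second expiry, certificate carried in a BinarySecurityToken) or reword the requirements to match what the client actually emits. Smaller points: the front-matter `id: WS-security/WebserviceSecurity` uses a different case from the file's own path `ws-security/`, the sentence "Under kan er det lagt opp en et eksempel" has a stray "kan" and "en", and "Security Token være X509 sertifikater" is missing "skal".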
