Merge pull request #19 from difi/16-02-wssecurity

new wsdl / xsd for 16-02, updated WS-Security page

ws-security/WebserviceSecurity.textile

@@ -12,100 +12,104 @@ id: WS-security/WebserviceSecurity
 h2. {{page.title}}
 
 
+h3. WS-Security headere
 
-h3. Webservice security headere
-
-Webservice security header skal bestå av følgende elementer:
+Følgende WS-Security elementer skal anvendes:
 
 table(table table-striped).
 |_. Identifikator |_. Kardinalitet |_. Datatype |
-| BinarySecurityToken | 1..1 | "wsse:BinarySecurityToken":http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717134 |
 | Timestamp | 1..1 | "wsu:Timestamp":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717167 |
 | Signature | 1..1 | "ds:Signature":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717148 |
 
-Forespørsel skal kun signeres på SOAP nivå, ikke krypteres.  
+Forespørsel skal kun signeres på SOAP nivå, ikke krypteres. Signeringssertifikatet skal representeres som et BinarySecurityToken i meldinga
+
+table(table table-striped).
+|_. Identifikator |_. Kardinalitet |_. Datatype |
+| BinarySecurityToken | 1..1 | "wsse:BinarySecurityToken":http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717134 |
+
 Respons frå Difi vil vere både signert og kryptert.
 
 h3. Timestamp
 
 * Time-to-live skal være 120 sekunder.
 
 
-h3. BinarySecurityToken
-
-* Sertifikat for validering av signatur skal inkluderes i SOAP header
-* Security Token være X509 sertifikater 
-* Sertifikatet som brukes skal være et virksomhetssertifikat ihht PKI-rammeverket for offentlig sektor
-** sertifikatet skal være utstedt til behandlingsansvarlig eller databehandler.
-** I testmiljøet brukes test-virksomhetssertifikat utstedt fra samme leverandører som i produksjon
-
 h3. Signature
 
-* Signeringsalgoritmen skal være "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. 
-* Fingeravtrykksalgoritmen i referansene skal være "http://www.w3.org/2001/04/xmlenc#sha256":http://www.w3.org/2001/04/xmlenc#sha256
-
 Følgende elementer i SOAP meldingen signeres:
 
 * Timestamp
 * Soap body
+* Oppslagstjenesten / Paavegneav - elementet dersom dette benyttes
+
+* Signeringsalgoritmen skal være "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. 
+* Fingeravtrykksalgoritmen i referansene skal være "http://www.w3.org/2001/04/xmlenc#sha256":http://www.w3.org/2001/04/xmlenc#sha256
+* Signeringssertifikatet skal representeres som et BinarySecurityToken i meldingen. Se spesifikke krav til dette under.
+
 
+h3. Krav til signeringssertifikat
 
+* Sertifikat for validering av signatur skal inkluderes i SOAP headerm representeret som et BinarySecurityToken.
+* Security Token være X509 sertifikater 
+* Sertifikatet som brukes skal være et virksomhetssertifikat ihht PKI-rammeverket for offentlig sektor
+** sertifikatet skal være utstedt til behandlingsansvarlig eller databehandler.
+** I testmiljøet brukes test-virksomhetssertifikat utstedt fra samme leverandører som i produksjon
 
 h3. Eksempel
 
-Under kan er det lagt opp en et eksempel på en gyldig Webservice security header generert fra java klient biblioteket for sending av digital post:
+Under kan er det lagt opp en et eksempel på en gyldig WS-Security header generert fra java klient biblioteket for sending av digital post:
 
 <pre class="brush: xml; toolbar: false">
-<env:Header>
-    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
-                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-                   env:mustUnderstand="true">
-        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-244252673B3D355C931450257103397162">
-            <ds:SignedInfo>
-                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
-                    <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
-                </ds:CanonicalizationMethod>
-                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
-                <ds:Reference URI="#TS-244252673B3D355C931450257103397157">
-                    <ds:Transforms>
-                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
-                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
-                                                    PrefixList="wsse env"/>
-                        </ds:Transform>
-                    </ds:Transforms>
-                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-                    <ds:DigestValue>n9zf4yS/8INARRo0ivLPzkv5oxc=</ds:DigestValue>
-                </ds:Reference>
-                <ds:Reference URI="#id-244252673B3D355C931450257103397161">
-                    <ds:Transforms>
-                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
-                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
-                        </ds:Transform>
-                    </ds:Transforms>
-                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-                    <ds:DigestValue>9mpFuEMb2ZXDyDci15D5e0Ni6FI=</ds:DigestValue>
-                </ds:Reference>
-            </ds:SignedInfo>
-            <ds:SignatureValue>
-                WmOS7fzEpE4mn50qgwahz9NxVb8ujMYN+160VdBWgXmKVpHLIqz2MJJJ34Et10+nvn+PGx6wIuZGylnQ9pZCN+RRSIE986sRgvoQ3ZeM0aLqasP3pGk+luOoesVN8sY+jLfyhRliuFgF3oyE/JrefJO9T7YR3UvXMjGg+5QqzP92CSkDplPlzMQa38BO1JKySfE9iF+5oewUEdExUBzuayzlm+EqqQLcpygkuSGfgbFdqQzDrEjHRfBlNZ44+JmmOCxpNYp8UWBAUOqso7qvfANIY5ieGJtKY6/yURe79gjptphhERDGAQNGtNfhf522JwEnEfXLPrDT2eNlNUzrmQ==
-            </ds:SignatureValue>
-            <ds:KeyInfo Id="KI-244252673B3D355C931450257103397159">
-                <wsse:SecurityTokenReference wsu:Id="STR-244252673B3D355C931450257103397160">
-                    <wsse:KeyIdentifier
-                            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
-                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
-                        SERTIFIKAT-VERDI
-                    </wsse:KeyIdentifier>
-                </wsse:SecurityTokenReference>
-            </ds:KeyInfo>
-        </ds:Signature>
-        <wsu:Timestamp wsu:Id="TS-244252673B3D355C931450257103397157">
-            <wsu:Created>2015-12-16T09:11:43.397Z</wsu:Created>
-            <wsu:Expires>2015-12-16T09:16:43.397Z</wsu:Expires>
-        </wsu:Timestamp>
-    </wsse:Security>
-    <Oppslagstjenesten xmlns="http://kontaktinfo.difi.no/wsdl/oppslagstjeneste-16-02">
-        <PaaVegneAv>991825827</PaaVegneAv>
-    </Oppslagstjenesten>
-</env:Header>
+<soap:Header xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
+	<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
+		<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs
+.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-15730854BE4465A46D14538884282111">MIIFOjCCBCKgAwIBAgIKGQqI22LuZ+0U6TANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxI
+zAhBgNVBAMMGkJ1eXBhc3MgQ2xhc3MgMyBUZXN0NCBDQSAzMB4XDTE0MDYxNjA4NTYyNloXDTE3MDYxNjIxNTkwMFowgaAxCzAJBgNVBAYTAk5PMSwwKgYDVQQKDCNESVJFS1RPUkFURVQgRk9SIEZPUlZBTFROSU5HIE9HIElLVDEhMB8GA1UECwwYU0RQIC0gbWVsZGluZ3N1dHZla3NsaW5nMSwwKgYDVQQDDCNESVJFS
+1RPUkFURVQgRk9SIEZPUlZBTFROSU5HIE9HIElLVDESMBAGA1UEBRMJOTkxODI1ODI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6IPA2KSAkSupen5fFM1LEnW6CRqSK20wjpBnXf414W03eWUvBlw97c6k5sl2tYdn4aVb6Z9GeDaz1bLKN3XwhFGPk9PnjSIhrFJNAPnWVEBDqGqfeMrEsYdOEgM2veBZ
+DYkhVwipjr8AesmptTRAat61q+6hCJe8UZqjXb4Mg6YKSTAHfJdthAG06weBMgVouQkTkeIIawM+QPcKQ3Wao0gIZi17V0+8xzgDu1PXr90eJ/Xjsw9t0C8Ey/3N7n3j3hplsZkjOJMBNHzbeBG/doroC6uzVURiuEn9Bc9Nk224b+7lOBZ1FvNNrJVUu5Ty3xyMDseCV7z1QTwW7wcpwIDAQABo4IBwjCCAb4wCQYDVR0TB
+AIwADAfBgNVHSMEGDAWgBQ/rvV4C5KjcCA1X1r69ySgUgHwQTAdBgNVHQ4EFgQU6JguiqDjkgjEGRHhzkbeKeqyWQEwDgYDVR0PAQH/BAQDAgSwMBYGA1UdIAQPMA0wCwYJYIRCARoBAAMCMIG7BgNVHR8EgbMwgbAwN6A1oDOGMWh0dHA6Ly9jcmwudGVzdDQuYnV5cGFzcy5uby9jcmwvQlBDbGFzczNUNENBMy5jcmwwd
+aBzoHGGb2xkYXA6Ly9sZGFwLnRlc3Q0LmJ1eXBhc3Mubm8vZGM9QnV5cGFzcyxkYz1OTyxDTj1CdXlwYXNzJTIwQ2xhc3MlMjAzJTIwVGVzdDQlMjBDQSUyMDM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDCBigYIKwYBBQUHAQEEfjB8MDsGCCsGAQUFBzABhi9odHRwOi8vb2NzcC50ZXN0NC5idXlwYXNzLm5vL29jc
+3AvQlBDbGFzczNUNENBMzA9BggrBgEFBQcwAoYxaHR0cDovL2NydC50ZXN0NC5idXlwYXNzLm5vL2NydC9CUENsYXNzM1Q0Q0EzLmNlcjANBgkqhkiG9w0BAQsFAAOCAQEAKOTM1zSdGHWUBKPzDPYCcci9cpbktd2WuBg028bRC0NwKSWUKeuUfWesTiu/P4UlYGe86qd/+z3MNpN89aGA8pr0E0WpI+NM+v+Cb0dQwxHAS
+HtrkVo9CVx6V6/QSBqIUEMfNquDHzxB2/mXbv6GuO5eIl3OSVKg7Ffd/1wdE6zeMmHQO+zRpfj+OVEhNPb5cLa13Ah9+JrMkr1O7VUFbozLQgFPhuI8/5+u8U/6cDOOmcFV4f4IYUmhbcLiW5MQnvaJ8044+uInOQTNtSkKmZAo7Jnm4KUyhFXftJOStOHSlODOQcepVS7csszO5yWQRMTV8doEsaH5p/LBXYF56Q==</wss
+e:BinarySecurityToken>
+		<wsu:Timestamp wsu:Id="TS-1">
+			<wsu:Created>2016-01-27T09:53:48.201Z</wsu:Created>
+			<wsu:Expires>2016-01-27T09:58:48.201Z</wsu:Expires>
+		</wsu:Timestamp>
+		<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-3">
+			<ds:SignedInfo>
+				<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+					<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
+				</ds:CanonicalizationMethod>
+				<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+				<ds:Reference URI="#id-2">
+					<ds:Transforms>
+						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+							<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
+						</ds:Transform>
+					</ds:Transforms>
+					<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+					<ds:DigestValue>q7aba13DrQlwblPtH+u8fkJ2nnVPzOOQVfzk5IOOjpg=</ds:DigestValue>
+				</ds:Reference>
+				<ds:Reference URI="#TS-1">
+					<ds:Transforms>
+						<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
+							<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
+						</ds:Transform>
+					</ds:Transforms>
+					<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+					<ds:DigestValue>sypzNs+XRwRKoV/cdG0AqdfsoeVz1QnI94dGuUUqI8g=</ds:DigestValue>
+				</ds:Reference>
+			</ds:SignedInfo>
+			<ds:SignatureValue>JOKR3CLGpQnyHQL6oHY7qVhrETfAl8iRzFbYKdWS8jFxTsuH1nVHcFN0tHpHx5NJzx2HB8LmNNlZP
+t4HxeZ97dETLRAaI2NUm197Ln8ATAQ23iC2MiVrFdNf2XZjVVd9WWcqdrwQDzDwS5tz78mAd0wL5Tk1fgppEWX1mniYmLrzTJVQQ5tXm8rD0RRKTpgADf+9ZLLj+k6jTBaRvEqKx9DWLOyNv3nAQI8tkGHxMR8vYDjg0pfFPsetaW+D/xLWHNuVZremHFDDHRtbQxp7wGaFLV/5NLYLJmA+oxWYAxlwmxQHPYg+nQMynlhak
+D1HopGeX/bGuJc2M8p5vg9I7g==</ds:SignatureValue>
+			<ds:KeyInfo Id="KI-15730854BE4465A46D14538884282132">
+				<wsse:SecurityTokenReference wsu:Id="STR-15730854BE4465A46D14538884282153">
+					<wsse:Reference URI="#X509-15730854BE4465A46D14538884282111" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
+				</wsse:SecurityTokenReference>
+			</ds:KeyInfo>
+		</ds:Signature>
+	</wsse:Security>
+</soap:Header>
 </pre>