Set the client for response signature verification methods
Use the WSSVerification and WSSVerifyPart APIs to choose the signing verification methods. The request signing verification methods include the digest algorithm and the transport methods.
To complete configuration of the signature verification information to secure SOAP messages, perform the following algorithm tasks:
- Use the WSSVerification API to configure the canonicalization and signature methods.
- Use the WSSVerifyPart API to configure the digest and transform methods.
to configure the algorithm methods to use when configuring the client for request signing.
The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following Web site http://www.w3.org/TR/xmldsig-core.
Table 1. Signing verification methods
Name of method Purpose Digest algorithm Applies to the data after transforms are applied, if specified, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the client request receiver configuration. Transform algorithm Applies to the <Transform> element. Signature algorithm Specifies the Uniform Resource Identifiers (URI) of the signature verification method. Canonicalization algorithm Specifies the Uniform Resource Identifiers (URI) of the canonicalization method.
After configuring the client to digitally sign the message, configure the client to verify the digital signature. You can use the WSS APIs or configure policy sets using the admin console to verify the digital signature and to choose the verification and verify part algorithms. If using the WSS APIs to configure, use the WSSVerification and WSSVerifyPart APIs to specify which digitally signed message parts to verify and to specify which algorithm methods to use when configuring the client for request signing.
The WSSVerification and WSSVerifyPart APIs perform the following steps to configure the signature verification and verify parts algorithm methods:
- For the consumer binding, the WSSVerification API specifies the signature methods to allow for the signature verification.
WAS supports the following pre-configured signature methods:
- WSSVerification.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1
- WSSVerification.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1
The DSA-SHA1 digital signature method (http://www.w3.org/2000/09/xmldsig#dsa-sha1) is not supported.
- For the consumer binding, the WSSVerification API specifies the canonicalization method to allow for the signature verification.
WAS supports the following pre-configured canonicalization methods by default:
- WSSVerification.EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
- WSSVerification.C14N: http://www.w3.org/2001/10/xml-c14n#
- For the consumer binding, the WSSVerifyPart API specifies the digest method, as needed. WAS supports the following digest method algorithms for signed parts verification:
- WSSVerifyPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1
- WSSVerifyPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256
- WSSVerifyPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512
- For the consumer binding, the WSSVerifyPart API specifies the transform method. WAS supports the following transform algorithms for verify parts:
- WSSVerifyPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
- WSSVerifyPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2
- WSSVerifyPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
- WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature
For the WSS APIs, WAS does not support these algorithms:
- http://www.w3.org/2002/07/decrypt#XML
- http://www.w3.org/TR/1999/REC-xpath-19991116
Results
we have specified which method to use when verifying a digital signature when the client sends a message.
Example
The following example provides sample WSS API code that specifies the verification information, the body as a part to be verified, the HMAC_SHA1 as a signature method, C14N and EXC_C14N as the candidates of canonicalization methods, TRANSFORM_STRT10 as a transform method, and SHA256 as a digest method.
// Get the message context Object msgcontext = getMessageContext(); // Generate the WSSFactory instance WSSFactory factory = WSSFactory.getInstance(); // Generate the WSSConsumingContext instance WSSConsumingContext concont = factory.newWSSConsumingContext(); // Generate the certificate list String certpath = "intca2.cer"; // The location of the X509 certificate file X509Certificate x509cert = null; try { InputStream is = new FileInputStream(certpath); CertificateFactory cf = CertificateFactory.getInstance("X.509"); x509cert = (X509Certificate)cf.generateCertificate(is); } catch(FileNotFoundException e1){ throw new WSSException(e1); } catch (CertificateException e2) { throw new WSSException(e2); } Set<Object> eeCerts = new HashSet<Object>(); eeCerts.add(x509cert); // Create the certStore java.util.List<CertStore> certList = new java.util.ArrayList<CertStore>(); CollectionCertStoreParameters certparam = new CollectionCertStoreParameters(eeCerts); CertStore cert = null; try { cert = CertStore.getInstance("Collection", certparam, "IBMCertPath"); } catch (NoSuchProviderException e1) { throw new WSSException(e1); } catch (InvalidAlgorithmParameterException e2) { throw new WSSException(e2); } catch (NoSuchAlgorithmException e3) { throw new WSSException (e3); } if(certList != null ){ certList.add(cert); } // Generate the callback handler X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler( "dsig-receiver.ks", "jks", "server".toCharArray(), certList, java.security.Security.getProvider( "IBMCertPath") ); // Generate the WSSVerification instance WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler); // Set one or more candidates of the signature method used for // verification (step. 1) // DEFAULT : WSSVerification.RSA_SHA1 ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1); // Set one or more candidates of the canonicalization method used for // verification (step. 2) // DEFAULT : WSSVerification.EXC_C14N ver.addAllowedCanonicalizationMethod(WSSVerification.C14N); ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N); // Set the part to be specified by WSSVerifyPart WSSVerifyPart verPart = factory.newWSSVerifyPart(); // Set the part to be specified by the keyword verPart.setRequiredVerifyPart(WSSVerification.BODY); // Set the candidates of digest methods to use for verification (step. 3) // DEFAULT : WSSVerifypart.TRANSFORM_EXC_C14N : String verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10); // Set the candidates of digest methods to use for verification (step. 4) // DEFAULT : WSSVerifyPart.SHA1 verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256); // Set WSSVerifyPart to WSSVerification ver.addRequiredVerifyPart(verPart); // Add the WSSVerification to the WSSConsumingContext concont.add(ver); // Validate the WS-Security header concont.process(msgcontext);
Next steps
we have completed configuring the signature verification algorithms. Next, configure the encryption or decryption algorithms, if not already configured. Or, configure the security token information, as needed.
Related concepts
XML digital signature
Related tasks
Set the signature information using the WSSSignature API
Set the client for request signing methods
Set generator signing information to protect message integrity using the WSS APIs
Related
Signature verification methods using the WSSVerification API