Network Deployment (Distributed operating systems), v8.0 > Develop and deploying applications > Develop web services - Security (WS-Security) > Develop applications that use Web Services Security > Develop message-level security for JAX-WS web services > Secure web services applications using the WSS APIs at the message level > Secure messages at the response consumer using WSS APIs > Verify consumer signing information to protect message integrity using WSS APIs


Configure response signature verification methods for the client

Use the WSSVerification and WSSVerifyPart APIs to choose the signing verification methods. The request signing verification methods include the digest algorithm and the transport methods.

To complete configuration of the signature verification information to secure SOAP messages, perform the following algorithm tasks:

to configure the algorithm methods to use when configuring the client for request signing.

The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following website http://www.w3.org/TR/xmldsig-core.

Signing verification methods. Use signing verification information to secure messages.

Name of method Purpose
Digest algorithm Applies to the data after transforms are applied, if specified, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the client request receiver configuration.
Transform algorithm Applies to the <Transform> element.
Signature algorithm Specifies the Uniform Resource Identifiers (URI) of the signature verification method.
Canonicalization algorithm Specifies the Uniform Resource Identifiers (URI) of the canonicalization method.

After configuring the client to digitally sign the message, configure the client to verify the digital signature. You can use the WSS APIs or configure policy sets using the administrative console to verify the digital signature and to choose the verification and verify part algorithms. If using the WSS APIs to configure, use the WSSVerification and WSSVerifyPart APIs to specify which digitally signed message parts to verify and to specify which algorithm methods to use when configuring the client for request signing.

The WSSVerification and WSSVerifyPart APIs perform the following steps to configure the signature verification and verify parts algorithm methods:


Procedure

  1. For the consumer binding, the WSSVerification API specifies the signature methods to allow for the signature verification. WAS supports the following pre-configured signature methods:

    • WSSVerification.RSA_SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • WSSVerification.HMAC_SHA1: http://www.w3.org/2000/09/xmldsig#hmac-sha1

    The DSA-SHA1 digital signature method (http://www.w3.org/2000/09/xmldsig#dsa-sha1) is not supported.

  2. For the consumer binding, the WSSVerification API specifies the canonicalization method to allow for the signature verification. WAS supports the following pre-configured canonicalization methods by default:

    • WSSVerification.EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSVerification.C14N: http://www.w3.org/2001/10/xml-c14n#

  3. For the consumer binding, the WSSVerifyPart API specifies the digest method, as needed. WAS supports the following digest method algorithms for signed parts verification:

    • WSSVerifyPart.SHA1 (the default value): http://www.w3.org/2000/09/xmldsig#sha1
    • WSSVerifyPart.SHA256: http://www.w3.org/2001/04/xmlenc#sha256
    • WSSVerifyPart.SHA512: http://www.w3.org/2001/04/xmlenc#sha512

  4. For the consumer binding, the WSSVerifyPart API specifies the transform method. WAS supports the following transform algorithms for verify parts:

    • WSSVerifyPart.TRANSFORM_EXC_C14N (the default value): http://www.w3.org/2001/10/xml-exc-c14n#
    • WSSVerifyPart.TRANSFORM_XPATH2_FILTER: http://www.w3.org/2002/06/xmldsig-filter2
    • WSSVerifyPart.TRANSFORM_STRT10: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
    • WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE: http://www.w3.org/2000/09/xmldsig#enveloped-signature

    For the WSS APIs, WAS does not support these algorithms:

    • http://www.w3.org/2002/07/decrypt#XML
    • http://www.w3.org/TR/1999/REC-xpath-19991116


Results

You have specified which method to use when verifying a digital signature when the client sends a message.


Example

The following example provides sample WSS API code that specifies the verification information, the body as a part to be verified, the HMAC_SHA1 as a signature method, C14N and EXC_C14N as the candidates of canonicalization methods, TRANSFORM_STRT10 as a transform method, and SHA256 as a digest method.

// Get the message context    Object msgcontext = getMessageContext();

// Generate the WSSFactory instance
   WSSFactory factory = WSSFactory.getInstance();

// Generate the WSSConsumingContext instance
   WSSConsumingContext concont = factory.newWSSConsumingContext();

// Generate the certificate list    String certpath = "intca2.cer";
// The location of the X509 certificate file
      X509Certificate x509cert = null;
      try {
            InputStream is = new FileInputStream(certpath);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
           x509cert = (X509Certificate)cf.generateCertificate(is);
      } catch(FileNotFoundException e1){
          throw new WSSException(e1);
      } catch (CertificateException e2) {
          throw new WSSException(e2);
      }

      Set
<Object> eeCerts = new HashSet
<Object>();
      eeCerts.add(x509cert);
// Create the certStore
   java.util.List
<CertStore> certList = new
        java.util.ArrayList
<CertStore>();
   CollectionCertStoreParameters certparam = new
        CollectionCertStoreParameters(eeCerts);
   CertStore cert = null;
      try {
            cert = CertStore.getInstance("Collection",
                                           certparam,
                                          "IBMCertPath");
      } catch (NoSuchProviderException e1) {
           throw new WSSException(e1);
      } catch (InvalidAlgorithmParameterException e2) {
           throw new WSSException(e2);
      } catch (NoSuchAlgorithmException e3) {
           throw new WSSException (e3);
      }
      if(certList != null ){
            certList.add(cert);
      }

// Generate the callback handler
   X509ConsumeCallbackHandler callbackHandler = new
      X509ConsumeCallbackHandler(
                                 "dsig-receiver.ks",
                                 "jks",                                  "server".toCharArray(),
                                 certList,
                                 java.security.Security.getProvider(
                                       "IBMCertPath")
                                 );

// Generate the WSSVerification instance
   WSSVerification ver = factory.newWSSVerification(X509Token.class,
                                                    callbackHandler);

// Set one or more candidates of the signature method used for
//    verification (step. 1)
// DEFAULT : WSSVerification.RSA_SHA1
      ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

// Set one or more candidates of the canonicalization method used for
//    verification (step. 2)
// DEFAULT : WSSVerification.EXC_C14N
      ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
      ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);

// Set the part to be specified by WSSVerifyPart
   WSSVerifyPart verPart = factory.newWSSVerifyPart();

// Set the part to be specified by the keyword
      verPart.setRequiredVerifyPart(WSSVerification.BODY);

// Set the candidates of digest methods to use for verification (step. 3)
// DEFAULT : WSSVerifypart.TRANSFORM_EXC_C14N : String
      verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

// Set the candidates of digest methods to use for verification (step. 4)
// DEFAULT : WSSVerifyPart.SHA1
      verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

// Set WSSVerifyPart to WSSVerification
      ver.addRequiredVerifyPart(verPart);

// Add the WSSVerification to the WSSConsumingContext
   concont.add(ver);

// Validate the WS-Security header concont.process(msgcontext);


What to do next

You have completed configuring the signature verification algorithms. Next, configure the encryption or decryption algorithms, if not already configured. Or, configure the security token information, as needed.
XML digital signature
Configure signing information using the WSSSignature API
Configure request signing methods for the client
Configure generator signing information to protect message integrity using the WSS APIs


Related


Signature verification methods using the WSSVerification API

+

Search Tips   |   Advanced Search