
Digital signatures and the UDDI registry

In UDDI Version 3, publishers can digitally sign UDDI elements while they are publishing. The UDDI Version 3 schema supports the signing of businessEntity, businessService, bindingTemplate, tModel, and publisherAssertion elements.

We can validate UDDI elements that are digitally signed to prove that they have not been modified or tampered with since they were signed, that is, that their integrity is intact.

For full details about signing UDDI entities and verifying signatures, see Appendix I: Support for XML Digital Signatures in the UDDI Version 3.0.2 specification.

The UDDI registry does not validate signatures when signed elements are published. When the signed elements are retrieved, the retrieving client is responsible for validating the signature and for providing a mechanism to ensure that the signer certificate is signed by a Certificate Authority (CA) that the client approves and trusts. If the signature verifies successfully with the signer public key, this shows that only the owner of the corresponding private key can have signed and published the element.


Signature generation

The attributes of an element are included in the generation of an element signature. Therefore, all entity keys must be present when the signature is generated. Publishers can generate publisher-assigned keys for all the keys of an element before signing. Alternatively, if publishers publish the element without keys, the registry node generates the required entity keys; the publisher then retrieves the element, signs it, and republishes the signed element.


Signature validation

The signature element to validate is in the top-level element that a call to a getXXDetails method returns. The client is responsible for the validation. The client must have previously imported the X.509 v3 certificate of the publisher, and validated that certificate against the CA it trusts. In this way, the client has access to the public validation key of the publisher that corresponds to the private signing key that the publisher used to sign the entity before publishing it.

Use the UDDI Version 3 Client to construct JAX-RPC objects and to invoke the UDDI Version 3 web service. As part of this client, we can use a helper class, com.ibm.uddi.v3.client.apilayer.xmldig.SignatureUtilities, to create and validate digital signatures on the UDDI Version 3 entities that support them. For details of application programming interfaces (APIs) in this helper class and the SignatureUtilitiesException exception, see the API information.
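The following added example is not code from this documentation or from the UDDI Version 3 Client; it uses the standard Java XML Digital Signature API (javax.xml.crypto.dsig, JSR 105) as a stand-in for SignatureUtilities to illustrate both points above: the signature is generated over the whole element, attributes such as businessKey included, so the key must already be assigned before signing; and the retrieving client validates with the publisher public key it already trusts (obtained from a certificate it imported and validated against its CA), ignoring any key material carried inside the signature. The businessEntity, its businessKey value and the class and method names are constructed for the example; the RSA key pair stands in for the key of the publisher certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class UddiSignatureExample {

    private static final String UDDI_NS = "urn:uddi-org:api_v3";
    // Algorithm URI accepted by the JDK XMLDSig provider (RSA with SHA-256).
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample entity. The businessKey is a placeholder value; in a real
    // publish it must already be assigned (by the publisher or by the node) before signing.
    private static final String SAMPLE_ENTITY =
          "<businessEntity xmlns=\"" + UDDI_NS + "\" businessKey=\"uddi:example.com:placeholder-key\">"
        + "<name>Example business</name>"
        + "</businessEntity>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required so the ds: Signature element is found by namespace
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / entity expansion
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Publisher side: enveloped signature over the root element (URI ""), so every
    // attribute and child of the entity is covered by the digest.
    static void sign(Document doc, KeyPair publisherKeys) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo signedInfo = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo keyInfo = kif.newKeyInfo(Collections.singletonList(kif.newKeyValue(publisherKeys.getPublic())));
        DOMSignContext signContext = new DOMSignContext(publisherKeys.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(signedInfo, keyInfo).sign(signContext);
    }

    // Client side: validate with the key the client already trusts. The KeyValue embedded
    // in the signature is deliberately not used, because anyone can embed a key of their own.
    static boolean validate(Document doc, PublicKey trustedPublisherKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) {
            return false; // unsigned entity: treat as not validated
        }
        DOMValidateContext valContext = new DOMValidateContext(trustedPublisherKey, sigs.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(valContext);
        return signature.validate(valContext); // checks both the reference digests and the signature value
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair publisherKeys = kpg.generateKeyPair();   // stands in for the publisher certificate key
        KeyPair otherKeys = kpg.generateKeyPair();       // stands in for an untrusted signer

        Document doc = parse(SAMPLE_ENTITY);
        sign(doc, publisherKeys);
        System.out.println("intact, trusted key:     " + validate(doc, publisherKeys.getPublic())); // true
        System.out.println("intact, wrong key:       " + validate(doc, otherKeys.getPublic()));     // false

        // Modify the entity after signing: the reference digest no longer matches.
        doc.getElementsByTagNameNS(UDDI_NS, "name").item(0).setTextContent("Tampered business");
        System.out.println("tampered, trusted key:   " + validate(doc, publisherKeys.getPublic())); // false
    }
}
```

Compile and run with a JDK (no extra libraries are needed). The three printed results show what the client check buys: a signature verifies only with the key that belongs to the publisher, and any change to the entity after signing, including to an attribute such as businessKey, causes validation to fail. In a real client the trusted key would come from the publisher certificate that was imported and chain-validated beforehand, as the text above requires, rather than from a freshly generated key pair.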

For UDDI, digital signatures are used to sign the published data. They are not used to authenticate the SOAP message that carries it.

  • UDDI Version 3 Client
  • Additional Application Programming Interfaces (APIs)
  • UDDI Version 3.0 Specification