Decryption methods
The decryption algorithms specify the data and key encryption algorithms used to decrypt the SOAP message. The WSS API for decryption (WSSDecryption) specifies the algorithm uniform resource identifier (URI) of the data and key encryption methods. The WSSDecryption interface is part of the com.ibm.websphere.wssecurity.wssapi.decryption package.
Data encryption algorithms
The data encryption algorithms are the algorithms used to encrypt and decrypt data. This algorithm type is used for encrypting data to encrypt and decrypt various parts of the message, including the body content and the signature.
Data decryption algorithms specify the algorithm uniform resource identifier (URI) of the data encryption method. WebSphere Application Server supports the following pre-configured data decryption algorithms:
WSS API URI WSSDecryption.AES128 (the default value) A URI of data encryption algorithm, AES 128: http://www.w3.org/2001/04/xmlenc#aes128-cbc WSSDecryption.AES192 A URI of data encryption algorithm, AES 192: http://www.w3.org/2001/04/xmlenc#aes192-cbc WSSDecryption.AES256 A URI of data encryption algorithm, AES 256: http://www.w3.org/2001/04/xmlenc#aes256-cbc WSSDecryption.TRIPLE_DES A URI of data encryption algorithm, TRIPLE DES: http://www.w3.org/2001/04/xmlenc#tripledes-cbc By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit AES encryption algorithms, we must apply unlimited jurisdiction policy files.
Important: Your country of origin might have restrictions on the import, possession, use, or re-export to another country, of encryption software. Before downloading or using the unrestricted policy files, we must check the laws of our country, its regulations, and its policies concerning the import, possession, use, and re-export of encryption software, to determine if it is permitted.
For the AES256-cbc and the AES192-cbc algorithms, we must download the unrestricted Java Cryptography Extension (JCE) policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
The data encryption algorithm must match the data decryption algorithm configured for the consumer.
Key encryption algorithms
The key encryption algorithms are the algorithms used to encrypt and decrypt keys.
This key information specifies the configuration needed to generate the key for digital signature and encryption. The signing information and encryption information configurations can share the key information. The key information on the consumer side is used for specifying the information about the key that is used for validating the digital signature in the received message or for decrypting the encrypted parts of the message. The request generator is configured for the client.
Key encryption algorithms specify the algorithm uniform resource identifier (URI) of the key encryption method. WAS supports the following pre-configured key encryption algorithms:
WSS API URI WSSDecryption.KW_AES128 A URI of key encryption algorithm, key wrap AES 128: http://www.w3.org/2001/04/xmlenc#kw-aes128 WSSDecryption.KW_AES192 A URI of key encryption algorithm, key wrap AES 192: http://www.w3.org/2001/04/xmlenc#kw-aes192 Restriction: Do not use the 192-bit key encryption algorithm if we want your configured application to be in compliance with the Basic Security Profile (BSP).
WSSDecryption.KW_AES256 A URI of key encryption algorithm, key wrap AES 256: http://www.w3.org/2001/04/xmlenc#kw-aes256 WSSDecryption.KW_RSA_OAEP (the default value) A URI of key encryption algorithm, key wrap RSA OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p WSSDecryption.KW_RSA15 A URI of key encryption algorithm, key wrap RSA 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5 WSSDecryption.KW_TRIPLE_DES A URI of data encryption algorithm, key wrap TRIPLE DES: http://www.w3.org/2001/04/xmlenc#kw-tripledes
By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, we can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is: com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method: http://www.w3.org/2001/04/xmlenc#sha256 http://www.w3.org/2001/04/xmlenc#sha512
By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. We can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.
Important: We can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
For the kw-aes256 and the kw-aes192 key encryption algorithms, we must download the unrestricted JCE policy files from the following website: http://www.ibm.com/developerworks/java/jdk/security/index.html.
The key encryption algorithm for the generator and the consumer must match.
The following example provides a sample of the WSS API code for the default algorithms used for WebSphere Application Server decryption:
WSSFactory factory = WSSFactory.getInstance(); WSSConsumingContext concont = factory.newWSSConsumingContext(); // Required to attach username token into the message. X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler("", "enc-sender.jceks", "JCEKS", "storepass".toCharArray(), "alice", "keypass".toCharArray(), "CN=Alice, O=IBM, C=US"); // Set the decrypt component. // Default encrypted part: Body-Content // Default data encryption algorithm: AES128 // Default key encryption algorithm: KW-RSA-OAEP WSSDecryption dec = factory.newWSSDecryption(X509Token.Type, callbackHandler); concont.add(dec); // validate the WS-Security header. concont.process(msgctx);
Choosing decryption methods for the consumer binding Decrypting SOAP messages using the WSSDecryption API Encryption methods