Digital signing methods using the WSSSignature API
We can configure the signing information for the generator binding using the WSS API. To configure the client for request signing, choose the digital signing methods. The algorithm methods include the signing and canonicalization methods.
Configure generator signing information to protect message integrity by digitally signing SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.
After we have specified which message parts to digitally sign, specify which method is used to digitally sign the message.
Methods
Methods used for the signing information include the:
- Signature method
- Set the signature algorithm method.
- Canonicalization method
- Set the canonicalization algorithm method.
Signature algorithms
The signature algorithms specify the algorithm used to sign the certificate. The signature algorithms specify the Uniform Resource Identifiers (URI) of the signature method. WebSphere Application Server supports the following pre-configured algorithms:
Algorithm Description WSSSignature.HMAC_SHA1 A URI of the signature algorithm, HMAC: http://www.w3.org/2000/09/xmldsig#hmac-sha1 WSSSignature.RSA_SHA1 (the default value) A URI of the signature algorithm, RSA: http://www.w3.org/2000/09/xmldsig#rsa-sha1 For the WSS APIs, WAS does not support the DSA-SHA1 algorithm, http://www.w3.org/2000/09/xmldsig#dsa-sha1
The signing algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.
Canonicalization algorithms
The canonicalization algorithms specify the Uniform Resource Identifiers (URI) of the canonicalization method. WAS supports the following pre-configured algorithms:
Algorithm Description WSSSignature.EXC_C14N (the default value) A URI of the exclusive canonicalization algorithm EXC_C14N: http://www.w3.org/2001/10/xml-exc-c14n# WSSSignature.C14N A URI of the inclusive canonicalization algorithm, C14N: http://www.w3.org/2001/10/xml-c14n# The canonicalization algorithm specified for the request generator configuration must match the algorithm specified for the request consumer configuration.
The following example provides sample WSS API code that specifies the HMAC_SHA1 as a signature method and C14n as a canonicalization method:
//generate WSSFactory instance WSSFactory factory = WSSFactory.getInstance(); //generate WSSGenerationContext instance WSSGenerationContext gencont = factory.newWSSGenerationContext(); //generate callback handler X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler( "", "dsig-sender.ks", "jks", "client".toCharArray(), "soaprequester", "client".toCharArray(), "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", null); //generate the security token used to the signature SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler); //generate WSSSignature instance WSSSignature sig = factory.newWSSSignature(token); //set the canonicalization method // DEFAULT: WSSSignature.EXC_C14N sig.setCanonicalizationMethod(WSSSignature.C14N); //set the signature method // DEFAULT: WSSSignature.RSA_SHA1 sig.setSignatureMethod(WSSSignature.HMAC_SHA1); //add the WSSSignature to the WSSGenerationContext gencont.add(sig); //generate the WS-Security header gencont.process(msgcontext);
Add signed parts using the WSSSignPart API Signed parts methods using the WSSSignPart API Choosing the verify parts methods using the WSSVerifyPart API Signature verification methods using the WSSVerification API