Use of digital signatures with the UDDI Registry
Overview
In UDDI V3, publishers can digitally sign UDDI elements as they publish them. The UDDI V3 schema supports signing of the businessEntity, businessService, bindingTemplate, tModel, and publisherAssertion elements.
A client can validate the signature on a signed UDDI element to prove that the element has not been modified or tampered with since it was signed, that is, that its integrity is intact.
The UDDI registry does not validate signatures when signed elements are published. When a signed element is retrieved, the retrieving client is responsible for validating the signature and for providing its own mechanism to ensure that the signer's certificate is issued by a Certification Authority (CA) that the client approves and trusts. If the signature verifies under the signer's public key, only the holder of the corresponding private key could have signed this element.
Generating a signature
Because an element's attributes are included in the generation of its signature, all entity keys must be present at the time the signature is generated. Publishers should therefore generate publisher-assigned keys for all of an element's keys before signing it. Alternatively, a publisher can first publish the element without keys, so that the registry node generates the required entity keys, and then retrieve the element, sign it, and republish the signed element.
Validating a signature
The signature element to validate is the one in the top-level element returned by a call to getXXDetails() (for a businessEntity, the get_businessDetail inquiry call). It is the client's responsibility to perform the validation. The client must have previously imported the publisher's X.509 v3 certificate and validated it against the CA that the client trusts. In this way the client has the publisher's public validation key that corresponds to the private signing key the publisher used to sign the entity before publishing it.
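The following Java program is an added illustration of the two halves described above (generating the signature with the entity keys already assigned, and validating it on the client against a key the client already trusts). It is written for this page and is not part of the IBM UDDI V3 client or its SignatureUtilities class; it uses the JDK's own javax.xml.crypto.dsig API (Java 11 or later) to put an enveloped XML digital signature on a minimal businessEntity and then validate it. The RSA key pair it generates stands in for the key pair behind the publisher's X.509 certificate, and the businessKey uddi:example.com:acme and the name ACME Widgets are constructed sample data, not values from any registry.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UddiSignatureDemo {
    static final String UDDI_NS = "urn:uddi-org:api_v3";

    // Minimal businessEntity (constructed sample data). The businessKey is assigned before
    // signing: attributes are covered by the signature, so the registry cannot fill it in later.
    static Document buildBusinessEntity(String businessKey, String name) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element be = doc.createElementNS(UDDI_NS, "businessEntity");
        be.setAttribute("businessKey", businessKey);
        Element n = doc.createElementNS(UDDI_NS, "name");
        n.setTextContent(name);
        be.appendChild(n);
        doc.appendChild(be);
        return doc;
    }

    // Publisher side: enveloped XML-DSig over the whole element, appended as its last child.
    static void sign(Document doc, KeyPair publisherKeys) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",            // URI "" = the enclosing document
            fac.newDigestMethod(DigestMethod.SHA256, null),
            List.<Transform>of(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            List.of(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(List.of(kif.newKeyValue(publisherKeys.getPublic())));
        DOMSignContext ctx = new DOMSignContext(publisherKeys.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(ctx);
    }

    // Client side: validate against the key the client obtained from the publisher's certificate
    // that it has already imported and checked against its trusted CA. The KeyInfo embedded in
    // the retrieved element is deliberately ignored; trusting it would let anyone sign with a
    // key of their own choosing and still pass validation. An element with no Signature fails closed.
    static boolean validate(Document doc, PublicKey trustedPublisherKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(
            KeySelector.singletonKeySelector(trustedPublisherKey), sigs.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair publisher = kpg.generateKeyPair(); // stands in for the publisher's certified key pair
        KeyPair stranger = kpg.generateKeyPair();  // a key the client has never trusted

        Document doc = buildBusinessEntity("uddi:example.com:acme", "ACME Widgets");
        sign(doc, publisher);
        System.out.println("intact element, trusted key:   " + validate(doc, publisher.getPublic()));
        System.out.println("intact element, untrusted key: " + validate(doc, stranger.getPublic()));

        // Modify signed content after signing, as an attacker or a careless republish would.
        Element name = (Element) doc.getElementsByTagNameNS(UDDI_NS, "name").item(0);
        name.setTextContent("ACME Widgets (tampered)");
        System.out.println("tampered element, trusted key: " + validate(doc, publisher.getPublic()));
    }
}
```

Compile and run with javac UddiSignatureDemo.java and java UddiSignatureDemo; no libraries beyond the JDK are needed. The three validations cover the one case that must succeed and the two that must fail: a signature produced by a key the client does not trust, and an element whose content changed after it was signed. Changing the businessKey attribute after signing fails in the same way as changing the name, which is why the keys must be in place before the signature is generated.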
The UDDI V3 registry provides helper classes to assist you in writing applications that create and sign UDDI V3 elements and publish them with the UDDI V3 Publish service. These classes also help in writing client applications that use the UDDI V3 Inquire service to retrieve and validate UDDI V3 elements.
The IBM UDDI V3 Client can be used to construct JAX-RPC objects and to invoke the UDDI V3 Web service. This client includes a helper class, com.ibm.uddi.v3.client.apilayer.xmldig.SignatureUtilities, that can be used to create and validate digital signatures on the UDDI V3 entities that support them. See the Javadoc welcome page for details of the API of this class and of its exception, SignatureUtilitiesException.
An example of how to use this class, UDDIv3ClientSignedBusinessSample.java, can be found at Samples Central.
See Securing Web services using XML digital signature for a full explanation about Digital Signatures.
Note: In UDDI, digital signatures are used to sign the data, not to authenticate the SOAP message that carries it.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.