
Choose the verify parts methods using the WSSVerifyPart API


Configure the signing verification information for the consumer binding using the WSS API. The transform algorithm and digest methods are used for the consumer binding. Use the WSSVerifyPart API to configure the algorithm methods. The WSSVerifyPart API is provided in the com.ibm.websphere.wssecurity.wssapi.verification package.

To configure consumer verify parts information to protect message integrity, first digitally sign and then verify the signature and signed parts for the SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.


Methods

Methods used for the signing verification information include:

Digest method

Sets the digest method.

Transform method

Sets the transform algorithm method.


Digest algorithms

The digest method algorithm is specified within the <Digest> element. WAS supports the following pre-configured digest algorithms:


Table 1. Verify parts digest methods

Digest method                           Description
WSSVerifyPart.SHA1 (the default value)  A URI of the digest algorithm, SHA1: http://www.w3.org/2000/09/xmldsig#sha1
WSSVerifyPart.SHA256                    A URI of the digest algorithm, SHA256: http://www.w3.org/2001/04/xmlenc#sha256
WSSVerifyPart.SHA512                    A URI of the digest algorithm, SHA512: http://www.w3.org/2001/04/xmlenc#sha512


Transform algorithms

The transform algorithm is specified within the <Transform> element and specifies the transform algorithm for the signed part. WAS supports the following pre-configured transform algorithms:


Table 2. Verify parts transform methods

Transform method                                         Description
WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE              A URI of the transform algorithm, enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature
WSSVerifyPart.TRANSFORM_STRT10                           A URI of the transform algorithm, STR-Transform: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
WSSVerifyPart.TRANSFORM_EXC_C14N (the default value)     A URI of the transform algorithm, Exc-C14N: http://www.w3.org/2001/10/xml-exc-c14n#
WSSVerifyPart.TRANSFORM_XPATH2_FILTER                    A URI of the transform algorithm, XPath2 filter: http://www.w3.org/2002/06/xmldsig-filter2

For the WSS APIs, WAS does not support the following transform algorithms:


Example

The following example provides sample WSS API code that verifies the body using SHA256 as the digest method and TRANSFORM_EXC_C14N and TRANSFORM_STRT10 as the transform methods:

    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import java.security.cert.CertStore;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.CollectionCertStoreParameters;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
    import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
    import com.ibm.websphere.wssecurity.wssapi.WSSException;
    import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
    import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
    import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
    import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

    // get the message context
    Object msgcontext = getMessageContext();

    // generate WSSFactory instance
    WSSFactory factory = WSSFactory.getInstance();

    // generate WSSConsumingContext instance
    WSSConsumingContext concont = factory.newWSSConsumingContext();

    // generate the cert list
    // The location of the X509 certificate file
    String certpath = "intca2.cer";
    X509Certificate x509cert = null;
    try (InputStream is = new FileInputStream(certpath)) {
      CertificateFactory cf = CertificateFactory.getInstance("X.509");
      x509cert = (X509Certificate) cf.generateCertificate(is);
    } catch (IOException e1) {
      throw new WSSException(e1);
    } catch (CertificateException e2) {
      throw new WSSException(e2);
    }

    Set<Object> eeCerts = new HashSet<Object>();
    eeCerts.add(x509cert);

    // create certStore
    List<CertStore> certList = new ArrayList<CertStore>();
    CollectionCertStoreParameters certparam =
         new CollectionCertStoreParameters(eeCerts);
    CertStore cert = null;
    try {
      cert = CertStore.getInstance("Collection", certparam, "IBMCertPath");
    } catch (NoSuchProviderException e1) {
      throw new WSSException(e1);
    } catch (InvalidAlgorithmParameterException e2) {
      throw new WSSException(e2);
    } catch (NoSuchAlgorithmException e3) {
      throw new WSSException(e3);
    }
    certList.add(cert);

    // generate callback handler
    X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
        "dsig-receiver.ks",
        "jks",
        "server".toCharArray(),
        certList,
        java.security.Security.getProvider("IBMCertPath")
    );

    // generate WSSVerification instance
    WSSVerification ver = factory.newWSSVerification(X509Token.class,
        callbackHandler);

    // set one or more candidates of the signature method used for the
    // verification (step 1)
    // DEFAULT : WSSVerification.RSA_SHA1
    ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

    // set one or more candidates of the canonicalization method used
    // for the verification (step 2)
    // DEFAULT : WSSVerification.EXC_C14N
    ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
    ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);

    // create the part to be specified by WSSVerifyPart
    WSSVerifyPart verPart = factory.newWSSVerifyPart();

    // set the part to be specified by the keyword
    verPart.setRequiredVerifyPart(WSSVerification.BODY);

    // set the candidates of transform methods to use for verification (step 3)
    // DEFAULT : WSSVerifyPart.TRANSFORM_EXC_C14N
    verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N);
    verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

    // set the candidates of digest methods to use for verification (step 4)
    // DEFAULT : WSSVerifyPart.SHA1
    verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

    // add the WSSVerifyPart to the WSSVerification
    ver.addRequiredVerifyPart(verPart);

    // add the WSSVerification to the WSSConsumingContext
    concont.add(ver);

    // validate the WS-Security header
    concont.process(msgcontext);
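The helper below is an added illustration, not code from the original page or from WebSphere itself. It builds a verify part for each required keyword so that the consumer accepts only SHA-2 digests and the Exclusive C14N transform; WSSVerification.TIMESTAMP is assumed to exist as a keyword alongside WSSVerification.BODY, and the algorithm constants are assumed to be the String URIs listed in Tables 1 and 2.

```java
import java.util.Arrays;
import java.util.List;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

/**
 * Builds verify parts for a consumer that requires the given parts to be
 * signed and accepts only SHA-2 digests and Exclusive C14N transforms.
 * Every algorithm passed to addAllowedDigestMethod / addAllowedTransform
 * becomes a candidate the consumer will accept, so the allow-list is
 * kept deliberately short.
 */
public final class StrictVerifyParts {
    // Digest and transform candidates accepted for every required part.
    private static final List<String> DIGESTS =
        Arrays.asList(WSSVerifyPart.SHA256, WSSVerifyPart.SHA512);
    private static final List<String> TRANSFORMS =
        Arrays.asList(WSSVerifyPart.TRANSFORM_EXC_C14N);

    private StrictVerifyParts() { }

    /**
     * Adds one WSSVerifyPart per keyword to the given WSSVerification.
     * Keywords are WSSVerification constants such as WSSVerification.BODY;
     * WSSVerification.TIMESTAMP is an assumption of this example.
     */
    public static void addRequiredParts(WSSFactory factory, WSSVerification ver,
                                        String... keywords) throws WSSException {
        for (String keyword : keywords) {
            WSSVerifyPart part = factory.newWSSVerifyPart();
            part.setRequiredVerifyPart(keyword);
            for (String transform : TRANSFORMS) {
                part.addAllowedTransform(transform);
            }
            for (String digest : DIGESTS) {
                part.addAllowedDigestMethod(digest);
            }
            ver.addRequiredVerifyPart(part);
        }
    }

    /** Typical use: the body and the timestamp must both be signed. */
    public static void configure(WSSFactory factory, WSSVerification ver)
            throws WSSException {
        addRequiredParts(factory, ver, WSSVerification.BODY, WSSVerification.TIMESTAMP);
    }
}
```

This page does not state whether the SHA1 and TRANSFORM_EXC_C14N defaults remain candidates once other methods are added, so confirm against your server which digests a signed message is actually accepted with before relying on this allow-list.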





Related tasks


Verifying consumer signing information to protect message integrity using WSS APIs


Related


Signature verification methods using the WSSVerification API
Digital signing methods using the WSSSignature API
Signed parts methods using the WSSSignPart API