
Decryption methods


The decryption algorithms specify the data and key encryption algorithms that are used to decrypt the SOAP message. The WSS API for decryption (WSSDecryption) specifies the algorithm uniform resource identifier (URI) of the data and key encryption methods. The WSSDecryption interface is part of the com.ibm.websphere.wssecurity.wssapi.decryption package.

 

Data encryption algorithms

The data encryption algorithms are the algorithms that are used to encrypt and decrypt data. This algorithm type is used to encrypt and decrypt various parts of the message, including the body content and the signature.

Data decryption algorithms specify the algorithm uniform resource identifier (URI) of the data encryption method. WAS supports the following pre-configured data decryption algorithms:


Table 1. Supported pre-configured data decryption algorithms

| WSS API | URI |
| --- | --- |
| WSSDecryption.AES128 (the default value) | A URI of data encryption algorithm, AES 128: http://www.w3.org/2001/04/xmlenc#aes128-cbc |
| WSSDecryption.AES192 | A URI of data encryption algorithm, AES 192: http://www.w3.org/2001/04/xmlenc#aes192-cbc |
| WSSDecryption.AES256 | A URI of data encryption algorithm, AES 256: http://www.w3.org/2001/04/xmlenc#aes256-cbc |
| WSSDecryption.TRIPLE_DES | A URI of data encryption algorithm, TRIPLE DES: http://www.w3.org/2001/04/xmlenc#tripledes-cbc |

By default, the JCE is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, apply unlimited jurisdiction policy files.

For the AES256-cbc and the AES192-cbc algorithms, download the unrestricted JCE policy files from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/IBM_HTTP_Server_v735.html.

The data encryption algorithm must match the data decryption algorithm configured for the consumer.

 

Key encryption algorithms

The key encryption algorithms are the algorithms that are used to encrypt and decrypt keys.

This key information is used to specify the configuration that is needed to generate the key for digital signature and encryption. The signing information and encryption information configurations can share the key information. The key information on the consumer side is used for specifying the information about the key used for validating the digital signature in the received message or for decrypting the encrypted parts of the message. The request generator is configured for the client.

Key encryption algorithms specify the algorithm uniform resource identifier (URI) of the key encryption method. WAS supports the following pre-configured key encryption algorithms:


Table 2. Supported pre-configured key encryption algorithms

| WSS API | URI |
| --- | --- |
| WSSDecryption.KW_AES128 | A URI of key encryption algorithm, key wrap AES 128: http://www.w3.org/2001/04/xmlenc#kw-aes128 |
| WSSDecryption.KW_AES192 | A URI of key encryption algorithm, key wrap AES 192: http://www.w3.org/2001/04/xmlenc#kw-aes192 Restriction: Do not use the 192-bit key encryption algorithm if we want the configured application to be in compliance with the Basic Security Profile (BSP). |
| WSSDecryption.KW_AES256 | A URI of key encryption algorithm, key wrap AES 256: http://www.w3.org/2001/04/xmlenc#kw-aes256 |
| WSSDecryption.KW_RSA_OAEP (the default value) | A URI of key encryption algorithm, key wrap RSA OAEP: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p |
| WSSDecryption.KW_RSA15 | A URI of key encryption algorithm, key wrap RSA 1.5: http://www.w3.org/2001/04/xmlenc#rsa-1_5 |
| WSSDecryption.KW_TRIPLE_DES | A URI of key encryption algorithm, key wrap TRIPLE DES: http://www.w3.org/2001/04/xmlenc#kw-tripledes |

By default, the RSA-OAEP algorithm uses the SHA1 message digest algorithm to compute a message digest as part of the encryption operation. Optionally, we can use the SHA256 or SHA512 message digest algorithm by specifying a key encryption algorithm property. The property name is com.ibm.wsspi.wssecurity.enc.rsaoaep.DigestMethod. The property value is one of the following URIs of the digest method:

http://www.w3.org/2001/04/xmlenc#sha256
http://www.w3.org/2001/04/xmlenc#sha512

By default, the RSA-OAEP algorithm uses a null string for the optional encoding octet string for the OAEPParams. We can provide an explicit encoding octet string by specifying a key encryption algorithm property. For the property name, we can specify com.ibm.wsspi.wssecurity.enc.rsaoaep.OAEPparams. The property value is the base 64-encoded value of the octet string.

We can set these digest method and OAEPParams properties on the generator side only. On the consumer side, these properties are read from the incoming SOAP message.
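The following added example is not part of the original page and is not IBM code. It uses the standard JCE API, not the WSS API, to show what the DigestMethod and OAEPParams settings change in an rsa-oaep-mgf1p key wrap, and why the consumer must decrypt with the values carried in the message. The class name, the test key pair and the label string are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

public class RsaOaepParamsDemo {
    // rsa-oaep-mgf1p always uses MGF1 with SHA-1 as the mask generation function;
    // the digest and the OAEPParams octets are what the two properties change.
    static OAEPParameterSpec spec(String digest, String oaepParamsB64) {
        byte[] p = oaepParamsB64 == null ? new byte[0]
                                         : Base64.getDecoder().decode(oaepParamsB64);
        return new OAEPParameterSpec(digest, "MGF1", MGF1ParameterSpec.SHA1,
                                     new PSource.PSpecified(p));
    }

    static byte[] wrap(PublicKey pub, SecretKey key, OAEPParameterSpec s)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(Cipher.WRAP_MODE, pub, s);
        return c.wrap(key);
    }

    // Returns true only if the wrapped key decodes under the given parameters.
    static boolean unwraps(PrivateKey priv, byte[] wrapped, OAEPParameterSpec s) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
            c.init(Cipher.UNWRAP_MODE, priv, s);
            c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // OAEP decoding failed: digest or OAEPParams differ
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();                 // constructed test key pair
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey dataKey = kg.generateKey();               // AES128 data key to transport
        String label = Base64.getEncoder().encodeToString(  // constructed OAEPParams value
                "constructed-label".getBytes(StandardCharsets.UTF_8));
        byte[] wrapped = wrap(kp.getPublic(), dataKey, spec("SHA-256", label));
        PrivateKey priv = kp.getPrivate();
        System.out.println("SHA-256, same OAEPParams:  " + unwraps(priv, wrapped, spec("SHA-256", label)));
        System.out.println("SHA-256, empty OAEPParams: " + unwraps(priv, wrapped, spec("SHA-256", null)));
        System.out.println("SHA-1 defaults:            " + unwraps(priv, wrapped, spec("SHA-1", null)));
    }
}
```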

For the kw-aes256 and the kw-aes192 key encryption algorithms, download the unrestricted JCE policy files from the following Web site: http://www.ibm.com/developerworks/java/jdk/security/IBM_HTTP_Server_v735.html.
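A preflight check for the policy-file requirement described for both the data encryption and the key encryption algorithms, as an added example that is not part of the original page and is not IBM code. It tests which AES-based URIs from Tables 1 and 2 the running JVM can initialise. The class name and the JCE transformation names ("AES/CBC/NoPadding", "AESWrap") are assumptions based on the standard JCE naming.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesPolicyCheck {
    static final String XMLENC = "http://www.w3.org/2001/04/xmlenc#";
    // AES-based algorithms from Tables 1 and 2: URI fragment, JCE transformation, key bits.
    static final String[][] ALGS = {
        {"aes128-cbc", "AES/CBC/NoPadding", "128"},
        {"aes192-cbc", "AES/CBC/NoPadding", "192"},
        {"aes256-cbc", "AES/CBC/NoPadding", "256"},
        {"kw-aes128",  "AESWrap",           "128"},
        {"kw-aes192",  "AESWrap",           "192"},
        {"kw-aes256",  "AESWrap",           "256"},
    };

    // True when the installed policy files let this JVM initialise the cipher
    // with a key of the given size; a restricted policy rejects it at init time.
    static boolean usable(String transformation, int bits) {
        try {
            Cipher c = Cipher.getInstance(transformation);
            SecretKeySpec key = new SecretKeySpec(new byte[bits / 8], "AES"); // dummy all-zero key
            if (transformation.equals("AESWrap")) {
                c.init(Cipher.WRAP_MODE, key);
            } else {
                c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
            }
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Max AES key length allowed by policy: "
                + Cipher.getMaxAllowedKeyLength("AES"));
        for (String[] a : ALGS) {
            boolean ok = usable(a[1], Integer.parseInt(a[2]));
            System.out.println((ok ? "usable   " : "BLOCKED  ") + XMLENC + a[0]);
        }
    }
}
```

Run it with the same JRE that the application server uses, because the policy files are installed per JRE.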

The key encryption algorithm for the generator and the consumer must match.

 

Example

The following example provides a sample of the WSS API code for the default algorithms that are used for WAS decryption:

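import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.decryption.WSSDecryption;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// msgctx is the message context of the received SOAP message, obtained elsewhere.
WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();

// Callback handler that locates the X.509 key used for decryption.
X509ConsumeCallbackHandler callbackHandler =
       new X509ConsumeCallbackHandler("",
                                      "enc-sender.jceks",
                                      "JCEKS",
                                      "storepass".toCharArray(),
                                      "alice",
                                      "keypass".toCharArray(),
                                      "CN=Alice, O=IBM, C=US");

// Set the decrypt component.
// Default encrypted part: Body-Content
// Default data encryption algorithm: AES128
// Default key encryption algorithm: KW-RSA-OAEP
WSSDecryption dec = factory.newWSSDecryption(X509Token.class, callbackHandler);
concont.add(dec);

// Validate the WS-Security header.
concont.process(msgctx);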




 

Related tasks


Choose the decryption methods for the consumer binding
Decrypting the SOAP message using the WSSDecryption API
Set decryption to protect message confidentiality using the WSS APIs

 

Related


Encryption methods