
Signature verification methods using the WSSVerification API


You can verify the signing (signature) information using the WSS API for the consumer binding. The signature and canonicalization algorithm methods are used for the generator binding. The WSSVerification API is provided in the com.ibm.websphere.wssecurity.wssapi.verification package.

To configure consumer signing information to protect message integrity, first digitally sign the SOAP messages and then verify the signature. Integrity refers to the digital signature, whereas confidentiality refers to encryption. Integrity reduces the risk that data is modified without detection while it is transmitted across a network.


Methods

Methods used for signature verification include the following:

Signature method

Sets the signature algorithm method.

Canonicalization method

Sets the canonicalization algorithm method.

The algorithm specified for the request generator configuration must match the algorithm specified for the response consumer configuration.


Signature algorithms

The signature algorithms specify the signature verification algorithm used to sign the certificate, expressed as the Uniform Resource Identifier (URI) of the signature verification method. WAS supports the following pre-configured algorithms:

Table 1. Signature verification algorithms

Algorithm                                     Description
WSSVerification.HMAC_SHA1                     URI of the HMAC signature algorithm: http://www.w3.org/2000/09/xmldsig#hmac-sha1
WSSVerification.RSA_SHA1 (the default value)  URI of the RSA signature algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1

WAS does not support the DSA-SHA1 algorithm: http://www.w3.org/2000/09/xmldsig#dsa-sha1


Canonicalization algorithms

The canonicalization algorithms specify the Uniform Resource Identifier (URI) of the canonicalization method. WAS supports the following pre-configured algorithms:

Table 2. Verification canonicalization algorithms

Algorithm                                     Description
WSSVerification.C14N                          URI of the inclusive canonicalization algorithm, C14N: http://www.w3.org/2001/10/xml-c14n#
WSSVerification.EXC_C14N (the default value)  URI of the exclusive canonicalization algorithm, EXC_C14N: http://www.w3.org/2001/10/xml-exc-c14n#


Example

The following example provides sample WSS API code that uses an X.509 security token for signature verification:

// Imports (package names other than the verification package named above are assumed)
import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;

// certList: a java.util.List of java.security.cert.X509Certificate objects accepted as signers
// msgctx:   the JAX-WS message context of the inbound request (both are declared elsewhere)

WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();

// X509ConsumeCallbackHandler: keystore file, keystore type, keystore password,
// trusted certificate list, and the certificate-path provider
X509ConsumeCallbackHandler callbackHandler = new
   X509ConsumeCallbackHandler("dsig-receiver.ks",
                              "jks",
                              "server".toCharArray(),
                              certList,
                              java.security.Security.getProvider("IBMCertPath"));

// Set the verification component
// DEFAULT verification parts: Body, WS-Addressing header, and Timestamp
// DEFAULT signature algorithm: RSA-SHA1
// DEFAULT digest algorithm: SHA1
// DEFAULT canonicalization algorithm: exc-c14n
WSSVerification ver = factory.newWSSVerification(X509Token.class,
                                                 callbackHandler);
concont.add(ver);

// Validate the WS-Security header
concont.validate(msgctx);
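The example above relies on the defaults from Tables 1 and 2. As an added example that is not from this page or from IBM's own code, the following Java helper makes the consumer's algorithm policy explicit, pinning the RSA-SHA1 signature method and exclusive C14N so that the values match the request generator configuration and can be reviewed in one place. The method names addAllowedSignatureMethod and addAllowedCanonicalizationMethod, the WSSException type, the MessageContext parameter type, the class name PinnedVerification and the certList argument are assumptions.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.List;

import javax.xml.ws.handler.MessageContext;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;

/** Hypothetical helper: builds a consumer context that accepts only the pinned algorithms. */
public final class PinnedVerification {

    // These two values must equal the request generator's WSSSignature settings;
    // a mismatch (for example C14N on one side and EXC_C14N on the other) fails validation.
    private static final String SIGNATURE_METHOD = WSSVerification.RSA_SHA1;
    private static final String C14N_METHOD = WSSVerification.EXC_C14N;

    /** certList holds the X.509 certificates accepted as signers (supplied by the caller). */
    public static WSSConsumingContext build(List<X509Certificate> certList) throws WSSException {
        WSSFactory factory = WSSFactory.getInstance();
        WSSConsumingContext concont = factory.newWSSConsumingContext();

        X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
                "dsig-receiver.ks", "jks", "server".toCharArray(),
                certList, Security.getProvider("IBMCertPath"));

        WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

        // State the accepted algorithms explicitly instead of relying on the defaults.
        // HMAC-SHA1 (Table 1) is a shared-secret MAC, not a public-key signature, so it is
        // deliberately left out of the allowed set. Method names are assumed from the
        // "Signature method" and "Canonicalization method" descriptions on this page.
        ver.addAllowedSignatureMethod(SIGNATURE_METHOD);
        ver.addAllowedCanonicalizationMethod(C14N_METHOD);

        concont.add(ver);
        return concont;
    }

    /** Validates the WS-Security header of an inbound message using the JAX-WS handler context. */
    public static void verify(WSSConsumingContext concont, MessageContext msgctx) throws WSSException {
        concont.validate(msgctx);
    }
}
```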



Related tasks


Verifying consumer signing information to protect message integrity using WSS APIs


Related


Choose the verify parts methods using the WSSVerifyPart API
Signed parts methods using the WSSSignPart API
Digital signing methods using the WSSSignature API