You can configure the signing verification information for the consumer binding using the WSS API. The transform algorithm and digest methods are used for the consumer binding. Use the WSSVerifyPart API to configure the algorithm methods. The WSSVerifyPart API is provided in the com.ibm.websphere.wssecurity.wssapi.verification package.
To configure consumer verify parts information to protect message integrity, you must first digitally sign and then verify the signature and signed parts for the SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.
The digest method algorithm is specified within the <Digest> element. WebSphere Application Server supports the following pre-configured digest algorithms:
Digest method | Description |
---|---|
WSSVerifyPart.SHA1 (the default value) | A URI of the digest algorithm, SHA1: http://www.w3.org/2000/09/xmldsig#sha1 |
WSSVerifyPart.SHA256 | A URI of the digest algorithm, SHA256: http://www.w3.org/2001/04/xmlenc#sha256 |
WSSVerifyPart.SHA512 | A URI of the digest algorithm, SHA512: http://www.w3.org/2001/04/xmlenc#sha512 |
The transform algorithm is specified within the <Transform> element and specifies the transform algorithm for the signed part. WebSphere Application Server supports the following pre-configured transform algorithms:
Transform algorithm | Description |
---|---|
WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE | A URI of the transform algorithm, enveloped signature: http://www.w3.org/2000/09/xmldsig#enveloped-signature |
WSSVerifyPart.TRANSFORM_STRT10 | A URI of the transform algorithm, STR-Transform: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform |
WSSVerifyPart.TRANSFORM_EXC_C14N (the default value) | A URI of the transform algorithm, Exc-C14N: http://www.w3.org/2001/10/xml-exc-c14n# |
WSSVerifyPart.TRANSFORM_XPATH2_FILTER | A URI of the transform algorithm, XPath2 filter: http://www.w3.org/2002/06/xmldsig-filter2 |
The following example provides sample WSS API code that verifies the body using SHA256 as the digest method and TRANSFORM_EXC_C14N and TRANSFORM_STRT10 as the transform methods:
```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSException;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

// get the message context
Object msgcontext = getMessageContext();

// generate WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();

// generate WSSConsumingContext instance
WSSConsumingContext concont = factory.newWSSConsumingContext();

// generate the cert list
String certpath = "intca2.cer"; // The location of the X509 certificate file
X509Certificate x509cert = null;
try {
    InputStream is = new FileInputStream(certpath);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    x509cert = (X509Certificate) cf.generateCertificate(is);
} catch (FileNotFoundException e1) {
    throw new WSSException(e1);
} catch (CertificateException e2) {
    throw new WSSException(e2);
}
Set<Object> eeCerts = new HashSet<Object>();
eeCerts.add(x509cert);

// create certStore
java.util.List<CertStore> certList = new java.util.ArrayList<CertStore>();
CollectionCertStoreParameters certparam = new CollectionCertStoreParameters(eeCerts);
CertStore cert = null;
try {
    cert = CertStore.getInstance("Collection", certparam, "IBMCertPath");
} catch (NoSuchProviderException e1) {
    throw new WSSException(e1);
} catch (InvalidAlgorithmParameterException e2) {
    throw new WSSException(e2);
} catch (NoSuchAlgorithmException e3) {
    throw new WSSException(e3);
}
if (certList != null) {
    certList.add(cert);
}

// generate callback handler
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
    "dsig-receiver.ks",
    "jks",
    "server".toCharArray(),
    certList,
    java.security.Security.getProvider("IBMCertPath"));

// generate WSSVerification instance
WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

// set one or more candidates of the signature method used for the verification (step 1)
// DEFAULT : WSSVerification.RSA_SHA1
ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

// set one or more candidates of the canonicalization method used for the verification (step 2)
// DEFAULT : WSSVerification.EXC_C14N
ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);

// set the part to be specified by WSSVerifyPart
WSSVerifyPart verPart = factory.newWSSVerifyPart();

// set the part to be specified by the keyword
verPart.setRequiredVerifyPart(WSSVerification.BODY);

// set the candidates of transform methods to use for verification (step 3)
// DEFAULT : WSSVerifyPart.TRANSFORM_EXC_C14N
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N);
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

// set the candidates of digest methods to use for verification (step 4)
// DEFAULT : WSSVerifyPart.SHA1
verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

// set WSSVerifyPart to WSSVerification
ver.addRequiredVerifyPart(verPart);

// add the WSSVerification to the WSSConsumingContext
concont.add(ver);

// validate the WS-Security header
concont.process(msgcontext);
```
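To make the allow-list behaviour concrete, here is an added example (not part of the WebSphere documentation or the WSS API) that applies the same policy as the configuration above to the ds:SignedInfo of an incoming message using plain JAXP: transforms limited to Exc-C14N and STR-Transform and the digest limited to SHA256, using the URIs from the tables. The class name, the check method and the sample message are constructed for illustration; a real consumer would run this before trusting any DigestValue.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedInfoPolicyCheck {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Same policy as the WSSVerifyPart configuration above, expressed as the URIs from the tables.
    static final Set<String> ALLOWED_DIGESTS = Set.of("http://www.w3.org/2001/04/xmlenc#sha256");
    static final Set<String> ALLOWED_TRANSFORMS = Set.of(
        "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform");

    // Returns one entry per policy violation found in the ds:Reference elements; empty means accepted.
    static List<String> check(String signedInfoXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in security headers
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(signedInfoXml.getBytes(StandardCharsets.UTF_8)));
        List<String> problems = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            String uri = ref.getAttribute("URI");
            NodeList transforms = ref.getElementsByTagNameNS(DS, "Transform");
            for (int j = 0; j < transforms.getLength(); j++) {
                String alg = ((Element) transforms.item(j)).getAttribute("Algorithm");
                if (!ALLOWED_TRANSFORMS.contains(alg)) problems.add(uri + ": transform not allowed: " + alg);
            }
            NodeList digests = ref.getElementsByTagNameNS(DS, "DigestMethod");
            if (digests.getLength() != 1) { problems.add(uri + ": expected exactly one DigestMethod"); continue; }
            String dalg = ((Element) digests.item(0)).getAttribute("Algorithm");
            if (!ALLOWED_DIGESTS.contains(dalg)) problems.add(uri + ": digest not allowed: " + dalg);
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a body reference using SHA-1 and the enveloped-signature transform, both outside the policy.
        String sample = "<ds:SignedInfo xmlns:ds='" + DS + "'><ds:Reference URI='#body'><ds:Transforms>"
            + "<ds:Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/></ds:Transforms>"
            + "<ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>"
            + "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>";
        check(sample).forEach(System.out::println); // two violations for the constructed sample
    }
}
```

The same kind of check is what addAllowedTransform and addAllowedDigestMethod configure inside the runtime: anything not on the allowed list is a reason to reject the signature before the digest is even compared.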