Use the WSSVerification and WSSVerifyPart APIs to choose the signing verification methods. The request signing verification methods include the digest algorithm and the transport methods.
The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is available at http://www.w3.org/TR/xmldsig-core.
Name of method | Purpose |
---|---|
Digest algorithm | Applies to the data after transforms are applied, if specified, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the client request receiver configuration. |
Transform algorithm | Applies to the <Transform> element. |
Signature algorithm | Specifies the Uniform Resource Identifier (URI) of the signature verification method. |
Canonicalization algorithm | Specifies the Uniform Resource Identifier (URI) of the canonicalization method. |
After configuring the client to digitally sign the message, you must configure the client to verify the digital signature. You can use the WSS APIs or configure policy sets using the administrative console to verify the digital signature and to choose the verification and verify part algorithms. If using the WSS APIs to configure, use the WSSVerification and WSSVerifyPart APIs to specify which digitally signed message parts to verify and to specify which algorithm methods to use when configuring the client for request signing.
The WSSVerification and WSSVerifyPart APIs perform the following steps to configure the signature verification and verify parts algorithm methods:
The following example provides sample WSS API code that specifies the verification information, the body as a part to be verified, the HMAC_SHA1 as a signature method, C14N and EXC_C14N as the candidates of canonicalization methods, TRANSFORM_STRT10 as a transform method, and SHA256 as a digest method.
```java
// Get the message context
Object msgcontext = getMessageContext();

// Generate the WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();

// Generate the WSSConsumingContext instance
WSSConsumingContext concont = factory.newWSSConsumingContext();

// Generate the certificate list
String certpath = "intca2.cer"; // The location of the X509 certificate file
X509Certificate x509cert = null;
try {
    InputStream is = new FileInputStream(certpath);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    x509cert = (X509Certificate) cf.generateCertificate(is);
} catch (FileNotFoundException e1) {
    throw new WSSException(e1);
} catch (CertificateException e2) {
    throw new WSSException(e2);
}

Set<Object> eeCerts = new HashSet<Object>();
eeCerts.add(x509cert);

// Create the certStore
java.util.List<CertStore> certList = new java.util.ArrayList<CertStore>();
CollectionCertStoreParameters certparam = new CollectionCertStoreParameters(eeCerts);
CertStore cert = null;
try {
    cert = CertStore.getInstance("Collection", certparam, "IBMCertPath");
} catch (NoSuchProviderException e1) {
    throw new WSSException(e1);
} catch (InvalidAlgorithmParameterException e2) {
    throw new WSSException(e2);
} catch (NoSuchAlgorithmException e3) {
    throw new WSSException(e3);
}
if (certList != null) {
    certList.add(cert);
}

// Generate the callback handler
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
    "dsig-receiver.ks",
    "jks",
    "server".toCharArray(),
    certList,
    java.security.Security.getProvider("IBMCertPath")
);

// Generate the WSSVerification instance
WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

// Set one or more candidates of the signature method used for
// verification (step 1)
// DEFAULT : WSSVerification.RSA_SHA1
ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

// Set one or more candidates of the canonicalization method used for
// verification (step 2)
// DEFAULT : WSSVerification.EXC_C14N
ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);

// Set the part to be specified by WSSVerifyPart
WSSVerifyPart verPart = factory.newWSSVerifyPart();

// Set the part to be specified by the keyword
verPart.setRequiredVerifyPart(WSSVerification.BODY);

// Set the candidates of transform methods to use for verification (step 3)
// DEFAULT : WSSVerifyPart.TRANSFORM_EXC_C14N
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

// Set the candidates of digest methods to use for verification (step 4)
// DEFAULT : WSSVerifyPart.SHA1
verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

// Set WSSVerifyPart to WSSVerification
ver.addRequiredVerifyPart(verPart);

// Add the WSSVerification to the WSSConsumingContext
concont.add(ver);

// Validate the WS-Security header
concont.process(msgcontext);
```
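To show what the allowed-method candidates in the sample mean at the message level, the following added example (not IBM code and not part of the WSS API) uses only the JDK DOM parser to compare the `Algorithm` URIs declared in a `<ds:SignedInfo>` element against the same four allow-lists. The class name, method name, and sample XML are constructed for illustration; the URIs are the standard XML-Signature and WS-Security identifiers for the algorithms named above. It checks declared algorithms only and does not validate the signature itself.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class AllowedAlgorithmCheck {  // hypothetical class, for illustration only
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String STRT = "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-soap-message-security-1.0#STR-Transform";
    // Receiver policy from the sample: element name -> permitted Algorithm URIs
    static final Map<String, Set<String>> ALLOWED = Map.of(
        "SignatureMethod", Set.of(DS + "hmac-sha1"),
        "CanonicalizationMethod", Set.of(
            "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", "http://www.w3.org/2001/10/xml-exc-c14n#"),
        "Transform", Set.of(STRT),
        "DigestMethod", Set.of("http://www.w3.org/2001/04/xmlenc#sha256"));

    /** Returns every declared algorithm that is not on the receiver's allow-list. */
    static List<String> violations(String signedInfoXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(signedInfoXml.getBytes(StandardCharsets.UTF_8)));
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : ALLOWED.entrySet()) {
            NodeList nodes = doc.getElementsByTagNameNS(DS, e.getKey());
            for (int i = 0; i < nodes.getLength(); i++) {
                // A missing Algorithm attribute yields "", which is never allowed
                String alg = ((Element) nodes.item(i)).getAttribute("Algorithm");
                if (!e.getValue().contains(alg)) bad.add(e.getKey() + ": " + alg);
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the sender used a SHA-1 digest, but the receiver allows only SHA-256
        String xml = "<ds:SignedInfo xmlns:ds='" + DS + "'>"
            + "<ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>"
            + "<ds:SignatureMethod Algorithm='" + DS + "hmac-sha1'/>"
            + "<ds:Reference URI='#body'><ds:Transforms>"
            + "<ds:Transform Algorithm='" + STRT + "'/></ds:Transforms>"
            + "<ds:DigestMethod Algorithm='" + DS + "sha1'/>"
            + "<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>";
        System.out.println(violations(xml));
    }
}
```

The single violation reported for the sample is the digest method, which is the sender and receiver mismatch that the digest algorithm row of the table warns about.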
You have completed configuring the signature verification algorithms. Next, configure the encryption or decryption algorithms, if not already configured. Or, configure the security token information, as needed.