Use the WSSVerification and WSSVerifyPart APIs to choose the signing verification methods. The request signing verification methods include the digest algorithm and the transport methods.
The following table describes the purpose of this information. Some of these definitions are based on the XML-Signature specification, which is located at the following website http://www.w3.org/TR/xmldsig-core.
Name of method | Purpose |
---|---|
Digest algorithm | Applies to the data after transforms are applied, if specified, to yield the <DigestValue> element. Signing the <DigestValue> element binds the resource content to the signer key. The algorithm selected for the client request sender configuration must match the algorithm selected in the client request receiver configuration. |
Transform algorithm | Applies to the <Transform> element. |
Signature algorithm | Specifies the Uniform Resource Identifiers (URI) of the signature verification method. |
Canonicalization algorithm | Specifies the Uniform Resource Identifiers (URI) of the canonicalization method. |
After configuring the client to digitally sign the message, you must configure the client to verify the digital signature. You can use the WSS APIs or configure policy sets using the administrative console to verify the digital signature and to choose the verification and verify part algorithms. If using the WSS APIs to configure, use the WSSVerification and WSSVerifyPart APIs to specify which digitally signed message parts to verify and to specify which algorithm methods to use when configuring the client for request signing.
The WSSVerification and WSSVerifyPart APIs perform the following steps to configure the signature verification and verify parts algorithm methods:
The following example provides sample WSS API code that specifies the verification information, the body as a part to be verified, the HMAC_SHA1 as a signature method, C14N and EXC_C14N as the candidates of canonicalization methods, TRANSFORM_STRT10 as a transform method, and SHA256 as a digest method.
// Get the message context
Object msgcontext = getMessageContext();
// Generate the WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();
// Generate the WSSConsumingContext instance
WSSConsumingContext concont = factory.newWSSConsumingContext();
// Generate the certificate list
String certpath = "intca2.cer";
// The location of the X509 certificate file
X509Certificate x509cert = null;
try {
InputStream is = new FileInputStream(certpath);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
x509cert = (X509Certificate)cf.generateCertificate(is);
} catch(FileNotFoundException e1){
throw new WSSException(e1);
} catch (CertificateException e2) {
throw new WSSException(e2);
}
Set<Object> eeCerts = new HashSet<Object>();
eeCerts.add(x509cert);
// Create the certStore
java.util.List<CertStore> certList = new
java.util.ArrayList<CertStore>();
CollectionCertStoreParameters certparam = new
CollectionCertStoreParameters(eeCerts);
CertStore cert = null;
try {
cert = CertStore.getInstance("Collection",
certparam,
"IBMCertPath");
} catch (NoSuchProviderException e1) {
throw new WSSException(e1);
} catch (InvalidAlgorithmParameterException e2) {
throw new WSSException(e2);
} catch (NoSuchAlgorithmException e3) {
throw new WSSException (e3);
}
if(certList != null ){
certList.add(cert);
}
// Generate the callback handler
X509ConsumeCallbackHandler callbackHandler = new
X509ConsumeCallbackHandler(
"dsig-receiver.ks",
"jks",
"server".toCharArray(),
certList,
java.security.Security.getProvider(
"IBMCertPath")
);
// Generate the WSSVerification instance
WSSVerification ver = factory.newWSSVerification(X509Token.class,
callbackHandler);
// Set one or more candidates of the signature method used for
// verification (step. 1)
// DEFAULT : WSSVerification.RSA_SHA1
ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);
// Set one or more candidates of the canonicalization method used for
// verification (step. 2)
// DEFAULT : WSSVerification.EXC_C14N
ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);
// Set the part to be specified by WSSVerifyPart
WSSVerifyPart verPart = factory.newWSSVerifyPart();
// Set the part to be specified by the keyword
verPart.setRequiredVerifyPart(WSSVerification.BODY);
// Set the candidates of digest methods to use for verification (step. 3)
// DEFAULT : WSSVerifypart.TRANSFORM_EXC_C14N : String
verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);
// Set the candidates of digest methods to use for verification (step. 4)
// DEFAULT : WSSVerifyPart.SHA1
verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);
// Set WSSVerifyPart to WSSVerification
ver.addRequiredVerifyPart(verPart);
// Add the WSSVerification to the WSSConsumingContext
concont.add(ver);
// Validate the WS-Security header
concont.process(msgcontext);
You have completed configuring the signature verification algorithms. Next, configure the encryption or decryption algorithms, if not already configured. Or, configure the security token information, as needed.