Selecting verify part methods with the WSSVerifyPart API

You can use the WSS API to configure signature verification information for the consumer binding. The transform algorithm and the digest method are used by the consumer binding, and the WSSVerifyPart API is used to configure them. The WSSVerifyPart API is provided in the com.ibm.websphere.wssecurity.wssapi.verification package.

To configure consumer verify part information to protect message integrity, the message must first be digitally signed; the consumer then verifies the signature and the signed parts of the SOAP message. Integrity refers to digital signatures, whereas confidentiality refers to encryption. Ensuring integrity reduces the risk that data is modified while it travels across the network.

Methods

The following methods configure how a signed part is verified:
Digest method
Sets the digest method.
Transform method
Sets the transform algorithm.

Digest algorithm

The digest method algorithm specified in the <DigestMethod> element of each signed reference is used. WebSphere® Application Server supports the following preconfigured digest algorithms:

Table 1. Verify part digest methods. Use verify parts to protect message integrity.
Digest method: Description
WSSVerifyPart.SHA1 (default): URI of the SHA1 digest algorithm, http://www.w3.org/2000/09/xmldsig#sha1
WSSVerifyPart.SHA256: URI of the SHA256 digest algorithm, http://www.w3.org/2001/04/xmlenc#sha256
WSSVerifyPart.SHA512: URI of the SHA512 digest algorithm, http://www.w3.org/2001/04/xmlenc#sha512

The digest methods added with addAllowedDigestMethod are the candidates a received signature may use; only a reference that names one of these candidates is accepted. SHA1 is the default for compatibility with older signers; SHA-1 is deprecated as a digest algorithm, so for new deployments add SHA256 or SHA512 and leave SHA1 out of the candidate list.

Transform algorithm

The transform algorithm is specified in the <Transform> element and names the transform applied to the signed part before its digest is computed. WebSphere Application Server supports the following preconfigured transform algorithms:

Table 2. Verify part transform methods. Use verify parts to protect message integrity.
Transform method: Description
WSSVerifyPart.TRANSFORM_ENVELOPED_SIGNATURE: URI of the enveloped signature transform, http://www.w3.org/2000/09/xmldsig#enveloped-signature
WSSVerifyPart.TRANSFORM_STRT10: URI of the STR transform, http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform
WSSVerifyPart.TRANSFORM_EXC_C14N (default): URI of the Exc-C14N transform, http://www.w3.org/2001/10/xml-exc-c14n#
WSSVerifyPart.TRANSFORM_XPATH2_FILTER: URI of the XPath2 filter transform, http://www.w3.org/2002/06/xmldsig-filter2

For the WSS API, WebSphere Application Server does not support the following transform algorithms:
  • http://www.w3.org/TR/1999/REC-xpath-19991116
  • http://www.w3.org/2002/07/decrypt#XML
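The tables above define candidate lists, and the security-relevant behaviour is that a received ds:Reference whose DigestMethod or Transform is not in the configured candidates must fail, while a required part that is not covered by any reference must also fail. The following is an added, stand-alone Python illustration of that allow-list step over a constructed ds:Signature; it is not IBM code and not the WSS API. VerifyPartPolicy, check_signed_info and the sample XML are hypothetical, and the block deliberately stops before digest recomputation and signature checking, which in WebSphere are done by WSSVerification after the candidate check passes.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Algorithm URIs exactly as listed in Table 1 and Table 2 of this page.
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"
TRANSFORM_ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
TRANSFORM_STRT10 = ("http://docs.oasis-open.org/wss/2004/01/"
                    "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
TRANSFORM_EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
TRANSFORM_XPATH2_FILTER = "http://www.w3.org/2002/06/xmldsig-filter2"
# Transforms the page lists as unsupported by the WSS API: never allow-list these.
UNSUPPORTED_TRANSFORMS = {
    "http://www.w3.org/TR/1999/REC-xpath-19991116",
    "http://www.w3.org/2002/07/decrypt#XML",
}


class VerifyPartPolicy:
    """Hypothetical stand-in for one WSSVerifyPart: a required part plus the
    candidate digest methods and transforms a signature over it may use."""

    def __init__(self, required_uri, digests=(SHA1,), transforms=(TRANSFORM_EXC_C14N,)):
        self.required_uri = required_uri      # e.g. "#body" for the SOAP Body
        self.digests = set(digests)           # default mirrors WSSVerifyPart.SHA1
        self.transforms = set(transforms)     # default mirrors TRANSFORM_EXC_C14N
        if self.transforms & UNSUPPORTED_TRANSFORMS:
            raise ValueError("transform not supported by the WSS API")


def check_signed_info(signature_xml, policy):
    """Allow-list the algorithms named in every ds:Reference of a ds:Signature.

    Returns (ok, reasons). This is only the algorithm-selection step: a real
    consumer must still recompute each DigestValue after applying the transforms
    and verify SignatureValue against a trusted key."""
    root = ET.fromstring(signature_xml)
    reasons = []
    required_seen = False
    for ref in root.iter(DS + "Reference"):
        uri = ref.get("URI", "")
        if uri == policy.required_uri:
            required_seen = True
        digest = ref.find(DS + "DigestMethod")
        alg = digest.get("Algorithm") if digest is not None else None
        if alg not in policy.digests:
            reasons.append(f"{uri}: digest method {alg} is not an allowed candidate")
        for tr in ref.iter(DS + "Transform"):
            t = tr.get("Algorithm")
            if t not in policy.transforms:
                reasons.append(f"{uri}: transform {t} is not an allowed candidate")
    if not required_seen:
        reasons.append(f"required part {policy.required_uri} is not covered by any reference")
    return (not reasons, reasons)


# Constructed sample signatures; digest and signature values are placeholders.
GOOD = f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{TRANSFORM_EXC_C14N}"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#body">
      <ds:Transforms><ds:Transform Algorithm="{TRANSFORM_EXC_C14N}"/></ds:Transforms>
      <ds:DigestMethod Algorithm="{SHA256}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
</ds:Signature>"""

# Signs only the timestamp, with SHA1 and the XPath 1.0 transform the page rejects.
BAD = f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:Reference URI="#timestamp">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
          <ds:XPath>//*</ds:XPath>
        </ds:Transform>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="{SHA1}"/>
      <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
</ds:Signature>"""

# Mirrors the page's sample configuration: SHA256, Exc-C14N or STR, Body required.
STRICT = VerifyPartPolicy("#body", digests=(SHA256,),
                          transforms=(TRANSFORM_EXC_C14N, TRANSFORM_STRT10))

if __name__ == "__main__":
    print(check_signed_info(GOOD, STRICT))
    print(check_signed_info(BAD, STRICT))
    print(check_signed_info(GOOD, VerifyPartPolicy("#body")))
```

The third call shows why the page's sample adds SHA256 explicitly: with only the defaults (SHA1 and Exc-C14N) a SHA256 signature over the Body is rejected even though it is stronger, because candidates are matched exactly, not ranked.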

The following example provides sample WSS API code that verifies the body using SHA256 as the digest method and TRANSFORM_EXC_C14N and TRANSFORM_STRT10 as the transform methods:

    // Imports required to compile the sample. WSSVerifyPart and WSSVerification
    // come from the verification package named above; the other WSS API classes
    // are in com.ibm.websphere.wssecurity.wssapi and its subpackages.
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import java.security.cert.CertStore;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.CollectionCertStoreParameters;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
    import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
    import com.ibm.websphere.wssecurity.wssapi.WSSException;
    import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
    import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
    import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;
    import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerifyPart;

    // msgcontext is the inbound message context obtained from the surrounding
    // handler (the original sample called getMessageContext()).
    public void verifyBody(Object msgcontext) throws WSSException {

        // generate WSSFactory instance
        WSSFactory factory = WSSFactory.getInstance();

        // generate WSSConsumingContext instance
        WSSConsumingContext concont = factory.newWSSConsumingContext();

        // load the intermediate CA certificate used to build the cert path
        String certpath = "intca2.cer"; // the location of the X509 certificate file
        X509Certificate x509cert = null;
        InputStream is = null;
        try {
            is = new FileInputStream(certpath);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            x509cert = (X509Certificate) cf.generateCertificate(is);
        } catch (FileNotFoundException e1) {
            throw new WSSException(e1);
        } catch (CertificateException e2) {
            throw new WSSException(e2);
        } finally {
            if (is != null) {
                try { is.close(); } catch (IOException ignored) { }
            }
        }

        Set<Object> eeCerts = new HashSet<Object>();
        eeCerts.add(x509cert);

        // create the CertStore holding the trusted CA certificate
        List<CertStore> certList = new ArrayList<CertStore>();
        CollectionCertStoreParameters certparam = new CollectionCertStoreParameters(eeCerts);
        CertStore cert = null;
        try {
            cert = CertStore.getInstance("Collection", certparam, "IBMCertPath");
        } catch (NoSuchProviderException e1) {
            throw new WSSException(e1);
        } catch (InvalidAlgorithmParameterException e2) {
            throw new WSSException(e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new WSSException(e3);
        }
        certList.add(cert);

        // generate callback handler: keystore with the signer's trust anchors,
        // keystore type, keystore password, cert stores and cert path provider
        X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
                "dsig-receiver.ks",
                "jks",
                "server".toCharArray(),
                certList,
                java.security.Security.getProvider("IBMCertPath"));

        // generate WSSVerification instance
        WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

        // set one or more candidates of the signature method used for the
        // verification (step 1)
        // DEFAULT : WSSVerification.RSA_SHA1
        ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

        // set one or more candidates of the canonicalization method used
        // for the verification (step 2)
        // DEFAULT : WSSVerification.EXC_C14N
        ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);
        ver.addAllowedCanonicalizationMethod(WSSVerification.EXC_C14N);

        // create the part to be specified by WSSVerifyPart
        WSSVerifyPart verPart = factory.newWSSVerifyPart();

        // set the part to be specified by the keyword
        verPart.setRequiredVerifyPart(WSSVerification.BODY);

        // set the candidates of transform methods to use for verification (step 3)
        // DEFAULT : WSSVerifyPart.TRANSFORM_EXC_C14N
        verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_EXC_C14N);
        verPart.addAllowedTransform(WSSVerifyPart.TRANSFORM_STRT10);

        // set the candidates of digest methods to use for verification (step 4)
        // DEFAULT : WSSVerifyPart.SHA1
        verPart.addAllowedDigestMethod(WSSVerifyPart.SHA256);

        // set WSSVerifyPart to WSSVerification
        ver.addRequiredVerifyPart(verPart);

        // add the WSSVerification to the WSSConsumingContext
        concont.add(ver);

        // validate the WS-Security header
        concont.process(msgcontext);
    }

Reference topic
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rwbs_wssverifypartalgorithms
File name: rwbs_wssverifypartalgorithms.html