Digital signing methods using the WSSSignature API
You can configure the signing information for the generator binding using the WSS API. To configure the client for request signing, choose the digital signing methods. These consist of two algorithm methods: the signature method and the canonicalization method.
You must configure generator signing information to protect message integrity by digitally signing SOAP messages. Integrity refers to digital signature while confidentiality refers to encryption. Integrity decreases the risk of data modification when you transmit data across a network.
After you have specified which message parts to digitally sign, you must specify which method is used to digitally sign the message.
Methods
- Signature method: Sets the signature algorithm method.
- Canonicalization method: Sets the canonicalization algorithm method.
Signature algorithms
The signature algorithms specify the algorithm that is used to sign the certificate. The signature algorithms specify the Uniform Resource Identifiers (URI) of the signature method. WebSphere® Application Server supports the following pre-configured algorithms:
| Algorithm | Description |
|---|---|
| WSSSignature.HMAC_SHA1 | URI of the HMAC signature algorithm: http://www.w3.org/2000/09/xmldsig#hmac-sha1 |
| WSSSignature.RSA_SHA1 (the default value) | URI of the RSA signature algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
For the WSS APIs, WebSphere Application Server does not support the DSA-SHA1 algorithm (http://www.w3.org/2000/09/xmldsig#dsa-sha1).
The signing algorithm that is specified for the request generator configuration must match the algorithm that is specified for the request consumer configuration.
Canonicalization algorithms
The canonicalization algorithms specify the Uniform Resource Identifiers (URI) of the canonicalization method. WebSphere Application Server supports the following pre-configured algorithms:
| Algorithm | Description |
|---|---|
| WSSSignature.EXC_C14N (the default value) | URI of the exclusive canonicalization algorithm, EXC_C14N: http://www.w3.org/2001/10/xml-exc-c14n# |
| WSSSignature.C14N | URI of the inclusive canonicalization algorithm, C14N: http://www.w3.org/2001/10/xml-c14n# |
The canonicalization algorithm that is specified for the request generator configuration must match the algorithm that is specified for the request consumer configuration.
The following example provides sample WSS API code that specifies HMAC_SHA1 as the signature method and C14N as the canonicalization method:
```java
import com.ibm.websphere.wssecurity.callbackhandler.X509GenerateCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.WSSGenerationContext;
import com.ibm.websphere.wssecurity.wssapi.signature.WSSSignature;
import com.ibm.websphere.wssecurity.wssapi.token.SecurityToken;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;

// msgcontext is the SOAP message context of the outbound request,
// obtained from the client or handler before this code runs

// generate WSSFactory instance
WSSFactory factory = WSSFactory.getInstance();
// generate WSSGenerationContext instance
WSSGenerationContext gencont = factory.newWSSGenerationContext();
// generate callback handler that supplies the signing key from the sender key store
X509GenerateCallbackHandler callbackHandler = new X509GenerateCallbackHandler(
    "",                          // key store reference (empty: use the path below)
    "dsig-sender.ks",            // key store path
    "jks",                       // key store type
    "client".toCharArray(),      // key store password
    "soaprequester",             // alias of the signing key
    "client".toCharArray(),      // key password
    "CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP", // subject DN of the signing certificate
    null);                       // certificate stores (none)
// generate the security token used for the signature
SecurityToken token = factory.newSecurityToken(X509Token.class, callbackHandler);
// generate WSSSignature instance
WSSSignature sig = factory.newWSSSignature(token);
// set the canonicalization method
// DEFAULT: WSSSignature.EXC_C14N
sig.setCanonicalizationMethod(WSSSignature.C14N);
// set the signature method
// DEFAULT: WSSSignature.RSA_SHA1
sig.setSignatureMethod(WSSSignature.HMAC_SHA1);
// add the WSSSignature to the WSSGenerationContext
gencont.add(sig);
// generate the WS-Security header
gencont.process(msgcontext);
```
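Because the request consumer must accept the same signature and canonicalization methods that the generator uses, the following added example (not from the original page) shows the matching consumer-side configuration with the WSSVerification API; the X509ConsumeCallbackHandler arguments, the key store name and the certificate list are assumptions for illustration.

```java
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import com.ibm.websphere.wssecurity.callbackhandler.X509ConsumeCallbackHandler;
import com.ibm.websphere.wssecurity.wssapi.WSSConsumingContext;
import com.ibm.websphere.wssecurity.wssapi.WSSFactory;
import com.ibm.websphere.wssecurity.wssapi.token.X509Token;
import com.ibm.websphere.wssecurity.wssapi.verification.WSSVerification;

// msgcontext is the SOAP message context of the inbound request (obtained elsewhere,
// as in the generator sample)
WSSFactory factory = WSSFactory.getInstance();
WSSConsumingContext concont = factory.newWSSConsumingContext();

// Trusted certificates used to build the signer's certificate path
// (assumption: loaded elsewhere; left empty here for illustration)
List<X509Certificate> certList = new ArrayList<X509Certificate>();

// Callback handler for the receiver key store (names and arguments are assumptions)
X509ConsumeCallbackHandler callbackHandler = new X509ConsumeCallbackHandler(
    "dsig-receiver.ks",                   // key store path
    "jks",                                // key store type
    "server".toCharArray(),               // key store password
    certList,                             // trusted certificates
    Security.getProvider("IBMCertPath")); // certificate path provider

WSSVerification ver = factory.newWSSVerification(X509Token.class, callbackHandler);

// Require the body to be signed, so an unsigned request is rejected instead of accepted
ver.addRequiredVerifyPart(WSSVerification.BODY);

// Allowed canonicalization methods: must include what the generator uses (C14N above);
// the default allowed set is EXC_C14N only, so a C14N-signed request would otherwise fail
ver.addAllowedCanonicalizationMethod(WSSVerification.C14N);

// Allowed signature methods: must include what the generator uses (HMAC_SHA1 above);
// the default is RSA_SHA1 only. Allow only the methods the generator actually uses.
ver.addAllowedSignatureMethod(WSSVerification.HMAC_SHA1);

concont.add(ver);
// Verify the WS-Security header; an algorithm mismatch or a missing signature fails here
concont.process(msgcontext);
```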