Digital Signing/verification

Has anyone created a test sequence to create a digital signature (SOAP format) and then read in an XML document with that signature and get a positive verification?

I have created a signature OK, but the SOAP XML contains loads of empty namespaces and redundant namespaces, and when you try to verify the signature all the output properties are false, indicating a failure…

I tried to tidy up the XML but still no joy.

I have attached the signing sequence (if switch to sign or verify) and the original unsigned XML that I ran through the sign branch, then copied the output of that into the signed XML and tried to verify it…

Any help would be much appreciated.
SigningSequence.zip (2.83 KB)

Hi,

Did you try running the samples that are shipped along with the product? They do what you are trying. They do generate empty namespaces; please don’t remove them, as it may invalidate the digital signature. How did you store the signed sequence into the file? There is a possibility that your whitespace characters are getting lost during the store/retrieval process. Can you try running your input SOAP message under Samples and see whether it works?

Regards,
-Kalpesh.

SOAP signing sample works OK, but with three questions…

  1. The following three properties are set during verification of a digital signature:
    xbd.verifier.status.core
    xbd.verifier.status.sign
    xbd.verifier.status.cert

and the documentation implies all should be true for a valid signature verification. The sample only checks the “xbd.verifier.status.core” property for being true; do I need to check all three or just the core property?

  2. The sample creates a signed SOAP message in a particular way (includes empty namespaces and repeats the SOAP-SEC and SOAP-ENV namespaces against all security nodes), but a message from another source may not have these namespaces expressed in this way; will it matter to the verifier?

  3. What would we have to do to verify a dsa-sha256 signature method rather than the three choices you get in the signer, or does it only need to be referenced in the signed message and the verifier will handle it?

***** Question 2 above may not be that clear, but I basically want to be sure that if the incoming message is created along the SOAP and SOAP security extensions definitions then we will be able to verify the signature, not that we have to mandate how you use namespaces, as they can be expressed at a higher level than is shown in the signer output and empty namespaces not used at all.

The attached file is what the signer produces, but as you can see it’s not the best use of namespaces.

Thanks for any help.
Signed_with.xml (9.41 KB)

Hi,

  1. Checking for .core should be sufficient; the other two indicate the status of the certificate and of the signature itself.

  2. The presence of these namespaces need not matter to the verifier. As long as the message is valid, the verifier should be okay.

  3. We have not tried it, but in theory it should be okay. If it does not work, you may want to consider adding security providers for your JDK.

Also, I am not sure how you plan to use the verifier. If you plan to verify messages to the SOAP Portal, you can also consider using Vordel. More information on this can be obtained from support/sales.

Regards,
-Kalpesh.
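The namespace and whitespace behaviour discussed in the posts above (the advice not to strip the signer's namespace declarations or let whitespace get lost in the store/retrieve path, and the question of whether a message with a different namespace layout will still verify) comes down to the canonicalization step of XML Signature: the DigestValue in each ds:Reference is computed over the canonical form of the referenced data, so anything the named canonicalization algorithm discards cannot break verification, and anything it keeps must arrive byte-for-byte intact. The DigestMethod and SignatureMethod URIs in the message likewise tell the verifier which hash to run; a verifier with no implementation for that URI can only fail the check. The following is an added example, not code from this thread or from the product; it uses the Python standard library's C14N 2.0 implementation, whose namespace handling matches Exclusive C14N (a declaration is emitted only where its prefix is actually used, so unused and repeated xmlns declarations disappear, while text nodes and the whitespace between elements are kept). The SOAP message, the `extra` prefix and the helper names are constructed for the example.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# ds:DigestMethod/@Algorithm URIs (XML Signature / XML Encryption) mapped to the
# hash the verifier must apply. A URI with no entry here cannot be verified.
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
}
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"


def canonical_bytes(xml_text: str) -> bytes:
    """Canonical XML 2.0 from the stdlib: xmlns declarations only where a prefix
    is visibly used, attributes sorted, text and inter-element whitespace kept."""
    return ET.canonicalize(xml_text, strip_text=False).encode("utf-8")


def digest_value(xml_text: str, algorithm_uri: str) -> str:
    """Base64 digest of the canonical form, as it would sit in ds:DigestValue."""
    hasher = DIGEST_ALGORITHMS[algorithm_uri]
    return base64.b64encode(hasher(canonical_bytes(xml_text)).digest()).decode("ascii")


def reference_is_valid(xml_text: str, algorithm_uri: str, expected_digest: str) -> bool:
    """Per-Reference check a verifier performs: recompute the digest and compare.
    An unsupported DigestMethod is reported as a failure, never assumed valid."""
    if algorithm_uri not in DIGEST_ALGORITHMS:
        return False
    return digest_value(xml_text, algorithm_uri) == expected_digest


# Constructed sample in the "signer style": both prefixes are declared again on
# the Body even though the Envelope already declares them.
SIGNER_STYLE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"\n'
    '    xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12">\n'
    '  <SOAP-ENV:Body xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"\n'
    '      xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12"\n'
    '      SOAP-SEC:id="Body">\n'
    '    <Order>  Widget 42  </Order>\n'
    '  </SOAP-ENV:Body>\n'
    '</SOAP-ENV:Envelope>\n'
)

# Same message as a sender "from another source" might write it: every prefix
# declared once at the top, plus an "extra" namespace that is never used.
TIDY = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:SOAP-SEC="http://schemas.xmlsoap.org/soap/security/2000-12" '
    'xmlns:extra="urn:example:never-used">\n'
    '  <SOAP-ENV:Body SOAP-SEC:id="Body">\n'
    '    <Order>  Widget 42  </Order>\n'
    '  </SOAP-ENV:Body>\n'
    '</SOAP-ENV:Envelope>\n'
)


def whitespace_normalized(xml_text: str) -> str:
    """Simulate a store/retrieve or pretty-print path that collapses whitespace
    runs. Well-formed XML still, but a different document to the canonicalizer."""
    return " ".join(xml_text.split())


if __name__ == "__main__":
    print(canonical_bytes(SIGNER_STYLE).decode("utf-8"))
    for label, doc in (("signer style", SIGNER_STYLE), ("tidy", TIDY),
                       ("whitespace lost", whitespace_normalized(SIGNER_STYLE))):
        print(f"{label:16} sha256 DigestValue = {digest_value(doc, SHA256)}")
```

Both namespace layouts canonicalize to the same bytes and therefore the same DigestValue, whereas the whitespace-normalized copy does not, which is the failure mode the advice about storing the signed message points at. The caveat is the algorithm named in ds:CanonicalizationMethod and in each ds:Transform: the original Inclusive C14N (xml-c14n-20010315) renders every namespace declaration in scope, so with that algorithm an unused or relocated declaration does change the digest, and a verifier must apply exactly the algorithm the message names rather than the one its own signer happens to emit.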

We want to be able to receive XML messages in SOAP format, including the digital signature section, through a number of channels (as an attachment to email, via EntireX Broker or via Web Service) and verify the digital signature before routing the message.

Do you generally have to buy the extra signature provider jars for inclusion into mediator ?

No, generally you don’t need to buy them. The signature component provided in the product could do the job for you.

Has anyone implemented a digest and algorithm for SHA256 to allow Orchestrator to verify a signature generated with this algorithm?