Pubsecuritypkcs7verify service and Public Key

I am using signing and verify services for wM over http (and NOT https)…

My understanding was we need to use private key for signing and the source’s public key for verification.

But the pub.security.pkcs7:verify service does not use a public key to verify. I have successfully coded the verification service without the public key…

I am confused…

Rocky,
You only need the signer’s certificate/s for signature verification process. If you need to sign/decrypt the data then you can use the wm.public.security:setKeyAndChain to set the key/certificates before your calls and then call wm.public.security:clearKeyAndChain to clear the current key setting.

~tS

Thanks for the info…We are doing signing and verification over http…

I have successfully signed the source (using pub.security.pkcs7:sign) with the private key. At the target side I am verifying the signature using pub.security.pkcs7:verify service. But this service does NOT have “public key” Service-In in its input…

wm.public.security:setKeyAndChain and wm.public.security:clearKeyAndChain services might be used for handling multiple client certificates…

The question for me is – How can we use a public key to verify signature at the target side? (pub.security.pkcs7:verify service does not have any Service-In for public Key input)

Am I missing something ??

Rocky,
Public Key=Public Certificate=CertificateChain

You’d pass in the public key into the certificateChain/certificate list input to these services.

~tS

At the source side?

OK…I tried

  1. I tried adding the private key at the certchain (source).
  2. Adding the public key at the certchain (target).
     Verify service works…

But it works even if you take the above steps out

Rocky,
As I mentioned earlier, you do not need your private key for verification.
Not sure what you mean by source side?

~tS

I got my answer from webMethods…though I disagree with the fact that this is how it should work…

Question: Sign at source side (Private Key) and verification at the target (Public Key) over HTTP. My problem – the verify service does not have any pipeline-In to map the public key!!

Solution: The public key information is passed along with the signature. The sign/verify simply checks if the signature is modified after it leaves the source and before it reaches the target.

Where I disagree: Talking about the way sign/verify should work – the target must use the source’s explicit public key to verify the source signature. It’s like I am signing with my own signature (using my private key) to withdraw money from somebody else’s bank account and the bank verifies this transaction signature just fine…

What a bug !?

Rocky,

You are correct, it does seem counterintuitive to not always have to pass the public key in separately. However, with implicitly signed documents, the certificate is included.

The verify process extracts the certificate used to sign the document and this can be compared to the public certificate previously provided.

Verify is basically an integrity check. For checking out a good example of use, check out the samples wM provides, as well as checking out what wM does in their EDIINT receive process.
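The distinction drawn in the last answer, integrity-only verification with whatever certificate is embedded versus verification against the partner certificate provisioned out of band, as an added example that is not from this thread or from webMethods; it uses Go's standard library with a constructed envelope in place of real PKCS#7 ASN.1, and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SignedMessage stands in for an implicitly signed PKCS#7 blob (constructed, not real ASN.1):
// the signer's certificate travels with the content and the signature.
type SignedMessage struct {
	Content, SignerCertDER, Signature []byte
}

// NewIdentity makes a constructed self-signed certificate and key for the demo.
func NewIdentity(cn string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, priv, err
}

// Sign embeds the signer's own certificate, as pkcs7:sign does with the certificate chain.
func Sign(content, certDER []byte, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{content, certDER, ed25519.Sign(priv, content)}
}
// VerifyIntegrityOnly is the behaviour the thread describes: the signature is checked
// with whatever certificate is embedded, so any holder of any key pair passes.
func VerifyIntegrityOnly(m SignedMessage) bool {
	cert, err := x509.ParseCertificate(m.SignerCertDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, m.Content, m.Signature)
}

// VerifyFromPartner adds the check the thread asks for: the embedded certificate must be
// the partner certificate provisioned out of band, otherwise the message is rejected.
func VerifyFromPartner(m SignedMessage, partnerCertDER []byte) bool {
	return string(m.SignerCertDER) == string(partnerCertDER) && VerifyIntegrityOnly(m)
}
```

In a real deployment the comparison against the provisioned certificate (or a chain check to a trusted CA) is the step that turns the integrity check into an authenticity check.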