Quick Review: Ajax
Implementing WS-Security

Let's look at the elements that make up the Signed Content portion of the message. Line 5, <CanonicalizationMethod Algorithm=""/>, identifies the canonicalization algorithm that is used to create a canonicalized form of the information being signed, in this case the digest. This step is needed because of the nature of XML documents and the programming tools that work with them. XML documents can, in some cases, have slight textual differences yet be essentially the same logical document. Small variations in the way comments are represented, or in the way an XML parser handles line delimiters when serializing/deserializing an XML data structure, can create slightly different binary representations of the same content. If the algorithm that verifies the digital signature were run against a slightly different serialized version of the data, the result could be a failure when it should be a pass.

To avoid this problem, the document is first transformed into its canonicalized form by a canonicalization algorithm. The algorithm used here is an implementation of the W3C Exclusive XML Canonicalization Version 1.0 specification (see Resources), a W3C recommendation. This gives us a consistent binary representation that can be correctly compared and thus yields the correct result.

Line 6, <SignatureMethod Algorithm=""/>, indicates the Signature Method Algorithm. This is the algorithm that converts the output of the canonicalization algorithm into the Signature Value. Our signature algorithm is a combination of a key-dependent algorithm (RSA) and a hash algorithm (SHA1). This algorithm is an implementation of the RSASSA-PKCS1-v1_5 specification described in W3C RFC 2437 (see Resources).

Line 7, <Reference URI="#sign_content_1043176028580">, indicates the Reference element. The optional URI attribute of Reference identifies the data object that was signed. The Reference block includes the algorithm used to compute the digest, the digest value that was computed, and the final transform that is performed before computing the digest value. Lines 8-10, <Transforms> <Transform Algorithm=""/> </Transforms>, indicate the transformation algorithm, while lines 11 and 12 specify the digest algorithm and the computed digest value: <DigestMethod Algorithm="09/xmldsig#sha1"/> <DigestValue>FLuQTa/LqDIZ5F2JSaMRHSRuaiQ=</DigestValue>.

In our application, the Transform algorithm is once again the W3C Exclusive XML Canonicalization algorithm discussed above. The method used to compute the digest, the Secure Hash Algorithm, is part of the U.S. Department of Commerce/National Institute of Standards and Technology’s Secure Hash standard.

Lines 15-16, <SignatureValue>kGlrrXjKku/WXKxID+JJkEXY+aGNYHc5dy8GwbLFtB5Msll2/MhwdnO9wastJ0gLPzLy3oHL7A8ggkMkjgAqnLg6PTzM7MdKoIAhe+xRHdOysamGucFJQRMrU+JQ4WATJt0bpdClwJy6mexTSu48mq1q5rM9YZh61P7UEUKt+EQ=</SignatureValue>, contain the signature value, which is actually the encrypted digest value. This value is the output of the Signature Method Algorithm indicated on line 6.

Keys

Lines 20-48 introduce the concept of keys. A key is used to mathematically transform a normal, readable text message into an unreadable one for transmission across the Internet. Our Web service uses a public/private key pair (two mathematically related keys), that is, an asymmetric key encryption scheme. One of these keys is kept secret: the private key. In our application, the Web service requester signs the digest with its private key before sending the document to the service provider.
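The pipeline described above, from the Transform and DigestValue of the Reference through signing the SignedInfo with the requester's private key and checking it with the public key, as an added Python example that is not code from the article or its Web service. It assumes ElementTree's C14N 2.0 (Python 3.8+) as a stand-in for Exclusive C14N 1.0, textbook RSA on a toy key in place of RSASSA-PKCS1-v1_5, placeholder Algorithm URIs, and constructed sample documents.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed sample: two serialisations of the same logical payload. BODY_B differs
# only in attribute order, quoting, spacing, a comment and CRLF line delimiters.
BODY_A = '<Body Id="sign_content_1">\n<Order id="A1" qty="2">10 units</Order>\n</Body>'
BODY_B = "<Body Id='sign_content_1'>\r\n<Order qty='2'   id='A1'><!-- c -->10 units</Order>\r\n</Body>"

def canonicalize(xml_text):
    # Stand-in for Exclusive XML C14N 1.0: ElementTree's C14N 2.0 (Python 3.8+). It
    # drops comments and orders attributes, so both variants yield the same bytes.
    return ET.canonicalize(xml_text, with_comments=False).encode()

def digest_value(xml_text):
    # <Transform> (canonicalise) then <DigestMethod> SHA-1, base64 as in <DigestValue>.
    return base64.b64encode(hashlib.sha1(canonicalize(xml_text)).digest()).decode()

def signed_info(uri, dv):
    # The element the signature covers; the Algorithm URIs here are placeholders.
    return ('<SignedInfo><CanonicalizationMethod Algorithm="exc-c14n"/>'
            '<SignatureMethod Algorithm="rsa-sha1"/>'
            f'<Reference URI="{uri}"><DigestMethod Algorithm="sha1"/>'
            f'<DigestValue>{dv}</DigestValue></Reference></SignedInfo>')

# Toy RSA key from the Mersenne primes 2^89-1 and 2^107-1: N has 196 bits, so a
# 160-bit SHA-1 value fits unreduced. Textbook RSA, no RSASSA-PKCS1-v1_5 padding.
P, Q, E = (1 << 89) - 1, (1 << 107) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8

def _signed_info_hash(signed_info_xml):
    return int.from_bytes(hashlib.sha1(canonicalize(signed_info_xml)).digest(), "big")

def sign(signed_info_xml):
    # <SignatureValue>: private-key transform of SHA-1(canonical SignedInfo), base64.
    s = pow(_signed_info_hash(signed_info_xml), D, N)
    return base64.b64encode(s.to_bytes(SIG_LEN, "big")).decode()

def verify(body_xml, signed_info_xml, signature_value):
    # Step 1: re-apply transform + digest to the referenced data, compare to <DigestValue>.
    ref_dv = ET.fromstring(signed_info_xml).find("Reference/DigestValue").text
    if ref_dv != digest_value(body_xml):
        return False
    # Step 2: recover the digest with the public key, compare with SignedInfo's own hash.
    s = int.from_bytes(base64.b64decode(signature_value), "big")
    return pow(s, E, N) == _signed_info_hash(signed_info_xml)
```

Verification has two independent checks: a changed body fails the Reference digest, and a changed SignedInfo (for example a swapped Reference URI) fails the public-key check even though the body digest still matches.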

June 2008 | Java Jazz Up |30