Server Signature Processing
Once the server receives the SOAP document, verify that the document is from the correct user and that it has not been altered in transit. Most SOAP engines are J2EE servlets and process all requests that arrive for a particular URL. If the SOAP Engine provides support for embedded XML-Signature documents, your work is pretty simple.
Currently, there is one SOAP engine that provides automatic digital signature support, WASP Advanced Server by Systinet. For all other cases, you'll need to intercept the SOAP document, extract the header element, and verify the signature prior to processing the SOAP request. To do this, use the SOAP toolkit, the cryptographic toolkit, and the PKI vendor. The verification steps are outlined below:
- Extract the header element from the SOAP message using the SOAP engine/toolkit.
- Get the contents of the SOAP body element (the original data that was signed) for use in verification.
- Parse the XML-Signature document to extract the public key, algorithm details, and signed data using the XML Parser (and possibly the cryptographic toolkit, if yours provides an API for handling XML-Signature documents).
- Verify the signature by creating the digest from the SOAP body element with the public key.
- (Optional) Retrieve the certificate from the certificate repository managed by the PKI.
- (Optional) Verify that the certificate is not on a Certificate Revocation List (CRL). This ensures that the associated key pair has not expired and the security of the private key has not been compromised.
Next, add the logic to sign the SOAP body element. The key gains access to the SOAP body element. Once the body element has been extracted from the SOAP document, it becomes the input for the XML-Signature document processing. The following code sample does this using Apache Axis and XML Security packages.
These instructions are for configuring Tomcat 4.04 Beta2 for use with the Apache Axis SOAP engine and the Apache XML Security package to enable the code samples to work. However, it is safe to assume that similar configuration is required for other SOAP engines and J2EE application servers.
- Download the Axis distribution. This has several dependencies, which are:
- Download a JAXP 1.1 compatible XML parser. Try Xerces2 Java Parser from Apache or the JAXP from Sun.
- Download the Apache-XML-Security-J 1.0.2 toolkit (this provides implementation for the "XML-Signature Syntax and Processing" recommendation, which is essentially the ability to create XML Digital Signature documents as well as encryption algorithms).
- Download a JCE provider implementation. Click here for a list of open-source JCE implementations.
Configure Tomcat (Version 4.04) by adding the following jars to the webapps/axis/web-inf/lib directory:
Add these jar files to your client classpath environment variable as well.
- xmlsec.jar (XMLSecurity class files)
- JCE jar file (if you are using the Bouncy Castle JCE provider, it requires you to actually create the JAR since the distribution comes with a directory of class files).
- Logger jar file (bundled with XMLSecurity project) Replace the log4j-core.jar that is part of Axis with the jakarta-log4j-1.2beta2.jar from XMLSecurity.
- XML Parser jar files (bundled with XMLSecurity project)
- xalan.jar (bundled with XMLSecurity project)
- xml-apis.jar (bundled with XMLSecurity project)