Ws Security signature verification - follow up question

I have attempted to utilize https://github.com/DinoChiesa/Apigee-Java-WsSec-Signature-2 and was wondering if the cited limitation of this Java callout package is being planned to be updated to enable validation of certificates which use SHA-256 thumbprints?

Bugs

  • Limitation: The Sign callout always uses XML Canonicalization, never uses Transform.ENVELOPED.
  • The Validate callout cannot check the SHA-256 thumbprint of a signing certificate, only SHA-1.

@dchiesa1 requesting your advice and feedback for these query items; much appreciated!

Many thanks!



@pauljosh wrote:

wondering if the cited limitation of this Java callout package is being planned to be updated to enable validation of certificates which use SHA-256 thumbprints?


Ahh, I understand.  

I've updated the callout to also be able to validate SHA256 thumbprints. To get it, you configure it like this: 

<JavaCallout name='Java-WSSEC-Validate'>
  <Properties>
    <Property name='source'>message.content</Property>
    <Property name='max-lifetime'>10m</Property>
    <Property name='require-expiry'>true</Property>
    <Property name='accept-thumbprints-sha256'>ef3712c45743b3f4405f597a1f6173c4c7d0992eda38c0a3a42983d91a2cf489</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.wssecdsig.Validate</ClassName>
  <ResourceURL>java://apigee-wssecdsig-20230721.jar</ResourceURL>
</JavaCallout>

The thumbprint must be hex-encoded.  You need to pull the latest version from github to get this capability. Let me know how it goes.
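For anyone wiring up the `accept-thumbprints-sha256` property above, the value is the hex-encoded SHA-256 digest of the signing certificate's DER encoding (what `X509Certificate.getEncoded()` yields in Java, and what `openssl x509 -noout -fingerprint -sha256` prints, colon-separated). The following is an added example, not code from the Apigee-Java-WsSec-Signature-2 callout or from this thread: it computes that thumbprint with the Python standard library and performs the kind of allow-list check the Validate callout does against the configured value. The certificate bytes are constructed stand-ins (any byte string exercises the same hashing path), the function names are the example's own, and the colon/whitespace tolerance in `normalize_hex` is a convenience of this example; the post only states that the callout's value must be hex-encoded.

```python
"""Added example (not the callout's own code): compute a certificate's hex
thumbprint and check it against an allow-list of SHA-256 thumbprints."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for DER-encoded certificate bytes. A thumbprint is the
# hash of the DER encoding, so the code path is identical for a real cert.
SAMPLE_DER = b"constructed-DER-bytes-not-a-real-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(der: bytes, algorithm: str = "sha256") -> str:
    """Lowercase hex digest of the DER bytes; 'sha256' (64 hex chars) or 'sha1' (40)."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("unsupported thumbprint algorithm")
    return hashlib.new(algorithm, der).hexdigest()


def normalize_hex(value: str) -> str:
    """Turn 'EF:37:12', 'ef 37 12' or 'ef3712' into plain lowercase hex.
    This leniency is the example's own assumption, not documented callout behaviour."""
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned):
        raise ValueError("thumbprint is not hex-encoded")
    return cleaned


def is_accepted(der: bytes, accepted_sha256: list) -> bool:
    """True if the certificate's SHA-256 thumbprint appears in the allow-list.
    Each comparison is constant-time; a SHA-1-length value can never match."""
    actual = thumbprint(der, "sha256")
    for entry in accepted_sha256:
        candidate = normalize_hex(entry)
        if len(candidate) == len(actual) and hmac.compare_digest(candidate, actual):
            return True
    return False


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("sha256 thumbprint:", thumbprint(der))
    print("sha1 thumbprint:  ", thumbprint(der, "sha1"))
    print("accepted:", is_accepted(der, [thumbprint(der)]))
```

Run it against a real PEM by passing the file contents to `pem_to_der`; the printed SHA-256 value is what belongs in the `accept-thumbprints-sha256` property. The length guard in `is_accepted` is deliberate: pasting a SHA-1 thumbprint into the SHA-256 list fails closed rather than silently matching nothing in a way that is hard to spot.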