How to validate XML Signatures for authentication purposes & use XML Signatures to prove message integrity in Apigee?
The signature is located in the WS-Security block & the signing key is in block in the message.
Similar functionality to the one described here:
http://docs.oracle.com/cd/E39820_01/doc.11121/gateway_docs/content/content_integrity.html
Is there a sample to refer to in order to achieve this in Apigee?
Season’s Greetings @vinay poreddy! Excellent Question!
In my experience, I implemented this by leveraging a Java Callout Policy. The article Signing SOAP Messages - Generation of Enveloped XML Signatures provided some initial thoughts on how to achieve this. One of the challenging parts was reading the keys from a key store, since, for security reasons, Apigee Edge prevents access to the filesystem. However, this is achievable by storing these files in jar files and retrieving them as a file stream. Check the full example attached. Hope this sample helps to give you a head start.
    import java.io.InputStream;
    import java.io.PrintWriter;
    import java.io.StringWriter;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import org.apache.commons.io.IOUtils;
    import com.apigee.flow.execution.ExecutionContext;
    import com.apigee.flow.execution.ExecutionResult;
    import com.apigee.flow.execution.spi.Execution;
    import com.apigee.flow.message.MessageContext;

    public class XmlSignatureCallout implements Execution {

        public ExecutionResult execute(MessageContext messageContext, ExecutionContext executionContext) {
            try {
                org.apache.xml.security.Init.init(); // initialise Apache Santuario before any XML-DSig call
                // Edge blocks filesystem access, so the template and the keystore are packaged
                // inside the callout jar and read from the classpath as streams.
                InputStream fstream = this.getClass().getResourceAsStream("/templates/stockTemplate.xml"); // read stockTemplate.xml from the classpath
                InputStream kfstream = this.getClass().getResourceAsStream("/templates/keystore.jks");
                if (fstream == null || kfstream == null) {
                    throw new IllegalStateException("stockTemplate.xml or keystore.jks missing from the callout jar");
                }
                StringWriter writer = new StringWriter();
                IOUtils.copy(fstream, writer, "UTF-8");
                String theString = writer.toString();
                messageContext.setVariable("stockTemplateFileContent", theString); // assign file content to stockTemplateFileContent variable
                messageContext.setVariable("response.content", theString); // assign file content to response.content variable
                String keystoreType = "JKS";
                String keystorePass = "Password123";   // sample value; keep real passwords out of the jar (e.g. read them from the KVM)
                String privateKeyAlias = "mydomain";
                String privateKeyPass = "Password123";
                String certificateAlias = "mydomain";  // alias of the certificate placed in KeyInfo by the signing step
                KeyStore ks = KeyStore.getInstance(keystoreType);
                ks.load(kfstream, keystorePass.toCharArray());
                PrivateKey privateKey = (PrivateKey) ks.getKey(privateKeyAlias, privateKeyPass.toCharArray());
                fstream.close();
                kfstream.close();
                // privateKey and certificateAlias are now ready for the signing step shown in the attached full example
                return ExecutionResult.SUCCESS;
            } catch (Exception e) {
                StringWriter sw = new StringWriter();
                e.printStackTrace(new PrintWriter(sw));
                String exceptionAsString = sw.toString();
                messageContext.setVariable("ERROR_MESSAGE", exceptionAsString); // surface the stack trace as a flow variable for debugging
                return ExecutionResult.ABORT;
            }
        }
    }
Can you provide a sample proxy for reference?