I have attempted to utilize https://github.com/DinoChiesa/Apigee-Java-WsSec-Signature-2 (GitHub - DinoChiesa/Apigee-Java-WsSec-Signature-2: 2nd implementation of a Java callout that performs WS-Security Signing and Validating) and was wondering if the cited limitation of this Java callout package is planned to be updated to enable validation of certificates which use SHA-256 thumbprints?
Bugs
- Limitation: The Sign callout always uses XML Canonicalization, never uses Transform.ENVELOPED.
- The Validate callout cannot check the SHA-256 thumbprint of a signing certificate, only SHA-1.
@dchiesa1 requesting your advice and feedback on these query items; much appreciated!
Many thanks!
Ahh, I understand.
I’ve updated the callout to also be able to validate SHA256 thumbprints. To get it, you configure it like this:
```xml
<JavaCallout name='Java-WSSEC-Validate'>
  <Properties>
    <Property name='source'>message.content</Property>
    <Property name='max-lifetime'>10m</Property>
    <Property name='require-expiry'>true</Property>
    <Property name='accept-thumbprints-sha256'>ef3712c45743b3f4405f597a1f6173c4c7d0992eda38c0a3a42983d91a2cf489</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.wssecdsig.Validate</ClassName>
  <ResourceURL>java://apigee-wssecdsig-20230721.jar</ResourceURL>
</JavaCallout>
```
The thumbprint must be hex-encoded. You need to pull the latest version from GitHub to get this capability. Let me know how it goes.
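As an added example (shell, not code from the callout or its author): how to derive the hex-encoded SHA-256 thumbprint of a signing certificate in the form the accept-thumbprints-sha256 property above takes, and how to check a certificate against such an accept list. Lowercase hex with no separators is assumed from the value shown in the config, and the openssl CLI is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the callout project. The SHA-256 thumbprint of
# a certificate is SHA-256 over its DER encoding; the config above shows it
# as 64 lowercase hex chars with no colons (formatting assumed from that value).

# thumbprint_sha256 CERT.pem -> prints the SHA-256 thumbprint as lowercase hex.
thumbprint_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}' | tr 'A-F' 'a-f'
}

# Same value via openssl's own fingerprint output ("SHA256 Fingerprint=AB:CD:...");
# a cross-check that hashing the DER bytes is the right computation.
thumbprint_sha256_via_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalise a thumbprint copied from elsewhere (browser UI, keytool): drop
# colons and spaces, lowercase, and insist on exactly 64 hex chars.
# Returns 1 and prints nothing if the input is not a plausible SHA-256 thumbprint.
normalize_thumbprint() {
    n=$(printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f')
    [ ${#n} -eq 64 ] || return 1
    case "$n" in *[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$n"
}

# thumbprint_accepted CERT.pem "tp1 tp2 ..." -> exit 0 only if the certificate's
# SHA-256 thumbprint appears in the space-separated accept list (malformed
# entries are skipped rather than matched), mirroring an accept-list check.
thumbprint_accepted() {
    actual=$(thumbprint_sha256 "$1")
    for cand in $2; do
        c=$(normalize_thumbprint "$cand") || continue
        [ "$c" = "$actual" ] && return 0
    done
    return 1
}
```

Paste the output of thumbprint_sha256 into accept-thumbprints-sha256 for the certificate you expect to sign the message; a certificate whose thumbprint is not in the list is rejected.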