can you help me to generate a digital signature based on the certificate in key store in software ag by passing the input value then return the digital signature please advise me which services I can use?

Hi Yousef,
The service pub.security:sign does not currently support the built in key store, this is planned in the roadmap. The key/trust store can only be used for transport and authentication as well as creating and verifying JWT tokens (pub.jwt.*). Perhaps you could use a JWT token along with your text as a claim ?

regards,
John.

Hi John ,
we doesn’t using the jwt token , but we have a c# code use currently to generate signature if you know can we use c# service in software ag or not?

Theoretically you could, but I wouldn’t recommend it. Instead you could try a java service e.g.

	/** 
* The primary method for the Java service
*
* @param pipeline
*            The IData pipeline
* @throws ServiceException
*/
public static final void signWithKeystore(IData pipeline) throws ServiceException {
// pipeline in

IDataCursor c = pipeline.getCursor();
String key = IDataUtil.getString(c, "key");
String keyPassword = IDataUtil.getString(c, "keyPassword");
String keystore = IDataUtil.getString(c, "keystore");
String keystorePassword = IDataUtil.getString(c, "keystorePassword");

String text = IDataUtil.getString(c, "text");

if (keystore == null)
keystore = "../../../common/conf/keystore.jks";

String sig = null;

try {
PrivateKey privateKey = (PrivateKey) getKeyFromKeystore(key, keyPassword, keystore, keystorePassword);			

sig = sign(privateKey, text);

} catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
throw new ServiceException(e);
} catch (UnrecoverableKeyException e) {
throw new ServiceException(e);
}

// pipeline out

IDataUtil.put(c, "signature", sig);
c.destroy();	
}

// --- <<IS-BEGIN-SHARED-SOURCE-AREA>> ---

static Key getKeyFromKeystore(String key, String keyPassword, String keystore, String keystorePassword) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException {

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(new FileInputStream(keystore), keystorePassword != null ? keystorePassword.toCharArray() : null);

return ks.getKey(key, keyPassword != null ? keyPassword.toCharArray() : null);
}

static String sign(PrivateKey privKey, String data) throws ServiceException {

try {

//Creating a Signature object

Signature sign = Signature.getInstance("SHA256WithRSA");
sign.initSign(privKey);

sign.update(data.getBytes());

return Base64.getEncoder().encodeToString(sign.sign());

} catch (InvalidKeyException e) {
e.printStackTrace();
throw new ServiceException("Invalid RSA Key: " + e.getMessage());
} catch (NoSuchAlgorithmException e) {
throw new ServiceException("No Such Algorithm: " + e.getMessage());
} catch (SignatureException e) {
throw new ServiceException("Error signing text:" + e.getMessage());
}
}

thank you I will be trying to use it but can you clear to me some of these variable name what is the key and keyPassword.
thank you .

Hi Yousef,
Sorry for not explaining better. key refers to the reference in the keystore i.e. keystores can manage multiple assets be it public, private keys or certificate and each one has a unique name.

For instance the default key store provided by us DEFAULT_IS_KEYSTORE has a single private key ‘ssos’.

The input keyPassword refers to a password for accessing the key itself, albeit it is optional and may not be required. Thus keys can be secured at two level, password required to access the keystore and a 2nd for accessing the individual key.

regards,
John

Hi John
don’t worry, thank you for clarifying,
excuse me I want to ask you another question there is different java code can we use to generate a signature using xml? I consume soap API then convert the xml request to document request then I need to generate signature in the xml form can you advise me please thank you.

I’m not sure what you mean by xml form?
If you mean that you want to forward your document and signature together formatted as XML, then you can do this easily and don’t need to do it in Java.

1 Transform your document to XML via pub.xml:documentToXMLString.
2. Sign the resulting string with the java service I provided above.
3. transmit your xml to the recipient via pub.client:http and include the signature in Authorization header e.g.

Authorization: "HMAC-SHA256 SignedHeaders=x-ms-date;host;x-ms-content-sha256&Signature=<hmac-sha256-signature>"

step 3 may be different depending on the recipient i.e. they may require that you provide the signature differently and so you may need to adapt it by moving it to the content etc. etc.

The recipient of course will need the public key associated with the private key you provided in step (2) in order to verify the signature on their side.

regards,
John.

Thanks John,

I mean I am passing XML tag as input rather than String to generate signature. So, the signature output will be same whether I pass string or document formatted as XML?
I don’t need java code that produce xml signature.?

if the XML is still in string format, then you can pass it into my service no problem. If it is an xmlNode then you need to call pub.xml:xmlNodeToString first. The output is a the signature, you will need to send it somehow to the recipient as I indicated in step (3) above and that can be done in many different ways.
regards,
John.

ok thank you .