API Connect


validate signature in header using public key using gateway script

  • 1.  validate signature in header using public key using gateway script

    Posted Thu February 29, 2024 10:29 AM

    Hi,

    We have a requirement to develop a script to validate the signature on the header using a public key.

    var apim = require('apim');
    var crypto = require('crypto');

    // Signature sent by the client in the "Signing Header" request header
    var signature = apim.getvariable('message.Signing Header');

    // Beginning of the PEM public key
    const l1 = "-----BEGIN PUBLIC KEY-----\n";

    // Base64-encoded SubjectPublicKeyInfo (an EC P-256 public key)
    const l2 =
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXIvPbzLjaPLd8jgiv1TL/X8PXpJNgDkGRj9U9Lcx1yKURpQFVavcMkfWyO8r7JlZNMax0JKfLZUM1IePRjHlFw==";

    // End of the PEM public key
    const l3 = "\n-----END PUBLIC KEY-----";

    // Constructing the PEM public key
    const publicKey = l1 + l2 + l3;

    // Verify the signature over the request body; the digest ("sha256" here) and the
    // exact data that was signed must match whatever the client's signing scheme uses
    var verify = crypto.createVerify('sha256');
    verify.update(apim.getvariable('message.body'));

    if (verify.verify(publicKey, signature, 'base64') === false)
    {
        apim.error('Unauthorized', XXX, 'Unauthorized', 'Signature validation failed');
    }

    Instead of hardcoding the public key in the script, we want to read the content of the certificate. Can anybody suggest how to read the certificate and its content, as hardcoded in the code?



    ------------------------------
    Debasis Samal
    ------------------------------


  • 2.  RE: validate signature in header using public key using gateway script

    Posted Thu February 29, 2024 11:12 AM
    Hi,

    We can create a DataPower crypto key; then it can be referred to in the script by object name.

    Thx





  • 3.  RE: validate signature in header using public key using gateway script

    Posted Fri March 01, 2024 02:53 PM

    Hi Debasis,

    Per https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=apis-fs-module#fs__read, assuming your crypto file itself is in the cert:/// directory, the GatewayScript fs module can only read from the local, store, and temporary directories, so you can't read the file directly from GatewayScript.  When GatewayScript was implemented in the DataPower 7.0 timeframe, the decision was made not to make GatewayScript equivalent functions for the many xslt security extension functions, so your requirement is going to take some work.  There is in GatewayScript the transform.xslt function which will allow you to execute an xsl stylesheet from your GatewayScript.  You can also pass parameters from your GatewayScript (for example, the name of the certificate object you're interested in), and receive a response from the xslt in the GatewayScript's asynchronous callback function which hopefully would be your certificate file contents.  See https://www.ibm.com/docs/en/datapower-gateway/10.5.0?topic=apis-transform-module for examples of this including how to pass parameters to your stylesheet, how the stylesheet will receive those parameter values and then return a result back.

    Since your example GatewayScript shows a hardcoded public key source, if you have a DataPower certificate object referencing your certificate file, you can use the dp:base64-cert extension function with the function argument of name:<certificate object name> which you could pass from the GatewayScript as a parameter to the stylesheet.  The difficulty though may be determining the actual DataPower certificate object name if you're relying on an API Connect TLS profile's truststore's certificate object as the one that you're wanting to obtain.  You could use a gateway extension to push your own certificate file and create your named certificate object which would make your effort simpler since you'll know the object name. If you do want a certificate from an API Connect TLS profile's truststore, that's going to take more work in the stylesheet to determine the object name which I won't detail unless you really need to do that.

    Hope this helps,

    Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------
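A worked version of the approach Steve describes, as an added example that is not code from the thread or from IBM: the GatewayScript passes the certificate object name as a parameter to a small stylesheet that calls dp:base64-cert, receives the base64 DER back in the asynchronous callback, and verifies the header signature with it. The stylesheet path, certificate object name, header name, signed data and digest are assumptions, as is passing the PEM string to verify() the way the original script did (per reply 2, a DataPower crypto object name can be used there instead); the transform.xslt option names follow the IBM transform-module docs linked above, so check them against your firmware version.

```gatewayscript
// Added example, not from the thread. Assumed names: stylesheet local:///get-cert.xsl,
// certificate object "HeaderSigningCert", header "Signing-Header" carrying a base64
// ECDSA/SHA-256 signature over the request body (the signed data is scheme-specific).
//
// Assumed contents of local:///get-cert.xsl, returning the base64 DER of the named cert:
//   <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
//       xmlns:dp="http://www.datapower.com/extensions" extension-element-prefixes="dp">
//     <xsl:param name="certName"/>
//     <xsl:template match="/">
//       <cert><xsl:value-of select="dp:base64-cert(concat('name:', $certName))"/></cert>
//     </xsl:template>
//   </xsl:stylesheet>

var apim = require('apim');
var crypto = require('crypto');
var transform = require('transform');

var CERT_OBJECT = 'HeaderSigningCert';                              // assumed object name
var signature = apim.getvariable('message.headers.signing-header'); // assumed header name
var signedData = apim.getvariable('message.body');                  // assumed signed data

// Ask the stylesheet for the certificate contents; the object name travels as an
// XSLT parameter and the result arrives in the asynchronous callback as an XML nodelist.
transform.xslt({
  location: 'local:///get-cert.xsl',
  source: '<empty/>',                 // the stylesheet ignores its input document
  parameters: { certName: CERT_OBJECT }
}, function (error, nodelist) {
  if (error) {
    apim.error('CertificateReadError', 500, 'Internal Server Error',
               'Cannot read certificate object ' + CERT_OBJECT);
    return;
  }
  // The <cert> element's text is the base64 DER; wrap it back into PEM so it can
  // be handed to the verifier the same way the thread's script handed over its PEM key.
  var certBase64 = nodelist.item(0).textContent;
  var certPem = '-----BEGIN CERTIFICATE-----\n' + certBase64 + '\n-----END CERTIFICATE-----';

  // Fail closed: a missing header is rejected exactly like a bad signature.
  if (!signature) {
    apim.error('Unauthorized', 401, 'Unauthorized', 'Missing Signing-Header');
    return;
  }
  var verifier = crypto.createVerify('sha256');   // digest must match the client's scheme
  verifier.update(signedData);
  if (verifier.verify(certPem, signature, 'base64') !== true) {
    apim.error('Unauthorized', 401, 'Unauthorized', 'Signature validation failed');
    return;
  }
  // Verified: the request continues to the next policy in the assembly.
});
```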