CMS Signature Verification


This example shows how to verify a CMS (RFC 3852) signature by calling the TrustedX signature verification service through its RESTful interface.

An HTTP POST to the trustedx-sgw/cms/signature/verification resource on the labs.safelayer.com site requests verification of a CMS signature that is claimed to cover the message "Hello world !!!". Both the signature (<Base64Signature> element) and the signed data (<Base64Data> element) are supplied base64-encoded inside the <SignedData> element of the request message-body.

Please note that the servicePolicy query parameter in the URI selects the policy under which the signature is to be verified (txDemoVerifyPolicy).

POST /trustedx-sgw/cms/signature/verification?servicePolicy=txDemoVerifyPolicy HTTP/1.1
Host: labs.safelayer.com
Content-Length: 2379
Content-Type: application/x-trustedx-signedData+xml
<SignedData> <Base64Data>SGVsbG8gd29ybGQgISEh</Base64Data> <Base64Signature>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</Base64Signature> </SignedData>

The following explanation refers to the response TrustedX returns when it receives the previous request.

This response contains, in the <SignatureStatusInfo> element:

  • An identifier (<signStatusCode> element) that encodes whether or not the signature is authentic. The value urn:oasis:names:tc:dss:1.0:resultminor:ValidSignature_OnAllDocuments indicates that the signature is authentic, while the value urn:oasis:names:tc:dss:1.0:resultminor:IncorrectSignature indicates that it is not, either because it does not match the data provided in the request or because it was not generated with the private key corresponding to the certificate the signature refers to.
  • A text representation (<certificateXml> element) of the certificate with which the signature was verified (i.e. the signer's certificate if the signature is authentic).
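The request above and the response fields just listed, as an added client-side example that is not part of the original page or of TrustedX itself: it builds the <SignedData> body and raw HTTP request for an arbitrary message and DER-encoded CMS signature, then parses a response and fails closed unless the status code is exactly the ValidSignature URN. The response sample is constructed; it assumes that signStatusCode and certificateXml appear as descendants of SignatureStatusInfo, which the page describes but does not show verbatim.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Result codes quoted on the page (DSS result-minor URNs).
VALID = "urn:oasis:names:tc:dss:1.0:resultminor:ValidSignature_OnAllDocuments"
INCORRECT = "urn:oasis:names:tc:dss:1.0:resultminor:IncorrectSignature"
CONTENT_TYPE = "application/x-trustedx-signedData+xml"
RESOURCE = "/trustedx-sgw/cms/signature/verification"


def build_signed_data(data: bytes, cms_signature_der: bytes) -> str:
    """Build the <SignedData> body; both parts are base64-encoded (no line wrapping)."""
    b64_data = base64.b64encode(data).decode("ascii")
    b64_sig = base64.b64encode(cms_signature_der).decode("ascii")
    return ("<SignedData>"
            f"<Base64Data>{b64_data}</Base64Data>"
            f"<Base64Signature>{b64_sig}</Base64Signature>"
            "</SignedData>")


def build_request(host: str, policy: str, body: str) -> str:
    """Render the raw HTTP/1.1 request shown on the page; Content-Length is computed."""
    payload = body.encode("utf-8")
    return (f"POST {RESOURCE}?servicePolicy={quote(policy)} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: {CONTENT_TYPE}\r\n\r\n{body}")


def parse_verification_response(xml_text: str) -> dict:
    """Extract signStatusCode and certificateXml; anything but VALID is treated as failure."""
    root = ET.fromstring(xml_text)
    status, cert = None, None
    for el in root.iter():  # match on local name so an XML namespace does not break lookup
        name = el.tag.rsplit("}", 1)[-1]
        if name == "signStatusCode":
            status = (el.text or "").strip()
        elif name == "certificateXml":
            cert = ET.tostring(el, encoding="unicode")
    if status is None:  # an HTTP 200 without a status code is not a successful verification
        raise ValueError("response carries no signStatusCode; treat as verification failure")
    return {"valid": status == VALID, "status": status, "certificate": cert}


# Constructed sample response (structure assumed from the page's description).
SAMPLE_VALID_RESPONSE = (
    "<SignatureStatusInfo>"
    f"<signStatusCode>{VALID}</signStatusCode>"
    "<certificateXml>[certificate details omitted in this constructed sample]</certificateXml>"
    "</SignatureStatusInfo>")
```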


Note:
To implement this example, the TrustedX SmartGateway component must be configured properly. See REST HowTo for an explanation on how to perform this.