Set Up Key Exchange Provide a Receiver Hint
8.3.2.1 Set Up Key Exchange
The key exchange needs to happen out of band. For example, if you signing with a certificate, the receiver should already be set up with the trust points, so that the receiver can verify your certificate. Or if you are signing with a symmetric key, the receiver should already know this symmetric key. The XML Signature specification does not define this initial key exchange mechanism.8.3.2.2 Provide a Receiver Hint
You also need to provide a hint to the receiver so that it knows how to verify your signature. This will be in the dsig:KeyInfo tag inside the dsig:Signature. This can be accomplished in different ways: ■ You can provide no hint at all. This perfectly acceptable, if you have already communicated the key to the receiver, and the receiver is expecting all signatures to be signed by this key. However this is not a likely situation. ■ When signing with an X509Certificate, you can provide one or more of the following: – The entire X509Certificate. This is the most common usage. – The Subject DN of the certificate – This is useful when the receiver has access to a LDAP directory, and it can look up the certificate based on the DN. – The SubjectKeyIdentifier or the IssuerDNSerial number pair – This is useful when the receiver is only expecting a signatures from a set of certificates, and it every time it has to verify a signature, it can loop over all the certificates and find the one with matching SKI or IssuerSerial. ■ When signing with a raw asymmetric key, you can provide the actual values of the RSADSADH public key. This is not recommended as the receiver cannot verify the key; alternatively, if you include the certificate, the receiver can do PKIX processing and verify it; that is, the receiver can check for certificate validity and check against an OCSP or CRL. ■ When signing with a symmetric key, you can provide a key name. This is just a string that conveys some information that the receiver can use to retrieveconstruct the symmetric key.8.4 How Data is Verified
Parts
» Oracle Fusion Middleware Online Documentation Library
» Symmetric Cryptographic Algorithms Asymmetric Cryptographic Algorithms
» Key Pairs Certificate Authority Digital Certificates Related PKI Standards
» SAML Request and Response Cycle
» Web Services Security Federation
» Toolkit Architecture Overview of Oracle Security Developer Tools
» Supported Standards Oracle Crypto Oracle Security Engine Oracle CMS
» Oracle PKI LDAP SDK Oracle PKI TSP SDK Oracle PKI OCSP SDK Oracle PKI CMP SDK
» Oracle SMIME Oracle XML Security Oracle SAML Oracle Web Services Security
» Oracle Liberty SDK Oracle XKMS
» Converting an Existing Key Object to a JCE Key Object
» The JCE Framework JCE Certificate Revocation Lists CRLs
» Working with standard KeyStore-type Wallets Working with PKCS12 and PKCS8 Wallets
» The RSA Cipher Password Based Encryption
» The oracle.security.crypto.core.MessageDigest Class The oracle.security.crypto.core.MAC Class
» Signatures Key Agreement Core Classes and Interfaces
» The oracle.security.crypto.cert.X500RDN Class The oracle.security.crypto.cert.X500Name Class
» The oracle.security.crypto.cert.CertificateRequest Class
» Abstract Base Class CMSContentInfo The CMSDataContentInfo Class
» The ESSReceipt Class The CMSDigestedDataContentInfo Class
» The CMSSignedDataContentInfo Class Constructing CMS Objects using the CMSContentInfo Classes
» The CMSEncryptedDataContentInfo Class Constructing CMS Objects using the CMSContentInfo Classes
» The CMSEnvelopedDataContentInfo Class Constructing CMS Objects using the CMSContentInfo Classes
» Using the CMSOutputStream and CMSInputStream Classes
» The oracle.security.crypto.smime.SmimeSigned Class
» The oracle.security.crypto.smime.SmimeSignedReceipt Class
» Using the Abstract Class SmimeObject
» Creating MultipartSigned Entities Creating Digital Envelopes
» Creating Certificates-Only Messages Reading Messages Authenticating Signed Messages
» Opening Digital Envelopes Encrypted Messages Adding Enhanced Security Services ESS
» System Requirements for Oracle PKI TSP SDK Setting the CLASSPATH Environment Variable
» The Oracle PKI LDAP SDK Java API Reference Example Programs
» Set Up Key Exchange Provide a Receiver Hint
» Construct the Wrapper Object Obtain the DOM Element from the Wrapper Object Parse Complex Elements
» Construct Complex Elements About Element Wrappers in the Oracle Security Developer Tools XML APIs
» Multiple References Enveloped Signature XPath Expression Certificate Hint Sign with HMAC Key
» Basic Procedure to Check What is Signed Set Up Callbacks
» Encrypt with a Shared Symmetric Key Encrypt with a Random Symmetric Key
» Core Classes Classes and Interfaces
» Oracle SAML 2.0 Packages The Oracle SAML 2.0 Java API Reference Example Programs
» Element Wrappers Classes and Interfaces
» Creating an X509 Token Creating a Kerberos Token
» Signing SOAP Messages Signing and Verifying
» Verifying SOAP Messages Signing and Verifying
» Encrypting SOAP messages with EncryptedKey
» Supporting Classes and Interfaces
» The Oracle Liberty SDK 1.2 API Reference Example Programs
» oracle.security.xmlsec.xkms.xkiss.LocateRequest oracle.security.xmlsec.xkms.xkiss.LocateResult
» oracle.security.xmlsec.xkms.xkiss.ValidateRequest oracle.security.xmlsec.xkms.xkiss.ValidateResult
Show more