For a customer I have to implement RSA Signature verification on the API Gateway. So this means that I receive a soap message (without ws security) with several attributes, a signature hash and a public key as well.
The sender of the soap message told me that he created the signature out of a simple pattern like: <attrName1>AttrName1</attrName1><attrName2>AttrName2</attrName2><attrNameN>AttrNameN</attrNameN>.
- Created a String out of all Attributes according to the pattern
- Hashed this String with SHA-256
- Signed this hash with his private key
- Sends Attributes, signatur and public key to my API Gateway over soap
What I have to do:
- Extract attributes [done]
- Create a String out of all Attributes according to the pattern [done]
- Perform a RSA Signature verification of the String with the given public key and signatur [don't know how to do that???]
What I found in the given API GW policies is the "(Non SOAP) Verify XML Element" policy but here i could not set the string...
What is the right policy for doing this?