Layer7 API Management

  • 1.  Verifying the signature of a payload

    Posted Apr 18, 2018 02:33 AM

    We are receiving messages from third parties, who are including a certificate in their requests. Also included is a signature which we want to validate against the message to determine nothing has been modified on the way. We have a different system that is responsible for the SSL-connection, so that part is already secure. The problem is how to actually verify that the signature was signed by that specific third party.

     

    We can verify that the certificate comes from the third party, as we have their certificate located elsewhere that we can compare to.

    But when it comes to actually verifying the signature we just don't know what policies to employ. Firstly, since we have the certificate located elsewhere, we have been unable to set context variables with type certificate. This stops us from using the "Extract Attributes from Certificate" assertion. This stops us from retrieving the key from the certificate and decoding the signature. 

    We're also not using XML, which means we can't use the "Verify XML Element" assertion either. This also requires we have a context variable with the certificate type.

    The "Decode Json Web Token" assertion has the same problem, we only have the certificate in string format rather than of the Certificate type.

     

    This means we continually get the "No certificate found for variable" exception in our logs.

     

    So, how do we retrieve certificates when they cannot necessarily be looked up using the "Look Up Certificate" assertion?

    How do we verify that a string/payload is signed using a third party's private key given that we have their public key/certificate?

    If it matters, we are only interested in RSA-SHA256 and RSA-SHA512 and no other encryption algorithms.



  • 2.  Re: Verifying the signature of a payload

    Posted Apr 18, 2018 04:22 AM

    Hi David,
    this is a good question, but in order to better check this, what is the certificate format? you mentioned 'string format' but that I believe is not going to be enough: can you provide example of a signed payload with bogus data?

     

    if you want, send it via email to me directly, although for the sake of this communities question, it would be useful to at least put the certificate in string format example here (anyway, it is a public certificate so there is no security issues to shaw it here)

     

    thanks



  • 3.  Re: Verifying the signature of a payload

    Posted Apr 18, 2018 04:43 AM

    Of course, an example of a certificate in "string format":

    -----BEGIN CERTIFICATE-----
    MIIF0TCCA7mgAwIBAgIJAMWkPQPi3gtDMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV
    BAYTAk5MMRUwEwYDVQQIDAxadWlkIEhvbGxhbmQxEjAQBgNVBAcMCVJvdHRlcmRh
    bTEaMBgGA1UECgwRU3BhcmtsaW5nIE5ldHdvcmsxEDAOBgNVBAsMB0lUIERlcHQx
    FzAVBgNVBAMMDkR1bW15IFNpZ24gS2V5MB4XDTE4MDQxODA4NDAwMFoXDTE5MDQx
    ODA4NDAwMFowfzELMAkGA1UEBhMCTkwxFTATBgNVBAgMDFp1aWQgSG9sbGFuZDES
    MBAGA1UEBwwJUm90dGVyZGFtMRowGAYDVQQKDBFTcGFya2xpbmcgTmV0d29yazEQ
    MA4GA1UECwwHSVQgRGVwdDEXMBUGA1UEAwwORHVtbXkgU2lnbiBLZXkwggIiMA0G
    CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8G48zu2iaMqIeLZIet9pLekOyYzt2
    P5Cgu+zdNntM6YDlhKMACbQxK5RxxPNrtf22NwioIhon/Fcc3+5DAE0bbS+WAfTG
    zh3ysQUXFePPaosnmgWaOtSBi1jFYHwvHQ7IImIDuivx8SbH4FmE5vZpt1vjza8G
    Do4cpR1mPQs5h20Xt+w039AXtV/mPj1+P6TDn6ItcVd8WTEo1Qjw7+TuqVs7/fIh
    Szxi+LiRwQGIYjRmxfwk3QEJ6FHeMl6M7AVkfY8J+Rw3hRgvdHXDjJbEa4Bb4JwE
    jMbRFQPYrHwFLMEdEIsOQ9jA7EhoUgk5wAgsFpjhlZc0UFU1ANT/YldjOgeXnZI3
    aYmx/z4MKcSA5+idJBRTVzxe/UPV0jB2DQEA7Ap1EDI9CoMpNp2SP3Vo8PrDSwio
    QSP9oMMt7DtubSvL36DDTXZXUWSeDTDGzI0NrO+ZtRe0cMUTs5XE7hOsjetulZ8h
    94Ae9Ns8gyIQwuuqq5TBAOGUY/6HzTSjbcEZLv9SQTLPrtwVpvTjfl4r7IZKEXBT
    oWbtF426GEdUPBFDt+zCbMaG9J77UziFFBN5KFmkhmAAA/RjB+5Ed49qzSNjLW0p
    es8/jbQfCQdMz3kGI68RESln3iawsID2yG05LDOe0VhcG1tLYi0r2FxJAeLB4OUr
    ygNUX17nIUd7XQIDAQABo1AwTjAdBgNVHQ4EFgQULspyeNqmbkhaLYbxTO0rEDTj
    Qp8wHwYDVR0jBBgwFoAULspyeNqmbkhaLYbxTO0rEDTjQp8wDAYDVR0TBAUwAwEB
    /zANBgkqhkiG9w0BAQsFAAOCAgEAXjA0jLEcrLbptO81arK6mV+HLU7RLU3AK42c
    1ErD0UWLEi5/6m7InKFZMxYYA1ks9+g2rIic5fYEt3WWnqNF7PWd8C+pQa/GpgC4
    SGGKjhtagnVMN82lC7wE19ja07SCCodl3TsMlmIc+xKlTuj13UPGw3W5GAw2mqdz
    Qn2B72GxWrTD5qF+pvskM9+J3qN/kR4A0zSBLyfBrBDQhPneOeAjfMSc1MFrjnZv
    +5sNU9gjVFen8psE0eOJVn9Gp88j3KuHctJCxOcvyWQboaTUEwGEy0Ly7BKi7JOl
    RzqciTis6lNx5hs9XxbFX8NGUftxH30FW9RcyLlLJ0vuYbB3V2OsDnpSN5rDkTeQ
    nBrgo9M6fuOdx7zk7+Pd29tSSU0zC2/Rpb7pb6y4MWPUgIyzdjrO6HoZ8KdJRTLP
    VShrVxBh3oMqP04chr2cwkI4IPNLR2RBsuiW3NCTQg9y5NLE5Y8S6ldzE8WDAHms
    fSpqUBv1j8rTAZJXbbAToZMqdBqMeE20GyKVSg3XCl57PpNzNvjbUepaHtTzu+gt
    jyWRackMns4Kn4d0YoTyRMJOygpcFMGhh0Ll53ldHH715nWgj9zWqyrOwkjkwsRu
    OStg3/7nCi4dGPknlyB0OcIo3C1cqQ3KfNczm+R9xWYiH7GMWfDHkD/xMItTtlVs
    WMXvxsg=
    -----END CERTIFICATE-----

     

    Using that certificate, signed dummy data in base64 encoding:

    tQ0sS5JGan7WyStLIozaFnE1aIpduXc5jQm7r7J2kTO/xTmVmLnxaPXqdE4WKG6VhPj/EtZG/Vsw
    ndVhfpWEgD1uuCW6ODjh7jomvpFTkl7QNd/Hgv0weQzeaXpmyBuX4f7Blc5+ctFJNPP93CBdSjYb
    +7DlVSROmBGSq5ZPpJNdIOZLt+J1ttkq5kKLZWztp968uXnKHM7pnFoETCLYHn8qwFlf5nyiuErU
    Es1jXBfIMt0thtjBkgXWXpJejdtS6O02M4PnEaoL3G/EcKJg/aqdythpJ61D7l06P3tWlrV19iSg
    26sb1GF8QC9C6IV9fKmHSX1fyWN1BwxvPGyomzp95DacwZsxA8V742jyOpV8vsJRMgai2TttWg9i
    mHsSnzmxNjAITKgIOqpma6bCTqdheP223dN+s2E7HF3apDDjuh4y4D6oFJowum/hizI1Rjk503lq
    ec67fyIEvHbchYMPou4u2TZGUIOjdlPjkeE0xos6AhKd7MFHyicyRsu8/XpUmjux0kngEW/Mo2jr
    xWKy3MeWx+752Bcpvp/8/FAZX/re1BugO1topYBq9fKm8PYe0wCZVRopXXMilYF5qmWlWrFnMHzD
    LDN2PyMpYqqMkuAswCkJ/KvKIU46EoUF39frqCZGZTCY5KyrLnTme4IysMhq8ZVLcdQSSecAVlQ=

     

    The dummy data is:

    Payload-Hash: SHA-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
    Transaction-ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ
    Request-ID: 1234567891011121314151617181920
    Customer-ID: Customer1234
    Date: 2018-01-01 12:00:00 GMT

     

    If there is any other information missing, I'll be happy to provide more.



  • 4.  Re: Verifying the signature of a payload
    Best Answer

    Broadcom Employee
    Posted Apr 23, 2018 12:31 PM

    Hi David,

     

    Just came across this tactical assertion in CA Wiki. This assertion can use the base64 public key value and perform signature validation. Hope this solves your requirement.

     

    https://cawiki.ca.com/display/Tactical/ValidateSecuritySignatureAssertion+-+User+Documentation

     

    Regards,

    Karthik



  • 5.  Re: Verifying the signature of a payload

    Posted Apr 23, 2018 03:36 PM

    When I try to access this https://cawiki.ca.com/display/Tactical/ValidateSecuritySignatureAssertion+-+User+Documentation, I get redirected to MFA Login , is this a new authentication control on the site? I am logged on currently to communities but that is not enough to access Wiki site. Apologies for deviating the core discussion, but intention is to let karthik know that the link is not accessible.



  • 6.  Re: Verifying the signature of a payload

    Posted Apr 24, 2018 04:57 AM

    This seemed to work!

     

    I also had to use the "Encode/Decode Data" assertion to turn the string into a certificate. The string without the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lets you do this. Then any certificate attributes can be extracted from the certificate (Certificate Attributes Context Variables - CA API Gateway - 9.3 - CA Technologies Documentation ). 

     

    SamWalker I don't know about the documentation, but I had to make a request to CA by starting a case to gain access to the assertion. When I did so I also got access to some documentation.