We are receiving messages from third parties, who are including a certificate in their requests. Also included is a signature which we want to validate against the message to determine nothing has been modified on the way. We have a different system that is responsible for the SSL-connection, so that part is already secure. The problem is how to actually verify that the signature was signed by that specific third party.
We can verify that the certificate comes from the third party, as we have their certificate located elsewhere that we can compare to.
But when it comes to actually verifying the signature we just don't know what policies to employ. Firstly, since we have the certificate located elsewhere, we have been unable to set context variables with type certificate. This stops us from using the "Extract Attributes from Certificate" assertion. This stops us from retrieving the key from the certificate and decoding the signature.
We're also not using XML, which means we can't use the "Verify XML Element" assertion either. This also requires we have a context variable with the certificate type.
The "Decode Json Web Token" assertion has the same problem, we only have the certificate in string format rather than of the Certificate type.
This means we continually get the "No certificate found for variable" exception in our logs.
So, how do we retrieve certificates when they cannot necessarily be looked up using the "Look Up Certificate" assertion?
How do we verify that a string/payload is signed using a third party's private key given that we have their public key/certificate?
If it matters, we are only interested in RSA-SHA256 and RSA-SHA512 and no other encryption algorithms.