Verifying Digital Signatures
Trading Networks supports x.509v3 certificates for verifying the digital signature of documents sent by a partner. Trading Networks verifies the digital signature to make sure the documents have arrived unchanged and the sender is who it claims to be. To verify the digital signature, you do the following:
Save the partner’s Verify certificate in the partner’s profile.
Trading Networks must have access to the partner’s certificates. When you add a Verify certificate,
Trading Networks stores the certificate in its database.
Note: | If you include the private key in the certificate information, Trading Networks can also use this information to digitally sign documents on behalf of the partner. You might have the private key if the profile describes an internal group (for example, a department within your corporation). |
For XML documents, set up the document type to extract the SignedBody and Signature system attributes. The SignedBody attribute identifies the portion of the document that was digitally signed. The Signature attribute identifies the portion of the document that contains the digital signature. The signature must be a base64 encoded PKCS#7 detached digital signature and can contain information for one or more signers.
Specify the Verify Digital Signature pre-processing action in the document type or processing rule.
When a partner sends a document to you, Trading Networks looks at the partner’s profile to see if it contains the specific public certificate to use to verify the document. If Trading Networks finds a set of certificates to use for that specific receiver, it uses the appropriate certificate in that set. If Trading Networks does not find a set of certificates to use for that specific receiver, it uses the default set of certificates specified in the partner’s profile.
To verify that the document arrived unchanged from the partner to you, Trading Networks invokes the Integration Server pub.security.pkcs7:verify built-in service. Trading Networks passes this service the value of the SignedBody and Signature system attributes that it extracted from the document.
Trading Networks can only verify information on itself because it does not have the certification/verification for the partner. Trading Networks makes sure that the CA that signed the certificate is included in the list of trusted CA certificates that the Integration Server maintains.
To ensure that the signed body has not changed, Trading Networks verifies the digital signature, which is the value of the Signature system attribute. To verify that the sender is who it claims to be, Trading Networks matches the certificate from the digital signature to the Verify certificate that Trading Networks has on file for the partner.
