Hello!
I'm following some directions to interoperate with a Webservice.
They provide me directives with examples using Java and Apache libraries.
So far so good: I can follow examples with Savon.
But... for the WebSecurity part they provide me with instructions using Apache WSS4J.
And there is something I noticed in the instructions that I think I can't do with Akami. Let me explain with the code example they give me. It is in Java, but consider it pseudocode:
```java
// Suppose a secret key `key` and a reference to the username token `sref`
WSSecSignature sign = new WSSecSignature();
sign.setSigCanonicalization(WSConstants.C14N_EXCL_OMIT_COMMENTS);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
sign.setSecretKey(key);
sign.setEncrKeySha1value(digest(key));
sign.setSecurityTokenReference(sref);
```
What I want to highlight is the fact that they configure the signing process, parametrizing the signing algorithm as ALGO_ID_MAC_HMAC_SHA1 and other things. But they do it as the users of the WSSec libraries.
But reviewing Akami (our WSSec library in Ruby), I think the corresponding part is this line of code[1] (maybe I'm wrong), in the file `akami/wsse/signature.rb`:
```ruby
def the_signature
  # ...
  signature = certs.private_key.sign(OpenSSL::Digest::SHA1.new, signed_info)
  # ...
end
```
and it looks like something I can't parametrize from the library's client point of view.
If that is the case, can you please give me some light on strategies to extend Akami/Savon so I can follow these instructions?
Thank you!
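
The difference between the two snippets in the post, as an added example (not code from the post, Akami, Savon or WSS4J): the signature value computed with the algorithm as a parameter, so the same canonicalized SignedInfo can be signed with HMAC-SHA1 and a shared secret or with RSA-SHA1 and a private key. The module, method and constant names are hypothetical, the sample values are constructed, and it assumes `digest(key)` in the Java snippet means the Base64-encoded SHA-1 of the raw key bytes.

```ruby
require "openssl"

# Hypothetical helper, not part of Akami or Savon. `signed_info` must already be
# the canonicalized (exclusive C14N) ds:SignedInfo string.
module SignatureValue
  HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
  RSA_SHA1  = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

  # Returns the Base64 text that goes into ds:SignatureValue.
  def self.compute(algorithm, key, signed_info)
    digest = OpenSSL::Digest.new("SHA1")
    raw = case algorithm
          when HMAC_SHA1 then OpenSSL::HMAC.digest(digest, key, signed_info) # key: String
          when RSA_SHA1  then key.sign(digest, signed_info) # key: OpenSSL::PKey::RSA
          else raise ArgumentError, "unsupported signature algorithm: #{algorithm}"
          end
    [raw].pack("m0") # strict Base64, no line breaks
  end

  # Constant-time check of a received HMAC-SHA1 SignatureValue.
  def self.valid_hmac?(key, signed_info, signature_value)
    OpenSSL.secure_compare(compute(HMAC_SHA1, key, signed_info), signature_value.to_s)
  end

  # Assumption: digest(key) in the post is SHA-1 over the raw key bytes, Base64-encoded.
  def self.key_sha1_identifier(key)
    [OpenSSL::Digest.new("SHA1").digest(key)].pack("m0")
  end
end

# Constructed sample values, for illustration only.
SAMPLE_KEY = "constructed-secret-key"
SAMPLE_SIGNED_INFO =
  '<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">constructed</ds:SignedInfo>'

if __FILE__ == $PROGRAM_NAME
  puts SignatureValue.compute(SignatureValue::HMAC_SHA1, SAMPLE_KEY, SAMPLE_SIGNED_INFO)
  puts SignatureValue.key_sha1_identifier(SAMPLE_KEY)
end
```

The HMAC branch takes a shared secret string, while the RSA branch makes the same `sign` call as the Akami line quoted in the post.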