Flow 22 --- Detached-JWS Stream Verification
This scenario walks through a constant-memory verification of a detached JWS created from a multi-megabyte payload:
- Generate an XMSS key-pair that can sign and verify.
- Create a 1 MB dummy payload.
- Sign that file as a detached JWS (General JSON with `"payload": null`) via `signFileStream`.
- Verify the detached signature in streaming mode with `verifySignatureStream`.
- Print rich server metadata and confirm the signature's validity.
Key points
- Uses tree-based XMSS signatures --- quantum-resistant and state-aware.
- Detached-JWS keeps large payloads out of the token; the signature file stays tiny.
- Streaming helpers (`signFileStream`, `verifySignatureStream`) hold only a small buffer in RAM --- ideal for 100 MiB+ artefacts.
- Produces repeatable 1 MB test data under `temp_files/`, then cleans itself up automatically.
When to use it
- High-volume log pipelines that need to stamp gigabytes with a quantum-safe signature without exhausting memory.
- Content-distribution networks where the asset (video, image, dataset) travels separately from its JWS header & signature.
- Compliance or audit trails that demand verifiable integrity proofs while keeping tokens lightweight.
Shared helper – this code imports the utility class from example_util.md (configuration, authentication, JSON).
Complete Java implementation
src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario22.java
```java
/*
 * Copyright 2025 ANKATech Solutions Inc
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 */
/* *****************************************************************************
 * FILE: ExampleScenario22.java
 * ****************************************************************************/
package co.ankatech.ankasecure.sdk.examples;

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.model.GenerateKeySpec;
import co.ankatech.ankasecure.sdk.model.SignResult;
import co.ankatech.ankasecure.sdk.model.VerifySignatureResult;
import co.ankatech.ankasecure.sdk.util.FileIO;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Properties;

import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;

/**
 * End-to-end, file-oriented demonstration of streaming *detached JWS*
 * verification with an XMSS key.
 *
 * @author ANKATech – Security Engineering
 * @since 2.2.1
 */
public final class ExampleScenario22 {

    /* ------------------------------------------------------------------ */
    private static final String SIGN_KID =
            "scenario22_XMSS_" + System.currentTimeMillis();
    private static final Path LARGE_PAYLOAD = TEMP_DIR.resolve("scenario22_payload.bin");
    private static final Path DETACHED_SIG = TEMP_DIR.resolve("scenario22_payload.sig");

    /* ====================================================================== */
    public static void main(String[] args) {
        System.out.println("===== SCENARIO 22 START =====");
        System.out.println("""
                Purpose :
                  * Generate an XMSS sign/verify key-pair.
                  * Create and sign a 1 MB payload as a detached JWS.
                  * Verify the detached signature in streaming mode.
                Steps :
                  1) Generate XMSS key
                  2) Create dummy payload
                  3) Sign payload (detached JWS)
                  4) Verify signature stream
                --------------------------------------------------------------""");
        try {
            Files.createDirectories(TEMP_DIR);
            Properties props = loadProperties();
            AnkaSecureSdk sdk = authenticate(props);
            runScenario(sdk);
        } catch (Exception ex) {
            fatal("Scenario 22 failed", ex);
        }
        System.out.println("===== SCENARIO 22 END =====");
    }

    /* ====================================================================== */
    private static void runScenario(AnkaSecureSdk sdk) throws Exception {
        /* 1 – XMSS key generation ------------------------------------- */
        sdk.generateKey(new GenerateKeySpec()
                .setKid(SIGN_KID)
                .setKty("XMSS")
                .setAlg("XMSS")
                .setKeyOps(List.of("sign", "verify")));
        System.out.println("[1] XMSS key generated -> kid = " + SIGN_KID);

        /* 2 – 1 MB dummy payload ------------------------------------ */
        byte[] blob = new byte[1 * 1024 * 1024]; // zero-filled buffer
        FileIO.writeBytes(LARGE_PAYLOAD, blob);
        System.out.println("[2] Payload created -> " + LARGE_PAYLOAD);

        /* 3 – detached-JWS streaming sign ----------------------------- */
        SignResult signMeta = sdk.signFileStream(SIGN_KID, LARGE_PAYLOAD, DETACHED_SIG);
        System.out.println("[3] Detached JWS written -> " + DETACHED_SIG);
        printSignMeta(signMeta);

        /* 4 – detached-JWS streaming verify --------------------------- */
        VerifySignatureResult verifyMeta =
                sdk.verifySignatureStream(LARGE_PAYLOAD, DETACHED_SIG);
        System.out.println("[4] Signature valid? -> " + verifyMeta.isValid());
        printVerifyMeta(verifyMeta);
    }

    private ExampleScenario22() {/* no-instantiation */}
}
```
How to run
Console milestones
- XMSS key generated
- 1 MB payload written to `scenario22_payload.bin`
- Detached-JWS signature file created
- Signature verified valid in streaming mode
- Sign & verify metadata (key IDs, algorithm, warnings)
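
The constant-memory idea behind the streaming helpers, as an added example that is not ANKATech SDK code: it feeds the RFC 7515 signing input `BASE64URL(protected) || '.' || BASE64URL(payload)` to the signer in 3-byte-aligned chunks, then shows that a one-bit change to the detached payload fails verification. Assumptions: the page does not state the SDK's internal signing input, ES256 from the stock JDK stands in for XMSS so the block runs without extra providers, and the class name, chunk size and temp files are constructed for illustration.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;

public class DetachedJwsStreamDemo {
    // Multiple of 3 bytes: every full chunk base64url-encodes without padding, so the
    // per-chunk encodings concatenate to exactly BASE64URL(whole payload).
    static final int CHUNK = 3 * 4096;
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final String ALG = "SHA256withECDSAinP1363Format"; // JWS ES256 (R||S); stand-in for XMSS

    // Feeds BASE64URL(protected) || '.' || BASE64URL(payload) into sig, one chunk at a time.
    static void feed(Signature sig, String prot, Path payload) throws Exception {
        sig.update((prot + ".").getBytes(StandardCharsets.US_ASCII));
        byte[] buf = new byte[CHUNK];
        try (InputStream in = Files.newInputStream(payload)) {
            for (int n; (n = in.readNBytes(buf, 0, CHUNK)) > 0; )   // short read only at EOF
                sig.update(B64.encode(n == CHUNK ? buf : Arrays.copyOf(buf, n)));
        }
    }

    static boolean verify(PublicKey pub, String prot, String sig, Path payload) throws Exception {
        Signature v = Signature.getInstance(ALG);
        v.initVerify(pub);
        feed(v, prot, payload);
        return v.verify(Base64.getUrlDecoder().decode(sig));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        Path good = Files.createTempFile("payload", ".bin");    // constructed sample data
        Path bad = Files.createTempFile("tampered", ".bin");
        byte[] data = new byte[1024 * 1024];
        Files.write(good, data);
        data[data.length - 1] ^= 1;                              // flip one bit in the copy
        Files.write(bad, data);
        String prot = B64.encodeToString("{\"alg\":\"ES256\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance(ALG);
        s.initSign(kp.getPrivate());
        feed(s, prot, good);
        String sig = B64.encodeToString(s.sign());
        System.out.printf("{\"payload\":null,\"signatures\":[{\"protected\":\"%s\",\"signature\":\"%s\"}]}%n", prot, sig);
        System.out.println("original valid? " + verify(kp.getPublic(), prot, sig, good));
        System.out.println("tampered valid? " + verify(kp.getPublic(), prot, sig, bad));
        Files.delete(good); Files.delete(bad);
    }
}
```

Because the signature covers the payload bytes but the JWS file does not carry them, the verifier must be pointed at the exact artefact it intends to trust; the tampered copy above differs only in its last bit and is rejected.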
© 2025 ANKATech Solutions INC. All rights reserved.