第二十四章 加密安全标头元素 - 基本示例
以下示例调用 Web
客户端并发送已加密的 <UsernameToken>
。在此示例中,正文未加密。
Set client=##class(XMLEncrSecHeader.Client.XMLEncrSecHeaderSoap).%New()
// Create UsernameToken
set user="_SYSTEM"
set pwd="SYS"
set userToken=##class(%SOAP.Security.UsernameToken).Create(user,pwd)
//get credentials for encryption
set cred = ##class(%SYS.X509Credentials).GetByAlias("servernopassword")
//get EncryptedKey element and add it
set encropt=$$$SOAPWSEncryptNone ; means do not encrypt body
set enckey=##class(%XML.Security.EncryptedKey).CreateX509(cred,encropt)
//create EncryptedData and add a reference to it from EncryptedKey
set encdata=##class(%XML.Security.EncryptedData).Create(,userToken)
set dataref=##class(%XML.Security.DataReference).Create(encdata)
do enckey.AddReference(dataref)
//add EncryptedKey to security header
do client.SecurityOut.AddSecurityElement(enckey)
//add UsernameToken and place it after EncryptedKey
do client.SecurityOut.AddSecurityElement(userToken,enckey)
Quit client.Divide(1,2)
该客户端发送如下消息:
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope [parts omitted]>
<SOAP-ENV:Header>
<Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod
xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
</EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier EncodingType="[parts omitted]#Base64Binary"
ValueType="[parts omitted]#ThumbprintSHA1">[omitted]</KeyIdentifier>
</SecurityTokenReference>
</KeyInfo>
<CipherData>
<CipherValue>pftET8jFDEjNC2x[parts omitted]xEjNC2==</CipherValue>
</CipherData>
<ReferenceList>
<DataReference URI="#Enc-61000920-44DE-471E-B39C-6D08CB17FDC2">
</DataReference>
</ReferenceList>
</EncryptedKey>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="Enc-61000920-44DE-471E-B39C-6D08CB17FDC2"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
</EncryptionMethod>
<CipherData>
<CipherValue>wW3ZM5tgPD[parts omitted]tgPD==</CipherValue>
</CipherData>
</EncryptedData>
</Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
[omitted]
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
作为一个简单的变化,请考虑上一节中的过程。假设我们在步骤 4 中执行以下操作,并且不做其他更改:
set enckey=##class(%XML.Security.EncryptedKey).CreateX509(credset)
在这种情况下,来自客户端的消息包括加密正文和加密的 :
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope [parts omitted]>
<SOAP-ENV:Header>
<Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
</EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier EncodingType="[parts omitted]#Base64Binary"
ValueType="[parts omitted]#ThumbprintSHA1">
5a[parts omitted]dM1r6cM=
</KeyIdentifier>
</SecurityTokenReference>
</KeyInfo>
<CipherData>
<CipherValue>TB8uavpr[parts omitted]nZBiMCcg==</CipherValue>
</CipherData>
<ReferenceList>
<DataReference URI="#Enc-43FE435F-D1D5-4088-A343-0E76D154615A"></DataReference>
<DataReference URI="#Enc-55FE109A-3C14-42EB-822B-539E380EDE48"></DataReference>
</ReferenceList>
</EncryptedKey>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="Enc-43FE435F-D1D5-4088-A343-0E76D154615A"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
</EncryptionMethod>
<CipherData>
<CipherValue>G+X7dqI[parts omitted]nojroQ==</CipherValue>
</CipherData>
</EncryptedData>
</Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="Enc-55FE109A-3C14-42EB-822B-539E380EDE48"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<EncryptionMethod Algorithm="[parts omitted]aes128-cbc"></EncryptionMethod>
<CipherData>
<CipherValue>YJbzyi[parts omitted]NhJoln==</CipherValue>
</CipherData>
</EncryptedData>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
与上一个示例相比,在本例中 <EncryptedKey>
元素包含对两个 <EncryptedData>
元素的引用。一个是安全标头中的 <EncryptedData>
元素,其中包含 <UsernameToken>
;此引用是手动创建和添加的。另一个是 SOAP
主体中的 <EncryptedData>
元素;此引用是自动添加的。