第三十三章 使用派生密钥令牌进行加密和签名 - 使用 DerivedKeyToken _进行加密（一）

第三十三章 使用派生密钥令牌进行加密和签名 - 使用

进行加密（一）

7. 如果加密了任何安全标头元素，请将它们添加到 WS-Security 标头元素中。为此，请调用 Web 客户端或 Web 服务的 SecurityOut 属性的 AddSecurityElement() 方法。在这种情况下，需要两个参数：

a. 安全标头元素（而不是从中生成的的 %XML.Security.EncryptedData）。

b. 引用列表实例。第二个参数指定将第一个参数指定的项目放在何处。如果参数是 A、B，则 IRIS 确保 A 在 B 之后。指定此项以便收件人首先处理引用列表，然后再处理依赖于它的加密安全标头元素。

 do client.SecurityOut.AddSecurityElement(userToken,reflist)

如果仅加密了 SOAP 主体，系统会自动将 <EncryptedData> 元素作为 <Body>的子元素。

8. 发送 SOAP 消息。请参阅添加安全标头元素中的一般注释。

例如，以下客户端代码对 SOAP 主体和 <UsernameToken>进行加密：

  // Create UsernameTokenset userToken=##class(%SOAP.Security.UsernameToken).Create("_SYSTEM","SYS")// get credentials for encryptionset cred = ##class(%SYS.X509Credentials).GetByAlias("servercred") // get EncryptedKey element to encrypt <UsernameToken)// $$$SOAPWSEncryptNone means that this key does not encrypt the bodyset enckey=##class(%XML.Security.EncryptedKey).CreateX509(cred,$$$SOAPWSEncryptNone)//add to WS-Security Headerdo client.SecurityOut.AddSecurityElement(enckey)// get derived key to use for encryption// second argument specifies how the derived key // refers to the key on which it is basedset dkenc=##class(%SOAP.WSSC.DerivedKeyToken).Create(enckey,$$$SOAPWSReferenceEncryptedKey)//add to WS-Security Headerdo client.SecurityOut.AddSecurityElement(dkenc)// create <EncryptedData> element to contain <UserToken>set encdata=##class(%XML.Security.EncryptedData).Create(dkenc,userToken,$$$SOAPWSReferenceDerivedKey)// create <EncryptedData> element to contain SOAP bodyset encdata2=##class(%XML.Security.EncryptedData).Create(dkenc,"",$$$SOAPWSReferenceDerivedKey)// create <ReferenceList> with <DataReference> elements that// point to these two <EncryptedData> elementsset reflist=##class(%XML.Security.ReferenceList).%New()set dataref=##class(%XML.Security.DataReference).Create(encdata)do reflist.AddReference(dataref)set dataref2=##class(%XML.Security.DataReference).Create(encdata2)do reflist.AddReference(dataref2)// add <ReferenceList> to WS-Security headerdo client.SecurityOut.AddSecurityElement(reflist)// add encrypted <UserName> to security header;// 2nd argument specifies positiondo client.SecurityOut.AddSecurityElement(userToken,reflist)// encrypted SOAP body is handled automatically

客户端发送如下消息：

<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope [parts omitted]><SOAP-ENV:Header><Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Id-658202BF-239A-4A8C-A100-BB25579F366B"><EncryptionMethod Algorithm="[parts omitted]#rsa-oaep-mgf1p"><DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod></EncryptionMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><KeyIdentifier EncodingType="[parts omitted]#Base64Binary" ValueType="[parts omitted]#ThumbprintSHA1">5afOHv1w7WSXwDyz6F3WdM1r6cM=</KeyIdentifier></SecurityTokenReference></KeyInfo><CipherData><CipherValue>tFeKrZKw[parts omitted]r+bx7KQ==</CipherValue></CipherData></EncryptedKey><DerivedKeyToken xmlns="[parts omitted]ws-secureconversation/200512" xmlns:wsc="[parts omitted]ws-secureconversation/200512" wsu:Id="Enc-943C6673-E3F3-48E4-AA24-A7F82CCF6511"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><Reference URI="#Id-658202BF-239A-4A8C-A100-BB25579F366B"></Reference></SecurityTokenReference><Nonce>GbjRvVNrPtHs0zo/w9Ne0w==</Nonce></DerivedKeyToken><ReferenceList xmlns="http://www.w3.org/2001/04/xmlenc#"><DataReference URI="#Enc-358FB189-81B3-465D-AFEC-BC28A92B179C"></DataReference><DataReference URI="#Enc-9EF5CCE4-CF43-407F-921D-931B5159672D"></DataReference></ReferenceList><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Enc-358FB189-81B3-465D-AFEC-BC28A92B179C" Type="http://www.w3.org/2001/04/xmlenc#Element"><EncryptionMethod Algorithm="[parts omitted]#aes256-cbc"></EncryptionMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><Reference URI="#Enc-943C6673-E3F3-48E4-AA24-A7F82CCF6511"></Reference></SecurityTokenReference></KeyInfo><CipherData><CipherValue>e4//6aWGqo1dIQ7ZAF[parts omitted]KZcj99N78A==</CipherValue></CipherData></EncryptedData></Security></SOAP-ENV:Header><SOAP-ENV:Body><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Enc-9EF5CCE4-CF43-407F-921D-931B5159672D" Type="http://www.w3.org/2001/04/xmlenc#Content"><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><Reference URI="#Enc-943C6673-E3F3-48E4-AA24-A7F82CCF6511"></Reference></SecurityTokenReference></KeyInfo><CipherData><CipherValue>Q3XxuNjSan[parts omitted]x9AD7brM4</CipherValue></CipherData></EncryptedData></SOAP-ENV:Body>
</SOAP-ENV:Envelope>

再举一个例子，以下 Web 服务在入站消息中接收 <EncryptedKey> ，并使用它来生成 <DerivedKeyToken> ，用于加密响应的各个部分：

  // create <DerivedKeyToken> based on first <EncryptedKey> in inbound message;// refer to it with SHA1 thumbprintset refopt=$$$SOAPWSReferenceEncryptedKeySHA1set dkenc=##class(%SOAP.WSSC.DerivedKeyToken).Create(,refopt)do ..SecurityOut.AddSecurityElement(dkenc)// create <EncryptedData> element to contain SOAP bodyset encdata=##class(%XML.Security.EncryptedData).Create(dkenc,"",$$$SOAPWSReferenceDerivedKey)// create <ReferenceList> with <DataReference> elements that// point to the <EncryptedData> elementsset reflist=##class(%XML.Security.ReferenceList).%New()set dataref=##class(%XML.Security.DataReference).Create(encdata)do reflist.AddReference(dataref)// add <ReferenceList> to WS-Security headerdo ..SecurityOut.AddSecurityElement(reflist)

该 Web 服务发送如下消息：

<SOAP-ENV:Envelope [parts omitted]>  <SOAP-ENV:Header><Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><DerivedKeyToken xmlns="[parts omitted]ws-secureconversation/200512" xmlns:wsc="[parts omitted]ws-secureconversation/200512" wsu:Id="Enc-D69085A9-9608-472D-85F3-44031586AB35"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd" s01:TokenType="[parts omitted]#EncryptedKey" xmlns:s01="h[parts omitted]oasis-wss-wssecurity-secext-1.1.xsd"><KeyIdentifier EncodingType="[parts omitted]#Base64Binary" [parts omitted]#EncryptedKeySHA1">U8CEWXdUPsIk/r8JT+2KdwU/gSw=</KeyIdentifier></SecurityTokenReference><Nonce>nJWyIJUcXXLd4k1tbNg10w==</Nonce></DerivedKeyToken><ReferenceList xmlns="http://www.w3.org/2001/04/xmlenc#"><DataReference URI="#Enc-0FF09175-B594-4198-9850-57D40EB66DC3"></DataReference></ReferenceList></Security>  </SOAP-ENV:Header>  <SOAP-ENV:Body><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Id="Enc-0FF09175-B594-4198-9850-57D40EB66DC3" Type="http://www.w3.org/2001/04/xmlenc#Content"><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><SecurityTokenReference xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd"><Reference URI="#Enc-D69085A9-9608-472D-85F3-44031586AB35"></Reference></SecurityTokenReference></KeyInfo><CipherData><CipherValue>NzI94WnuQU4uBO[parts omitted]xHZpJSA==</CipherValue></CipherData></EncryptedData></SOAP-ENV:Body>
</SOAP-ENV:Envelope>