第三十四章 使用派生密钥令牌进行加密和签名 - 使用 <DerivedKeyToken> 进行签名
要使用 <DerivedKeyToken>进行签名,请使用以下步骤:
- 如果想要签署任何安全标头元素,请创建这些安全标头元素。
- 创建
<DerivedKeyToken>并将其添加到WS-Security标头,如创建和添加<DerivedKeyToken>中所述。
请注意,此步骤还会创建并添加 <DerivedKeyToken> 所基于的 <EncryptedKey> 元素。
- 根据派生的密钥令牌创建
<Signature>元素。为此,请调用%XML.Security.Signature的Create()类方法。例如:
set dsig=##class(%XML.Security.Signature).Create(dkt)
此方法返回 %XML.Security.Signature 的实例,该实例表示 <Signature> 标头元素。签名值通过 HMAC-SHA1 摘要算法计算,使用 <DerivedKeyToken> 隐含的对称密钥。
<Signature> 元素适用于消息的一组默认部分;可以指定一组不同的部分。
- 将数字签名添加到
WS-Security标头元素。为此,请调用Web客户端或Web服务的SecurityOut属性的AddSecurityElement()方法。对于参数,请指定上一步中创建的签名对象。例如:
do ..SecurityOut.AddSecurityElement(dsig)
例如,以下客户端代码对 SOAP 主体进行签名:
// get credentials
set cred = ##class(%SYS.X509Credentials).GetByAlias("servercred")
// get EncryptedKey element that does not encrypt the body
set enckey=##class(%XML.Security.EncryptedKey).CreateX509(cred,$$$SOAPWSEncryptNone)
//add to WS-Security Header
do client.SecurityOut.AddSecurityElement(enckey)
// get derived key & add to header
set dksig=##class(%SOAP.WSSC.DerivedKeyToken).Create(enckey,$$$SOAPWSReferenceEncryptedKey)
//add to WS-Security Header
do client.SecurityOut.AddSecurityElement(dksig)
// create a signature and add it to the security header
set sig=##class(%XML.Security.Signature).Create(dksig,,$$$SOAPWSReferenceDerivedKey)
do client.SecurityOut.AddSecurityElement(sig)
客户端发送如下消息:
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope [parts omitted]>
<SOAP-ENV:Header>
<Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="Id-6188CA15-22BF-41EB-98B1-C86D4B242C9F">
<EncryptionMethod Algorithm="[parts omitted]#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
</EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<KeyIdentifier EncodingType="[parts omitted]#Base64Binary"
ValueType="[parts omitted]#ThumbprintSHA1">5afOHv1w7WSXwDyz6F3WdM1r6cM=
</KeyIdentifier>
</SecurityTokenReference>
</KeyInfo>
<CipherData>
<CipherValue>VKyyi[parts omitted]gMVfayVYxA==</CipherValue>
</CipherData>
</EncryptedKey>
<DerivedKeyToken xmlns="[parts omitted]ws-secureconversation/200512"
xmlns:wsc=[parts omitted]ws-secureconversation/200512"
wsu:Id="Enc-BACCE807-DB34-46AB-A9B8-42D05D0D1FFD">
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Reference URI="#Id-6188CA15-22BF-41EB-98B1-C86D4B242C9F"></Reference>
</SecurityTokenReference>
<Offset>0</Offset>
<Length>24</Length>
<Nonce>IgSfZJ1jje710zadbPXf1Q==</Nonce>
</DerivedKeyToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
</CanonicalizationMethod>
<SignatureMethod Algorithm="[parts omitted]#hmac-sha1"></SignatureMethod>
<Reference URI="#Body-B08978B3-8BE8-4365-A352-1934D7C33D2D">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>56gxpK1mSVW7DN5LUYRvqDbMt0s=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>aY4dKX17zDS2SF+BXlVTHcEituc=</SignatureValue>
<KeyInfo>
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Reference URI="#Enc-BACCE807-DB34-46AB-A9B8-42D05D0D1FFD"></Reference>
</SecurityTokenReference>
</KeyInfo>
</Signature>
</Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body wsu:Id="Body-B08978B3-8BE8-4365-A352-1934D7C33D2D">
[omitted]
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
网友评论