Message Encryption Examples
In this example, the web client (not shown) sends a signed request message and the web service sends an encrypted response.
The web service obtains the public key from the client certificate in the signature of the request message and uses that to add an <EncryptedKey> element in its response, which is encrypted. The <EncryptedKey> element is encrypted with the client’s public key and it contains the symmetric key used to encrypt the response message body.
The web service is as follows:
Class XMLEncr.DivideWS Extends %SOAP.WebService
{
Parameter SECURITYIN = "REQUIRE";
Parameter SERVICENAME = "XMLEncryptionDemo";
Parameter NAMESPACE = "http://www.myapp.org";
Method Divide(arg1 As %Numeric = 2, arg2 As %Numeric = 8) As %Numeric [ WebMethod ]
{
Do ..EncryptBody()
Try {
Set ans=arg1 / arg2
} Catch {
Do ..ApplicationError("division error")
}
Quit ans
}
Method EncryptBody()
{
//Retrieve X.509 certificate from the signature of the inbound request
Set clientsig = ..SecurityIn.Signature
Set clientcred = clientsig.X509Credentials
set bst=##class(%SOAP.Security.BinarySecurityToken).CreateX509Token(clientcred)
do ..SecurityOut.AddSecurityElement(bst)
//generate a symmetric key, encrypt that with the public key of
//the certificate contained in the token, and create an
//<EncryptedKey> element with a direct reference to the token (default)
Set enc=##class(%XML.Security.EncryptedKey).CreateX509(bst)
//add the <EncryptedKey> element to the security header
Do ..SecurityOut.AddSecurityElement(enc)
}
/// Create our own method to produce application specific SOAP faults.
Method ApplicationError(detail As %String)
{
//details omitted
}
}
This service sends response messages like the following:
<?xml version="1.0" encoding="UTF-8" ?>
<SOAP-ENV:Envelope [parts omitted]>
<SOAP-ENV:Header>
<Security xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<BinarySecurityToken wsu:Id="SecurityToken-4EC1997A-AD6B-48E3-9E91-8D50C8EA3B53"
EncodingType="[parts omitted]#Base64Binary"
ValueType="[parts omitted]#X509v3">
MIICnDCCAYQ[parts omitted]ngHKNhh
</BinarySecurityToken>
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="[parts omitted]xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#"
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1">
</DigestMethod>
</EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<SecurityTokenReference
xmlns="[parts omitted]oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Reference URI="#SecurityToken-4EC1997A-AD6B-48E3-9E91-8D50C8EA3B53"
ValueType="[parts omitted]#X509v3"></Reference>
</SecurityTokenReference>
</KeyInfo>
<CipherData>
<CipherValue>WtE[parts omitted]bSyvg==</CipherValue>
</CipherData>
<ReferenceList>
<DataReference URI="#Enc-143BBBAA-B75D-49EB-86AC-B414D818109F"></DataReference>
</ReferenceList>
</EncryptedKey>
</Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
Id="Enc-143BBBAA-B75D-49EB-86AC-B414D818109F"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<EncryptionMethod Algorithm="[parts omitted]#aes128-cbc"></EncryptionMethod>
<CipherData>
<CipherValue>MLwR6hvKE0gon[parts omitted]8njiQ==</CipherValue>
</CipherData>
</EncryptedData>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
