
Encrypting and Then Signing with Asymmetric Keys

To encrypt only the SOAP body and then add a digital signature (when using asymmetric keys), do the following:

  1. Follow the steps in Encrypting the SOAP Body.

  2. Follow the steps in Adding a Digital Signature.

To encrypt any security header elements and then add a digital signature (when using asymmetric keys), it is necessary to use a top-level <ReferenceList> element (which has not been necessary elsewhere in the documentation). In this case, do the following:

  1. Follow steps 1 through 4 in Encrypting Security Header Elements.

  2. For each security header element to encrypt, create an <EncryptedData> element based on that element. To do so, call the Create() class method of %XML.Security.EncryptedData. In this procedure, specify all three arguments:

    1. The encrypted key instance that you created in the previous steps.

    2. The security header element to encrypt.

    3. $$$SOAPWSReferenceEncryptedKey, which specifies how the <EncryptedData> uses the encrypted key instance.

    For example:

     set refopt=$$$SOAPWSReferenceEncryptedKey
     set encdata=##class(%XML.Security.EncryptedData).Create(enckey,userToken,refopt)
  3. Create a <ReferenceList> element. To do so, call the %New() method of the %XML.Security.ReferenceList class. For example:

     set reflist=##class(%XML.Security.ReferenceList).%New()
  4. Within this <ReferenceList>, create a <Reference> that points to the <EncryptedData> elements. To do so, do the following for each <EncryptedData>:

    1. Call the Create() class method of %XML.Security.DataReference and specify the encrypted data instance as the argument. This method returns an instance of %XML.Security.DataReference.

    2. Call the AddReference() method of your reference list instance and specify the data reference instance as the argument.

    For example:

     set dataref=##class(%XML.Security.DataReference).Create(encdata)
     do reflist.AddReference(dataref)
  5. Add the <ReferenceList> element to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. For the element to add, specify your reference list instance. For example:

     do ..SecurityOut.AddSecurityElement(reflist)
    Note:

    The <ReferenceList> element must be added before you add the other items.

  6. Add the <EncryptedKey> element to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property and specify the encrypted key instance. For example:

     do ..SecurityOut.AddSecurityElement(enckey)
  7. Add the encrypted security header element to the WS-Security header element. To do so, call the AddSecurityElement() method of the SecurityOut property of your web client or web service. In this case, you specify two arguments:

    1. The security header element to include (not the instance of %XML.Security.EncryptedData based on that element).

    2. The encrypted key instance. The second argument specifies where to place the item specified by the first argument: if the arguments are A, B, then InterSystems IRIS ensures that A is placed after B. You specify this so that the recipient processes the encrypted key first and only later processes the encrypted security header element that depends on it.

    For example:

     do ..SecurityOut.AddSecurityElement(userToken,enckey)

    Or, if the encrypted security header element is <Signature>, use AddSecurityElement() instead.

  8. Follow the steps in Adding a Digital Signature.

  9. Send the SOAP message. See the general comments in Adding Security Header Elements.
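The nine steps above, collected into one web client method. This is an added example and not InterSystems' own code. It assumes a subclass of %SOAP.WebClient with a proxy web method Echo(), two X.509 credential sets stored in %SYS.X509Credentials under the aliases "recipientcert" (the recipient's certificate, used for encryption) and "clientcert" (this client's certificate and private key, used for signing), and that the CreateX509() calls for %XML.Security.EncryptedKey and %XML.Security.Signature behave as described on the referenced Encrypting Security Header Elements and Adding a Digital Signature pages.

```objectscript
Include %soap

/// Added example (not InterSystems' code): encrypt the <UsernameToken> security header
/// element with the recipient's public key, then sign the message.
/// Assumed: credential aliases "recipientcert" and "clientcert" exist, and the proxy
/// web method Echo() is defined on this client.
Class Demo.SecureClient Extends %SOAP.WebClient
{

Method SendEncryptedThenSigned(user As %String, password As %String) As %Status
{
    // Steps 1-4 of "Encrypting Security Header Elements" (assumed from that page):
    // load the recipient's certificate and wrap a fresh symmetric key in an <EncryptedKey>.
    // $$$SOAPWSEncryptNone: the key is for header elements only, the SOAP body stays clear.
    set recipientCred = ##class(%SYS.X509Credentials).GetByAlias("recipientcert")
    if '$isobject(recipientCred) quit $$$ERROR($$$GeneralError,"recipient certificate not found")
    set enckey = ##class(%XML.Security.EncryptedKey).CreateX509(recipientCred,$$$SOAPWSEncryptNone)

    // The security header element to protect: a <UsernameToken>.
    set userToken = ##class(%SOAP.Security.UsernameToken).Create(user,password)

    // Step 2: build <EncryptedData> for that element, referencing the encrypted key.
    set refopt  = $$$SOAPWSReferenceEncryptedKey
    set encdata = ##class(%XML.Security.EncryptedData).Create(enckey,userToken,refopt)

    // Steps 3-4: a top-level <ReferenceList> with one <DataReference> per <EncryptedData>.
    set reflist = ##class(%XML.Security.ReferenceList).%New()
    set dataref = ##class(%XML.Security.DataReference).Create(encdata)
    do reflist.AddReference(dataref)

    // Step 5: the <ReferenceList> must be added to the header before anything else.
    do ..SecurityOut.AddSecurityElement(reflist)

    // Step 6: the <EncryptedKey> itself.
    do ..SecurityOut.AddSecurityElement(enckey)

    // Step 7: the original element (not encdata); the second argument places it
    // after enckey so the recipient unwraps the key before decrypting the token.
    do ..SecurityOut.AddSecurityElement(userToken,enckey)

    // Step 8: "Adding a Digital Signature" (assumed from that page): sign with this
    // client's certificate and private key. It is added last, so the signature is
    // computed over the already-encrypted header content.
    set signingCred = ##class(%SYS.X509Credentials).GetByAlias("clientcert")
    if '$isobject(signingCred) quit $$$ERROR($$$GeneralError,"signing certificate not found")
    set signature = ##class(%XML.Security.Signature).CreateX509(signingCred)
    do ..SecurityOut.AddSecurityElement(signature)

    // Step 9: send the message through the (hypothetical) proxy web method.
    set response = ..Echo("hello")
    quit $$$OK
}

}
```

The order of the AddSecurityElement() calls is the point of the procedure: the <ReferenceList> goes first, the <EncryptedKey> precedes the element encrypted under it, and the <Signature> is added after both so that it is computed over the encrypted, not the plaintext, token. A recipient that sees the encrypted element before the key it depends on cannot decrypt it, which is why the two-argument form is used in step 7.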
