加密對(duì)外發(fā)送的報(bào)文

我已經(jīng)修改了前面的GetXmlDocument方法，讓它可以使用由WSE實(shí)現(xiàn)的基于X.509非對(duì)稱加密技術(shù)。加密回應(yīng)報(bào)文，F(xiàn)indCertificateBySubjectString方法可以用來接收客戶端證書的公開備份，一個(gè)來自本地機(jī)器賬號(hào)的個(gè)人儲(chǔ)存室給的客戶端證書。這個(gè)證書然后被用來創(chuàng)建一個(gè)新的 X.509安全Token，這個(gè)Token將被加入到響應(yīng)報(bào)文的SoapContext的安全Token集合里。另外，在對(duì)稱加密例子中引用的命名空間，你應(yīng)該再加一個(gè)using指示附來引用一個(gè)Microsoft.WebServices.Security.X509命名空間。GetXmlDocument方法代碼如下：

//創(chuàng)建一個(gè)用于返回的簡(jiǎn)單XML文檔

XmlDocument myDoc = new XmlDocument();

myDoc.InnerXml =

"<EncryptedResponse>This is sensitive data.</EncryptedResponse>";

"<EncryptedResponse>這里是敏感數(shù)據(jù).</EncryptedResponse>";



//得到響應(yīng)報(bào)文的SoapContext

SoapContext myContext = HttpSoapContext.ResponseContext;



//打開并讀取本地機(jī)器帳號(hào)的個(gè)人證書儲(chǔ)存室

X509CertificateStore myStore =

X509CertificateStore.LocalMachineStore(

X509CertificateStore.MyStore);

myStore.OpenRead();



//查找所有名為”我的證書”的證書，然后將所有匹配的證書添加到證書集合中

X509CertificateCollection myCerts =

myStore.FindCertificateBySubjectString("My Certificate");

X509Certificate myCert = null;



//查找在集合中中的第一個(gè)證書

if (myCerts.Count > 0)

{

myCert = myCerts[0];

}



//確定我們有一個(gè)可以用于加密的證書

if (myCert == null !myCert.SupportsDataEncryption)

{

throw new ApplicationException("Service is not able to

encrypt the response");



return null;

}

else

{

//使用有效的證書來創(chuàng)建一個(gè)安全Token

X509SecurityToken myToken = new X509SecurityToken(myCert);

//WSE將使用這個(gè)標(biāo)記來加密報(bào)文正文的

//WSE產(chǎn)生一個(gè)KeyInfo元素，用來請(qǐng)求客戶端上曾用于給報(bào)文解密的證書



EncryptedData myEncData = new EncryptedData(myToken);

//將已加密數(shù)據(jù)元素添加到響應(yīng)報(bào)文的SoapContext上

myContext.Security.Elements.Add(myEncData);



return myDoc;

}

基于前面的方法，WSE管道產(chǎn)生了下面的有相應(yīng)Security頭、密文和密鑰信息的元素：

<?xml version="1.0" encoding="utf-8"?>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<soap:Header>

<wsu:Timestamp

xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility">

<wsu:Created>2003-02-11T01:34:01Z</wsu:Created>

<wsu:Expires>2003-02-11T01:39:01Z</wsu:Expires>

</wsu:Timestamp>

<wsse:Security soap:mustUnderstand="1"

xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext">

<xenc:EncryptedKey

Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"

xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

<xenc:EncryptionMethod

Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">

<wsse:SecurityTokenReference>

<wsse:KeyIdentifier ValueType="wsse:X509v3">

YmlKVwXYD8vuGuYliuIYdEAQQPw=

</wsse:KeyIdentifier>

</wsse:SecurityTokenReference>

</KeyInfo>

<xenc:CipherData>

<xenc:CipherValue>UJ64Addf3Fd59XsaQ=&Atilde;&#8218;&Acirc;…</xenc:CipherValue>

</xenc:CipherData>

<xenc:ReferenceList>

<xenc:DataReference URI=

"#EncryptedContent-608eef8b-4104-4469-95b6-7cb4703cfa03" />

</xenc:ReferenceList>

</xenc:EncryptedKey>

</wsse:Security>

</soap:Header>

<soap:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"

wsu:Id="Id-70179c5b-4975-4932-9ecd-a58feb34b0d3">

<xenc:EncryptedData

Id="EncryptedContent-608eef8b-4104-4469-95b6-7cb4703cfa03"

Type="http://www.w3.org/2001/04/xmlenc#Content"

xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">

<xenc:EncryptionMethod

Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />

<xenc:CipherData>

<xenc:CipherValue>

4o1b4befwBJu6tzuaygfrAaX0UGtaYKcw2klIbuZPjLi...z8i2ypHN4+w==

</xenc:CipherValue>

</xenc:CipherData>

</xenc:EncryptedData>

</soap:Body>

</soap:Envelope>

注意在這個(gè)已加密的報(bào)文里面，由非對(duì)稱加密過的EncryptedKey元素包含了用于給報(bào)文正文加密的對(duì)稱加密密鑰。ReferenceList元素引用了報(bào)文正文的EncryptedData元素的Id屬性。雖然我在我的例子中沒這樣做，標(biāo)記這個(gè)消息以便能讓容器驗(yàn)證發(fā)送者其實(shí)是個(gè)不錯(cuò)的想法。關(guān)于使用WSE來標(biāo)記報(bào)文的詳細(xì)信息，看WS-Security Authentication and Digital Signatures with Web Services Enhancements