Question
· Jun 28, 2019

Problem with xml signature

I'm trying to sign an XML document, but the result shows an Id attribute in the Signature tag and the xmlns attribute is not appearing.

This is the XML generated:

<Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>PyJvYnxxS/...</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIIHqjCCBZKg...</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>

And this is the expected XML:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
            <Transforms>
                <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
        </Reference>
    </SignedInfo>
    <SignatureValue>aJLT3XDORDA8..</SignatureValue>
    <KeyInfo>
        <X509Data>
            <X509Certificate>MIIHqjCCBZKgAwIBAg...</X509Certificate>
        </X509Data>
    </KeyInfo>
</Signature>

I'm trying to sign the XML using this code:

    SET tCredencial = ##class(%SYS.X509Credentials).GetByAlias("Credential")

    SET tParts = $$$SOAPWSIncludeSoapBody
    SET tRef = $$$KeyInfoX509Certificate

    SET tSignature = ##class(%XML.Security.Signature).CreateX509(tCredencial,tParts,tRef,.tSC)

    DO tSignature.SetSignatureMethod($$$SOAPWSrsasha1)
    DO tSignature.SetDigestMethod($$$SOAPWSsha1)
    SET tSignature.SignedInfo.CanonicalizationMethod.Algorithm=$$$SOAPWSc14n

    SET tRefid = XML.evento.infEvento.Id

    SET tAlgorithm = $$$SOAPWSEnvelopedSignature_","_$$$SOAPWSc14n
    #DIM tReference As %XML.Security.Reference
    SET tReference = ##class(%XML.Security.Reference).Create(tRefid,tAlgorithm)
    DO tSignature.AddReference(tReference)

    SET XML.evento.Signature = tSignature
    // this method converts the %XML.Adaptor object to a %XML.Document
    SET document = ..GetXMLDoc(XML)

    SET tSC = tSignature.SignDocument(document)

Discussion (7)

Is it XAdES?

I've done XAdES signing, but not with RSA algorithms. Still, it might be useful for you. Drop me your GitHub username if you need the code.

To add XAdES support I used a reference implementation in .NET: I read the XAdES docs on how it's supposed to work, then decompiled the .NET libraries to see how it all actually works, and recreated it in ObjectScript.

This is the full XML I'm signing.

<envEvento versao="1.00" xmlns="http://www.portalfiscal.inf.br/nfe">
    <idLote>1</idLote>
    <evento versao="1.00">
        <infEvento Id="ID2102103519037442275900010755000000003309115569507501">
            <cOrgao>91</cOrgao>
            <tpAmb>2</tpAmb>
            <CNPJ>00000000000000</CNPJ>
            <chNFe>35190374422759000107550000000033091155695075</chNFe>
            <dhEvento>2019-06-25T15:57:30-03:00</dhEvento>
            <tpEvento>210210</tpEvento>
            <nSeqEvento>1</nSeqEvento>
            <verEvento>1.00</verEvento>
            <detEvento versao="1.00">
                <descEvento>Ciencia da Operacao</descEvento>
            </detEvento>
        </infEvento>
        <Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>PyJvYnxxS..</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIHqjCCBZKgAwI..</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
    </evento>
</envEvento>

I set the tSignature inside my XML object, which has a property Signature of type %XML.Security.Signature, and then convert it to %XML.Document and do the signing:

    SET XML.evento.Signature = tSignature
    // this method converts the %XML.Adaptor object to a %XML.Document
    SET document = ..GetXMLDoc(XML)

    SET tSC = tSignature.SignDocument(document)

@daniel-sanches-0, could you please include the complete XML output that you are seeing? You may be able to exclude large, irrelevant portions of the content, but there may be relevant xmlns attributes higher up in the XML tree.

Also, how are you adding the signature to your XML and getting your XML content back out from the objects?
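
An added example, not part of the thread: a Python pre-check showing that, in the full XML posted above, a Signature element with no xmlns declaration of its own inherits the default namespace declared on envEvento, so a namespace-aware consumer looking for an XML-DSig Signature element will not match it. The sample documents are constructed from the posted XML, trimmed to the relevant elements, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the thread's document trimmed to the elements that matter.
GENERATED = """<envEvento versao="1.00" xmlns="http://www.portalfiscal.inf.br/nfe">
  <evento versao="1.00">
    <infEvento Id="ID2102103519037442275900010755000000003309115569507501"/>
    <Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
      <SignedInfo>
        <Reference URI="#ID2102103519037442275900010755000000003309115569507501"/>
      </SignedInfo>
    </Signature>
  </evento>
</envEvento>"""

# Same document with the Signature start tag from the "expected" XML in the question.
EXPECTED = GENERATED.replace(
    '<Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">',
    '<Signature xmlns="%s">' % DSIG_NS)


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_signatures(xml_text):
    """Return structural findings for every element whose local name is Signature."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in (e for e in root.iter() if split_tag(e.tag)[1] == "Signature"):
        ns, _ = split_tag(sig.tag)
        if ns != DSIG_NS:
            findings.append("Signature resolves to namespace %r, not xmldsig" % ns)
        if "Id" in sig.attrib:
            findings.append("Signature carries an Id attribute absent from the expected XML")
        # Each same-document Reference should point at exactly one element Id.
        for ref in (e for e in sig.iter() if split_tag(e.tag)[1] == "Reference"):
            target = ref.get("URI", "").lstrip("#")
            hits = [e for e in root.iter() if e.get("Id") == target]
            if len(hits) != 1:
                findings.append("Reference URI matches %d elements" % len(hits))
    return findings
```

Running `check_signatures` on the generated form reports the inherited `http://www.portalfiscal.inf.br/nfe` namespace and the extra Id attribute; the expected form produces no findings.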