Question

Does %XML.Security.Signature require a pre-existing <Signature> element when signing an XML document?

I'm working on XML Digital Signature in InterSystems IRIS using %XML.Security.Signature.

I start with an XML document that is created by parsing an input XML string, and I want to digitally sign this document using an X509 certificate.

// Load the X509 credentials by alias and build the signature object
Set x509 = ##class(%SYS.X509Credentials).GetByAlias(credAlias)
Set signature = ##class(%XML.Security.Signature).CreateX509(x509, $$$SOAPWSIncludeNone, $$$KeyInfoX509Certificate)

// Id of the <Signature> element, plus signature, digest and canonicalization algorithms
Set signature.Id = "SIG1"
Do signature.SetSignatureMethod($$$SOAPWSrsasha1)
Do signature.SetDigestMethod($$$SOAPWSsha1)
Set signature.SignedInfo.CanonicalizationMethod.Algorithm = $$$SOAPWSc14n

// Reference with URI="" (whole document) and enveloped-signature + c14n transforms
Set ref = ##class(%XML.Security.Reference).Create("", $$$SOAPWSEnvelopedSignature_","_$$$SOAPWSc14n)
Do signature.AddReference(ref)

// Sign the parsed %XML.Document
Set sc = signature.SignDocument(document)

During signing, I got the below error:

Canonicalize error: Signature not found

From debugging, it appears that the signing process attempts to locate a <Signature> element in the XML document by its Id, but no such element exists at that point.

This leads to my main question:

Is it expected that the XML document already contains a <Signature> element (including <SignedInfo>, <Reference>, etc.) before calling SignDocument()?

For example, do I need to manually add a skeleton like the following to the XML document prior to signing?

<Signature Id="SIG1">
  <SignedInfo>
    <CanonicalizationMethod
      Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod
      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <Transform
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      </Transforms>
      <DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue></DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue></SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate></X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

If a pre-existing signature skeleton is not required, could someone clarify the correct and supported workflow for signing an XML document using %XML.Security.Signature?

Any guidance or examples would be greatly appreciated.

Product version: IRIS 2025.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2025.1.2 (Build 374U) Wed Oct 15 2025 14:39:42 EDT
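As an added illustration (not part of the question and not IRIS library code), the Python below shows what the Reference in the skeleton above actually covers: with URI="" plus the enveloped-signature and c14n transforms, the digest is computed over the whole document with the <Signature> element removed, which is why a signer has to locate that element by its Id before it can fill in <DigestValue>. It assumes Python 3.8+ for xml.etree.ElementTree.canonicalize(), which implements C14N 2.0 rather than the 2001 C14N algorithm named in the skeleton; for the namespace-free, comment-free sample used here both produce the same bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a payload wrapping the question's skeleton (KeyInfo omitted).
SAMPLE_DOC = """<Order>
  <Item>widget</Item>
  <Qty>3</Qty>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG1">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
  </Signature>
</Order>
"""

def strip_signature(xml_text: str, signature_id: str) -> str:
    """Enveloped-signature transform: remove the <Signature Id=...> element
    (any namespace) but keep the text that followed it, as XML-DSig does."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        prev = None
        for child in list(parent):
            if child.tag.split("}")[-1] == "Signature" and child.get("Id") == signature_id:
                if prev is not None:      # re-attach the removed node's tail text
                    prev.tail = (prev.tail or "") + (child.tail or "")
                else:
                    parent.text = (parent.text or "") + (child.tail or "")
                parent.remove(child)
            else:
                prev = child
    return ET.tostring(root, encoding="unicode")

def reference_digest(xml_text: str, signature_id: str = "SIG1") -> str:
    """<DigestValue> for Reference URI="": canonicalize the document minus its
    Signature, SHA-1 it, base64-encode. Assumption: ET.canonicalize() is C14N
    2.0, identical to C14N 1.0 output for this namespace-free stripped sample."""
    canonical = ET.canonicalize(strip_signature(xml_text, signature_id))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")
```

Because the Signature subtree is excluded, the digest is unchanged whether <DigestValue> is empty or filled, while any edit to the payload changes it.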