Question
· Jan 12

Does %XML.Security.Signature require a pre-existing <Signature> element when signing an XML document?

I'm working on XML Digital Signature in InterSystems IRIS using %XML.Security.Signature.

I start with an XML document that is created by parsing an input XML string, and I want to digitally sign this document using an X509 certificate.

#include %soap   // the $$$SOAPWS... and $$$KeyInfo... macros are defined in %soap.inc

// credAlias: alias of the %SYS.X509Credentials set holding the signing key and certificate
// document: the %XML.Document produced by parsing the input XML string
Set x509 = ##class(%SYS.X509Credentials).GetByAlias(credAlias)
Set signature = ##class(%XML.Security.Signature).CreateX509(x509, $$$SOAPWSIncludeNone, $$$KeyInfoX509Certificate)

Set signature.Id = "SIG1"
Do signature.SetSignatureMethod($$$SOAPWSrsasha1)
Do signature.SetDigestMethod($$$SOAPWSsha1)
Set signature.SignedInfo.CanonicalizationMethod.Algorithm = $$$SOAPWSc14n

// Reference with URI="" covers the whole document; transforms: enveloped-signature, then c14n
Set ref = ##class(%XML.Security.Reference).Create("", $$$SOAPWSEnvelopedSignature_","_$$$SOAPWSc14n)
Do signature.AddReference(ref)

// returns a %Status; this is the call that fails with "Canonicalize error: Signature not found"
Set sc = signature.SignDocument(document)

During signing, I got the below error:

Canonicalize error: Signature not found

From debugging, it appears that the signing process attempts to locate a <Signature> element in the XML document by its Id, but no such element exists at that point.

This leads to my main question:

Is it expected that the XML document already contains a <Signature> element (including <SignedInfo>, <Reference>, etc.) before calling SignDocument()?

For example, do I need to manually add a skeleton like the following to the XML document prior to signing?

<Signature Id="SIG1">
  <SignedInfo>
    <CanonicalizationMethod
      Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod
      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="">
      <Transforms>
        <Transform
          Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        <Transform
          Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      </Transforms>
      <DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue></DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue></SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate></X509Certificate>
    </X509Data>
  </KeyInfo>
</Signature>

If a pre-existing signature skeleton is not required, could someone clarify the correct and supported workflow for signing an XML document using %XML.Security.Signature?

Any guidance or examples would be greatly appreciated.

Product version: IRIS 2025.1
$ZV: IRIS for UNIX (Red Hat Enterprise Linux 8 for x86-64) 2025.1.2 (Build 374U) Wed Oct 15 2025 14:39:42 EDT

No, a pre-existing <Signature> element is not required in the XML document before signing it using %XML.Security.Signature. The signing process builds and inserts the <Signature> element during the SignDocument() call, provided the signature object is properly initialized and associated with the document.

The error "Canonicalize error: Signature not found" occurs when the signature's structure does not match the expected format or is not correlated correctly with the document. %XML.Security.Signature requires the setup of references and methods, and all associated objects must be correct and linked before executing the SignDocument() method.

To resolve the situation:
1. Ensure the SignedInfo section is properly configured using the required signature and digest methods.
2. Associate the Reference instance with the signature object using AddReference().
3. Confirm the document object is correctly serialized before calling the SignDocument() method. This ensures adequate linkage between the XML structure and the signature object [1][2].
