Problem with xml signature

Question

Question

Daniel Sanches · Jun 28, 2019

#Authentication #XML #Caché #InterSystems IRIS

I'm trying to sign an xml but this is showing an Id attribute in the Signature tag and the xmlns attribute is not appearing.

This is the xml generated:

<Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>PyJvYnxxS/...</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIHqjCCBZKg...</X509Certificate>
                </X509Data>
            </KeyInfo>
 </Signature>

And this is the xml expected:

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>aJLT3XDORDA8..</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIHqjCCBZKgAwIBAg...</X509Certificate>
                </X509Data>
            </KeyInfo>
</Signature>

I'm trying sign the xml using this code:

SET tCredencial = ##class(%SYS.X509Credentials).GetByAlias("Credential")
    
    SET tParts  = $$$SOAPWSIncludeSoapBody
    SET tRef = $$$KeyInfoX509Certificate
    
    SET tSignature = ##class(%XML.Security.Signature).CreateX509(tCredencial,tParts,tRef,.tSC)
    
DO tSignature.SetSignatureMethod($$$SOAPWSrsasha1)
DO tSignature.SetDigestMethod($$$SOAPWSsha1)
Set tSignature.SignedInfo.CanonicalizationMethod.Algorithm=$$$SOAPWSc14n

    SET tRefid = XML.evento.infEvento.Id
    
    SET tAlgorithm = $$$SOAPWSEnvelopedSignature_","_$$$SOAPWSc14n
    #DIM tReference As %XML.Security.Reference
    SET tReference = ##class(%XML.Security.Reference).Create(tRefid,tAlgorithm)
    DO tSignature.AddReference(tReference)

    SET XML.evento.Signature = tSignature
    // this method convert %XML.Adapter on %XML.Document
    SET document = ..GetXMLDoc(XML)

SET tSC = tSignature.SignDocument(document)

Discussion (7)0

Log in or sign up to continue

Dale du Preez · Jul 1, 2019

@daniel-sanches-0, could you please include the complete XML output that you are seeing? (You may be able to exclude large, irrelevant portions of the content), but there may be relevant xmlns attributes higher up in the XML tree.

Also, how are you adding the signature to your XML and getting your XML content back out from the objects?

0 0

score 0 · Answer 1 · 2019-06-29T04:36:43-04:00

Is it Xades?

I've done Xades signing, but not with RSA algorithms. Still, might be useful for you. Drop me your GitHub username if you need the code.

To add Xades support I used a reference implementation in .Net - read the Xades docs on how it's supposed to work, then decompiled .Net libraries to see how it all actually works, and recreated it in ObjectScript.

score 0 · Answer 2 · 2019-07-01T10:11:14-04:00

Daniel Sanches · Jul 1, 2019

Yes is a XADES, My github is https://github.com/SanchesDaniel

0 0

score 0 · Answer 3 · 2019-07-02T14:41:47-04:00

Sander Cornet · Jul 2, 2019

Nice! I will defenitly try this out, thanks

0 0

score 0 · Answer 4 · 2019-07-01T10:09:50-04:00

This is the full Xml I'm signing.

<envEvento versao="1.00" xmlns="http://www.portalfiscal.inf.br/nfe">
    <idLote>1</idLote>
    <evento versao="1.00">
        <infEvento Id="ID2102103519037442275900010755000000003309115569507501">
            <cOrgao>91</cOrgao>
            <tpAmb>2</tpAmb>
            <CNPJ>00000000000000</CNPJ>
            <chNFe>35190374422759000107550000000033091155695075</chNFe>
            <dhEvento>2019-06-25T15:57:30-03:00</dhEvento>
            <tpEvento>210210</tpEvento>
            <nSeqEvento>1</nSeqEvento>
            <verEvento>1.00</verEvento>
            <detEvento versao="1.00">
                <descEvento>Ciencia da Operacao</descEvento>
            </detEvento>
        </infEvento>
        <Signature Id="Id-80170FF0-0678-47D5-8C8B-771AA4E334E6">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <Reference URI="#ID2102103519037442275900010755000000003309115569507501">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>wwcIz10ydGwGr3DYsCl+l6IfwyY=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>PyJvYnxxS..</SignatureValue>
            <KeyInfo>
                <X509Data>
                    <X509Certificate>MIIHqjCCBZKgAwI..</X509Certificate>
                </X509Data>
            </KeyInfo>
        </Signature>
    </evento>
</envEvento>

I set the tSignature inside my XML object that has a property Signature of type% XML.Security.Signature and then convert to% XML.Document and do the sign

SET XML.evento.Signature = tSignature
// this method convert %XML.Adapter on %XML.Document
SET document = ..GetXMLDoc(XML)

SET tSC = tSignature.SignDocument(document)

score 0 · Answer 5 · 2020-06-05T15:05:14-04:00

Hi.

I have the same problem in Ensemble.

I don't know how to hidden the Id's attribute in Signature's tag, on XML.

I've tried to change XMLPROJECTION of the Property Id to "NONE", but it makes an error.

Please, can you post the solution?

Thanks.

score 0 · Answer 6 · 2019-07-01T10:20:37-04:00

Eduard Lebedyuk · Jul 1, 2019

Done. Check isc.xades package.

0 0