Skip to main content

%XML.Security.Signature

Class %XML.Security.Signature Extends %SOAP.Security.Element [ System = 4 ]

For details on using this class, see Signing XML Documents. and Adding Digital Signatures.

XML Signature element.

Parameters

XMLFORMAT

Parameter XMLFORMAT = "literal";

NAMESPACE

Parameter NAMESPACE = "http://www.w3.org/2000/09/xmldsig#";

ELEMENTQUALIFIED

Parameter ELEMENTQUALIFIED = 1;

Properties

PreProcessed

Property PreProcessed As %Boolean(XMLPROJECTION = "NONE") [ InitialExpression = 0, Internal ];

The PreProcessed flag indicates whether the signature data in this signature is already valid and should not be recalculated when preparing a SOAP request for retransmission. In general this would only be useful when attempting to forward a specific signed entity such as a SAML assertion which contains a Signature element.

Id

Property Id As %String(MAXLEN = "", XMLPROJECTION = "attribute") [ Internal ];

Local Id attribute defined for XML Signature

SignedInfo

Property SignedInfo As %XML.Security.SignedInfo [ Internal ];

SignatureValue

Property SignatureValue As %xsd.base64Binary(CANONICALXML = 1) [ Internal ];

KeyInfo

Property KeyInfo As %XML.Security.KeyInfo [ Internal ];

Object

Property Object As %XML.Security.Object [ Internal ];

SignatureOptions

Property SignatureOptions As %Integer(XMLPROJECTION = "none") [ Internal ];

SignatureOptions specifies which parts of the message are to be signed. See %soap.inc definitions of $$$SOAPWSInclude.... for possibilities.

X509Credentials

Property X509Credentials As %RawString(XMLPROJECTION = "none") [ Internal ];

If signing is based on X509 certificate, this is the X509 certificate class. If signing is based on EncryptedKey, BinarySecret, DerivedKeyToken or SecurityContextToken element, then this element and Key property is defined.

Key

Property Key As %Binary(XMLPROJECTION = "none") [ Internal ];

The symmetric key for hmac-sha1 signing.

ReferenceOption

Property ReferenceOption As %String(XMLPROJECTION = "none") [ Internal ];

ReferenceOption argument from the Create call.

DigestMethodAlgorithm

Property DigestMethodAlgorithm As %String(XMLPROJECTION = "none") [ Internal ];

The default DigestMethod Algorithm for any references added to this Signature.

NodeId

Property NodeId As %String(XMLPROJECTION = "none") [ Internal ];

Save the node id of this element in the tree during import for canonicalizing later during signature verification.

IsBodySigned

Property IsBodySigned As %Boolean(XMLPROJECTION = "none") [ Internal ];

If true, then the SOAP Body is signed

Confirmed

Property Confirmed As %Boolean(XMLPROJECTION = "none") [ Internal ];

If true, this signature has been confirmed by a WS-Security 1.1 SubjectConfirmation element.

Methods

XMLNew

ClassMethod XMLNew(document As %XML.Document, nodeId As %Integer, containerOref As %RegisteredObject = "") As %RegisteredObject

Save the node if when getting a new class instance.

CreateX509

ClassMethod CreateX509(credentials As %SYS.X509Credentials = "", signatureOptions As %Integer, referenceOption As %Integer, Output status As %Status) As %XML.Security.Signature

Create a Signature element that is to be signed using the RSA private key that is associated with the specified X509 certificate.

  • The first argument can be a %SYS.X509Credentials instance, a %SAML.Assertion instance, or a %SOAP.Security.BinarySecurityToken instance. This argument indicates the X509 certificate to use.
    • If this argument is a %SYS.X509Credentials instance, the instance should refer to the X509 certificate to use.
    • If this argument is a %SAML.Assertion instance, its SubjectConfirmation should be based on the X.509 credentials to use.
    • If this argument is a %SOAP.Security.BinarySecurityToken instance, it should contain the X.509 certificate to use; this is the technique for a direct reference.
  • The signatureOptions argument specifies the parts of the SOAP message to be signed. The default is to sign all addressing header, body and timestamp. See %soap.inc definitions of $$$SOAPWSInlcude.... for possibilities.
  • The referenceOption argument specifies the type of reference to create. See %soap.inc definitions of $$$SOAPWSReference.... and $$$KeyInfoX509.... The default is to use a direct reference if the first argument is a binary security token or to use the Thumbprint if the first argument is a %SYS.X509Credentials instance.
  • If no signature is returned the status argument is set to the error %Status.

Create

ClassMethod Create(keyElement As %RegisteredObject = "", signatureOptions As %Integer, referenceOption As %Integer = "") As %XML.Security.Signature

Create a Signature element that is to be signed using the hmac-sha1 algorithm with a symmetric key specified by its KeyInfo element.

  • keyElement is the Security element which will supply the symmetric key. keyElement is meaningful only when referenceOption specified. See referenceOption for details.
  • The signatureOptions argument specifies the parts of the SOAP message to be signed. The default is to sign all addressing header, body and timestamp. See %soap.inc definitions of $$$SOAPWSInlcude.... for possibilities.
  • The referenceOption argument specifies the type of reference which will be in the KeyInfo. If referenceOption is "" or not specified, no KeyInfo is created. This is the default.
    • $$$SOAPWSReferenceEncryptedKey is reference to an EncryptedKey element in this message. The keyElement argument must be specified and is the EncryptedKey element.
    • $$$SOAPWSReferenceEncryptedKeySHA1 is reference by the SHA1 hash of the key contained in the EncryptedKey element specified as the first argument. If the keyElement is not specified, the key from the first EncryptedKey element in the received message is used.
    • $$$SOAPWSReferenceDerivedKey is reference to a DerivedKeyToken element in this message. The keyElement argument must be specified and is the DerivedKeyToken element.
    • $$$SOAPWSReferenceSCT is reference by wsu:Id to a SecurityContextToken element in this message. The keyElement argument must be specified and is the SecurityContextToken element.
    • $$$SOAPWSReferenceSCTIdentifier is reference by Identifier and Instance to a SecurityContextToken element not necessarily in this message. The keyElement argument must be specified and is the SecurityContextToken element.
    • $$$SOAPWSSAML is reference to SAML Assertion which contains an EncryptedKey or BinarySecret element in the KeyInfo that is in the SubjectConfirmationData. The keyElement argument must be specified and is the SAML Assertion element.

GetDefaultMethods

ClassMethod GetDefaultMethods(Output digest As %String, Output signature As %String, Output hmac As %String) [ Internal ]

Get default digest, signature and hmac methods

SetDigestMethod

Method SetDigestMethod(algorithm As %String)

Set the digest method algorithm to be used for signing. The algorithm is reflected in the Algorithm attribute of the DigestMethod element of each Reference element of the SignedInfo element of the Signature element. Possible values for algortihm are $$$SOAPWSsha1, $$$SOAPWSsha256, $$$SOAPWSsha384 and $$$SOAPWSsha512.

SetSignatureMethod

Method SetSignatureMethod(algorithm As %String)

Set the signature method algorithm to be used for signing. The algorithm is reflected in the Algorithm attribute of the SignatureMethod element the SignedInfo element of the Signature element. Possible values for algortihm are $$$SOAPWSrsasha1, $$$SOAPWSrsasha256, $$$SOAPWSrsasha384 and $$$SOAPWSrsasha512.

SignStream

Method SignStream(messageStream As %BinaryStream, mimeAttachments As %Net.MIMEPart = "") As %Status

SignStream completes the Signature element by adding the SignedInfo based on X509Credentials and computes the signature value for the XML stream to be signed. messageStream is a stream containing the XML to be signed.

If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.

The following example creates a stream which contains an XML document whose root object is is given by the oref obj. This oref is assumed to be an instance of an XML-enabled class that has the following properties:

  • A property that is projected to XML as the Id attribute. In this example, this is the Signed.Id property. property that is intended to contain the signature itself and that is projected to XML as the element. In this example, this is the Signature property. set writer=##class(%XML.Writer).%New() set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set x509 = ##class(%SYS.X509Credentials).GetByAlias("MyCredentials") set signature=##class(%XML.Security.Signature).CreateX509( x509,$$$SOAPWSIncludeNone,$$$KeyInfoX509Certificate) // Signature based on id of contained Signed element // Note that the name Signed is arbitrary. do signature.AddReference( ##class(%XML.Security.Reference).Create(obj.Signed.id)) set status=signature.SignStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit // Signature element is property of any name // Signature is an arbitrary property name set obj.Signature=signature // Output the signed stream now that the signature is computed. set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit

SignDocument

Method SignDocument(document As %XML.Document, mimeAttachments As %Net.MIMEPart = "") As %Status

SignDocument completes the Signature element by adding the SignedInfo based on X509Credentials and computes the signature value for the parsed XML document to be signed. document is an %XML.Document obtained by parsing the stream ot be signed.

If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.

The following example creates a stream which contains an XML document whose root object is is given by the oref obj. This oref is assumed to be an instance of an XML-enabled class that has the following properties:

  • A property that is projected to XML as the Id attribute. In this example, this is the Signed.Id property. property that is intended to contain the signature itself and that is projected to XML as the element. In this example, this is the Signature property. set writer=##class(%XML.Writer).%New() set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set x509=##class(%SYS.X509Credentials).GetByAlias("MyCredentials") set signature=##class(%XML.Security.Signature).CreateX509( x509,$$$SOAPWSIncludeNone,$$$KeyInfoX509Certificate) // Signature based on id of contained Signed element // Note that name Signed is arbitrary. do signature.AddReference( ##class(%XML.Security.Reference).Create(obj.Signed.id)) // We parse the stream to create a document which we will sign. set status= ##class(%XML.Document).GetDocumentFromStream(stream,.document) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=signature.SignDocument(document) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit // Signature element is property of any name // Signature is arbitrary property name set obj.Signature=signature // Output the signed stream now that the signature is computed. set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit

ValidateDocument

Method ValidateDocument(document As %XML.Document, mimeAttachments As %Net.MIMEPart = "", CAFile As %String = "") As %Status

Validate a %XML.Document containing a parsed XML document which contains a signature. The %XML.Signature element must be obtained from the same instance of %XML.Document that you are validating. If invalid return an error %Status.

If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.

The CAFile argument is the full path of file which contains the certificate authority certificates which are to be used to validate the signing certificate.

The following example assumes a single argument web service method with the argument named arg. This will usually be the case with an entire message being the argument since Parameter ARGUMENTSTYLE = "message". The document to validate is the SOAP message whose %XML.Document is contained in the ImportHandler property of the service. Also exclusive canonicalization must be used because the entire SOAP envelope is represented in ..Importhandler. If inclusive canonicalization needs to be used, then the ProcessBody or ProcessBodyNode methods must be used which allows access to just the Body contents as a document. // Signature element is property of any name. // Signature is arbitrary property name set signature=arg.Signature set status=signature.ValidateDocument(..ImportHandler) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit

InitializeForService

Method InitializeForService(service As %SOAP.WebBase, header As %SOAP.Security.Header = "") As %Status [ Internal ]

Initialize the signature based on the SignatureOptions of a web client or service. %XML.Security.Signature may be initialized directly by using calls to AddReference.

AddRM

Method AddRM(service As %SOAP.WebBase) [ Internal ]

Add reference to WS-ReliableMessaging headers

InitializeValue

Method InitializeValue(service As %SOAP.WebBase) As %Status [ Internal, Private ]

Validate correct size to the Signature element

AddReference

Method AddReference(reference As %XML.Security.Reference, doNotReuse As %Boolean = 0)

Add a reference to XML element using an %XML.Security.Reference. The reference may be created by using the ##class(%XML.Security.Reference).Create method. If doNotReuse is true, then this reference will be removed during Reset

Perform

Method Perform(messageStream As %BinaryStream, header As %SOAP.Security.Header) As %Status [ Internal ]

Complete the Signature element and update the message stream with the new SignatureValue

Sign

Method Sign(document As %XML.Document, header As %SOAP.Security.Header, mimeAttachments As %Net.MIMEPart) As %Status [ Internal ]

Complete the Signature element by adding the SignedInfo based on X509Credentials and compute the signature value.

GetNodeById

Method GetNodeById(uri As %String, document As %XML.Document, node As %XML.Node) As %String [ Internal, Private ]

Get node based on id from URI. Return nodeId

Reset

Method Reset() [ Internal ]

Reset the Signature element.

ValidateElement

Method ValidateElement(document As %XML.Document, service As %SOAP.WebBase = "", mimeAttachments As %Net.MIMEPart = "", CAFile As %String = "") As %String [ Internal ]

Validate the security header element. If invalid return an error code.

If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.

The CAFile argument is the full path of file which contains the certificate authority certificates which are to be used to validate the signing certificate.

ComputeSha1Digest

Method ComputeSha1Digest(node As %XML.Node, signNodeId As %String, writer As %XML.Writer, prefixList As %String, bitlength As %Integer, isSTR As %Boolean, ByRef text As %FileBinaryStream, mimeAttachments As %Net.MIMEPart) As %xsd.base64Binary

Compute SHA1 digest of an element