%XML.Security.Signature
class %XML.Security.Signature extends %SOAP.Security.Element
For details on using this class, see Signing XML Documents. and Adding Digital Signatures.
XML Signature element.Method Inventory
- AddReference()
- ComputeSha1Digest()
- Create()
- CreateX509()
- SetDigestMethod()
- SetSignatureMethod()
- SignDocument()
- SignStream()
- ValidateDocument()
- XMLNew()
Parameters
NOTE: Direct use of XMLExport method does not support the ELEMENTQUALIFIED. The export must be done using %XML.Writer or SOAP support.
If XMLFORMAT="Literal", then only support for literal format import and export is generated.
If XMLFORMAT="Encoded", then only support for SOAP encoded format import and export is generated.
The default is to generate support for both literal and encoded format.
Methods
- keyElement is the Security element which will supply the symmetric key. keyElement is meaningful only when referenceOption specified. See referenceOption for details.
- The signatureOptions argument specifies the parts of the SOAP message to be signed. The default is to sign all addressing header, body and timestamp. See %soap.inc definitions of $$$SOAPWSInlcude.... for possibilities.
- The referenceOption argument specifies the type of reference which will be in the KeyInfo.
If referenceOption is "" or not specified, no KeyInfo is created. This is the default.
- $$$SOAPWSReferenceEncryptedKey is reference to an EncryptedKey element in this message. The keyElement argument must be specified and is the EncryptedKey element.
- $$$SOAPWSReferenceEncryptedKeySHA1 is reference by the SHA1 hash of the key contained in the EncryptedKey element specified as the first argument. If the keyElement is not specified, the key from the first EncryptedKey element in the received message is used.
- $$$SOAPWSReferenceDerivedKey is reference to a DerivedKeyToken element in this message. The keyElement argument must be specified and is the DerivedKeyToken element.
- $$$SOAPWSReferenceSCT is reference by wsu:Id to a SecurityContextToken element in this message. The keyElement argument must be specified and is the SecurityContextToken element.
- $$$SOAPWSReferenceSCTIdentifier is reference by Identifier and Instance to a SecurityContextToken element not necessarily in this message. The keyElement argument must be specified and is the SecurityContextToken element.
- $$$SOAPWSSAML is reference to SAML Assertion which contains an EncryptedKey or BinarySecret element in the KeyInfo that is in the SubjectConfirmationData. The keyElement argument must be specified and is the SAML Assertion element.
- The first argument can be a %SYS.X509Credentials instance, a %SAML.Assertion instance, or a %SOAP.Security.BinarySecurityToken instance. This argument indicates the X509 certificate to use.
- If this argument is a %SYS.X509Credentials instance, the instance should refer to the X509 certificate to use.
- If this argument is a %SAML.Assertion instance, its SubjectConfirmation should be based on the X.509 credentials to use.
- If this argument is a %SOAP.Security.BinarySecurityToken instance, it should contain the X.509 certificate to use; this is the technique for a direct reference.
- The signatureOptions argument specifies the parts of the SOAP message to be signed. The default is to sign all addressing header, body and timestamp. See %soap.inc definitions of $$$SOAPWSInlcude.... for possibilities.
- The referenceOption argument specifies the type of reference to create. See %soap.inc definitions of $$$SOAPWSReference.... and $$$KeyInfoX509.... The default is to use a direct reference if the first argument is a binary security token or to use the Thumbprint if the first argument is a %SYS.X509Credentials instance.
- If no signature is returned the status argument is set to the error %Status.
If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.
The following example creates a stream which contains an XML document whose root object is is given by the oref obj. This oref is assumed to be an instance of an XML-enabled class that has the following properties:
- A property that is projected to XML as the Id attribute. In this example, this is the Signed.Id property.
- property that is intended to contain the signature itself and that is
projected to XML as the
element. In this example, this is the Signature property.
set writer=##class(%XML.Writer).%New() set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set x509=##class(%SYS.X509Credentials).GetByAlias("MyCredentials") set signature=##class(%XML.Security.Signature).CreateX509( x509,$$$SOAPWSIncludeNone,$$$KeyInfoX509Certificate) // Signature based on id of contained Signed element // Note that name Signed is arbitrary. do signature.AddReference( ##class(%XML.Security.Reference).Create(obj.Signed.id)) // We parse the stream to create a document which we will sign. set status= ##class(%XML.Document).GetDocumentFromStream(stream,.document) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=signature.SignDocument(document) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit // Signature element is property of any name // Signature is arbitrary property name set obj.Signature=signature // Output the signed stream now that the signature is computed. set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit
If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.
The following example creates a stream which contains an XML document whose root object is is given by the oref obj. This oref is assumed to be an instance of an XML-enabled class that has the following properties:
- A property that is projected to XML as the Id attribute. In this example, this is the Signed.Id property.
- property that is intended to contain the signature itself and that is
projected to XML as the
element. In this example, this is the Signature property.
set writer=##class(%XML.Writer).%New() set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set x509 = ##class(%SYS.X509Credentials).GetByAlias("MyCredentials") set signature=##class(%XML.Security.Signature).CreateX509( x509,$$$SOAPWSIncludeNone,$$$KeyInfoX509Certificate) // Signature based on id of contained Signed element // Note that the name Signed is arbitrary. do signature.AddReference( ##class(%XML.Security.Reference).Create(obj.Signed.id)) set status=signature.SignStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit // Signature element is property of any name // Signature is an arbitrary property name set obj.Signature=signature // Output the signed stream now that the signature is computed. set stream=##class(%FileBinaryStream).%New() set status=writer.OutputToStream(stream) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit set status=writer.RootObject(obj) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit
If the document is an MTOM document, then the optional mimeAttachments argument contains a single MIME part which has each MIME section as one of its child Parts.
The CAFile argument is the full path of file which contains the certificate authority certificates which are to be used to validate the signing certificate.
The following example assumes a single argument web service method with the argument named arg. This will usually be the case with an entire message being the argument since Parameter ARGUMENTSTYLE = "message". The document to validate is the SOAP message whose %XML.Document is contained in the ImportHandler property of the service. Also exclusive canonicalization must be used because the entire SOAP envelope is represented in ..Importhandler. If inclusive canonicalization needs to be used, then the ProcessBody or ProcessBodyNode methods must be used which allows access to just the Body contents as a document.
// Signature element is property of any name. // Signature is arbitrary property name set signature=arg.Signature set status=signature.ValidateDocument(..ImportHandler) if $$$ISERR(status) do $system.OBJ.DisplayError(status) quit
Inherited Members
Inherited Methods
- %AddToSaveSet()
- %ClassIsLatestVersion()
- %ClassName()
- %ConstructClone()
- %DispatchClassMethod()
- %DispatchGetModified()
- %DispatchGetProperty()
- %DispatchMethod()
- %DispatchSetModified()
- %DispatchSetMultidimProperty()
- %DispatchSetProperty()
- %Extends()
- %GetParameter()
- %IsA()
- %IsModified()
- %New()
- %NormalizeObject()
- %ObjectModified()
- %OriginalNamespace()
- %PackageName()
- %RemoveFromSaveSet()
- %SerializeObject()
- %SetModified()
- %ValidateObject()
- XMLDTD()
- XMLExport()
- XMLExportToStream()
- XMLExportToString()
- XMLSchema()
- XMLSchemaNamespace()
- XMLSchemaType()