- XUCERT ;ISD/HGW Kernel PKI Certificate Utilities ;09/13/2019 12:25
- ;;8.0;KERNEL;**659,701**;Jul 10, 1995;Build 0
- ;Per VA Directive 6402, this routine should not be modified.
- ;Entry points: $$VALIDATE(DOC,.ERR) validates a digitally signed XML document; TEST prints troubleshooting info. GETISSUE is internal.
- Q ;No top-level entry: D ^XUCERT does nothing; call the labels below
- VALIDATE(DOC,ERR) ;Extrinsic Function. Usage: S OK=$$VALIDATE^XUCERT(DOC,.ERR)
- ;Validate the signatures in a digitally signed XML document which contains an EncryptedData element and EncryptedKey elements.
- ; Input: DOC = This string is either a closed reference to a global root containing the XML document or a filename
- ; and path reference identifying the XML document on the host system. See the Kernel Developers Guide
- ; documentation on $$EN^MXMLDOM() for detailed requirements for the format of the input global.
- ; ERR = passed by reference; on failure an error subscript is set here (ERR("PARSE") or ERR("NO-SIGNATURE")) or by $$VAL2^XUCERT1.
- ; Return: 0 when the document cannot be read (ERR("PARSE") set) or carries no signature (ERR("NO-SIGNATURE") set);
- ; otherwise the status from $$VAL2^XUCERT1 -- per the original header, Fail = "-1^Error Message" and Success = 1.
- ; Side effect: GETISSUE stores the signing certificate's Subject in XOBDATA("XOB RPC","SAML","ISSUER") before the
- ; signature is checked, so ISSUER is only trustworthy when this function reports success.
- ;ZEXCEPT: %New,%XML,Document,OpenFile,OpenStream,Reader,ValidateDocument,class ;ObjectScript
- N XUREAD,XUSIG,XUSTATUS,XUVER ;XUVER appears unused since the p701 change below
- S XUREAD=$$READER^XUCERT1(DOC) ;Read XML document
- I $G(XUREAD)["-1^" S ERR("PARSE")="" Q 0 ;Unreadable document: flag it and fail closed
- S XUSIG=$$SGNTR^XUCERT1(XUREAD) ;Find digital signature
- I $G(XUSIG)["-1^" S ERR("NO-SIGNATURE")="" Q 0 ;Unsigned document is rejected
- D GETISSUE(XUSIG) ;Save subject of X509 certificate (issuer of signature); note: runs before validation
- ;p701;S XUVER=$$VERSION^%ZOSV() S XUVER=$P(XUVER,".",1)_"."_$P(XUVER,".",2)
- S XUSTATUS=$$VAL2^XUCERT1(XUREAD,XUSIG,.ERR) ;Signature check; ERR passed by reference for details
- Q XUSTATUS
- ;
- GETISSUE(SIG) ;Subroutine. Save X509 Certificate owner to XOBDATA("XOB RPC","SAML","ISSUER")
- ; Input: SIG = signature reference as returned by $$SGNTR^XUCERT1 (see VALIDATE)
- ; XOBDATA is not NEWed here; presumably owned by the calling RPC context -- TODO confirm against callers
- ; Note: the Subject is recorded whether or not the signature later validates; VALIDATE calls this before $$VAL2^XUCERT1.
- ;ZEXCEPT: Encryption,X509GetField,XOBDATA ;ObjectScript and environment variables
- N CERT
- S CERT=$$CERT^XUCERT1(SIG) ;Certificate from the signature; -1 if it cannot be obtained
- I +CERT=-1 Q ;Cannot get certificate; any ISSUER value left from an earlier call is NOT cleared
- S XOBDATA("XOB RPC","SAML","ISSUER")=$System.Encryption.X509GetField(CERT,"Subject") ;Cache-specific $System call
- Q
- ;
- TEST ;Subroutine. Interactive troubleshooting checks; writes to the current device, returns nothing.
- ;Check if Cache version >= 2015.2
- ;NOTE(review): since p701 VALIDATE above calls $$VAL2^XUCERT1 unconditionally (the version test is commented out),
- ; so the version-dependent guidance printed below may be stale -- confirm before acting on it.
- ; 12345678901234567890123456789012345678901234567890123456789012345678901234567890
- W !,"XML digital signature validation is done differently depending on the version"
- W !,"of Cache being used on your system:"
- W !," Versions greater than or equal to 2015.2 use $$VAL1^XUCERT1"
- W !," Versions less than 2015.2 use $$VAL2^XUCERT1"
- W !," Your Cache Version is ",$$VERSION^%ZOSV(),!
- ;
- ;Check if PKI chain of trust to root is available (how?)
- ; ** Apparently Cache uses OpenSSL on underlying server for chain of trust. Check OpenSSL version?
- ;Check if %SuperServer and %TELNET/SSL is available (how? with https?)
- ; ** Is this still needed?
- ;Check if a local X.509 certificate is installed (how? same as %SuperServer check?)
- ; ** Not needed. All sites use SSL, so they have a certificate on the server.
- Q
- ;
- --- Routine Detail --- with STRUCTURED ROUTINE LISTING --- XUCERT 2636 printed Feb 18, 2025@23:35:27 Page 2
- XUCERT ;ISD/HGW Kernel PKI Certificate Utilities ;09/13/2019 12:25
- +1 ;;8.0;KERNEL;**659,701**;Jul 10, 1995;Build 0
- +2 ;Per VA Directive 6402, this routine should not be modified.
- +3 ;
- +4 QUIT
- VALIDATE(DOC,ERR) ;Extrinsic Function.
- +1 ;Validate the signatures in a digitally signed XML document which contains an EncryptedData element and EncryptedKey elements.
- +2 ; Input: DOC = This string is either a closed reference to a global root containing the XML document or a filename
- +3 ; and path reference identifying the XML document on the host system. See the Kernel Developers Guide
- +4 ; documentation on $$EN^MXMLDOM() for detailed requirements for the format of the input global.
- +5 ; Return: Fail = "-1^Error Message"
- +6 ; Success = 1
- +7 ;
- +8 ;ZEXCEPT: %New,%XML,Document,OpenFile,OpenStream,Reader,ValidateDocument,class ;ObjectScript
- +9 NEW XUREAD,XUSIG,XUSTATUS,XUVER
- +10 ;Read XML document
- SET XUREAD=$$READER^XUCERT1(DOC)
- +11 IF $GET(XUREAD)["-1^"
- SET ERR("PARSE")=""
- QUIT 0
- +12 ;Find digital signature
- SET XUSIG=$$SGNTR^XUCERT1(XUREAD)
- +13 IF $GET(XUSIG)["-1^"
- SET ERR("NO-SIGNATURE")=""
- QUIT 0
- +14 ;Save subject of X509 certificate (issuer of signature)
- DO GETISSUE(XUSIG)
- +15 ;p701;S XUVER=$$VERSION^%ZOSV() S XUVER=$P(XUVER,".",1)_"."_$P(XUVER,".",2)
- +16 SET XUSTATUS=$$VAL2^XUCERT1(XUREAD,XUSIG,.ERR)
- +17 QUIT XUSTATUS
- +18 ;
- GETISSUE(SIG) ;Subroutine. Save X509 Certificate owner to XOBDATA("XOB RPC","SAML",ISSUER")
- +1 ;ZEXCEPT: Encryption,X509GetField,XOBDATA ;ObjectScript and environment variables
- +2 NEW CERT
- +3 SET CERT=$$CERT^XUCERT1(SIG)
- +4 ;Cannot get certificate
- IF +CERT=-1
- QUIT
- +5
- *** ERROR ***
- SET XOBDATA("XOB RPC","SAML","ISSUER")=$System.Encryption.X509GetField(CERT,"Subject")
- +6 QUIT
- +7 ;
- TEST ;Subroutine. System checks to help with troubleshooting.
- +1 ;Check if Cache version >= 2015.2
- +2 ; 12345678901234567890123456789012345678901234567890123456789012345678901234567890
- +3 WRITE !,"XML digital signature validation is done differently depending on the version"
- +4 WRITE !,"of Cache being used on your system:"
- +5 WRITE !," Versions greater than or equal to 2015.2 use $$VAL1^XUCERT1"
- +6 WRITE !," Versions less than 2015.2 use $$VAL2^XUCERT1"
- +7 WRITE !," Your Cache Version is ",$$VERSION^%ZOSV(),!
- +8 ;
- +9 ;Check if PKI chain of trust to root is available (how?)
- +10 ; ** Apparently Cache uses OpenSSL on underlying server for chain of trust. Check OpenSSL version?
- +11 ;Check if %SuperServer and %TELNET/SSL is available (how? with https?)
- +12 ; ** Is this still needed?
- +13 ;Check if a local X.509 certificate is installed (how? same as %SuperServer check?)
- +14 ; ** Not needed. All sites use SSL, so they have a certificate on the server.
- +15 QUIT
- +16 ;