Pseudocode: How IRBXmlSignatureService Signs UBL XML for IRBM Submission #irbxml #irbsigning #signature

Load PEM certificate
Load PEM private key
Load .p12 path and passphrase

If PEM or key is missing → throw exception

Function signAndInject(xml):

  issuerName = fixed IRBM issuer string
  digestData = hashDocument(xml) // C14N + SHA256
  certDigest = hashRawCert()     // For SignedProperties
  serialNum  = extractCertSerial() // Decimal serial from PEM
  base64Cert = extractCertDER() // base64-encoded cert
  signingTime = now + 5s

  signedPropsDigest = digestSignedProperties(certDigest, serialNum, issuerName, signingTime)

  signatureValue = signDigest(raw minified XML without signature, using .p12 private key)

  Build:
    - <cac:Signature> chunk
    - <UBLExtensions> with <ds:Signature> structure using all above values

  Insert:
    - <cac:Signature> before <cac:AccountingSupplierParty>
    - <UBLExtensions> after <Invoice>

  Minify XML (remove extra whitespace)

  Return final signed XML

Function hashDocument(xml):

  Load into DOMDocument
  Apply Exclusive C14N to <Invoice>
  SHA256 hash it (raw + base64)
  Return digest and canonicalized XML

Function signDigest(rawXML):

  Load .p12
  Extract private key
  openssl_sign(SHA256 hash of digest)
  Return base64 signature

Build <xades:SignedProperties> XML
Inject: certDigest, issuer, serial number, signingTime
Minify XML (no whitespace between tags)
SHA256 hash and return base64

Function buildSignedInfoXml():

  Reference 1: full document (URI="")
    - with XPath transforms to exclude UBLExtensions and Signature
    - SHA256 digest

  Reference 2: SignedProperties (URI="#id-xades-signed-props")
    - SHA256 digest

  CanonicalizationMethod: Exclusive C14N
  SignatureMethod: RSA-SHA256

Insert <cac:Signature> tag before supplier section
Insert full <UBLExtensions> after <Invoice>
Return minified, signed XML string