[xmlsec] Re: x509
Aleksey Sanin
aleksey@aleksey.com
Mon, 20 May 2002 12:57:50 -0700
>
>
>More questions:
>- I think it isn't required that the key value (DSAKeyValue, RSAKeyValue) appear in the signed XML file, but I would like it to appear. How can I do this?
>
Put the <KeyValue> node in the template or add it dynamically. The correct
sub-nodes for your key will be added automatically.
>- In the XML file, must the X509Data of the CA appear?
>
Not sure I understand your question. You can put the X509 cert in the
xml keys file and then it'll be loaded with the key. For example, the
following command will create a new XML keys file with an RSA key and
a certificate that signs this key:
xmlsec keys --privkey:test-rsa ./test/keys/rsakey.pem,./tests/keys/rsacert.pem test.xml
Later you can have something like this in the template to put the
certificate in the signature:
  <KeyInfo>
    <KeyName>test-rsa</KeyName>
    <X509Data/>
  </KeyInfo>
>- I will sign an XML file with two signatures. I must add a new Signature node and identify it with an Id attribute. Is this correct?
>How do I do this?
>
I suspect that the real question is: how to sign the same file using two
different keys. I am not sure why you would need this, but you are right,
you need to put two <Signature> nodes in the file. However, there is a
problem: you must correctly create References so the Reference from
<Signature> node 1 will not include <Signature> node 2 and vice versa
(otherwise you'll have problems with the order of calculation). The
simplest way to do it is to use an XPath expression to sign everything
but Signature nodes. There is a new XPath Filter 2 transform
http://www.w3.org/Signature/Drafts/xmldsig-filter2/Overview.html
which can easily do this:
  <Reference URI="">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2002/04/xmldsig-filter2">
        <XPath Filter="subtract" xmlns="http://www.w3.org/2002/04/xmldsig-xfilter2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          //ds:Signature
        </XPath>
      </Transform>
    </Transforms>
  </Reference>
Aleksey.
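The "subtract //ds:Signature" step described in the reply above, as an added illustration that is not part of Aleksey's message or of the xmlsec code base: a small stdlib Python model that strips Signature subtrees before digesting, and shows that the digest stays stable when a second signer appends another Signature, whereas a plain Enveloped Signature transform (which removes only its own Signature) does not. The sample documents are constructed and the digest is over a plain ElementTree serialization, not real XML-DSig canonicalization.

```python
"""Model of why each Reference must exclude *every* ds:Signature node when a
document carries two enveloped signatures (stdlib only; constructed sample)."""
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DS_NS


def _sig(value):
    # Constructed stand-in for a Signature element; only the shape matters here.
    return ('<Signature xmlns="%s"><SignatureValue>%s</SignatureValue>'
            '</Signature>' % (DS_NS, value))


# Constructed sample: the same payload as seen by the first signer (one
# Signature) and as seen by a later verifier (second Signature appended).
DOC_ONE_SIG = "<Doc><Data>payload</Data>%s</Doc>" % _sig("AAA")
DOC_TWO_SIGS = "<Doc><Data>payload</Data>%s%s</Doc>" % (_sig("AAA"), _sig("BBB"))


def strip_signatures(xml_text, only_index=None):
    """Parse xml_text and remove ds:Signature subtrees.
    only_index=None removes every Signature (XPath Filter 2 'subtract
    //ds:Signature'); an integer removes only the n-th Signature in document
    order, which is what the plain Enveloped Signature transform does."""
    root = ET.fromstring(xml_text)
    seen = 0
    for parent in list(root.iter()):          # snapshot: we mutate children
        for child in list(parent):
            if child.tag != SIG_TAG:
                continue
            if only_index is None or seen == only_index:
                parent.remove(child)
            seen += 1
    return root


def digest_filter2_subtract(xml_text):
    """Digest after subtracting all //ds:Signature nodes (Filter 2 template)."""
    return hashlib.sha256(ET.tostring(strip_signatures(xml_text))).hexdigest()


def digest_enveloped(xml_text, sig_index):
    """Digest after removing only the Signature being computed or verified."""
    tree = strip_signatures(xml_text, sig_index)
    return hashlib.sha256(ET.tostring(tree)).hexdigest()


if __name__ == "__main__":
    # Signer 1 digests DOC_ONE_SIG; a verifier later sees DOC_TWO_SIGS.
    print("filter2 stable  :", digest_filter2_subtract(DOC_ONE_SIG) == digest_filter2_subtract(DOC_TWO_SIGS))
    print("enveloped stable:", digest_enveloped(DOC_ONE_SIG, 0) == digest_enveloped(DOC_TWO_SIGS, 0))
```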