[xmlsec] signing failure with 0.0.13 that work with 0.0.10

Aleksey Sanin aleksey at aleksey.com
Tue Mar 18 16:25:38 PST 2003


Hi, Ferrel!

The error you have says that instead of expected <dsig:Signature> node
in the xmlSecDSigGenerate() function you've got something else. Using
"testXPath" utility from LibXML package I can confirm that:

[aleksey at lsh ferrel]$ ./testXPath  --input test-signed.xml "//Contact[1]"
Object is a Node Set :
Set contains 1 nodes:
1  ELEMENT Contact
    ATTRIBUTE Id
      TEXT
        content=f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a

As you can see, you have selected a wrong "start node" (Contact instead of
<dsig:Signature>). Simple changing the xpath expression helps:

 [aleksey at lsh ferrel]$ ./testXPath  --input test-signed.xml "//Contact/*[6]"
Object is a Node Set :
Set contains 1 nodes:
1  ELEMENT sig:Signature
    namespace sig href=http://www.w3.org/2000/09/xmldsig#
[aleksey at lsh ferrel]$ xmlsec sign --node-xpath '//Contact/*[6]' 
--privkey rsakey.pem
test-signed.xml
<?xml version="1.0" encoding="UTF-8"?>
<Keys Source="Atlanta"><!-- generated TestKey keygen 
--><Contacts><Contact Id="f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a">
....

 From my point of view, your original XPath expression to select 
<dsig:Signature> node
is incorrect and I am not sure that I understand how it used to work. 
May be there was
a bug in LibXML and you got it fixed with new LibXML version.


With best regards,
Aleksey





More information about the xmlsec mailing list