[xmlsec] Enveloped signing with multiple signatures

Aleksey Sanin aleksey at aleksey.com
Mon Oct 4 08:38:21 PDT 2004


This is a good question :) By definition, the enveloped transform removes
only the *current* <Signature> element. Suppose you have two <Signature>
elements in the document and both use the enveloped transform. When you sign
the first <Signature>, the second one has no values yet, and it will be
signed without values. Thus when you sign the second <Signature> and
try to verify the first one, you'll get an error because now the second
<Signature> has all values set.

This means that if you have multiple signatures in the document then
you need to make sure that the first signature excludes all others, the second
signature excludes all others but maybe the first one, etc. For example,
the following XPath transform will exclude all the <Signature> elements:

	not(ancestor-or-self::dsig:Signature)

In some cases, you may also need to include the enveloped transform first
because of protocol requirements (for example, I believe ebxml requires
this).

Finally, note that unless every signature in the document excludes all
others, the order of signatures is *very* important in the case of
multiple signatures.

Best,
Aleksey
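The failure mode described in the post, as an added example that is not part of the original message or of xmlsec: a constructed document with two enveloped signatures is "signed" first with sig1, then sig2 gets its value, and the octets sig1 covered are recomputed. Plain ElementTree serialization stands in for C14N, and the node-set filtering is done by hand rather than by an XPath engine; the point is that dropping only the current <Signature> (enveloped transform) makes sig1's input change, while dropping every <Signature> (the `not(ancestor-or-self::dsig:Signature)` filter) keeps it stable.

```python
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS
VALUE_TAG = "{%s}SignatureValue" % DSIG_NS
ET.register_namespace("dsig", DSIG_NS)

# Constructed document: a payload plus two not-yet-signed enveloped signatures.
UNSIGNED_DOC = """<Envelope xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <Payload>order 42</Payload>
  <dsig:Signature Id="sig1"><dsig:SignatureValue/></dsig:Signature>
  <dsig:Signature Id="sig2"><dsig:SignatureValue/></dsig:Signature>
</Envelope>"""


def signed_octets(doc: str, current_id: str, exclude_all: bool) -> bytes:
    """Octets the signature `current_id` covers (ElementTree serialization
    stands in for C14N).

    exclude_all=False: plain enveloped transform, drops only the current
    <Signature>.  exclude_all=True: the XPath filter
    not(ancestor-or-self::dsig:Signature), drops every <Signature> subtree.
    """
    root = ET.fromstring(doc)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == SIG_TAG and (exclude_all or child.get("Id") == current_id):
                parent.remove(child)
    return ET.tostring(root, encoding="utf-8")


def fill_signature(doc: str, sig_id: str, value: str) -> str:
    """Return the document with the <SignatureValue> of `sig_id` populated."""
    root = ET.fromstring(doc)
    for sig in root.iter(SIG_TAG):
        if sig.get("Id") == sig_id:
            sig.find(VALUE_TAG).text = value
    return ET.tostring(root, encoding="unicode")


def first_signature_still_verifies(exclude_all: bool) -> bool:
    """Sign sig1 first, then sig2: does the input sig1 signed survive unchanged?"""
    at_signing = hashlib.sha256(signed_octets(UNSIGNED_DOC, "sig1", exclude_all)).digest()
    later_doc = fill_signature(UNSIGNED_DOC, "sig2", "c2lnbmF0dXJlMg==")  # constructed value
    at_verify = hashlib.sha256(signed_octets(later_doc, "sig1", exclude_all)).digest()
    return at_signing == at_verify


if __name__ == "__main__":
    print("enveloped only:", first_signature_still_verifies(False))  # False
    print("exclude all   :", first_signature_still_verifies(True))   # True
```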


