[xmlsec] Signing a batch of signed elements

Marcus Pereira marcus at task.com.br
Mon Nov 16 07:13:22 PST 2009


I need to feed a government system that requires a signed XML that 
contains a batch of signed XML elements.

After signing the elements and building the final batch file, xmlsec1 
fails to sign it.

It seems xmlsec1 is getting confused about the many "<Signature>" 
elements in the XML. Although I think I am telling it what is the right 
chain to sign, the error shows an xpointer to the first signature element 
and not the last one (the one the node-id refers to).

How can I solve this?

Thanks for any help.
  Marcus Pereira

My command:
---------------------------------------
$ xmlsec1 sign --pwd "xxxxxx" --id-attr:Id BatchObjects --node-id "batch1" --privkey-pem mykey.pem batch_obj_tmpl.xml
func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('1'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1571:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
Error: failed to sign file "batch_obj_tmpl.xml"
---------------------------------------

My Template:
---------------------------------------
<?xml version="1.0"?>
<SendBatch xmlns="http://www.somelink.org/xsdlink.xsd">
 <BatchObjects Id="batch1" version="1.00">
  <BatchNumber>1</BatchNumber>
  <SenderId>09812</SenderId>
  <ObjectsCount>2</ObjectsCount>
  <ObjectsList>
    <Object>
     <InfObject Id="1">
      <Name>Object Example 1</Name>
      <Status>1</Status>
      <ObjectData>
       <ObjDat1>
        <MoreData>Test 1 Test 1 Test 1</MoreData>
       </ObjDat1>
      </ObjectData>
     </InfObject>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" 
Id="Sig_Object:1">
      <SignedInfo>
        <CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#1">
          <Transforms>
            <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>/xxx...DigestData2...xxx</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>/xxx...SignatureData2...xxx</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIX509CertificateData</X509Certificate>
        </X509Data>
      </KeyInfo>
     </Signature>
    </Object>
    <Object>
     <InfObject Id="2">
      <Name>Object Example 2</Name>
      <ObjectData>
       <ObjDat1>
        <MoreData>Test 2 Test 2 Test 2</MoreData>
       </ObjDat1>
      </ObjectData>
     </InfObject>
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" 
Id="Sig_Object:2">
      <SignedInfo>
        <CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
        <SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <Reference URI="#2">
          <Transforms>
            <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>/xxx...DigestData2...xxx</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>/xxx...SignatureData2...xxx</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>MIIX509CertificateData</X509Certificate>
        </X509Data>
      </KeyInfo>
     </Signature>
    </Object>
  </ObjectsList>
 </BatchObjects>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig_Batch1">
  <SignedInfo>
    <CanonicalizationMethod 
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
    <SignatureMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#batch1">
      <Transforms>
        <Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue/>
    </Reference>
  </SignedInfo>
  <SignatureValue/>
  <KeyInfo>
    <X509Data>
      <X509Certificate>MIIX509CertificateData</X509Certificate>
    </X509Data>
  </KeyInfo>
 </Signature>
</SendBatch>
---------------------------------------
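A preflight check for templates that carry several <Signature> elements, added here as an example and not part of the original post. It assumes, as the error line expr=xpointer(id('1')) suggests, that xmlsec1 starts at the element carrying the --node-id value and takes the first ds:Signature at or below it in document order, and that only Id attributes registered with --id-attr:Id <element> resolve as XML IDs; the embedded template is a constructed, trimmed copy of the one above.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SIG, REF, SIGVAL = (f"{{{DSIG}}}{n}" for n in ("Signature", "Reference", "SignatureValue"))

# Constructed, trimmed copy of the template from the post: two already signed
# objects inside BatchObjects, plus the still unsigned batch signature.
TEMPLATE = """<SendBatch xmlns="http://www.somelink.org/xsdlink.xsd">
 <BatchObjects Id="batch1">
  <Object><InfObject Id="1"><Name>Object Example 1</Name></InfObject>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig_Object:1">
    <SignedInfo><Reference URI="#1"/></SignedInfo><SignatureValue>xxx</SignatureValue>
   </Signature></Object>
  <Object><InfObject Id="2"><Name>Object Example 2</Name></InfObject>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig_Object:2">
    <SignedInfo><Reference URI="#2"/></SignedInfo><SignatureValue>xxx</SignatureValue>
   </Signature></Object>
 </BatchObjects>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Sig_Batch1">
  <SignedInfo><Reference URI="#batch1"/></SignedInfo><SignatureValue/>
 </Signature>
</SendBatch>"""

def check_template(xml_text, node_id, id_attr_elements, id_attr="Id"):
    """Report which Signature --node-id <node_id> selects and whether its Reference
    URIs resolve, given the elements named via --id-attr:Id <element>."""
    root = ET.fromstring(xml_text)
    by_id = {el.get(id_attr): el for el in root.iter() if el.get(id_attr) is not None}
    start = by_id.get(node_id)
    if start is None:
        raise ValueError(f"no element carries {id_attr}={node_id!r}")
    # Assumption: xmlsec1 takes the first ds:Signature at or below the start node
    # in document order, which is what expr=xpointer(id('1')) in the error indicates.
    sig = next(start.iter(SIG), None)
    if sig is None:
        return {"selected": None, "unresolved": [], "already_signed": False}
    unresolved = []
    for ref in sig.iter(REF):
        uri = ref.get("URI", "")
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        # Only Id attributes registered via --id-attr:Id <element> are usable as XML IDs.
        if target is None or target.tag.rsplit("}", 1)[-1] not in id_attr_elements:
            unresolved.append(uri)
    sigval = sig.find(SIGVAL)
    return {"selected": sig.get(id_attr), "unresolved": unresolved,
            "already_signed": bool(sigval is not None and (sigval.text or "").strip())}

if __name__ == "__main__":
    print(check_template(TEMPLATE, "batch1", {"BatchObjects"}))      # lands on Sig_Object:1
    print(check_template(TEMPLATE, "Sig_Batch1", {"BatchObjects"}))  # lands on the batch signature
```

Run against the post's own command line, the first call reports that the selected signature is the already signed Sig_Object:1 with an unresolvable "#1", which is exactly the failure the error trace shows.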
