[xmlsec] xmlsec1 signing wrong when a child has Signature node
Aleksey Sanin
aleksey at aleksey.com
Thu Nov 26 10:44:01 PST 2009
No, I didn't try it. However, now I did and I see a problem with
the template. "--node-id" parameter should point to the "Signature"
element itself or the parent node of the "Signature" element.
Try something like this
# xmlsec1 sign --privkey-pem rsakey.pem --node-id "Signature1" xml1_tmpl.xml
# xmlsec1 sign --privkey-pem rsakey.pem --node-id "Signature2" xml1_tmpl.xml
<?xml version="1.0"?>
<Family>
<Parent xml:id="Parent1">
<ParentData>I am the first Dad</ParentData>
<Childs>
<Child xml:id="Child1">
<ChildData>I am the first Child</ChildData>
</Child>
<Signature xml:id="Signature1"
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Child1">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
</Signature>
</Childs>
</Parent>
<Signature xml:id="Signature2" xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Parent1">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue/>
</Reference>
</SignedInfo>
<SignatureValue/>
</Signature>
</Family>
Aleksey
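As an added illustration of the rule in the reply above (not code from this thread or from the xmlsec project), the following Python script applies that rule to a constructed copy of the template: a --node-id start element is accepted only if it is the Signature element itself or the direct parent of exactly one Signature. It assumes xml:id is the ID attribute and trims the template to the parts the lookup needs.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DSIG_NS
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"  # how ElementTree exposes xml:id

# Constructed copy of the thread's template, trimmed to what the lookup needs;
# both Signature elements carry an xml:id, as the reply suggests.
TEMPLATE = """<Family>
 <Parent xml:id="Parent1">
  <ParentData>I am the first Dad</ParentData>
  <Childs>
   <Child xml:id="Child1"><ChildData>I am the first Child</ChildData></Child>
   <Signature xml:id="Signature1" xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="#Child1"/></SignedInfo><SignatureValue/>
   </Signature>
  </Childs>
 </Parent>
 <Signature xml:id="Signature2" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo><Reference URI="#Parent1"/></SignedInfo><SignatureValue/>
 </Signature>
</Family>"""
ROOT = ET.fromstring(TEMPLATE)

def find_by_id(node_id, root=ROOT):
    """Return the element whose xml:id equals node_id, or None."""
    return next((el for el in root.iter() if el.get(XML_ID) == node_id), None)

def signatures_below(node_id, root=ROOT):
    """Count ds:Signature elements at or below the element with node_id."""
    start = find_by_id(node_id, root)
    return sum(1 for el in start.iter() if el.tag == SIG_TAG) if start is not None else 0

def resolve(node_id, root=ROOT):
    """Apply the rule from the reply: the start element must be the Signature
    itself or the direct parent of exactly one Signature. Returns the Reference
    URI of the selected Signature, or None when the start node is unsuitable."""
    start = find_by_id(node_id, root)
    if start is None:
        return None
    if start.tag == SIG_TAG:
        sig = start
    else:
        direct = [c for c in start if c.tag == SIG_TAG]
        if len(direct) != 1:
            return None
        sig = direct[0]
    ref = sig.find("{%s}SignedInfo/{%s}Reference" % (DSIG_NS, DSIG_NS))
    return ref.get("URI") if ref is not None else None
```

resolve("Parent1") returns None because the only Signature below Parent1 is the child's (two levels down), while the Signature that references #Parent1 sits outside Parent1's subtree entirely; resolve("Signature2") returns "#Parent1".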
Marcus Pereira wrote:
> Hi Aleksey,
> yes my libxml2 is a recent version (2.7.6). I put xml:id on this
> example, but with a normal Id property and using "--id-attr" option I
> have the same problem.
>
> Have you tried this template example and commands?
>
> Marcus
>
>
> Aleksey Sanin wrote:
>> Please make sure that libxml2 library you use supports "xml:id"
>>
>> Aleksey
>>
>> Marcus Pereira wrote:
>>> At a file like the one below xmlsec1 is signing the wrong Signature
>>> template when I command to sign the Parent node.
>>>
>>> # xmlsec1 sign --privkey-pem rsakey.pem --node-id "Child1" xml1_tmpl.xml
>>> OK! it is signing the URI="#Child1" Signature node.
>>>
>>> # xmlsec1 sign --privkey-pem rsakey.pem --node-id "Parent1" xml1_tmpl.xml
>>> NOT OK! it is still signing the URI="#Child1" node not the
>>> URI="#Parent1".
>>>
>>> Marcus Pereira
>>>
>>>
>>> ============================================
>>> <?xml version="1.0"?>
>>> <Family>
>>> <Parent xml:id="Parent1">
>>> <ParentData>I am the first Dad</ParentData>
>>> <Childs>
>>> <Child xml:id="Child1">
>>> <ChildData>I am the first Child</ChildData>
>>> </Child>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <SignedInfo>
>>> <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>> <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> <Reference URI="#Child1">
>>> <Transforms>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>> </Transforms>
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue/>
>>> </Reference>
>>> </SignedInfo>
>>> <SignatureValue/>
>>> </Signature>
>>> </Childs>
>>> </Parent>
>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>> <SignedInfo>
>>> <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>> <SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> <Reference URI="#Parent1">
>>> <Transforms>
>>> <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>> </Transforms>
>>> <DigestMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <DigestValue/>
>>> </Reference>
>>> </SignedInfo>
>>> <SignatureValue/>
>>> </Signature>
>>> </Family>
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec