[xmlsec] multiple signatures

Benjamin Dauvergne bdauvergne at entrouvert.com
Wed Apr 7 02:43:55 PDT 2010


Roland Hedberg wrote:
> Hi!
> 
> I work on a SAML implementation in Python and have stumbled over the following:
Not completely out of context, I would like to advertise the GPL Lasso 
library (http://lasso.entrouvert.org) which already supports SAML 1.1, 
ID-FF 1.2 and SAML 2.0 using libxmlsec. Every participation is welcome.

> What if an XML file contains several signatures, can I verify them in one go or do I have to do N verifications, one per signature?
> If the latter, how do I specify which part I want checked?
You normally give the Signature node as the second argument to 
xmlSecDSigCtxVerify.

> So, I may get a signed response which contains one or more signed assertions.
> All of them might or might not be signed with the same key.
> What to do ?
Look up the Issuer attribute of each assertion, find the public key for 
it and check the assertion signature with it. This use case is not 
currently supported by Lasso (IdPs usually send only one assertion in 
authentication responses), but all building blocks for it are present.
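
The per-assertion loop described above, written out as an added example (not code from this thread, from xmlsec or from Lasso). It uses only the Python standard library; the cryptographic check is delegated to a caller-supplied `verify(signature_node, key)` callable, which in a real deployment would wrap xmlsec (for instance python-xmlsec's `SignatureContext.verify` with the issuer's certificate loaded as the key, on an lxml tree). What the code shows is the dispatch itself: find each `saml:Assertion`, resolve its `Issuer` to a key, and hand that assertion's own enveloped `ds:Signature` node to the verifier. It adds one check a verifier should make when a document carries several signatures: the `ds:Reference` URI of the signature sitting inside an assertion must point at that assertion's `ID`, otherwise a valid signature on one element could be taken as covering another. The sample response, its `SignatureValue` tokens and `demo_verify` are constructed stand-ins so the module runs offline.

```python
"""Verify N signed SAML assertions one signature at a time (added example)."""
import xml.etree.ElementTree as ET

# Real SAML 2.0 assertion and XML-DSig namespaces.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DS_SIGNATURE = "{%s}Signature" % NS["ds"]


class AssertionVerificationError(Exception):
    """Raised when an assertion cannot be tied to a verified signature."""


def enveloped_signature(assertion):
    """Return the ds:Signature that is a direct child of this assertion.

    Only direct children count: searching the whole subtree (or the whole
    document) would let a signature on some other element be mistaken for
    this assertion's signature."""
    sigs = [child for child in assertion if child.tag == DS_SIGNATURE]
    if len(sigs) != 1:
        raise AssertionVerificationError(
            "assertion %s has %d enveloped signatures, expected 1"
            % (assertion.get("ID"), len(sigs)))
    return sigs[0]


def signature_covers(signature, assertion):
    """True if the signature's single Reference points at this assertion's ID."""
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    assertion_id = assertion.get("ID")
    return (len(refs) == 1 and assertion_id is not None
            and refs[0].get("URI") == "#" + assertion_id)


def verify_assertions(response_xml, keys_by_issuer, verify):
    """Verify every saml:Assertion in a response, one signature per call.

    keys_by_issuer maps an Issuer value to whatever key object `verify`
    expects; verify(signature_node, key) returns True for a valid signature.
    Returns {assertion ID: issuer} for the assertions that verified and
    raises on the first one that does not."""
    root = ET.fromstring(response_xml)
    verified = {}
    for assertion in root.findall("saml:Assertion", NS):
        assertion_id = assertion.get("ID")
        issuer_el = assertion.find("saml:Issuer", NS)
        issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
        key = keys_by_issuer.get(issuer)
        if key is None:
            raise AssertionVerificationError(
                "no key known for issuer %r (assertion %s)" % (issuer, assertion_id))
        signature = enveloped_signature(assertion)
        if not signature_covers(signature, assertion):
            raise AssertionVerificationError(
                "signature inside assertion %s does not reference it" % assertion_id)
        if not verify(signature, key):
            raise AssertionVerificationError(
                "signature on assertion %s failed verification" % assertion_id)
        verified[assertion_id] = issuer
    return verified


# Constructed sample: two assertions from two issuers. SignatureValue holds a
# placeholder token and demo_verify below stands in for xmlsec by comparing it
# with the issuer's "key"; a real verifier would check the XML-DSig instead.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp-a.example</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>token-a</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
  <saml:Assertion ID="_a2"><saml:Issuer>https://idp-b.example</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>
      <ds:SignatureValue>token-b</ds:SignatureValue></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
DEMO_KEYS = {"https://idp-a.example": "token-a", "https://idp-b.example": "token-b"}


def demo_verify(signature, key):
    """Stand-in for the xmlsec call: accept iff SignatureValue equals the key."""
    value = signature.find("ds:SignatureValue", NS)
    return value is not None and (value.text or "").strip() == key


if __name__ == "__main__":
    print(verify_assertions(SAMPLE_RESPONSE, DEMO_KEYS, demo_verify))
```

Each assertion gets its own verification call with the key selected from its Issuer, which is the N-calls answer given above; the Reference check is what keeps a signature from being counted for an assertion it does not cover.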
