[xmlsec] multiple signatures
Benjamin Dauvergne
bdauvergne at entrouvert.com
Wed Apr 7 02:43:55 PDT 2010
Roland Hedberg wrote:
> Hi!
>
> I work on a SAML implementation in Python and have stumbled over the following:
Not completely out of context, I would like to advertise the GPL Lasso
library (http://lasso.entrouvert.org) which already supports SAML 1.1,
ID-FF 1.2 and SAML 2.0 using libxmlsec. Every participation is welcome.
> What if an XML file contains several signatures, can I verify them in one go or do I have to do N verifications, one per signature?
> If the latter, how do I specify which part I want checked?
You normally give the Signature node as the second argument to
xmlSecDSigCtxVerify.
> So, I may get a signed response which contains one or more signed assertions.
> All of them might or might not be signed with the same key.
> What to do ?
Lookup the Issuer attribute of each assertion, find the public key for
it and check the assertion signature with it. This use case is not
currently supported by Lasso (IdPs usually send only one assertion in
authentication responses), but all building blocks for it are present.
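
The per-signature handling described in the reply above, as an added Python example that is not part of the original message and is not Lasso or xmlsec code. It assumes SAML 2.0 namespaces and enveloped signatures that are direct children of the element they sign; `plan_verifications`, the key file names and the sample document are constructed for illustration, the Reference check goes beyond what the message states, and the cryptographic check itself (passing each Signature node to `xmlSecDSigCtxVerify` with the selected key) is left to the caller.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: a signed Response carrying two signed assertions from
# different issuers. Signature bodies are reduced to the Reference element.
SIG = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo></ds:Signature>'
SAMPLE = (
    '<samlp:Response ID="r1" '
    + " ".join('xmlns:%s="%s"' % kv for kv in NS.items()) + ">"
    + "<saml:Issuer>https://idp-a.example</saml:Issuer>" + SIG % "r1"
    + '<saml:Assertion ID="a1"><saml:Issuer>https://idp-a.example</saml:Issuer>'
    + SIG % "a1" + "</saml:Assertion>"
    + '<saml:Assertion ID="a2"><saml:Issuer>https://idp-b.example</saml:Issuer>'
    + SIG % "a1" + "</saml:Assertion>"  # a2's signature references a1, not a2
    + "</samlp:Response>")

# Hypothetical issuer -> public key file mapping (the trust configuration).
TRUSTED_KEYS = {"https://idp-a.example": "idp-a.pem",
                "https://idp-b.example": "idp-b.pem"}

def plan_verifications(xml_text, trusted_keys):
    """Return one (signed ID, issuer, key, decision) tuple per ds:Signature."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    plan = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        signed = parent_of.get(sig)  # enveloped: the parent is the signed element
        if signed is None:
            continue
        issuer = (signed.findtext("saml:Issuer", namespaces=NS) or "").strip()
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        key = trusted_keys.get(issuer)
        if key is None:
            decision = "reject: unknown issuer"
        elif uri != "#" + signed.get("ID", ""):
            decision = "reject: Reference does not cover parent"
        else:
            decision = "verify"  # hand this Signature node and key to the verifier
        plan.append((signed.get("ID"), issuer, key, decision))
    return plan
```

Each tuple marked `verify` corresponds to one verification call on that specific Signature node with the key chosen for its issuer; the other entries are refused before any cryptographic work is done.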