[xmlsec] xmlsec1 command

Aleksey Sanin aleksey at aleksey.com
Mon Jun 11 21:05:00 PDT 2012


It depends on the certificate or, to be precise, the pkcs12 file
you are signing with. Yours contains 3 certs.

Aleksey


On 6/11/12 9:03 PM, Giancarlo Piva wrote:
> Aleksey
> 
> My crypto knowledge is limited
> I am just trying to sign a document from the command line tool xmlsec1
> as proof of concept...
> before reading a book on cryptography.... I will better document
> myself for sure..
> and eventually read the manual.. and code my client using the xmlsec library...
> I was looking only for a hint as your X509 example on the web site the
> output file has only one "X509Certificate" node
> when I run the same example the output I get has multiple
> "X509Certificate" nodes... I don't understand why?
> 
> anyway thanks for your help
> 
> Carlo
> 
> On Tue, Jun 12, 2012 at 1:52 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> X509Certificate nodes do not contain signatures. You might want
>> to read a book on cryptography.
>>
>> Aleksey
>>
>>
>> On 6/11/12 8:50 PM, Giancarlo Piva wrote:
>>> Hi Aleksey
>>>
>>> That is right and that is what I am expecting as well..
>>>
>>> I tried to run my command using your xml on the web site:
>>>
>>> xmlsec1 --sign --output test.xml --pkcs12
>>> ./certs/8003620833337558-general.p12 --pwd Password --trusted-pem
>>> ./certs/output.pem ./xml/template_test.xml
>>>
>>> In the output I get multiple <X509Certificate> nodes. Is that normal?
>>>
>>> This is what I get:
>>>
>>> <?xml version="1.0"?>
>>> <References>
>>>  <Book>
>>>   <Author>
>>>    <FirstName>Bruce</FirstName>
>>>    <LastName>Schneier</LastName>
>>>   </Author>
>>>   <Title>Applied Cryptography</Title>
>>>  </Book>
>>>  <Web>
>>>   <Title>XMLSec</Title>
>>>   <Url>http://www.aleksey.com/xmlsec/</Url>
>>>  </Web>
>>>  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>   <SignedInfo>
>>>    <CanonicalizationMethod
>>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>>>    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>    <Reference URI="">
>>>     <Transforms>
>>>      <Transform
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>>>     </Transforms>
>>>     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>     <DigestValue>o/5EifW/Q4LVtDznvqMgBAAC21M=</DigestValue>
>>>    </Reference>
>>>   </SignedInfo>
>>>   <SignatureValue>jk5S8exrQmxJPwBtz4YsEY3+zhWpAaRYW2rJNRLoo7+Rkq7PWoOAkHki63Gx5BEb
>>> CSmk8bQ5jjqDLoxrbFVsYCmKQiiEpq+r8Kup9lyReA9aA4PRu/FpxufkPYqBXpfN
>>> YML85F+LCoG44xt4LQMwaZtdE7H1KX3HZ1EX3Q+yIxoVxVp2HQjO9Y+3OJUlXUGk
>>> t0yn/q11H/AV4mmZ2CWK+4uUKySYTg0KEhu/Z3RpG/S2VX3zHPUg769bQy/1Bihq
>>> 3bwyO4INAHgP3dMjuc+iTJMMLChy/ZA5zahs5npfmWKFyJSw0ggMApZsRN4Mf8s8
>>> oDNtKPTja7/HbFBwdbiSdA==</SignatureValue>
>>>   <KeyInfo>
>>>    <X509Data>
>>>
>>>
>>>
>>>    <X509Certificate>MIIHLDCCBhSgAwIBAgIETXl5dTANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJB
>>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwHhcNMTEwNjAy
>>> MTUyMjQwWhcNMjEwMzExMDA0NjMzWjAxMQswCQYDVQQGEwJBVTESMBAGA1UEChMJ
>>> TkVIVEFEZW1vMQ4wDAYDVQQLEwVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
>>> ADCCAQoCggEBAN9Zc8dkNxg9pEaPRxx9Z5H8Fsxt5G7QTXhuVSqwFsxOJNLiuQq+
>>> Z7q9fr8nry9ulmLj9HgGiPpMqQuFhbRH0aM2kSWhiZtjybVK4d52zwiapa+WcabG
>>> djg8ZRZaevV6wRflwESUdyRM0g+Re8Bc+u8vEli7spKJgVNf31hvo3/zmIqiR3Vs
>>> YFMeT9NgqWC/rUmguwScS4v5ZLBHaJG3WfPemTvmkd8iKxxTchG0uYhoBYtOd2Gc
>>> vcLcj/ZWY3GRcJZIMKTIy34yWhIr1G95ZfdAD5TGfrGrv5WOgTRNGln7Kb00sedZ
>>> UpyIfYMeR6X6tbVsqLquS8yPgrKCc+2a9UsCAwEAAaOCBEkwggRFMA4GA1UdDwEB
>>> /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMIICcAYDVR0gBIICZzCCAmMwggHY
>>> BgwqJAGPUYdqAQEBAQEwggHGMGgGCCsGAQUFBwIBFlxodHRwOi8vcG9saWN5LnBy
>>> b2Ryb290aGlnaDEucGtpLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1L3Byb2Ryb290
>>> aGlnaDEvcG9saWN5L05BU0hfUkNBX0NQLnBkZjCCAVgGCCsGAQUFBwICMIIBShqC
>>> AUZDZXJ0aWZpY2F0ZXMgdW5kZXIgdGhpcyBwb2xpY3kgYXJlIGlzc3VlZCBieSB0
>>> aGUgTkFTSCBSb290IENBIHRvIGl0c2VsZiBhbmQgdG8gQ0FzIHN1Ym9yZGluYXRl
>>> IHRvIHRoZSBOQVNIIFJvb3QgQ0EuIFJlZmVyIHRvIGh0dHA6Ly9wcm9kcm9vdGhp
>>> Z2gxLnBraS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS9wcm9kcm9vdGhpZ2gxLyBm
>>> b3IgbW9yZSBpbmZvcm1hdGlvbi4gVXNlIG9mIHRoaXMgQ2VydGlmaWNhdGUgaXMg
>>> c3ViamVjdCB0byBBZ3JlZW1lbnRzIGF0IGh0dHA6Ly9wcm9kcm9vdGhpZ2gxLnBr
>>> aS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS9wcm9kcm9vdGhpZ2gxLzAqBgkqJAGP
>>> UYdqBQIwHTAbBggrBgEFBQcCAjAPGg1Mb3cgQXNzdXJhbmNlMC8GCSokAY9Rh2oF
>>> AzAiMCAGCCsGAQUFBwICMBQaEk1vZGVyYXRlIEFzc3VyYW5jZTAoBgoqJAGPUYdq
>>> BgQAMBowGAYIKwYBBQUHAgIwDBoKSXNzdWluZyBDQTCBswYIKwYBBQUHAQEEgaYw
>>> gaMwVQYIKwYBBQUHMAKGSWh0dHA6Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0
>>> LmNvbS9BSUEvQ2VydHNJc3N1ZWR0b05FSFRBRGVtb1Jvb3RDQS5wN2MwSgYIKwYB
>>> BQUHMAGGPmh0dHA6Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0LmNvbS9PQ1NQ
>>> L05FSFRBUm9vdENBUmVzcG9uZGVyMIGZBgNVHR8EgZEwgY4wQaA/oD2GO2h0dHA6
>>> Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0LmNvbS9DUkxzL05FSFRBREVNT1Jv
>>> b3QuY3JsMEmgR6BFpEMwQTELMAkGA1UEBhMCQVUxEjAQBgNVBAoTCU5FSFRBRGVt
>>> bzEPMA0GA1UECxMGUm9vdENBMQ0wCwYDVQQDEwRDUkwxMB8GA1UdIwQYMBaAFBDg
>>> Yh+sUVo0ZnLXWMH0NWk/6JFbMB0GA1UdDgQWBBRaPSKrShmC/GJzkLtwm/s56ZsS
>>> rDAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwIAgTANBgkqhkiG9w0BAQUFAAOCAQEA
>>> XQTFvV+bBpJshxlfy9bm1gq2ZALukwYPkVB8GhKM43yqT+ZbxwC0im8PYNhbvzRB
>>> lzo5b50mfZcYaC97Ey5zs511qvyFAiJuZdtPTtmrEw10G+uyGqdLjL+OZTcyVwk3
>>> 8KAYAaSxc7BhBGxsnLf01bKUmK1HSj2anrKk/81PLIaJId2L7IfcrZFi+OlUZfAK
>>> THa5ayk8fxu/pI1WjHQy6+HW1IfDmKQJz+uVbTIq03XmuCW4Bwd3U2qjFhtVuQd3
>>> TjWcRm05d+1p/LSAKFH+jSzorewiG+URvef8Lznwbg/ChbNSaRnlLV9WQqBMsELZ
>>> 54vPc3pZhOkfrthJYni8jA==</X509Certificate>
>>> <X509SubjectName>OU=SubCA,O=NEHTADemo,C=AU</X509SubjectName>
>>> <X509IssuerSerial>
>>> <X509IssuerName>OU=RootCA,O=NEHTADemo,C=AU</X509IssuerName>
>>> <X509SerialNumber>1299806581</X509SerialNumber>
>>> </X509IssuerSerial>
>>> <X509Certificate>MIIDJDCCAgygAwIBAgIETXlw6TANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJB
>>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwHhcNMTEwMzEx
>>> MDAxNjMzWhcNMjEwMzExMDA0NjMzWjAyMQswCQYDVQQGEwJBVTESMBAGA1UEChMJ
>>> TkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
>>> DwAwggEKAoIBAQCz3qq/Tw5CkP+gQl+uhyislJauKGzJS/uyTveAjnuqzdTR4+bC
>>> MFeMjIH3da770r2n52MtLgYxhCo50YJzaAKAchV2+GDK0q+KRnut7d+obSamr9Vp
>>> fMFtYctNvZFaRpPKCOqyz7WfOleOmtaNLv26CUnszM4/nZBcD7CNuoItyX81e4a0
>>> edMFvg3rqIv7OPg+NSDNYpnBB9rdmbSe1FCLBERon5gsdPGFzh8x5DLtMpZZCwL6
>>> Q1srclXWLMpnfMAgXDcH8FaLGHVYSfsrHQh9uCCuoV602eic+SgE66/xQ5Uy/OHV
>>> oZJeB1bLzAk2OxIo8pHuVCMeH178xCI1tAGdAgMBAAGjQjBAMA4GA1UdDwEB/wQE
>>> AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQQ4GIfrFFaNGZy11jB9DVp
>>> P+iRWzANBgkqhkiG9w0BAQUFAAOCAQEAcMwGYh5iXTWjYev2+Mmm5IIUD9xRntah
>>> qWo/lNsWP/Lb3dVpdyxQ5hQt/nFmER7SkXHZT394/deWCdh3E2LE6AE2cIZuQYr+
>>> 1aHbKWYeAkCnHUjdzszuZ2bEp9FW4Y0+dlH4V71LnobHwWQre/PZFTFNlZjf1xYF
>>> giI5YK2MeOSsWaB2ACPkq4gDY4JnsNKK3QCX2xR/zeSG1l3Zjp8A07Z0ldvUiwfa
>>> IFGo8rkHkbbNifCco7d8+6NPiy0qwTG5/Htt9hb7pJ5IStoLSX6AAzKevt/GaRga
>>> xChYv35zMQF6Bgjkk8LXsQiA2oi8r995oFTKCDbDMYdksyK7FyoFHQ==</X509Certificate>
>>> <X509SubjectName>OU=RootCA,O=NEHTADemo,C=AU</X509SubjectName>
>>> <X509IssuerSerial>
>>> <X509IssuerName>OU=RootCA,O=NEHTADemo,C=AU</X509IssuerName>
>>> <X509SerialNumber>1299804393</X509SerialNumber>
>>> </X509IssuerSerial>
>>> <X509Certificate>MIIIvjCCB6agAwIBAgIETXqLsTANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJB
>>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ4wDAYDVQQLEwVTdWJDQTAeFw0xMjAzMDUw
>>> MTQyNDlaFw0xMzAzMDUwMDAwMDBaMIGfMRIwEAYKCZImiZPyLGQBGRYCQVUxEzAR
>>> BgoJkiaJk/IsZAEZFgNORVQxIDAeBgoJkiaJk/IsZAEZFhBFTEVDVFJPTklDSEVB
>>> TFRIMRQwEgYDVQQKEwtNZWRpY2FyZTMwNTE8MDoGA1UEAxMzZ2VuZXJhbC44MDAz
>>> NjIwODMzMzM3NTU4LmlkLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1MIIBIjANBgkq
>>> hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA21303diBXMqVg0Z366xYZc4qCTeHd9zf
>>> oHWJRAd7/YQlfMu3q21sb7MqQI3N88bmQxICn2tg5HRPKh8rB9RqGT8gzGpKiMbz
>>> KFxz81dzzj87gkYkLF57WiuKARKqp98nx2mTIELKcN1ahejHbo2cVjHpkQ+m17Dt
>>> TZJ5sUxna2OT6+qTWEBlilnjsiit2M96iNs1/Y4eySRRCDKNXF2virN/5cqzjfRk
>>> iKTwfgKNQ09MNeCN+wl588JKuGmIzZ8kKQveXzHEvS9eUFQid1ZOVy8x+0jeoUHO
>>> YTNoRb1wckdtV7eFFx5fERE/KuTvjvMchCBezZWYz0WwUXiSKX0/qQIDAQABo4IF
>>> bTCCBWkwDgYDVR0PAQH/BAQDAgSwMIIBMAYIKwYBBQUHAQEEggEiMIIBHjBJBggr
>>> BgEFBQcwAYY9aHR0cDovL25laHRhZGVtby5tYW5hZ2VkLmVudHJ1c3QuY29tL09D
>>> U1AvTkVIVEFTdWJDQVJlc3BvbmRlcjBUBggrBgEFBQcwAoZIaHR0cDovL25laHRh
>>> ZGVtby5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZHRvTkVIVEFE
>>> ZW1vU3ViQ0EucDdjMHsGCCsGAQUFBzAChm9sZGFwOi8vbmVodGFkZW1vLm1hbmFn
>>> ZWQuZW50cnVzdC5jb20vb3U9U3ViQ0Esbz1ORUhUQURlbW8sYz1BVT9jQUNlcnRp
>>> ZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwHQYDVR0l
>>> BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwggIyBgNVHSAE
>>> ggIpMIICJTCCAcQGDCokAY9Rh2oBAwEEAzCCAbIwZQYIKwYBBQUHAgEWWWh0dHA6
>>> Ly9wb2xpY3kudGVzdHN1Ym1vZDEucGtpLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1
>>> L3Rlc3RzdWJtb2QxL3BvbGljeS9OQVNIX0hQSU9fQ1AucGRmMIIBRwYIKwYBBQUH
>>> AgIwggE5GoIBNUNlcnRpZmljYXRlcyB1bmRlciB0aGlzIHBvbGljeSBhcmUgaXNz
>>> dWVkIGJ5IHRoZSBOQVNIIFN1Ym9yZGluYXRlIENBIHRvIEhlYWx0aGNhcmUgUHJv
>>> dmlkZXIgT3JnYW5pc2F0aW9ucy4gUmVmZXIgdG8gaHR0cDovL3Rlc3RzdWJtb2Qx
>>> LnBraS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS90ZXN0c3VibW9kMS8gZm9yIG1v
>>> cmUgaW5mb3JtYXRpb24uIFVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGlzIHN1Ympl
>>> Y3QgdG8gQWdyZWVtZW50cyBhdCBodHRwOi8vdGVzdHN1Ym1vZDEucGtpLmVsZWN0
>>> cm9uaWNoZWFsdGgubmV0LmF1L3Rlc3RzdWJtb2QxLzAqBgkqJAGPUYdqBQIwHTAb
>>> BggrBgEFBQcCAjAPGg1Mb3cgQXNzdXJhbmNlMC8GCiokAY9Rh2oGBwMwITAfBggr
>>> BgEFBQcCAjATGhFXZWJTZXJ2aWNlIERldmljZTCBgQYDVR0RBHoweIIzZ2VuZXJh
>>> bC44MDAzNjIwODMzMzM3NTU4LmlkLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1hkFo
>>> dHRwOi8vbnMuZWxlY3Ryb25pY2hlYWx0aC5uZXQuYXUvaWQvaGkvaHBpby8xLjAv
>>> ODAwMzYyMDgzMzMzNzU1ODCB+wYDVR0fBIHzMIHwMIGjoIGgoIGdhjpodHRwOi8v
>>> bmVodGFkZW1vLm1hbmFnZWQuZW50cnVzdC5jb20vQ1JMcy9ORUhUQURFTU9TdWIu
>>> Y3Jshl9sZGFwOi8vbmVodGFkZW1vLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9U3Vi
>>> Q0Esbz1ORUhUQURlbW8sYz1BVT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2Jp
>>> bmFyeTBIoEagRKRCMEAxCzAJBgNVBAYTAkFVMRIwEAYDVQQKEwlORUhUQURlbW8x
>>> DjAMBgNVBAsTBVN1YkNBMQ0wCwYDVQQDEwRDUkw4MB8GA1UdIwQYMBaAFFo9IqtK
>>> GYL8YnOQu3Cb+znpmxKsMB0GA1UdDgQWBBTJ0D/1ayPl4d+NQZLxTUdJVGr/ZDAN
>>> BgkqhkiG9w0BAQUFAAOCAQEAEFvbTBlGeI1rj8mNZDQtoNN7pFdR1WH3N1Exbcez
>>> +zoUncZXAIqmvVG/pTxuDpaLx2Kg+JIBbYZSvFp/RRiea3DuV416c7yqcsbfBhMO
>>> pwqZs8e0UUKKMugrSy7Z2DXCTjGlxNw9gR8QDdz+ddn98dRqAlh/UV289sFBNEbK
>>> 5PLtjgtUxhqzn9CKmxgLO2RUkIJvWmVDRF+SvOzb8/QcGk3OX3YlWFlMeTsaHMyK
>>> KKnbmkrGRlj1sfK4OUWmdaLKWbIhvA2eBf5iHlwSiZ0I2LuXp2TI29KCPmCaHmkd
>>> h1AZzEQWh1sXCpUScS+dNkKaJiqMvuPRVBFniv5W/XZjNg==</X509Certificate>
>>> <X509SubjectName>CN=general.8003620833337558.id.electronichealth.net.au,O=Medicare305,DC=ELECTRONICHEALTH,DC=NET,DC=AU</X509SubjectName>
>>> <X509IssuerSerial>
>>> <X509IssuerName>OU=SubCA,O=NEHTADemo,C=AU</X509IssuerName>
>>> <X509SerialNumber>1299876785</X509SerialNumber>
>>> </X509IssuerSerial>
>>> </X509Data>
>>>    <KeyValue>
>>> <RSAKeyValue>
>>> <Modulus>
>>> 21303diBXMqVg0Z366xYZc4qCTeHd9zfoHWJRAd7/YQlfMu3q21sb7MqQI3N88bm
>>> QxICn2tg5HRPKh8rB9RqGT8gzGpKiMbzKFxz81dzzj87gkYkLF57WiuKARKqp98n
>>> x2mTIELKcN1ahejHbo2cVjHpkQ+m17DtTZJ5sUxna2OT6+qTWEBlilnjsiit2M96
>>> iNs1/Y4eySRRCDKNXF2virN/5cqzjfRkiKTwfgKNQ09MNeCN+wl588JKuGmIzZ8k
>>> KQveXzHEvS9eUFQid1ZOVy8x+0jeoUHOYTNoRb1wckdtV7eFFx5fERE/KuTvjvMc
>>> hCBezZWYz0WwUXiSKX0/qQ==
>>> </Modulus>
>>> <Exponent>
>>> AQAB
>>> </Exponent>
>>> </RSAKeyValue>
>>> </KeyValue>
>>>   </KeyInfo>
>>>  </Signature>
>>> </References>
>>>
>>>
>>>
>>> On Tue, Jun 12, 2012 at 12:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>> Not sure what you mean. There should be 3 digests and one signature.
>>>>
>>>> Aleksey
>>>>
>>>>
>>>> On 6/11/12 6:58 PM, Giancarlo Piva wrote:
>>>>> Hi Aleksey,
>>>>>
>>>>> I am trying to use xmlsec1 in linux to sign multiple parts of an xml
>>>>> document (header, body, timestamp)
>>>>> in my template I have 3 digests with 3 uris
>>>>> xmlsec works fine but I end up with three signatures instead of one in
>>>>> the output file
>>>>>
>>>>> I am using xmlsec1 --sign --output test.xml --pkcs12 ./certs/cert.p12
>>>>> --pwd Password --trusted-pem ./certs/RootCA.crt ./xml/template.xml
>>>>>
>>>>> is there an option to sign multiple parts of a doc via command line?
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> Carlo
>>>>>
>>>>
>>
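
The distinction drawn in this thread (one SignatureValue covering several Reference digests, while KeyInfo carries every certificate found in the PKCS#12 file) can be checked mechanically. The following is an added example, not part of the original thread and not xmlsec code: it summarizes each ds:Signature and orders the embedded certificates from signer to root. The sample document, its names and the helper functions are constructed for illustration, and the parser assumes the sibling order seen in the quoted output (X509Certificate, then X509SubjectName, then X509IssuerSerial).

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

def _x509(subject, issuer):
    # Same sibling order as the quoted output: certificate, subject, issuer.
    return ("<X509Certificate>PLACEHOLDER</X509Certificate>"
            f"<X509SubjectName>{subject}</X509SubjectName>"
            f"<X509IssuerSerial><X509IssuerName>{issuer}</X509IssuerName>"
            "<X509SerialNumber>1</X509SerialNumber></X509IssuerSerial>")

ROOT, SUB, LEAF = "OU=RootCA,O=Demo,C=AU", "OU=SubCA,O=Demo,C=AU", "CN=signer,O=Demo,C=AU"
# Constructed sample: three references, one signature value, three certificates.
SAMPLE = (
    '<Envelope><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>'
    + "".join(f'<Reference URI="#{p}"><DigestValue>PLACEHOLDER</DigestValue></Reference>'
              for p in ("header", "body", "timestamp"))
    + "</SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue><KeyInfo><X509Data>"
    + _x509(SUB, ROOT) + _x509(ROOT, ROOT) + _x509(LEAF, SUB)
    + "</X509Data></KeyInfo></Signature></Envelope>")

def x509_entries(sig):
    """Group X509Data children into one subject/issuer dict per certificate."""
    entries = []
    for child in sig.iterfind(f"{DS}KeyInfo/{DS}X509Data/*"):
        tag = child.tag.replace(DS, "")
        if tag == "X509Certificate":
            entries.append({"subject": None, "issuer": None})
        elif entries and tag == "X509SubjectName":
            entries[-1]["subject"] = (child.text or "").strip()
        elif entries and tag == "X509IssuerSerial":
            entries[-1]["issuer"] = (child.findtext(f"{DS}X509IssuerName") or "").strip()
    return entries

def chain_from_leaf(entries):
    """Order subjects from the signer (issues nothing else) up to the root."""
    if not entries:
        return []
    by_subject = {e["subject"]: e for e in entries}
    issuers = {e["issuer"] for e in entries if e["issuer"] != e["subject"]}
    leaves = [e for e in entries if e["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    chain, cur = [], leaves[0]
    while cur is not None and cur["subject"] not in chain:
        chain.append(cur["subject"])
        cur = None if cur["issuer"] == cur["subject"] else by_subject.get(cur["issuer"])
    return chain

def summarize(xml_text):
    """One summary dict per ds:Signature element in the document."""
    out = []
    for sig in ET.fromstring(xml_text).iter(f"{DS}Signature"):
        entries = x509_entries(sig)
        out.append({"references": [r.get("URI") for r in sig.iterfind(f"{DS}SignedInfo/{DS}Reference")],
                    "signature_values": len(sig.findall(f"{DS}SignatureValue")),
                    "certificates": len(entries), "chain": chain_from_leaf(entries)})
    return out
```

The embedded certificates only help a verifier build a path to the signer; trust still comes from the anchor the verifier is configured with, such as the `--trusted-pem` file in the commands above.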


