[xmlsec] Multiple signatures

Aleksey Sanin aleksey at aleksey.com
Wed Feb 27 16:49:56 PST 2013


The xmlsec1 command line tool can use XPath to *select* the starting
Signature node.

Aleksey

On 2/27/13 4:45 PM, Gpe. Raquel Toledo wrote:
> Thanks Aleksey. I use XPath with intersect, but it still does not verify. I
> have a question: for signature1 the digest is computed from the object, but for
> signature2 what data do I use to compute the digest? I want signature2 to
> be a counter signature of signature1. This is my XMLDSig:
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma002">
> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>   <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>   <Reference URI="">
>     <Transforms>
>       <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
>         <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2"
> Filter="intersect">
>         id("Firma001")
>         </XPath>
>       </Transform>
>     </Transforms>
>     <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>     <DigestValue>wSJWq+4S+GFwlGn+gcspjdQVWko=</DigestValue>
>   </Reference>
>   <Reference URI="#InfoCertificado002">
>     <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>     <DigestValue>E5SGuZOQnDUVoN9TUpghuR0LbSc=</DigestValue>
>   </Reference>
> </SignedInfo>
> <SignatureValue
> Id="Id_Signature002">Yu8By7Gv4qkXd9WRdB2bJuJeovs9qxIimwhUp0tQQiWKEVv+YGpf4YSoe6fHFpmXSCAiD2Lh/g67rmM6kNKdsw5z2mgdfZ/lCEVpfRNcjucGaAd+iUPqZev6V4NeoEvNOBWZz9mggwL2Xw1g+OTr+X6f4mvKIhsVfpiTInFJs6Q=</SignatureValue>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="InfoCertificado002">
>   <KeyValue>
>    
>  <RSAKeyValue><Modulus>AKs56bGj9Kz3weX274lEa+Yf2IoOr4mOTZUAX8Pyigp1rMUOLSXIq2ozPtT94czrA+msnshsAZ0tBNwLbEH6tVBUFEFLU3T1NGNsiDrKWruFd5VI6CBmnUAUR6bLngDJvkh8ib3AwED6WPZN9In2JgCQAYo2pRta+mELOGTuJfDN</Modulus>
>      <Exponent>AQAB</Exponent></RSAKeyValue>
>   </KeyValue>
>   <X509Data>
>    
>  <X509Certificate>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</X509Certificate>
>   </X509Data>
> </KeyInfo>
> <Object>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma001">
> <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <CanonicalizationMethod
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>   <SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>   <Reference URI="#TramiteAdministrativo001">
>     <Transforms>
>       <Transform
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform>
>     </Transforms>
>     <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>     <DigestValue>uQCQOWuUbJat+zUVfAFj0HitSjw=</DigestValue>
>   </Reference>
>   <Reference URI="#InfoCertificado001">
>     <DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>     <DigestValue>RDROSy4xBg7nI5k9934BSsLSOt8=</DigestValue>
>   </Reference>
> </SignedInfo>
> <SignatureValue
> Id="Id_Signature001">QvktnGYWXnkxVIh1IBAdh9LywhBf7ppDCg/Z+4+jGm2FHutU4+zECT5/KW41tRRInbmE2Rqbm/SDvfgcsEhqoYZHiDIMwQytASTy3NMlD5uiUx+j8GLuw98iJ+iV7WkSIDIJ8wYw93Tu9XJGEAdnZe0KdxN0bMSA4n4QnuitEuQ=</SignatureValue>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="InfoCertificado001">
>   <KeyValue>
>    
>  <RSAKeyValue><Modulus>AKs56bGj9Kz3weX274lEa+Yf2IoOr4mOTZUAX8Pyigp1rMUOLSXIq2ozPtT94czrA+msnshsAZ0tBNwLbEH6tVBUFEFLU3T1NGNsiDrKWruFd5VI6CBmnUAUR6bLngDJvkh8ib3AwED6WPZN9In2JgCQAYo2pRta+mELOGTuJfDN</Modulus>
>      <Exponent>AQAB</Exponent></RSAKeyValue>
>   </KeyValue>
>   <X509Data>
>    
>  <X509Certificate>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</X509Certificate>
>   </X509Data>
> </KeyInfo>
> <Object xmlns="http://www.w3.org/2000/09/xmldsig#"
> Id="TramiteAdministrativo001">
>   <DatosTramite>
>     <Tipo>3</Tipo>
>     <Folio>77777</Folio>
>     <FechaHora>06/02/2013 14:15:18 p.m.</FechaHora>
>     <Expediente>55537</Expediente>
>    
> <Informacion>||CASTRO|kiki|1|13|39|01/09/2010|$20000|USA|masParametros||</Informacion>
>   <Archivos Id="ArchivosAdjuntos001">
>    <Ruta>C:\ConstanciasPruebas16\docto_respaldo\13100_ceaj_.PDF</Ruta>
>    <Archivo>y3odd16AD9HuQEn33KngQeuboIM=</Archivo>
>    <Ruta>C:\ConstanciasPruebas16\docto_respaldo\13100_ceaj_.PDF</Ruta>
>    <Archivo>y3odd16AD9HuQEn33Kn/QenuoIM=</Archivo>
>   </Archivos>
>   </DatosTramite>
> </Object>
> </Signature>
> </Object>
> </Signature>
> 
> Thanks in advance.
> 
>> Date: Tue, 26 Feb 2013 17:33:55 -0800
>> From: aleksey at aleksey.com
>> To: lupita_toledo at hotmail.com
>> CC: xmlsec at aleksey.com
>> Subject: Re: [xmlsec] Multiple signatures
>>
>> The verifier is pretty stupid and can't do multiple signatures. With the xmlsec1
>> command line tool you can specify the Signature node you want to verify
>> using XPath.
>>
>> Aleksey
>>
>> On 2/26/13 8:57 AM, Gpe. Raquel Toledo wrote:
>> > Right now I have a project that includes 2 or more signatures, but I can't
>> > find any example that is valid for the verifier
>> > (http://www.aleksey.com/xmlsec/xmldsig-verifier.html) with 2 signatures.
>> >
>> > Thanks in advance.
>> >
>> >
>> > <?xml version="1.0" encoding="ISO-8859-1"?>
>> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" id="F01">
>> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> > <CanonicalizationMethod
>> >
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>> > <SignatureMethod
>> >
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>> > <Reference URI="#TA01">
>> > <DigestMethod
>> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>> > <DigestValue>...mAPUI=</DigestValue>
>> > </Reference>
>> > <Reference URI="#IC01">
>> > <DigestMethod
>> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>> > <DigestValue>.../wQ=</DigestValue>
>> > </Reference>
>> > </SignedInfo>
>> > <SignatureValue>...tlwyE=</SignatureValue>
>> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="IC01">
>> > <KeyValue>
>> > <RSAKeyValue><Modulus>...</Modulus>
>> > <Exponent>AQAB</Exponent></RSAKeyValue>
>> > </KeyValue><X509Data>
>> > <X509Certificate>...ORnQBO5A=</X509Certificate>
>> > </X509Data>
>> > </KeyInfo>
>> > <Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="TA01">
>> > <DatosTramite>
>> > <Informacion>...</Informacion>
>> > </DatosTramite>
>> > </Object>
>> > </Signature>
>> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" ID="F02">
>> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> > <CanonicalizationMethod
>> >
> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod>
>> > <SignatureMethod
>> >
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
>> > <Reference ID="Id_Referencia002" URI="#F01"
>> > TYPE="http://uri.etsi.org/01903#CountersignedSignature">
>> > <DigestMethod
>> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>> > <DigestValue>...</DigestValue>
>> > </Reference>
>> > <Reference URI="#IC02">
>> > <DigestMethod
>> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>> > <DigestValue>...</DigestValue>
>> > </Reference>
>> > </SignedInfo>
>> > <SignatureValue ID="IS02">...</SignatureValue>
>> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="IC02">
>> > <KeyValue>
>> > <RSAKeyValue><Modulus>...</Modulus>
>> > <Exponent>AQAB</Exponent></RSAKeyValue>
>> > </KeyValue>
>> > <X509Data>
>> > <X509Certificate>..RnQBO5A=</X509Certificate>
>> > </X509Data>
>> > </KeyInfo>
>> > </Signature>
>> >
>> >
>> >

