[xmlsec] Attempting to sign with DSA key
Aleksey Sanin
aleksey at aleksey.com
Mon Dec 7 10:09:01 PST 2020
"--id-attr" just defines an ID attribute (like DTD or schema).
Aleksey
On 12/7/20 10:02 AM, Timothy Legge wrote:
> Hi
>
> Some background. I have been updating the perl module XML::Sig and
> one of the things I added was the ability to sign any XML nodes that
> have ID as an attribute.
>
> I use xmlsec1 as a test case to ensure that my resulting documents can
> be validated with xmlsec1 (and vice-versa that XML::Sig can validate
> documents signed by xmlsec).
>
> So in this case I wanted a DSA signed XML that has both the
> samlp:Response ID=identifier_1" and <saml:Assertion ID="identifier_2"
> signed by the same key
>
> Essentially I wanted to see how xmlsec signs multiple parts of the
> same XML file.
>
> I notice the spec says that you can use multiple references in a
> single signature but it appears the most applications sign the
> documents twice,
>
> In the case then, I would sign the XML once for identifier_2 with
> xmlsec and then repeat for identifier_1 as it will need to sign the
> embedded signature from the first signing.
>
> I thought you might be able to use the two
>
> --id-attr:ID "Response"
> --id-attr:ID "Assertion"
>
> at the same time to sign both sections in one pass.
>
> TIm
>
> On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Not sure what do you mean. If you want to sign both signatures, then
>> you need to run xmlsec1 tool twice with correct --node-id, --node-xpath,
>> or --node-name params:
>>
>> https://www.aleksey.com/xmlsec/xmlsec-man.html
>>
>> Aleksey
>>
>> On 12/7/20 9:27 AM, Timothy Legge wrote:
>>> Ah, it will not sign both nodes with an ID?
>>>
>>> On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>
>>>> I see two signatures in the document. By default xmlsec1 tool will sign
>>>> the first signature it finds.
>>>>
>>>> Best,
>>>>
>>>> Aleksey
>>>>
>>>> On 12/5/20 7:22 PM, Timothy Legge wrote:
>>>>> Hi
>>>>>
>>>>> I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:
>>>>>
>>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
>>>>> --id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml
>>>>>
>>>>> It does not show any error messages however it does not sign the
>>>>> output. Any ideas what I am doing wrong?
>>>>>
>>>>> Tim
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
More information about the xmlsec
mailing list