[xmlsec] Attempting to sign with DSA key

Timothy Legge timlegge at gmail.com
Mon Dec 7 10:10:49 PST 2020


Got it, thanks!

On Mon, Dec 7, 2020 at 2:09 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> "--id-attr" just defines an ID attribute (like DTD or schema).
>
> Aleksey
>
> On 12/7/20 10:02 AM, Timothy Legge wrote:
> > Hi
> >
> > Some background.  I have been updating the perl module XML::Sig and
> > one of the things I added was the ability to sign any XML nodes that
> > have ID as an attribute.
> >
> > I use xmlsec1 as a test case to ensure that my resulting documents can
> > be validated with xmlsec1 (and vice-versa that XML::Sig can validate
> > documents signed by xmlsec).
> >
> > So in this case I wanted a DSA signed XML that has both the
> > <samlp:Response ID="identifier_1"> and <saml:Assertion ID="identifier_2">
> > signed by the same key
> >
> > Essentially I wanted to see how xmlsec signs multiple parts of the
> > same XML file.
> >
> > I notice the spec says that you can use multiple references in a
> > single signature but it appears that most applications sign the
> > documents twice.
> >
> > In the case then, I would sign the XML once for identifier_2 with
> > xmlsec and then repeat for identifier_1 as it will need to sign the
> > embedded signature from the first signing.
> >
> > I thought you might be able to use the two
> >
> > --id-attr:ID "Response"
> > --id-attr:ID "Assertion"
> >
> > at the same time to sign both sections in one pass.
> >
> > Tim
> >
> > On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>
> >> Not sure what you mean. If you want to sign both signatures, then
> >> you need to run xmlsec1 tool twice with correct --node-id, --node-xpath,
> >> or --node-name params:
> >>
> >> https://www.aleksey.com/xmlsec/xmlsec-man.html
> >>
> >> Aleksey
> >>
> >> On 12/7/20 9:27 AM, Timothy Legge wrote:
> >>> Ah, it will not sign both nodes with an ID?
> >>>
> >>> On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>>>
> >>>> I see two signatures in the document. By default xmlsec1 tool will sign
> >>>> the first signature it finds.
> >>>>
> >>>> Best,
> >>>>
> >>>> Aleksey
> >>>>
> >>>> On 12/5/20 7:22 PM, Timothy Legge wrote:
> >>>>> Hi
> >>>>>
> >>>>> I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:
> >>>>>
> >>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
> >>>>> --id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml
> >>>>>
> >>>>> It does not show any error messages however it does not sign the
> >>>>> output.  Any ideas what I am doing wrong?
> >>>>>
> >>>>> Tim
> >>>>> _______________________________________________
> >>>>> xmlsec mailing list
> >>>>> xmlsec at aleksey.com
> >>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
> >>>>>
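The thread turns on two points: xmlsec1 signs the first ds:Signature it finds, so a document with one Signature per ID needs two passes selected with --node-id, --node-xpath or --node-name, whereas a single Signature may carry one ds:Reference per ID and be produced in one pass; and --id-attr only tells the tool which attributes are ID attributes so that "#identifier_1" style URIs resolve. The script below is an added example, not part of the thread, of xmlsec, or of XML::Sig. It uses only the Python standard library and does no signing itself: it builds the two template layouts (one Signature with two References, and one enveloped Signature per ID) that you would hand to xmlsec1, and it audits how every Reference URI in a document resolves, flagging a URI that matches no element (dangling) or more than one (ambiguous, the precondition for XML signature wrapping). The SAML-like document, the Subject text, the helper names and the assumption that xmlsec1 fills an empty ds:KeyValue with the public key are all constructed for the example.

```python
"""Build and audit XML Signature templates with several ds:Reference elements.

Added example (not xmlsec or XML::Sig code).  Standard library only; it does
not sign anything, it produces the template for xmlsec1 --sign and checks how
Reference URIs resolve to ID-bearing elements.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
DSA_SHA256 = "http://www.w3.org/2009/xmldsig11#dsa-sha256"   # XML Signature 1.1
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

for _prefix, _uri in (("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(_prefix, _uri)


def ds(local):
    """Clark-notation tag for an element in the xmldsig namespace."""
    return "{%s}%s" % (DS, local)


def signature_template(ref_ids):
    """One ds:Signature whose SignedInfo holds one Reference per ID.

    DigestValue and SignatureValue are left empty: that is the template shape
    xmlsec1 --sign fills in.  Every Reference gets the enveloped transform so
    the Signature element itself is excluded from each digest.  An empty
    ds:KeyValue is assumed (for this example) to be filled with the DSA public key.
    """
    sig = ET.Element(ds("Signature"))
    si = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(si, ds("CanonicalizationMethod"), Algorithm=EXC_C14N)
    ET.SubElement(si, ds("SignatureMethod"), Algorithm=DSA_SHA256)
    for ref_id in ref_ids:
        ref = ET.SubElement(si, ds("Reference"), URI="#" + ref_id)
        transforms = ET.SubElement(ref, ds("Transforms"))
        ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED)
        ET.SubElement(transforms, ds("Transform"), Algorithm=EXC_C14N)
        ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA256)
        ET.SubElement(ref, ds("DigestValue"))
    ET.SubElement(sig, ds("SignatureValue"))
    ET.SubElement(ET.SubElement(sig, ds("KeyInfo")), ds("KeyValue"))
    return sig


def unsigned_response(one_signature=True):
    """Constructed SAML-style document with two ID-bearing elements.

    one_signature=True  -> a single Signature referencing both IDs (one pass)
    one_signature=False -> one enveloped Signature per ID (two-pass layout)
    """
    resp = ET.Element("{%s}Response" % SAMLP, ID="identifier_1")
    assertion = ET.SubElement(resp, "{%s}Assertion" % SAML, ID="identifier_2")
    ET.SubElement(assertion, "{%s}Subject" % SAML).text = "alice"  # constructed
    if one_signature:
        resp.insert(0, signature_template(["identifier_1", "identifier_2"]))
    else:
        assertion.insert(0, signature_template(["identifier_2"]))
        resp.insert(0, signature_template(["identifier_1"]))
    return ET.tostring(resp, encoding="unicode")


def wrap_duplicate(xml_text, dup_id):
    """Constructed wrapping attempt: a second element claiming an existing ID."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root, "{%s}Assertion" % SAML, ID=dup_id)
    return ET.tostring(root, encoding="unicode")


def audit_references(xml_text, id_attrs=("ID",)):
    """Resolve every ds:Reference URI against the registered ID attributes.

    id_attrs plays the role of --id-attr: which attributes count as IDs.
    Returns, per Signature in document order, each URI and the tags of the
    elements whose ID matches it.  0 matches is a dangling reference; more
    than 1 is ambiguous and must be rejected by a verifier.
    """
    root = ET.fromstring(xml_text)
    report = []
    for index, sig in enumerate(root.iter(ds("Signature"))):
        refs = []
        for ref in sig.iter(ds("Reference")):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                refs.append({"uri": uri, "matches": [], "ok": False})
                continue
            target = uri[1:]
            matches = [el.tag for el in root.iter()
                       if any(el.get(attr) == target for attr in id_attrs)]
            refs.append({"uri": uri, "matches": matches, "ok": len(matches) == 1})
        # xmlsec1 --sign processes the first Signature unless told otherwise
        report.append({"index": index, "signed_by_default": index == 0,
                       "references": refs})
    return report


if __name__ == "__main__":
    with open("two-refs-unsigned.xml", "w") as fh:   # hypothetical file name
        fh.write(unsigned_response(one_signature=True))
    for sig in audit_references(unsigned_response(one_signature=False)):
        print(sig)
```

Writing the one-Signature template to a file and running the command from the thread, `xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response" --id-attr:ID "Assertion" two-refs-unsigned.xml`, yields one signature whose SignedInfo covers both elements; the same --id-attr options are needed on `--verify`, because without them the verifier cannot resolve "#identifier_1". With the two-Signature layout the tool still signs only the first Signature per run, so the inner Assertion is signed first and the outer Response second, each run pointed at its Signature with --node-id, --node-xpath or --node-name as described in the thread. The audit function is the check worth keeping on the verifying side: reject any Reference whose ID matches more than one element before trusting what the signature covers.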

