[xmlsec] Signing Second time with DSA key

Timothy Legge timlegge at gmail.com
Wed Dec 9 10:52:40 PST 2020


For my purposes it is to provide tests for Perl's XML::Sig.  I have seen
several XML files where the Assertion and Response are both signed.  I
added the ability to sign multiple parts of the XML in a recent release and
I want to ensure that I have tests that are reproducible to sign and verify
XML files between xmlsec and XML::Sig.

It seems everyone has a standard that they ignore ...

Tim

On Wed, Dec 9, 2020 at 2:39 PM Andrew King <aking at pingidentity.com> wrote:

> Just out of curiosity... WRT SAML, why would you sign both the Assertion
> and the Response?
>
> Andy King
> Technical Product Manager
>
>
> On Wed, Dec 9, 2020 at 11:24 AM Timothy Legge <timlegge at gmail.com> wrote:
>
>> ...  I should have noticed that I am dealing with Perl's XML::LibXML
>> where I can register the namespace and use the shortcut.
>>
>> Thanks for pointing out the error
>>
>> Tim
>>
>> On Wed, Dec 9, 2020 at 1:06 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>> >
>> >
>> > --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
>> >
>> > samlp is not the namespace uri
>> >
>> > Aleksey
>> >
>> > On 12/8/20 5:38 PM, Timothy Legge wrote:
>> > > Hi
>> > >
>> > > I have https://pastebin.com/v0PJwQri that I signed as follows:
>> > >
>> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
>> > > "Assertion" t/unsigned/xml-sig-unsigned-dsa-multiple-1.xml >
>> > > t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml
>> > >
>> > > which resulted in
>> > >
>> > > https://pastebin.com/8qhDhjU9
>> (t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml)
>> > >
>> > > I added the second signature section to make
>> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>> > >
>> > > https://pastebin.com/rmfuUtvB
>> > >
>> > > The goal is to sign the saml:Response with ID="identifier_1" (which
>> > > has the first signature embedded in the saml:Assertion with
>> > > ID="identifier_2")
>> > >
>> > > I have tried multiple options:
>> > >
>> > > Most of which result in the following, which seems to be looking at
>> > > identifier_2 for some reason (it was already signed above)
>> > >
>> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
>> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>> > >
>> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
>> > > samlp:Response --node-xpath "/samlp:Response[@ID='identifier_1']"
>> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>> > >
>> > >
>> > >
>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2
>> > > library function failed:expr=xpointer(id('identifier_2')); xml error:
>> > > 0: NULL
>> > >
>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec
>> > > library function failed:
>> > >
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec
>> > > library function failed:
>> > > Error: signature failed
>> > > Error: failed to sign file
>> "t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml"
>> > >
>> > > I am sure it is something obvious.  Any ideas?
>> > >
>> > > Tim
>> > > _______________________________________________
>> > > xmlsec mailing list
>> > > xmlsec at aleksey.com
>> > > http://www.aleksey.com/mailman/listinfo/xmlsec
>> > >
>>
>
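The failure in the quoted thread comes down to ID resolution: xmlsec only resolves `id('identifier_2')` if the Assertion element's ID attribute was registered, and `--id-attr` wants the element's namespace URI, not the `samlp`/`saml` prefix. The following added example (not part of the thread or of xmlsec or XML::Sig) emulates that registration step in Python's standard library over a constructed Response/Assertion document, so you can check before signing or verifying that every `ds:Reference` URI resolves to exactly one registered element. The namespace URIs are the standard SAML 2.0 ones; the sample XML is constructed here.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: --id-attr takes [<node-namespace-uri>:]<node-name>, so the
# xmlsec1 equivalent of registering Response below would be
#   --id-attr:ID urn:oasis:names:tc:SAML:2.0:protocol:Response
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample mirroring the thread: a Response (identifier_1) wrapping
# an Assertion (identifier_2), each carrying a Signature that references its ID.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="identifier_1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#identifier_1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="identifier_2">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#identifier_2"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def register_ids(root, id_attrs):
    """Emulate --id-attr:<attr> <ns-uri>:<local-name>: build the ID table
    keyed by attribute value.  id_attrs is a list of (attr, ns_uri, local).
    A duplicate ID is rejected, since an ambiguous ID must never verify."""
    table = {}
    for attr, ns, local in id_attrs:
        for el in root.iter(f"{{{ns}}}{local}"):  # Clark notation {uri}local
            value = el.get(attr)
            if value is None:
                continue
            if value in table:
                raise ValueError(f"duplicate ID {value!r}")
            table[value] = el
    return table


def unresolved_references(xml_text, id_attrs):
    """Return the ds:Reference URIs (document order) that the registered ID
    attributes cannot resolve.  An empty list means every same-document
    reference has a target; anything else is what xmlsec reports as
    xmlXPtrEval failing on id('...')."""
    root = ET.fromstring(xml_text)
    table = register_ids(root, id_attrs)
    missing = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] not in table:
            missing.append(uri)
    return missing
```

Registering only Response leaves `#identifier_2` unresolved, which matches the thread's error; registering the prefix `samlp` instead of the URI resolves nothing at all.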