Aleksey,

Thanks for your hints. The following works fine. 2 points of notice.

1) In the Pre-Digest buffer (see below) I will get extra white space and/or CRLFs for every "subtract" I add in the transform chain. Do I need to do another Canonicalization after the set of filters? Can this be expressed as a transform?

2) Is there any way to do a "wildcard" type thing with the "subtract" so I might use only a single filter instead of one for every //SignatureN? Like a sort of //Signature(*) or something?

Thanks,
Ed

<?xml version="1.0"?>
<Document>
  <ToBeSigned>
    <Data>We must sign this.</Data>
    <Signature1>1st exclude</Signature1>
    <Signature2>2nd exclude</Signature2>
  </ToBeSigned>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
            <dsig-xpath:XPath Filter="intersect"> //Document </dsig-xpath:XPath>
            <dsig-xpath:XPath Filter="subtract"> //Signature1 </dsig-xpath:XPath>
            <dsig-xpath:XPath Filter="subtract"> //Signature2 </dsig-xpath:XPath>
          </Transform>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue> </SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509SubjectName></X509SubjectName>
        <X509IssuerSerial></X509IssuerSerial>
        <X509Certificate></X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
</Document>

== PreDigest data - start buffer:
<Document>
<ToBeSigned>
<Data>We must sign this.</Data>
</ToBeSigned>
</Document>
== PreDigest data - end buffer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aleksey Sanin
Sent: September 23, 2003 11:55 PM
To: Edward Shallow
Cc: [EMAIL PROTECTED]
Subject: Re: [xmlsec] Emailing: EdTestFormNoMSO.zip

>Secondly but related, how would one create parallel signatures over the
>same data using XMLSec ? Using 2 successive sign operations ?
>
Yes.

>Assuming one is using a template, what would it look like for the 2nd sign operation ?
>
Template is just an XML file, remember :)

>For this 2nd pass, does the enveloped-signature transform only exclude
>the signature being applied (i.e. the 2nd) ?
>
>
Enveloped transform by definition excludes only the current signature (see XMLDSig spec for details). It does not matter whether it is the first or second signature.

>If so, what is the best way to exclude the 1st ?
>
XInclude, XPath, XPath2 or XSLT transforms are probably the simplest ways (you might have interop problems with XPath2). But probably I wouldn't use XSLT just for that task.

Aleksey

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
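
An added example, not part of the original messages and not xmlsec code: a small Python model of the XPath Filter 2 node-set arithmetic used in the template above, run on a constructed copy of the `<ToBeSigned>` sample. It shows that one subtract covering both elements yields the same pre-digest data as two separate subtracts, and that the newlines around the removed elements survive because they are text nodes of `<ToBeSigned>`, not part of the subtracted subtrees. Assumptions: element-name sets stand in for XPath evaluation (a real single filter would be a union such as `//Signature1 | //Signature2`), and `serialize` is a simplified stand-in for C14N.

```python
from xml.dom import minidom

# Constructed input: the <ToBeSigned> part of the message's sample document.
SAMPLE = ("<Document>\n<ToBeSigned>\n<Data>We must sign this.</Data>\n"
          "<Signature1>1st exclude</Signature1>\n"
          "<Signature2>2nd exclude</Signature2>\n</ToBeSigned>\n</Document>")

def subtree(node):
    """Yield node and all of its descendants (Filter 2 subtree expansion)."""
    yield node
    for child in node.childNodes:
        yield from subtree(child)

def select(doc, names):
    """Stand-in for XPath: subtrees of every element whose name is in names."""
    picked = set()
    for el in subtree(doc.documentElement):
        if el.nodeType == el.ELEMENT_NODE and el.tagName in names:
            picked.update(subtree(el))
    return picked

def apply_filters(doc, filters):
    """Run (operation, names) filters in order, starting from the whole document."""
    keep = set(subtree(doc.documentElement))
    for op, names in filters:
        chosen = select(doc, names)
        keep = keep & chosen if op == "intersect" else keep - chosen
    return keep

def serialize(node, keep):
    """Emit only the kept nodes (simplified; real C14N also handles attributes)."""
    inner = "".join(serialize(c, keep) for c in node.childNodes)
    if node not in keep:
        return inner
    if node.nodeType == node.TEXT_NODE:
        return node.data
    return "<%s>%s</%s>" % (node.tagName, inner, node.tagName)

def predigest(filters):
    """Return the serialized node-set that would be fed to the digest."""
    doc = minidom.parseString(SAMPLE)
    return serialize(doc.documentElement, apply_filters(doc, filters))

CHAIN = [("intersect", {"Document"}), ("subtract", {"Signature1"}),
         ("subtract", {"Signature2"})]
SINGLE = [("intersect", {"Document"}), ("subtract", {"Signature1", "Signature2"})]

if __name__ == "__main__":
    print(repr(predigest(CHAIN)))
```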