Hello, I'm trying to verify a document that contains multiple signatures; I cannot modify the structure of the document.
Searching through the archives, I found the following response from Aleksey regarding this very same problem (this format is used for electronic invoicing in Chile): > The xmlsec1 utility tries to find the ds:Signature element > in the sub-tree specified by --node-id or --node-name > parameter. The document you have looks as follows (irrelevant > pieces are removed): > > <EnvioDTE> > <SetDTE ID="DTE1272374641984"> > <DTE> > <Documento ID="F185T33"> > </Document> > <ds:Signature> > </ds:SignedInfo> > </DTE> > </SetDTE> > <ds:Signature> > </ds:Signature> > </EnvioDTE> > > I am not exactly sure why the first command verified something > (I would expect it to do nothing since there are no signature nodes > in the subtree). But the second command correctly finds the > first signature element in the subtree specified by the --node-id > or --node-name parameter (BTW, you just need one parameter :) ). > > For documents with multiple signatures, I strongly recommend to > put ID attribute directly into <ds:Signature> node. This way you > can easily specify the right signature node to sign or verify. > > Regarding the error about xpointer(), please read section 3.4 > from FAQ > > http://www.aleksey.com/xmlsec/faq.html > > Aleksey >From what Aleksey wrote, it appears that xmlsec cannot verify the signature directly under SetDTE because it will find the one under DTE first. Is possible to ignore the first signature and make xmlsec read the second one when verifying? I'm currently using xmlsec --verify \ --id-attr:ID http://www.sii.cl/SiiDte:SetDTE \ dte_set.xml Regards, -- Leonardo Herrera http://pipes.epublish.cl/ _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
