You can definitely do it with the library itself. The xmlsec command line tool is somewhat limited. You can try to use --node-xpath option though.
Aleksey On 1/7/12 6:39 PM, Leonardo Herrera wrote:
Hello, I'm trying to verify a document that contains multiple signatures; I cannot modify the structure of the document. Searching through the archives, I found the following response from Aleksey regarding this very same problem (this format is used for electronic invoicing in Chile):The xmlsec1 utility tries to find the ds:Signature element in the sub-tree specified by --node-id or --node-name parameter. The document you have looks as follows (irrelevant pieces are removed): <EnvioDTE> <SetDTE ID="DTE1272374641984"> <DTE> <Documento ID="F185T33"> </Document> <ds:Signature> </ds:SignedInfo> </DTE> </SetDTE> <ds:Signature> </ds:Signature> </EnvioDTE> I am not exactly sure why the first command verified something (I would expect it to do nothing since there are no signature nodes in the subtree). But the second command correctly finds the first signature element in the subtree specified by the --node-id or --node-name parameter (BTW, you just need one parameter :) ). For documents with multiple signatures, I strongly recommend to put ID attribute directly into<ds:Signature> node. This way you can easily specify the right signature node to sign or verify. Regarding the error about xpointer(), please read section 3.4 from FAQ http://www.aleksey.com/xmlsec/faq.html AlekseyFrom what Aleksey wrote, it appears that xmlsec cannot verify the signature directly under SetDTE because it will find the one under DTE first. Is possible to ignore the first signature and make xmlsec read the second one when verifying? I'm currently using xmlsec --verify \ --id-attr:ID http://www.sii.cl/SiiDte:SetDTE \ dte_set.xml Regards,
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
