It depends on the certificate or to be precise pkcs12 file you are signing with. Yours contains 3 certs.
Aleksey On 6/11/12 9:03 PM, Giancarlo Piva wrote: > Aleksey > > My crypto knowledge is limited > I am just trying to sign a document from the command line tool xmlsec1 > as proof of concept... > before reading a book on cryptography.... I will better document > myself for sure.. > and eventually read the manual.. and code my client using the xmlsec > library... > I was looking only for a hint as your X509 example on the web site the > output file have only one "X509Certificate" node > when I run the same example the output I get have multiple > "X509Certificate" nodes... I dont understand why? > > anyway thanks for your help > > Carlo > > On Tue, Jun 12, 2012 at 1:52 PM, Aleksey Sanin <[email protected]> wrote: >> X509Certificate nodes do not contain signatures. You might want >> to read a book on cryptography. >> >> Aleksey >> >> >> On 6/11/12 8:50 PM, Giancarlo Piva wrote: >>> Hi Alekey >>> >>> That is right and that is what I am expecting as well.. >>> >>> I tried to run my command using your xml on the web site: >>> >>> xmlsec1 --sign --output test.xml --pkcs12 >>> ./certs/8003620833337558-general.p12 --pwd Password --trusted-pem >>> ./certs/output.pem ./xml/template_test.xml >>> >>> in the output I get multiple <X509Certificate> nodes is that normal?? >>> >>> this is what i get: >>> >>> <?xml version="1.0"?> >>> <References> >>> <Book> >>> <Author> >>> <FirstName>Bruce</FirstName> >>> <LastName>Schneier</LastName> >>> </Author> >>> <Title>Applied Cryptography</Title> >>> </Book> >>> <Web> >>> <Title>XMLSec</Title> >>> <Url>http://www.aleksey.com/xmlsec/</Url> >>> </Web> >>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#";> >>> <SignedInfo> >>> <CanonicalizationMethod >>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> >>> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> >>> <Reference URI=""> >>> <Transforms> >>> <Transform >>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> >>> </Transforms> >>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> >>> <DigestValue>o/5EifW/Q4LVtDznvqMgBAAC21M=</DigestValue> >>> </Reference> >>> </SignedInfo> >>> >>> <SignatureValue>jk5S8exrQmxJPwBtz4YsEY3+zhWpAaRYW2rJNRLoo7+Rkq7PWoOAkHki63Gx5BEb >>> CSmk8bQ5jjqDLoxrbFVsYCmKQiiEpq+r8Kup9lyReA9aA4PRu/FpxufkPYqBXpfN >>> YML85F+LCoG44xt4LQMwaZtdE7H1KX3HZ1EX3Q+yIxoVxVp2HQjO9Y+3OJUlXUGk >>> t0yn/q11H/AV4mmZ2CWK+4uUKySYTg0KEhu/Z3RpG/S2VX3zHPUg769bQy/1Bihq >>> 3bwyO4INAHgP3dMjuc+iTJMMLChy/ZA5zahs5npfmWKFyJSw0ggMApZsRN4Mf8s8 >>> oDNtKPTja7/HbFBwdbiSdA==</SignatureValue> >>> <KeyInfo> >>> <X509Data> >>> >>> >>> >>> >>> <X509Certificate>MIIHLDCCBhSgAwIBAgIETXl5dTANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJB >>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwHhcNMTEwNjAy >>> MTUyMjQwWhcNMjEwMzExMDA0NjMzWjAxMQswCQYDVQQGEwJBVTESMBAGA1UEChMJ >>> TkVIVEFEZW1vMQ4wDAYDVQQLEwVTdWJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP >>> ADCCAQoCggEBAN9Zc8dkNxg9pEaPRxx9Z5H8Fsxt5G7QTXhuVSqwFsxOJNLiuQq+ >>> Z7q9fr8nry9ulmLj9HgGiPpMqQuFhbRH0aM2kSWhiZtjybVK4d52zwiapa+WcabG >>> djg8ZRZaevV6wRflwESUdyRM0g+Re8Bc+u8vEli7spKJgVNf31hvo3/zmIqiR3Vs >>> YFMeT9NgqWC/rUmguwScS4v5ZLBHaJG3WfPemTvmkd8iKxxTchG0uYhoBYtOd2Gc >>> vcLcj/ZWY3GRcJZIMKTIy34yWhIr1G95ZfdAD5TGfrGrv5WOgTRNGln7Kb00sedZ >>> UpyIfYMeR6X6tbVsqLquS8yPgrKCc+2a9UsCAwEAAaOCBEkwggRFMA4GA1UdDwEB >>> /wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMIICcAYDVR0gBIICZzCCAmMwggHY >>> BgwqJAGPUYdqAQEBAQEwggHGMGgGCCsGAQUFBwIBFlxodHRwOi8vcG9saWN5LnBy >>> b2Ryb290aGlnaDEucGtpLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1L3Byb2Ryb290 >>> aGlnaDEvcG9saWN5L05BU0hfUkNBX0NQLnBkZjCCAVgGCCsGAQUFBwICMIIBShqC >>> AUZDZXJ0aWZpY2F0ZXMgdW5kZXIgdGhpcyBwb2xpY3kgYXJlIGlzc3VlZCBieSB0 >>> aGUgTkFTSCBSb290IENBIHRvIGl0c2VsZiBhbmQgdG8gQ0FzIHN1Ym9yZGluYXRl >>> IHRvIHRoZSBOQVNIIFJvb3QgQ0EuIFJlZmVyIHRvIGh0dHA6Ly9wcm9kcm9vdGhp >>> Z2gxLnBraS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS9wcm9kcm9vdGhpZ2gxLyBm >>> b3IgbW9yZSBpbmZvcm1hdGlvbi4gVXNlIG9mIHRoaXMgQ2VydGlmaWNhdGUgaXMg >>> c3ViamVjdCB0byBBZ3JlZW1lbnRzIGF0IGh0dHA6Ly9wcm9kcm9vdGhpZ2gxLnBr >>> aS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS9wcm9kcm9vdGhpZ2gxLzAqBgkqJAGP >>> UYdqBQIwHTAbBggrBgEFBQcCAjAPGg1Mb3cgQXNzdXJhbmNlMC8GCSokAY9Rh2oF >>> AzAiMCAGCCsGAQUFBwICMBQaEk1vZGVyYXRlIEFzc3VyYW5jZTAoBgoqJAGPUYdq >>> BgQAMBowGAYIKwYBBQUHAgIwDBoKSXNzdWluZyBDQTCBswYIKwYBBQUHAQEEgaYw >>> gaMwVQYIKwYBBQUHMAKGSWh0dHA6Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0 >>> LmNvbS9BSUEvQ2VydHNJc3N1ZWR0b05FSFRBRGVtb1Jvb3RDQS5wN2MwSgYIKwYB >>> BQUHMAGGPmh0dHA6Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0LmNvbS9PQ1NQ >>> L05FSFRBUm9vdENBUmVzcG9uZGVyMIGZBgNVHR8EgZEwgY4wQaA/oD2GO2h0dHA6 >>> Ly9uZWh0YWRlbW8ubWFuYWdlZC5lbnRydXN0LmNvbS9DUkxzL05FSFRBREVNT1Jv >>> b3QuY3JsMEmgR6BFpEMwQTELMAkGA1UEBhMCQVUxEjAQBgNVBAoTCU5FSFRBRGVt >>> bzEPMA0GA1UECxMGUm9vdENBMQ0wCwYDVQQDEwRDUkwxMB8GA1UdIwQYMBaAFBDg >>> Yh+sUVo0ZnLXWMH0NWk/6JFbMB0GA1UdDgQWBBRaPSKrShmC/GJzkLtwm/s56ZsS >>> rDAZBgkqhkiG9n0HQQAEDDAKGwRWOC4xAwIAgTANBgkqhkiG9w0BAQUFAAOCAQEA >>> XQTFvV+bBpJshxlfy9bm1gq2ZALukwYPkVB8GhKM43yqT+ZbxwC0im8PYNhbvzRB >>> lzo5b50mfZcYaC97Ey5zs511qvyFAiJuZdtPTtmrEw10G+uyGqdLjL+OZTcyVwk3 >>> 8KAYAaSxc7BhBGxsnLf01bKUmK1HSj2anrKk/81PLIaJId2L7IfcrZFi+OlUZfAK >>> THa5ayk8fxu/pI1WjHQy6+HW1IfDmKQJz+uVbTIq03XmuCW4Bwd3U2qjFhtVuQd3 >>> TjWcRm05d+1p/LSAKFH+jSzorewiG+URvef8Lznwbg/ChbNSaRnlLV9WQqBMsELZ >>> 54vPc3pZhOkfrthJYni8jA==</X509Certificate> >>> <X509SubjectName>OU=SubCA,O=NEHTADemo,C=AU</X509SubjectName> >>> <X509IssuerSerial> >>> <X509IssuerName>OU=RootCA,O=NEHTADemo,C=AU</X509IssuerName> >>> <X509SerialNumber>1299806581</X509SerialNumber> >>> </X509IssuerSerial> >>> <X509Certificate>MIIDJDCCAgygAwIBAgIETXlw6TANBgkqhkiG9w0BAQUFADAyMQswCQYDVQQGEwJB >>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwHhcNMTEwMzEx >>> MDAxNjMzWhcNMjEwMzExMDA0NjMzWjAyMQswCQYDVQQGEwJBVTESMBAGA1UEChMJ >>> TkVIVEFEZW1vMQ8wDQYDVQQLEwZSb290Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB >>> DwAwggEKAoIBAQCz3qq/Tw5CkP+gQl+uhyislJauKGzJS/uyTveAjnuqzdTR4+bC >>> MFeMjIH3da770r2n52MtLgYxhCo50YJzaAKAchV2+GDK0q+KRnut7d+obSamr9Vp >>> fMFtYctNvZFaRpPKCOqyz7WfOleOmtaNLv26CUnszM4/nZBcD7CNuoItyX81e4a0 >>> edMFvg3rqIv7OPg+NSDNYpnBB9rdmbSe1FCLBERon5gsdPGFzh8x5DLtMpZZCwL6 >>> Q1srclXWLMpnfMAgXDcH8FaLGHVYSfsrHQh9uCCuoV602eic+SgE66/xQ5Uy/OHV >>> oZJeB1bLzAk2OxIo8pHuVCMeH178xCI1tAGdAgMBAAGjQjBAMA4GA1UdDwEB/wQE >>> AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQQ4GIfrFFaNGZy11jB9DVp >>> P+iRWzANBgkqhkiG9w0BAQUFAAOCAQEAcMwGYh5iXTWjYev2+Mmm5IIUD9xRntah >>> qWo/lNsWP/Lb3dVpdyxQ5hQt/nFmER7SkXHZT394/deWCdh3E2LE6AE2cIZuQYr+ >>> 1aHbKWYeAkCnHUjdzszuZ2bEp9FW4Y0+dlH4V71LnobHwWQre/PZFTFNlZjf1xYF >>> giI5YK2MeOSsWaB2ACPkq4gDY4JnsNKK3QCX2xR/zeSG1l3Zjp8A07Z0ldvUiwfa >>> IFGo8rkHkbbNifCco7d8+6NPiy0qwTG5/Htt9hb7pJ5IStoLSX6AAzKevt/GaRga >>> xChYv35zMQF6Bgjkk8LXsQiA2oi8r995oFTKCDbDMYdksyK7FyoFHQ==</X509Certificate> >>> <X509SubjectName>OU=RootCA,O=NEHTADemo,C=AU</X509SubjectName> >>> <X509IssuerSerial> >>> <X509IssuerName>OU=RootCA,O=NEHTADemo,C=AU</X509IssuerName> >>> <X509SerialNumber>1299804393</X509SerialNumber> >>> </X509IssuerSerial> >>> <X509Certificate>MIIIvjCCB6agAwIBAgIETXqLsTANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJB >>> VTESMBAGA1UEChMJTkVIVEFEZW1vMQ4wDAYDVQQLEwVTdWJDQTAeFw0xMjAzMDUw >>> MTQyNDlaFw0xMzAzMDUwMDAwMDBaMIGfMRIwEAYKCZImiZPyLGQBGRYCQVUxEzAR >>> BgoJkiaJk/IsZAEZFgNORVQxIDAeBgoJkiaJk/IsZAEZFhBFTEVDVFJPTklDSEVB >>> TFRIMRQwEgYDVQQKEwtNZWRpY2FyZTMwNTE8MDoGA1UEAxMzZ2VuZXJhbC44MDAz >>> NjIwODMzMzM3NTU4LmlkLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1MIIBIjANBgkq >>> hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA21303diBXMqVg0Z366xYZc4qCTeHd9zf >>> oHWJRAd7/YQlfMu3q21sb7MqQI3N88bmQxICn2tg5HRPKh8rB9RqGT8gzGpKiMbz >>> KFxz81dzzj87gkYkLF57WiuKARKqp98nx2mTIELKcN1ahejHbo2cVjHpkQ+m17Dt >>> TZJ5sUxna2OT6+qTWEBlilnjsiit2M96iNs1/Y4eySRRCDKNXF2virN/5cqzjfRk >>> iKTwfgKNQ09MNeCN+wl588JKuGmIzZ8kKQveXzHEvS9eUFQid1ZOVy8x+0jeoUHO >>> YTNoRb1wckdtV7eFFx5fERE/KuTvjvMchCBezZWYz0WwUXiSKX0/qQIDAQABo4IF >>> bTCCBWkwDgYDVR0PAQH/BAQDAgSwMIIBMAYIKwYBBQUHAQEEggEiMIIBHjBJBggr >>> BgEFBQcwAYY9aHR0cDovL25laHRhZGVtby5tYW5hZ2VkLmVudHJ1c3QuY29tL09D >>> U1AvTkVIVEFTdWJDQVJlc3BvbmRlcjBUBggrBgEFBQcwAoZIaHR0cDovL25laHRh >>> ZGVtby5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZHRvTkVIVEFE >>> ZW1vU3ViQ0EucDdjMHsGCCsGAQUFBzAChm9sZGFwOi8vbmVodGFkZW1vLm1hbmFn >>> ZWQuZW50cnVzdC5jb20vb3U9U3ViQ0Esbz1ORUhUQURlbW8sYz1BVT9jQUNlcnRp >>> ZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwHQYDVR0l >>> BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwggIyBgNVHSAE >>> ggIpMIICJTCCAcQGDCokAY9Rh2oBAwEEAzCCAbIwZQYIKwYBBQUHAgEWWWh0dHA6 >>> Ly9wb2xpY3kudGVzdHN1Ym1vZDEucGtpLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1 >>> L3Rlc3RzdWJtb2QxL3BvbGljeS9OQVNIX0hQSU9fQ1AucGRmMIIBRwYIKwYBBQUH >>> AgIwggE5GoIBNUNlcnRpZmljYXRlcyB1bmRlciB0aGlzIHBvbGljeSBhcmUgaXNz >>> dWVkIGJ5IHRoZSBOQVNIIFN1Ym9yZGluYXRlIENBIHRvIEhlYWx0aGNhcmUgUHJv >>> dmlkZXIgT3JnYW5pc2F0aW9ucy4gUmVmZXIgdG8gaHR0cDovL3Rlc3RzdWJtb2Qx >>> LnBraS5lbGVjdHJvbmljaGVhbHRoLm5ldC5hdS90ZXN0c3VibW9kMS8gZm9yIG1v >>> cmUgaW5mb3JtYXRpb24uIFVzZSBvZiB0aGlzIENlcnRpZmljYXRlIGlzIHN1Ympl >>> Y3QgdG8gQWdyZWVtZW50cyBhdCBodHRwOi8vdGVzdHN1Ym1vZDEucGtpLmVsZWN0 >>> cm9uaWNoZWFsdGgubmV0LmF1L3Rlc3RzdWJtb2QxLzAqBgkqJAGPUYdqBQIwHTAb >>> BggrBgEFBQcCAjAPGg1Mb3cgQXNzdXJhbmNlMC8GCiokAY9Rh2oGBwMwITAfBggr >>> BgEFBQcCAjATGhFXZWJTZXJ2aWNlIERldmljZTCBgQYDVR0RBHoweIIzZ2VuZXJh >>> bC44MDAzNjIwODMzMzM3NTU4LmlkLmVsZWN0cm9uaWNoZWFsdGgubmV0LmF1hkFo >>> dHRwOi8vbnMuZWxlY3Ryb25pY2hlYWx0aC5uZXQuYXUvaWQvaGkvaHBpby8xLjAv >>> ODAwMzYyMDgzMzMzNzU1ODCB+wYDVR0fBIHzMIHwMIGjoIGgoIGdhjpodHRwOi8v >>> bmVodGFkZW1vLm1hbmFnZWQuZW50cnVzdC5jb20vQ1JMcy9ORUhUQURFTU9TdWIu >>> Y3Jshl9sZGFwOi8vbmVodGFkZW1vLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9U3Vi >>> Q0Esbz1ORUhUQURlbW8sYz1BVT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2Jp >>> bmFyeTBIoEagRKRCMEAxCzAJBgNVBAYTAkFVMRIwEAYDVQQKEwlORUhUQURlbW8x >>> DjAMBgNVBAsTBVN1YkNBMQ0wCwYDVQQDEwRDUkw4MB8GA1UdIwQYMBaAFFo9IqtK >>> GYL8YnOQu3Cb+znpmxKsMB0GA1UdDgQWBBTJ0D/1ayPl4d+NQZLxTUdJVGr/ZDAN >>> BgkqhkiG9w0BAQUFAAOCAQEAEFvbTBlGeI1rj8mNZDQtoNN7pFdR1WH3N1Exbcez >>> +zoUncZXAIqmvVG/pTxuDpaLx2Kg+JIBbYZSvFp/RRiea3DuV416c7yqcsbfBhMO >>> pwqZs8e0UUKKMugrSy7Z2DXCTjGlxNw9gR8QDdz+ddn98dRqAlh/UV289sFBNEbK >>> 5PLtjgtUxhqzn9CKmxgLO2RUkIJvWmVDRF+SvOzb8/QcGk3OX3YlWFlMeTsaHMyK >>> KKnbmkrGRlj1sfK4OUWmdaLKWbIhvA2eBf5iHlwSiZ0I2LuXp2TI29KCPmCaHmkd >>> h1AZzEQWh1sXCpUScS+dNkKaJiqMvuPRVBFniv5W/XZjNg==</X509Certificate> >>> <X509SubjectName>CN=general.8003620833337558.id.electronichealth.net.au,O=Medicare305,DC=ELECTRONICHEALTH,DC=NET,DC=AU</X509SubjectName> >>> <X509IssuerSerial> >>> <X509IssuerName>OU=SubCA,O=NEHTADemo,C=AU</X509IssuerName> >>> <X509SerialNumber>1299876785</X509SerialNumber> >>> </X509IssuerSerial> >>> </X509Data> >>> <KeyValue> >>> <RSAKeyValue> >>> <Modulus> >>> 21303diBXMqVg0Z366xYZc4qCTeHd9zfoHWJRAd7/YQlfMu3q21sb7MqQI3N88bm >>> QxICn2tg5HRPKh8rB9RqGT8gzGpKiMbzKFxz81dzzj87gkYkLF57WiuKARKqp98n >>> x2mTIELKcN1ahejHbo2cVjHpkQ+m17DtTZJ5sUxna2OT6+qTWEBlilnjsiit2M96 >>> iNs1/Y4eySRRCDKNXF2virN/5cqzjfRkiKTwfgKNQ09MNeCN+wl588JKuGmIzZ8k >>> KQveXzHEvS9eUFQid1ZOVy8x+0jeoUHOYTNoRb1wckdtV7eFFx5fERE/KuTvjvMc >>> hCBezZWYz0WwUXiSKX0/qQ== >>> </Modulus> >>> <Exponent> >>> AQAB >>> </Exponent> >>> </RSAKeyValue> >>> </KeyValue> >>> </KeyInfo> >>> </Signature> >>> </References> >>> >>> >>> >>> On Tue, Jun 12, 2012 at 12:53 PM, Aleksey Sanin <[email protected]> wrote: >>>> Not sure what do you mean. There should be 3 digests and one signature. >>>> >>>> Aleksey >>>> >>>> >>>> On 6/11/12 6:58 PM, Giancarlo Piva wrote: >>>>> Hi Aleksey, >>>>> >>>>> I am tring to use xmlsec1 in linux to sign multiple parts of an xml >>>>> document (header, body, timestamp) >>>>> in my template i have 3 digests with 3 uris >>>>> xmlsec works fine but I end up with three signature instead of one in >>>>> the output file >>>>> >>>>> I am using xmlsec1 --sign --output test.xml --pkcs12 ./certs/cert.p12 >>>>> --pwd Password --trusted-pem ./certs/RootCA.crt ./xml/template.xml >>>>> >>>>> is there an option to sign multiple part of a doc via command line? >>>>> >>>>> Kind Regards, >>>>> >>>>> Carlo >>>>> >>>> >> _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
