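The xmlsec1 command-line tool can use an XPath expression to *select* the Signature node at which verification starts (the `--node-xpath` option). That selection is made on the command line when you run the tool; it is separate from an XPath transform placed inside a `<Reference>`, which only changes what gets digested.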
Aleksey On 2/27/13 4:45 PM, Gpe. Raquel Toledo wrote: > Thxs Aleksey. I use XPath with intersect, but still is not verified. I > have a question: of signature1 the digest is from the object, but from > the signature2 what info i use to make the digest? I want that > signature2 is a counter signature of signature1. This is my XMLDSig: > > <?xml version="1.0" encoding="ISO-8859-1"?> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma002"> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> > <CanonicalizationMethod > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> > <Reference URI=""> > <Transforms> > <Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> > <XPath xmlns="http://www.w3.org/2002/06/xmldsig-filter2" > Filter="intersect"> > id("Firma001") > </XPath> > </Transform> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> > <DigestValue>wSJWq+4S+GFwlGn+gcspjdQVWko=</DigestValue> > </Reference> > <Reference URI="#InfoCertificado002"> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> > <DigestValue>E5SGuZOQnDUVoN9TUpghuR0LbSc=</DigestValue> > </Reference> > </SignedInfo> > <SignatureValue > Id="Id_Signature002">Yu8By7Gv4qkXd9WRdB2bJuJeovs9qxIimwhUp0tQQiWKEVv+YGpf4YSoe6fHFpmXSCAiD2Lh/g67rmM6kNKdsw5z2mgdfZ/lCEVpfRNcjucGaAd+iUPqZev6V4NeoEvNOBWZz9mggwL2Xw1g+OTr+X6f4mvKIhsVfpiTInFJs6Q=</SignatureValue> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="InfoCertificado002"> > <KeyValue> > > > <RSAKeyValue><Modulus>AKs56bGj9Kz3weX274lEa+Yf2IoOr4mOTZUAX8Pyigp1rMUOLSXIq2ozPtT94czrA+msnshsAZ0tBNwLbEH6tVBUFEFLU3T1NGNsiDrKWruFd5VI6CBmnUAUR6bLngDJvkh8ib3AwED6WPZN9In2JgCQAYo2pRta+mELOGTuJfDN</Modulus> > <Exponent>AQAB</Exponent></RSAKeyValue> > </KeyValue> > <X509Data> > > > 
<X509Certificate>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 h 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</X509Certificate> > </X509Data> > </KeyInfo> > <Object> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Firma001"> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> > <CanonicalizationMethod > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> > <Reference URI="#TramiteAdministrativo001"> > <Transforms> > <Transform > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></Transform> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> > <DigestValue>uQCQOWuUbJat+zUVfAFj0HitSjw=</DigestValue> > </Reference> > <Reference URI="#InfoCertificado001"> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> > <DigestValue>RDROSy4xBg7nI5k9934BSsLSOt8=</DigestValue> > </Reference> > </SignedInfo> > <SignatureValue > Id="Id_Signature001">QvktnGYWXnkxVIh1IBAdh9LywhBf7ppDCg/Z+4+jGm2FHutU4+zECT5/KW41tRRInbmE2Rqbm/SDvfgcsEhqoYZHiDIMwQytASTy3NMlD5uiUx+j8GLuw98iJ+iV7WkSIDIJ8wYw93Tu9XJGEAdnZe0KdxN0bMSA4n4QnuitEuQ=</SignatureValue> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="InfoCertificado001"> > <KeyValue> > > > <RSAKeyValue><Modulus>AKs56bGj9Kz3weX274lEa+Yf2IoOr4mOTZUAX8Pyigp1rMUOLSXIq2ozPtT94czrA+msnshsAZ0tBNwLbEH6tVBUFEFLU3T1NGNsiDrKWruFd5VI6CBmnUAUR6bLngDJvkh8ib3AwED6WPZN9In2JgCQAYo2pRta+mELOGTuJfDN</Modulus> > <Exponent>AQAB</Exponent></RSAKeyValue> > </KeyValue> > <X509Data> > > > <X509Certificate>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 h 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</X509Certificate> > </X509Data> > </KeyInfo> > <Object xmlns="http://www.w3.org/2000/09/xmldsig#" > Id="TramiteAdministrativo001"> > <DatosTramite> > <Tipo>3</Tipo> > <Folio>77777</Folio> > 
<FechaHora>06/02/2013 14:15:18 p.m.</FechaHora> > <Expediente>55537</Expediente> > > <Informacion>||CASTRO|kiki|1|13|39|01/09/2010|$20000|USA|masParametros||</Informacion> > <Archivos Id="ArchivosAdjuntos001"> > <Ruta>C:\ConstanciasPruebas16\docto_respaldo\13100_ceaj_.PDF</Ruta> > <Archivo>y3odd16AD9HuQEn33KngQeuboIM=</Archivo> > <Ruta>C:\ConstanciasPruebas16\docto_respaldo\13100_ceaj_.PDF</Ruta> > <Archivo>y3odd16AD9HuQEn33Kn/QenuoIM=</Archivo> > </Archivos> > </DatosTramite> > </Object> > </Signature> > </Object> > </Signature> > > Thxs on advanced. > >> Date: Tue, 26 Feb 2013 17:33:55 -0800 >> From: [email protected] >> To: [email protected] >> CC: [email protected] >> Subject: Re: [xmlsec] Multiple signatures >> >> Verifier is pretty stupid and can't do multiple signatures. With xmlsec1 >> command line tool you can specify the Signature node you want to verify >> using xpath >> >> Aleksey >> >> On 2/26/13 8:57 AM, Gpe. Raquel Toledo wrote: >> > Right now i have a project includes 2 or many signatures, but i cant >> > found any example that is valid for verifier >> > (http://www.aleksey.com/xmlsec/xmldsig-verifier.html) with 2 signatures. >> > >> > Thanks on advanced. 
>> > >> > >> > <?xml version="1.0" encoding="ISO-8859-1"?> >> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" id="F01"> >> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> >> > <CanonicalizationMethod >> > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod> >> > <SignatureMethod >> > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> >> > <Reference URI="#TA01"> >> > <DigestMethod >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> >> > <DigestValue>...mAPUI=</DigestValue> >> > </Reference> >> > <Reference URI="#IC01"> >> > <DigestMethod >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> >> > <DigestValue>.../wQ=</DigestValue> >> > </Reference> >> > </SignedInfo> >> > <SignatureValue>...tlwyE=</SignatureValue> >> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="IC01"> >> > <KeyValue> >> > <RSAKeyValue><Modulus>...</Modulus> >> > <Exponent>AQAB</Exponent></RSAKeyValue> >> > </KeyValue><X509Data> >> > <X509Certificate>...ORnQBO5A=</X509Certificate> >> > </X509Data> >> > </KeyInfo> >> > <Object xmlns="http://www.w3.org/2000/09/xmldsig#" Id="TA01"> >> > <DatosTramite> >> > <Informacion>...</Informacion> >> > </DatosTramite> >> > </Object> >> > </Signature> >> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" ID="F02"> >> > <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> >> > <CanonicalizationMethod >> > > Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></CanonicalizationMethod> >> > <SignatureMethod >> > > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> >> > <Reference ID="Id_Referencia002" URI="#F01" >> > TYPE="http://uri.etsi.org/01903#CountersignedSignature"> >> > <DigestMethod >> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> >> > <DigestValue>...</DigestValue> >> > </Reference> >> > <Reference URI="#IC02"> >> > <DigestMethod >> > 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> >> > <DigestValue>...</DigestValue> >> > </Reference> >> > </SignedInfo> >> > <SignatureValue ID="IS02">...</SignatureValue> >> > <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#" Id="IC02"> >> > <KeyValue> >> > <RSAKeyValue><Modulus>...</Modulus> >> > <Exponent>AQAB</Exponent></RSAKeyValue> >> > </KeyValue> >> > <X509Data> >> > <X509Certificate>..RnQBO5A=</X509Certificate> >> > </X509Data> >> > </KeyInfo> >> > </Signature> >> > >> > >> > _______________________________________________ >> > xmlsec mailing list >> > [email protected] >> > http://www.aleksey.com/mailman/listinfo/xmlsec >> > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
