"--id-attr" just defines an ID attribute (like DTD or schema).

Aleksey

On 12/7/20 10:02 AM, Timothy Legge wrote:
Hi

Some background.  I have been updating the perl module XML::Sig and
one of the things I added was the ability to sign any XML nodes that
have ID as an attribute.

I use xmlsec1 as a test case to ensure that my resulting documents can
be validated with xmlsec1 (and vice-versa that XML::Sig can validate
documents signed by xmlsec).

So in this case I wanted a DSA-signed XML that has both the
<samlp:Response ID="identifier_1"> and <saml:Assertion ID="identifier_2">
signed by the same key.

Essentially I wanted to see how xmlsec signs multiple parts of the
same XML file.

I notice the spec says that you can use multiple references in a
single signature, but it appears that most applications sign the
document twice.

In that case then, I would sign the XML once for identifier_2 with
xmlsec and then repeat for identifier_1, as it will need to sign the
embedded signature from the first signing.

I thought you might be able to use the two

--id-attr:ID "Response"
--id-attr:ID "Assertion"

at the same time to sign both sections in one pass.

Tim

On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <[email protected]> wrote:

Not sure what you mean. If you want to sign both signatures, then
you need to run the xmlsec1 tool twice with the correct --node-id, --node-xpath,
or --node-name params:

https://www.aleksey.com/xmlsec/xmlsec-man.html

Aleksey

On 12/7/20 9:27 AM, Timothy Legge wrote:
Ah, it will not sign both nodes with an ID?

On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <[email protected]> wrote:

I see two signatures in the document. By default xmlsec1 tool will sign
the first signature it finds.

Best,

Aleksey

On 12/5/20 7:22 PM, Timothy Legge wrote:
Hi

I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:

xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
--id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml

It does not show any error messages however it does not sign the
output.  Any ideas what I am doing wrong?

Tim
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
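
The practical upshot of the thread, as an added example that is not part of the mailing-list exchange and not code from the xmlsec project: `--id-attr` only tells xmlsec1 which attributes are IDs, and a single `--sign` run fills in only the first ds:Signature it finds, so a document with two Signature templates needs one pass per template, each selected with `--node-id`, innermost first so that the outer signature's digest covers the already-signed inner one. The script below parses a constructed SAML-shaped document (two templates, shaped like the Response/Assertion case above, not Tim's pastebin), checks that every Reference URI points at an element whose ID attribute has been registered, and prints the xmlsec1 command lines in the order they must run. It plans the commands rather than executing them; the file names, the `sig_response`/`sig_assertion` Signature Ids, and the decision to also register `--id-attr:Id Signature` (so that `--node-id` can resolve the template's own Id) are this example's assumptions.

```python
"""Plan the xmlsec1 passes needed to sign two ID'd nodes of one document.

Added example, not part of the mailing-list thread or the xmlsec project.
"""
import shlex
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
DS_SIG = "{%s}Signature" % DS_NS
DS_REF = "{%s}Reference" % DS_NS

# Mirrors the --id-attr:ATTR "Element" options: which attribute is an ID on which
# element. "Id" on Signature is registered here so --node-id can select a template
# (assumption: register it explicitly rather than rely on xmlsec1 doing so).
ID_ATTRS = {"ID": {"Response", "Assertion"}, "Id": {"Signature"}}


def sig_template(sig_id, ref_uri):
    """Minimal enveloped-signature template of the kind xmlsec1 --sign fills in."""
    return (
        '<ds:Signature xmlns:ds="%s" Id="%s"><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>'
        '<ds:Reference URI="%s"><ds:Transforms>'
        '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
        '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '</ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
        '<ds:DigestValue/></ds:Reference></ds:SignedInfo>'
        '<ds:SignatureValue/></ds:Signature>'
    ) % (DS_NS, sig_id, ref_uri)


# Constructed sample: a Response with its own template and an Assertion inside it
# with a second template, each referencing its enclosing element by ID.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_1">'
    + sig_template("sig_response", "#identifier_1")
    + '<saml:Assertion ID="identifier_2">'
    + sig_template("sig_assertion", "#identifier_2")
    + '<saml:Subject/></saml:Assertion></samlp:Response>'
)


def find_signatures(xml_text, id_attrs):
    """Every ds:Signature with its first Reference, sorted innermost first.

    target is the local name of the referenced element, or None when the URI
    points at an ID that the --id-attr options would not have registered.
    """
    root = ET.fromstring(xml_text)
    parent = {child: elem for elem in root.iter() for child in elem}
    ids = {}  # registered ID value -> local name of the element carrying it
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]
        for attr, elements in id_attrs.items():
            if local in elements and attr in elem.attrib:
                ids[elem.attrib[attr]] = local
    found = []
    for sig in root.iter(DS_SIG):
        ref = sig.find("./{%s}SignedInfo/%s" % (DS_NS, DS_REF))
        uri = ref.get("URI", "") if ref is not None else ""
        depth, node = 0, sig
        while node in parent:  # count ancestors: deeper template = inner signature
            node, depth = parent[node], depth + 1
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        found.append({"sig_id": sig.get("Id"), "uri": uri,
                      "target": target, "depth": depth})
    found.sort(key=lambda s: s["depth"], reverse=True)
    return found


def plan_passes(xml_text, xml_path, key_path, id_attrs):
    """One xmlsec1 --sign command per template, chained inner -> outer.

    xmlsec1 signs only the first ds:Signature it finds unless --node-id (or
    --node-xpath / --node-name) picks the template, so each pass names its own.
    """
    flags = []
    for attr, elements in id_attrs.items():
        for element in sorted(elements):
            flags += ["--id-attr:%s" % attr, element]
    cmds, current = [], xml_path
    for i, sig in enumerate(find_signatures(xml_text, id_attrs), 1):
        if sig["target"] is None:
            raise ValueError("Reference %r cannot be resolved; register its ID "
                             "attribute with --id-attr" % sig["uri"])
        out = "%s.pass%d" % (xml_path, i)
        cmd = ["xmlsec1", "--sign", "--privkey-pem", key_path, *flags,
               "--node-id", sig["sig_id"], "--output", out, current]
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
        current = out  # the next pass signs the output of this one
    return cmds


if __name__ == "__main__":
    for cmd in plan_passes(SAMPLE_XML, "t/xml-sig-unsigned-dsa-multiple.xml",
                           "t/dsa.private.key", ID_ATTRS):
        print(cmd)
```

Dropping `"Assertion"` from `ID_ATTRS["ID"]` reproduces the failure mode of a forgotten `--id-attr`: the `#identifier_2` reference no longer resolves and the planner refuses to emit a command, where xmlsec1 itself would fail at sign time.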