Got it, thanks!
On Mon, Dec 7, 2020 at 2:09 PM Aleksey Sanin <[email protected]> wrote:
>
> "--id-attr" just defines an ID attribute (like DTD or schema).
>
> Aleksey
>
> On 12/7/20 10:02 AM, Timothy Legge wrote:
> > Hi
> >
> > Some background. I have been updating the Perl module XML::Sig and
> > one of the things I added was the ability to sign any XML nodes that
> > have ID as an attribute.
> >
> > I use xmlsec1 as a test case to ensure that my resulting documents can
> > be validated with xmlsec1 (and vice-versa that XML::Sig can validate
> > documents signed by xmlsec).
> >
> > So in this case I wanted a DSA signed XML that has both the
> > <samlp:Response ID="identifier_1" and <saml:Assertion ID="identifier_2"
> > signed by the same key.
> >
> > Essentially I wanted to see how xmlsec signs multiple parts of the
> > same XML file.
> >
> > I notice the spec says that you can use multiple references in a
> > single signature but it appears that most applications sign the
> > documents twice.
> >
> > In the case then, I would sign the XML once for identifier_2 with
> > xmlsec and then repeat for identifier_1 as it will need to sign the
> > embedded signature from the first signing.
> >
> > I thought you might be able to use the two
> >
> > --id-attr:ID "Response"
> > --id-attr:ID "Assertion"
> >
> > at the same time to sign both sections in one pass.
> >
> > Tim
> >
> > On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <[email protected]> wrote:
> >>
> >> Not sure what you mean. If you want to sign both signatures, then
> >> you need to run xmlsec1 tool twice with correct --node-id, --node-xpath,
> >> or --node-name params:
> >>
> >> https://www.aleksey.com/xmlsec/xmlsec-man.html
> >>
> >> Aleksey
> >>
> >> On 12/7/20 9:27 AM, Timothy Legge wrote:
> >>> Ah, it will not sign both nodes with an ID?
> >>>
> >>> On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <[email protected]> wrote:
> >>>>
> >>>> I see two signatures in the document. By default xmlsec1 tool will sign
> >>>> the first signature it finds.
> >>>>
> >>>> Best,
> >>>>
> >>>> Aleksey
> >>>>
> >>>> On 12/5/20 7:22 PM, Timothy Legge wrote:
> >>>>> Hi
> >>>>>
> >>>>> I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:
> >>>>>
> >>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
> >>>>> --id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml
> >>>>>
> >>>>> It does not show any error messages however it does not sign the
> >>>>> output. Any ideas what I am doing wrong?
> >>>>>
> >>>>> Tim
> >>>>> _______________________________________________
> >>>>> xmlsec mailing list
> >>>>> [email protected]
> >>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
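
An added example, not part of the thread and not xmlsec or XML::Sig code: a Python check that lists every ds:Signature in document order together with the elements its same-document references resolve to, and reports ID values that no reference covers. It helps to see which signature comes first in a file like the one discussed above and whether both the Response and the Assertion are actually referenced. The sample document and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a Response and an embedded Assertion, each carrying an ID
# attribute and its own signature template (digest/signature values omitted).
SAMPLE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="identifier_1">
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#identifier_1"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="identifier_2">
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#identifier_2"/>
    </ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def signature_map(xml_text, id_attr="ID"):
    """Return (signatures, uncovered): one dict per ds:Signature in document
    order, and the sorted ID values that no ds:Reference points at."""
    root = ET.fromstring(xml_text)
    by_id = {el.get(id_attr): el for el in root.iter() if el.get(id_attr)}
    parent = {child: p for p in root.iter() for child in p}
    signatures, covered = [], set()
    for sig in root.iter(f"{{{DS}}}Signature"):
        refs = []
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            refs.append((uri, local(target.tag) if target is not None else None))
            if target is not None:
                covered.add(uri[1:])
        holder = parent.get(sig)  # None when the Signature is the root element
        signatures.append({"parent": local(holder.tag) if holder is not None else None,
                           "references": refs})
    return signatures, sorted(set(by_id) - covered)

if __name__ == "__main__":
    sigs, uncovered = signature_map(SAMPLE)
    for n, s in enumerate(sigs, 1):
        print(n, s["parent"], s["references"])
    print("IDs not referenced by any signature:", uncovered)
```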
