Just out of curiosity... WRT SAML, why would you sign both the Assertion and the Response?
Andy King
Technical Product Manager

On Wed, Dec 9, 2020 at 11:24 AM Timothy Legge <[email protected]> wrote:

> ... I should have noticed that I am dealing with Perl's XML::libXML
> where I can register the namespace and use the shortcut .
>
> Thanks for pointing out the error
>
> Tim
>
> On Wed, Dec 9, 2020 at 1:06 PM Aleksey Sanin <[email protected]> wrote:
> >
> > --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
> >
> > samlp is not the namespace uri
> >
> > Aleksey
> >
> > On 12/8/20 5:38 PM, Timothy Legge wrote:
> > > Hi
> > >
> > > I have https://pastebin.com/v0PJwQri that I signed as follows:
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
> > > "Assertion" t/unsigned/xml-sig-unsigned-dsa-multiple-1.xml >
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml
> > >
> > > which resulted in
> > >
> > > https://pastebin.com/8qhDhjU9 (t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml)
> > >
> > > I added the second signature section to make
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > > https://pastebin.com/rmfuUtvB
> > >
> > > The goal is to sign the saml:Response with ID="identifier_1" (which
> > > has the first signature embedded in the saml:Assertion with
> > > ID="identifier_2)
> > >
> > > I have tried multiple options:
> > >
> > > Most of which result in: the following that seems to be looking at
> > > identifier_2 for some reason (it was already signed above)
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
> > > samlp:Response --node-xpath "/samlp:Response[@ID='identifier_1']"
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > > func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('identifier_2')); xml error: 0: NULL
> > > func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> > > func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> > > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
> > > Error: signature failed
> > > Error: failed to sign file "t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml"
> > >
> > > I am sure it is something obvious. Any ideas?
> > >
> > > Tim
> > > _______________________________________________
> > > xmlsec mailing list
> > > [email protected]
> > > http://www.aleksey.com/mailman/listinfo/xmlsec
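The `--id-attr` syntax Aleksey quotes, modelled as an added example (not code from this thread or from xmlsec): it shows why the prefix form `samlp:Response` selects nothing while the namespace-URI form does. The function names are hypothetical, and the sample document and its SAML 2.0 namespace URIs are constructed, since the pastebin files are not reproduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a SAML 2.0 Response wrapping an Assertion (IDs as in the thread).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="identifier_1">
  <saml:Assertion ID="identifier_2"/>
</samlp:Response>"""


def parse_id_attr_value(value):
    """Split '[<node-namespace-uri>:]<node-name>' into (ns_uri, node_name).

    Namespace URIs contain colons themselves, so the node name is whatever
    follows the LAST colon; everything before it is taken as the URI.
    """
    ns_uri, sep, node_name = value.rpartition(":")
    return (ns_uri if sep else None), node_name


def matching_ids(xml_text, attr_name, value):
    """Return the attr_name values of the elements an --id-attr value selects.

    Assumption: with no URI given, the node name matches in any namespace
    (in the thread, plain "Assertion" was enough for saml:Assertion).
    """
    ns_uri, node_name = parse_id_attr_value(value)
    found = []
    for elem in ET.fromstring(xml_text).iter():
        # ElementTree spells qualified names as '{uri}local'.
        if elem.tag.startswith("{"):
            elem_ns, local = elem.tag[1:].split("}", 1)
        else:
            elem_ns, local = None, elem.tag
        if local != node_name:
            continue
        if ns_uri is not None and ns_uri != elem_ns:
            continue  # "samlp" is a prefix, not the URI, so it never matches
        if attr_name in elem.attrib:
            found.append(elem.attrib[attr_name])
    return found


if __name__ == "__main__":
    for v in ("samlp:Response",
              "urn:oasis:names:tc:SAML:2.0:protocol:Response",
              "Assertion"):
        print(f"{v!r:50} -> {matching_ids(SAMPLE, 'ID', v)}")
```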
