For my purposes it is to provide tests for Perl's XML::Sig. I have seen several XML files where the Assertion and Response are both signed. I added the ability to sign multiple parts of the XML in a recent release and I want to ensure that I have tests that are reproducible to sign and verify XML files between xmlsec and XML::Sig.
It seems everyone has a standard that they ignore ...

Tim

On Wed, Dec 9, 2020 at 2:39 PM Andrew King <[email protected]> wrote:
> Just out of curiosity... WRT SAML, why would you sign both the Assertion
> and the Response?
>
> Andy King
> Technical Product Manager
> Ping Identity <https://www.pingidentity.com/>
>
> On Wed, Dec 9, 2020 at 11:24 AM Timothy Legge <[email protected]> wrote:
>> ... I should have noticed that I am dealing with Perl's XML::LibXML
>> where I can register the namespace and use the shortcut.
>>
>> Thanks for pointing out the error
>>
>> Tim
>>
>> On Wed, Dec 9, 2020 at 1:06 PM Aleksey Sanin <[email protected]> wrote:
>>> --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
>>>
>>> samlp is not the namespace uri
>>>
>>> Aleksey
>>>
>>> On 12/8/20 5:38 PM, Timothy Legge wrote:
>>>> Hi
>>>>
>>>> I have https://pastebin.com/v0PJwQri that I signed as follows:
>>>>
>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
>>>> "Assertion" t/unsigned/xml-sig-unsigned-dsa-multiple-1.xml >
>>>> t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml
>>>>
>>>> which resulted in
>>>>
>>>> https://pastebin.com/8qhDhjU9 (t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml)
>>>>
>>>> I added the second signature section to make
>>>> t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>>>>
>>>> https://pastebin.com/rmfuUtvB
>>>>
>>>> The goal is to sign the saml:Response with ID="identifier_1" (which
>>>> has the first signature embedded in the saml:Assertion with
>>>> ID="identifier_2")
>>>>
>>>> I have tried multiple options:
>>>>
>>>> Most of which result in the following, which seems to be looking at
>>>> identifier_2 for some reason (it was already signed above)
>>>>
>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
>>>> t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>>>>
>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
>>>> samlp:Response --node-xpath "/samlp:Response[@ID='identifier_1']"
>>>> t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
>>>>
>>>> func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('identifier_2')); xml error: 0: NULL
>>>> func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
>>>> func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed:
>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
>>>> Error: signature failed
>>>> Error: failed to sign file "t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml"
>>>>
>>>> I am sure it is something obvious. Any ideas?
>>>>
>>>> Tim
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
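The two points the thread turns on, that `--id-attr` takes the element's namespace URI rather than its prefix, and that a doubly signed SAML Response has to be signed inner-first (the Response digest covers the Assertion's already-computed `SignatureValue`), can be checked without xmlsec at all. The following is an added example, not code from XML::Sig, xmlsec or any poster; it uses only the Python standard library. The SAML document is a constructed stand-in for the pastebin files (same IDs, empty signature templates); `register_ids` imitates the `[<node-namespace-uri>:]<node-name>` registration Aleksey quotes, so it is an approximation of xmlsec's behaviour, not its implementation. The SAML 2.0 namespace URIs are the real ones.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the thread's ...-multiple-3.xml: a Response with
# ID="identifier_1" and a nested Assertion with ID="identifier_2", each carrying
# an enveloped-signature template whose SignatureValue is still empty.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  xmlns:ds="{DSIG}" ID="identifier_1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#identifier_1">
        <ds:Transforms>
          <ds:Transform Algorithm="{DSIG}enveloped-signature"/>
        </ds:Transforms>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
  </ds:Signature>
  <saml:Assertion ID="identifier_2" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#identifier_2">
          <ds:Transforms>
            <ds:Transform Algorithm="{DSIG}enveloped-signature"/>
          </ds:Transforms>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue/>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def local_name(tag):
    return tag.rsplit("}", 1)[-1]


def register_ids(root, id_attrs):
    """Approximation of xmlsec1's --id-attr[:<attr>] [<ns-uri>:]<name>: an
    attribute counts as an ID only on elements whose namespace URI and local
    name were registered (ns None = any namespace). Registering a prefix such
    as 'samlp' where the URI belongs matches nothing, so '#identifier_1' can
    never be resolved afterwards."""
    table = {}
    for ns, name, attr in id_attrs:
        for el in root.iter():
            if local_name(el.tag) != name:
                continue
            if ns is not None and el.tag != f"{{{ns}}}{name}":
                continue
            val = el.get(attr)
            if val is None:
                continue
            if val in table and table[val] is not el:
                raise ValueError(f"duplicate ID value {val!r}")
            table[val] = el
    return table


def signatures(root):
    """(Signature element, its parent, first Reference URI) for each ds:Signature."""
    parent_of = {child: p for p in root.iter() for child in p}
    out = []
    for sig in root.iter(f"{{{DSIG}}}Signature"):
        ref = sig.find(f"{{{DSIG}}}SignedInfo/{{{DSIG}}}Reference")
        out.append((sig, parent_of.get(sig), ref.get("URI", "") if ref is not None else ""))
    return out


def resolve(xml_text, id_attrs):
    """Map each Reference URI to the local name of the element it selects (None
    when the ID was not registered) and flag whether the signature is really
    enveloped, i.e. the referenced element is the Signature's own parent. A
    verifier that skips that parent check is open to signature wrapping."""
    root = ET.fromstring(xml_text)
    ids = register_ids(root, id_attrs)
    result = {}
    for sig, parent, uri in signatures(root):
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        result[uri] = {
            "target": local_name(target.tag) if target is not None else None,
            "enveloped": target is not None and target is parent,
        }
    return result


def signing_order(xml_text, id_attrs):
    """Reference URIs in the order the signatures must be produced: a signature
    whose referenced subtree contains another Signature is ranked after it,
    because its digest covers that inner SignatureValue."""
    root = ET.fromstring(xml_text)
    ids = register_ids(root, id_attrs)
    sigs = signatures(root)
    ranked = []
    for sig, _parent, uri in sigs:
        target = ids.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            raise ValueError(f"unresolvable reference {uri!r}; check --id-attr")
        inner = sum(1 for other, _, _ in sigs if other is not sig and other in target.iter())
        ranked.append((inner, uri))
    return [uri for _, uri in sorted(ranked)]


if __name__ == "__main__":
    both = [(SAMLP, "Response", "ID"), (SAML, "Assertion", "ID")]
    print(resolve(SAMPLE, [("samlp", "Response", "ID")]))  # prefix, not URI: nothing resolves
    print(resolve(SAMPLE, both))
    print(signing_order(SAMPLE, both))
```

`signing_order` returns `#identifier_2` before `#identifier_1`, which is the sequence Tim used (Assertion first, then Response). With the prefix form `samlp:Response` every `target` comes back `None`, the same situation the `xpointer(id(...))` failure above reports in xmlsec's own terms.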
