[xmlsec] Verify document with multiple signatures

Aleksey Sanin aleksey at aleksey.com
Sat Jan 7 18:44:17 PST 2012


You can definitely do it with the library itself. The xmlsec
command line tool is somewhat limited. You can try to use
the --node-xpath option though.

Aleksey

On 1/7/12 6:39 PM, Leonardo Herrera wrote:
> Hello,
>
> I'm trying to verify a document that contains multiple signatures; I
> cannot modify the structure of the document.
>
> Searching through the archives, I found the following response from
> Aleksey regarding this very same problem (this format is used for
> electronic invoicing in Chile):
>
>> The xmlsec1 utility tries to find the ds:Signature element
>> in the sub-tree specified by --node-id or --node-name
>> parameter. The document you have looks as follows (irrelevant
>> pieces are removed):
>>
>> <EnvioDTE>
>> 	<SetDTE ID="DTE1272374641984">
>> 	 	<DTE>
>> 			<Documento ID="F185T33">
>> 			</Documento>
>> 			<ds:Signature>
>> 			</ds:Signature>
>> 		</DTE>
>> 	</SetDTE>
>> 	<ds:Signature>
>> 	</ds:Signature>
>> </EnvioDTE>
>>
>> I am not exactly sure why the first command verified something
>> (I would expect it to do nothing since there are no signature nodes
>> in the subtree). But the second command correctly finds the
>> first signature element in the subtree specified by the --node-id
>> or --node-name parameter (BTW, you just need one parameter :) ).
>>
>> For documents with multiple signatures, I strongly recommend
>> putting an ID attribute directly into the <ds:Signature> node. This
>> way you can easily specify the right signature node to sign or verify.
>>
>> Regarding the error about xpointer(), please read section 3.4
>> from the FAQ
>>
>> http://www.aleksey.com/xmlsec/faq.html
>>
>> Aleksey
>
> From what Aleksey wrote, it appears that xmlsec cannot verify the
> signature directly under SetDTE because it will find the one under
> DTE first. Is it possible to ignore the first signature and make
> xmlsec read the second one when verifying? I'm currently using
>
> 	xmlsec --verify \
> 	--id-attr:ID http://www.sii.cl/SiiDte:SetDTE \
> 	dte_set.xml
>
> Regards,
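
Added example, not part of the thread and not xmlsec code: a standard-library Python helper that lists every ds:Signature in a document of this shape, records which ID each one's Reference covers, and builds a namespace-independent XPath for the one signature over a chosen ID. The sample document, its Reference URIs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample with the layout quoted in the thread; Reference URIs are assumed.
SAMPLE = """<EnvioDTE xmlns="http://www.sii.cl/SiiDte" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SetDTE ID="DTE1272374641984">
    <DTE>
      <Documento ID="F185T33"/>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#F185T33"/></ds:SignedInfo></ds:Signature>
    </DTE>
  </SetDTE>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#DTE1272374641984"/></ds:SignedInfo></ds:Signature>
</EnvioDTE>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def signature_map(xml_text):
    """List (xpath, [Reference URIs]) for every ds:Signature, in document order."""
    found = []

    def walk(node, path):
        if node.tag == DS + "Signature":
            found.append((path, [r.get("URI", "") for r in node.iter(DS + "Reference")]))
            return  # signatures nested inside ds:Object are not listed
        seen = {}
        for child in node:
            name = local(child.tag)
            seen[name] = seen.get(name, 0) + 1
            walk(child, f"{path}/*[local-name()='{name}'][{seen[name]}]")

    root = ET.fromstring(xml_text)
    walk(root, f"/*[local-name()='{local(root.tag)}']")
    return found


def xpath_for_id(xml_text, target_id):
    """XPath of the one signature whose Reference covers target_id; fail closed otherwise."""
    hits = [p for p, refs in signature_map(xml_text) if "#" + target_id in refs]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one signature over {target_id!r}, got {len(hits)}")
    return hits[0]


if __name__ == "__main__":
    print(xpath_for_id(SAMPLE, "DTE1272374641984"))
```

The printed path is the kind of expression to try with the --node-xpath option mentioned in the reply, and the map makes it explicit which element each verified signature actually covers.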

