[xmlsec] Verifying signature for enveloped signature with multiple signatures
Magnus R
magnus_qwerty at hotmail.com
Wed Dec 19 02:25:09 PST 2012
Thanks a lot Aleksey, now I got the command line verification to work as expected.
The solution was to use several --id-attr parameters to xmlsec1.
This is the command line I used:
xmlsec1 --verify --id-attr:ID 'http://www.mycompany.com/myapp:Routing' --id-attr:ID 'http://www.w3.org/2001/12/soap-envelope:Body' signedmod.xml
The command invocation adds the IDs for both the "Routing" and the "Body" tag.
When called with the XML I provided below, xmlsec1 will correctly come to the conclusion that the signature of that document does not match - since I have modified it.
This is the output I get:
=============================
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
FAIL
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "signedmod.xml"
=============================
When used with a document with a signature that does match I get:
=============================
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
=============================
Now the command line is up and running, so then I should be able to do the same in code using xmlAddID().
Many thanks.
Regards
/Magnus
> Date: Tue, 18 Dec 2012 08:10:54 -0800
> From: aleksey at aleksey.com
> To: magnus_qwerty at hotmail.com
> CC: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Verifying signature for enveloped signature with multiple signatures
>
> Section 3.2 in the FAQ
>
> http://www.aleksey.com/xmlsec/faq.html
>
> Aleksey
>
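Added example, not part of the original post and not xmlsec code: a Python standard-library model of what the two --id-attr:ID options register, showing that a same-document Reference URI resolves only for elements whose ID attribute was declared, and that duplicate ID values are rejected. The sample envelope, its layout and the ID values are constructed assumptions; no digest or signature is computed.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# The same (namespace, element) -> ID attribute pairs as the --id-attr:ID options.
ID_ATTRS = {
    ("http://www.mycompany.com/myapp", "Routing"): "ID",
    ("http://www.w3.org/2001/12/soap-envelope", "Body"): "ID",
}
# Constructed sample: layout and ID values are assumptions, not the poster's file.
SAMPLE = """<env:Envelope xmlns:env="http://www.w3.org/2001/12/soap-envelope"
    xmlns:app="http://www.mycompany.com/myapp"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <env:Header>
    <app:Routing ID="routing-1"/>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#routing-1"/><ds:Reference URI="#body-1"/>
    </ds:SignedInfo></ds:Signature>
  </env:Header>
  <env:Body ID="body-1"/>
</env:Envelope>"""

def register_ids(root, id_attrs):
    """Map ID value -> element, but only for the declared element/attribute pairs."""
    ids = {}
    for el in root.iter():
        tag = el.tag
        ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
        attr = id_attrs.get((ns, local))
        value = el.get(attr) if attr else None
        if value is None:
            continue
        if value in ids:
            # Two elements sharing one ID make the signed target ambiguous.
            raise ValueError(f"duplicate ID value {value!r}")
        ids[value] = el
    return ids

def resolve_references(xml_text, id_attrs=ID_ATTRS):
    """Return {URI: resolved?} for every same-document ds:Reference."""
    root = ET.fromstring(xml_text)
    ids = register_ids(root, id_attrs)
    uris = [r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")]
    return {u: u[1:] in ids for u in uris if u.startswith("#")}

if __name__ == "__main__":
    print(resolve_references(SAMPLE))
```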