<div dir="ltr">For my purposes it is to provide tests for Perl's XML::Sig. I have seen several XML files where the Assertion and Response are both signed. I added the ability to sign multiple parts of the XML in a recent release and I want to ensure that I have tests that are reproducible to sign and verify XML files between xmlsec and XML::Sig.<div><br></div><div>It seems everyone has a standard that they ignore ...<div><br></div><div>Tim</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 9, 2020 at 2:39 PM Andrew King <<a href="mailto:aking@pingidentity.com">aking@pingidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Just out of curiosity... WRT SAML, why would you sign both the Assertion and the Response? <div><br clear="all"><div><div dir="ltr"><div dir="ltr">Andy King, Technical Product Manager, Ping Identity</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 9, 2020 at 11:24 AM Timothy 
Legge <<a href="mailto:timlegge@gmail.com" target="_blank">timlegge@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">...  I should have noticed that I am dealing with Perl's XML::libXML<br>
where I can register the namespace and use the shortcut .<br>
<br>
Thanks for pointing out the error<br>
<br>
Tim<br>
<br>
On Wed, Dec 9, 2020 at 1:06 PM Aleksey Sanin <<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>> wrote:<br>
><br>
><br>
> --id-attr[:&lt;attr-name&gt;] [&lt;node-namespace-uri&gt;:]&lt;node-name&gt;<br>
><br>
> samlp is not the namespace uri<br>
><br>
> Aleksey<br>
><br>
> On 12/8/20 5:38 PM, Timothy Legge wrote:<br>
> > Hi<br>
> ><br>
> > I have <a href="https://pastebin.com/v0PJwQri" rel="noreferrer" target="_blank">https://pastebin.com/v0PJwQri</a> that I signed as follows:<br>
> ><br>
> > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID<br>
> > "Assertion" t/unsigned/xml-sig-unsigned-dsa-multiple-1.xml ><br>
> > t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml<br>
> ><br>
> > which resulted in<br>
> ><br>
> > <a href="https://pastebin.com/8qhDhjU9" rel="noreferrer" target="_blank">https://pastebin.com/8qhDhjU9</a>  (t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml)<br>
> ><br>
> > I added the second signature section to make<br>
> > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml<br>
> ><br>
> > <a href="https://pastebin.com/rmfuUtvB" rel="noreferrer" target="_blank">https://pastebin.com/rmfuUtvB</a><br>
> ><br>
> > The goal is to sign the saml:Response with ID="identifier_1" (which<br>
> > has the first signature embedded in the saml:Assertion with<br>
> > ID="identifier_2")<br>
> ><br>
> > I have tried multiple options:<br>
> ><br>
> > Most of which result in the following, which seems to be looking at<br>
> > identifier_2 for some reason (it was already signed above)<br>
> ><br>
> > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"<br>
> > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml<br>
> ><br>
> > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID<br>
> > samlp:Response --node-xpath "/samlp:Response[@ID='identifier_1']"<br>
> > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml<br>
> ><br>
> ><br>
> > func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2<br>
> > library function failed:expr=xpointer(id('identifier_2')); xml error:<br>
> > 0: NULL<br>
> > func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec<br>
> > library function failed:<br>
> > func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec<br>
> > library function failed:<br>
> > Error: signature failed<br>
> > Error: failed to sign file "t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml"<br>
> ><br>
> > I am sure it is something obvious.  Any ideas?<br>
> ><br>
> > Tim<br>
> > _______________________________________________<br>
> > xmlsec mailing list<br>
> > <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
> > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" rel="noreferrer" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
> ><br>
</blockquote></div>

</blockquote></div>
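As an added example (not code from the thread, from xmlsec or from XML::Sig), the Python below mimics xmlsec's <code>--id-attr</code> registration, which keys on the namespace URI rather than the <code>samlp</code>/<code>saml</code> prefix, and then checks that each <code>ds:Signature</code>'s Reference resolves to its own enclosing element, the binding a SAML verifier has to enforce before trusting either signature. It does no cryptographic verification; the sample document and the <code>(attr, namespace_uri, local_name)</code> registration tuples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Real SAML 2.0 and XMLDSig namespace URIs; xmlsec's --id-attr wants these,
# not the "samlp"/"saml" prefixes used in the document.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the thread's layout: Response identifier_1
# wraps Assertion identifier_2, each carrying its own ds:Signature.
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="identifier_1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#identifier_1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="identifier_2">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#identifier_2"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def build_id_index(root, id_attrs):
    """Mimic xmlsec's --id-attr: id_attrs is a list of (attr, namespace_uri,
    local_name); only elements whose {namespace_uri}local_name matches get
    that attribute registered as an ID.  A prefix in place of the URI
    matches nothing, which is the thread's mistake."""
    index = {}
    for attr, ns, local in id_attrs:
        for el in root.iter(f"{{{ns}}}{local}"):
            value = el.get(attr)
            if value is not None:
                index.setdefault(value, el)  # first occurrence wins
    return index


def check_signature_bindings(xml_text, id_attrs):
    """For each ds:Signature in document order, resolve its Reference URI via
    the ID index and require it to be the Signature's own parent element.
    Returns [(parent_local_name, uri, status)], status being 'ok',
    'unresolved' (what xpointer(id('...')) failed on) or 'mismatch'."""
    root = ET.fromstring(xml_text)
    index = build_id_index(root, id_attrs)
    parent_of = {child: p for p in root.iter() for child in p}
    results = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        parent = parent_of[sig]
        uri = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference").get("URI", "")
        target = index.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            status = "unresolved"
        elif target is not parent:
            status = "mismatch"   # reference escapes the signed parent
        else:
            status = "ok"
        results.append((parent.tag.split("}")[-1], uri, status))
    return results
```

Registering by prefix resolves nothing, and registering only the Response leaves <code>#identifier_2</code> unresolved, the same id named in the thread's xpointer error.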