[xmlsec] Re: x509
aleksey at aleksey.com
Mon May 20 12:57:50 PDT 2002
>- I think it isn't required that the key value (DSAKeyValue, RSAKeyValue) appear in the signed XML file, but I would like it to appear. How can I do this?
Put the <KeyValue> node in the template or add it dynamically. The correct
sub-nodes for your key will be added automatically.
>- In the XML file, must the x509Data of the CA appear?
Not sure I understand your question. You can put the X509 cert in the
XML keys file and then it'll be loaded with the key. For example, the
following command will create a new XML keys file with an RSA key and
a certificate that signs this key:
xmlsec keys --privkey:test-rsa
Later you can have something like this in the template to put the
certificate in the signature:
>- I will sign an XML file with two signatures. I must add a new Signature node and identify it with an Id attribute. Is this correct?
>How do I do this?
I suspect that the real question is: how to sign the same file using two
keys. I am not sure why you will need this but you are right, you need
to put two <Signature> nodes in the file. However, there is a problem:
you must correctly
so the Reference from <Signature> node 1 will not include <Signature>
node 2 and vice versa (otherwise you'll have problems with the order of
calculation). The
to do it is to use an XPath expression to sign everything but Signature
nodes. There is a new XPath filter2 transform which can easily do this:
<XPath Filter="subtract" xmlns="http://www.w3.org/2002/04/xmldsig-xfilter2" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
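The ordering problem described in the reply above, as an added example that is not part of the original post and is not xmlsec code: it models the "subtract" filter by pruning every ds:Signature subtree before digesting, and shows that the digest then does not depend on whether the other signature is present. Assumptions: Python's built-in C14N 2.0 and SHA-256 stand in for real signature processing, and the sample documents and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SIG_TAG = "{%s}Signature" % DS_NS

def strip_signatures(elem):
    """Remove every ds:Signature subtree below elem, keeping the text around it."""
    prev = None
    for child in list(elem):
        if child.tag == SIG_TAG:
            # Text that follows the removed element stays in the node-set.
            tail = child.tail or ""
            if prev is None:
                elem.text = (elem.text or "") + tail
            else:
                prev.tail = (prev.tail or "") + tail
            elem.remove(child)
        else:
            strip_signatures(child)
            prev = child

def digest_subtracting_signatures(xml_text):
    """Digest of the document minus all Signature nodes (models Filter="subtract")."""
    root = ET.fromstring(xml_text)
    strip_signatures(root)
    canonical = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def digest_whole_document(xml_text):
    """Digest of the whole document, other Signature nodes included."""
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()

# Constructed sample documents (empty Signature elements as placeholders).
SIG1 = '<ds:Signature xmlns:ds="%s" Id="sig1"/>' % DS_NS
SIG2 = '<ds:Signature xmlns:ds="%s" Id="sig2"/>' % DS_NS
DOC = "<doc><item>payload</item>%s</doc>"
ONE_SIG = DOC % SIG1
TWO_SIGS = DOC % (SIG1 + SIG2)
TWO_SIGS_INDENTED = DOC % (SIG1 + "\n  " + SIG2)

if __name__ == "__main__":
    # Same digest before and after the second signature is added.
    print(digest_subtracting_signatures(ONE_SIG) == digest_subtracting_signatures(TWO_SIGS))
    # Without the subtraction, adding signature 2 invalidates signature 1.
    print(digest_whole_document(ONE_SIG) == digest_whole_document(TWO_SIGS))
    # Whitespace inserted next to the new Signature node is still signed content.
    print(digest_subtracting_signatures(TWO_SIGS) == digest_subtracting_signatures(TWO_SIGS_INDENTED))
```

The last comparison is the caveat to watch for in practice: only the Signature subtrees are subtracted, so any whitespace added around the second node changes what the first signature covers.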