[xmlsec] signing failure with 0.0.13 that work with 0.0.10
Aleksey Sanin
aleksey at aleksey.com
Tue Mar 18 16:25:38 PST 2003
Hi, Ferrel!
The error you have says that instead of expected <dsig:Signature> node
in the xmlSecDSigGenerate() function you've got something else. Using
"testXPath" utility from LibXML package I can confirm that:
[aleksey at lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact[1]"
Object is a Node Set :
Set contains 1 nodes:
1 ELEMENT Contact
ATTRIBUTE Id
TEXT
content=f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a
As you can see, you have selected a wrong "start node" (Contact instead of
<dsig:Signature>). Simple changing the xpath expression helps:
[aleksey at lsh ferrel]$ ./testXPath --input test-signed.xml "//Contact/*[6]"
Object is a Node Set :
Set contains 1 nodes:
1 ELEMENT sig:Signature
namespace sig href=http://www.w3.org/2000/09/xmldsig#
[aleksey at lsh ferrel]$ xmlsec sign --node-xpath '//Contact/*[6]'
--privkey rsakey.pem
test-signed.xml
<?xml version="1.0" encoding="UTF-8"?>
<Keys Source="Atlanta"><!-- generated TestKey keygen
--><Contacts><Contact Id="f6b1af52-0ba8-11d7-87ec-c3c034e4ae6a">
....
From my point of view, your original XPath expression to select
<dsig:Signature> node
is incorrect and I am not sure that I understand how it used to work.
May be there was
a bug in LibXML and you got it fixed with new LibXML version.
With best regards,
Aleksey
More information about the xmlsec
mailing list