[xmlsec] Applying Multiple Signatures

Thomas Jones securebuddha at gmail.com
Thu Feb 16 23:35:19 PST 2006

On 2/17/06, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > The First signature is applied without problem. However, upon applying
> > a second signature I can only reapply over the first again. I am
> > attempting to utilize the following command sequence for the second
> > attempt:
> > xmlsec1 --sign --id-attr:Id Signature --node-id Second --privkey-pem
> > rsakey.pem document-template.xml
> $ man xmlsec1
> ...
> --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
> adds attributes <attr-name> (default value "id") from all nodes
> with <node-name> and namespace <node-namespace-uri> to the list of known
> ID attributes; this is a hack and if you can use DTD or schema to
> declare ID attributes instead (see "--dtd-file" option), I don't know
> what else might be broken in your application when you use this hack.
> Thus I would try something like
> $ xmlsec1 --sign
>    --id-attr:Id http://www.w3.org/2000/09/xmldsig#:Signature
>    --node-id Second
>    --privkey-pem rsakey.pem
>    document-template.xml
> Aleksey
That produced an error as such:

library function
library function failed:
library function failed:
library function failed:
library function failed:transform=xpointer
library function failed:
library function failed:
library function failed:node=Reference
library function failed:
library function failed:

I went ahead and altered the XML Digital Signature Standard schema
file, xmldsig-core-schema.xsd, to allow the "xml:id"
namespace-attribute pairing, and the second signature is correctly
signed via the following command sequence:
xmlsec1 --sign --node-id Second --privkey-pem rsakey.pem document-template.xml

However, there seems to be some issue with the Manifest's
identification attribute when utilizing id-attr on the command-line.
Which way should I go with this one? I can write a redeclaration of
the DSS schema for my specification; but it doesn't fix the problem
for others.

Thanks again,
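
A pre-flight check for the ID registration discussed in this thread, added here as an example; it is not code from either poster or from xmlsec. It models the --id-attr semantics quoted from the man page in Python. The sample template, the function names, and the assumption that same-document references resolve only against registered IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample template: two Signature elements, each with its own Id.
TEMPLATE = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Data Id="payload">hello</Data>
  <ds:Signature Id="First"><ds:SignedInfo>
    <ds:Reference URI="#payload"/></ds:SignedInfo></ds:Signature>
  <ds:Signature Id="Second"><ds:SignedInfo>
    <ds:Reference URI="#First"/></ds:SignedInfo></ds:Signature>
</Envelope>"""

def id_index(root, attr, ns_uri, node_name):
    """Map ID value -> elements, treating `attr` as an ID only on nodes
    named node_name in namespace ns_uri (None means no namespace)."""
    tag = f"{{{ns_uri}}}{node_name}" if ns_uri else node_name
    index = {}
    for el in root.iter(tag):
        value = el.get(attr)
        if value is not None:
            index.setdefault(value, []).append(el)
    return index

def check_template(xml_text, attr, ns_uri, node_name, node_id):
    """Return a list of problems a signer would hit with this registration."""
    root = ET.fromstring(xml_text)
    index = id_index(root, attr, ns_uri, node_name)
    problems = []
    hits = index.get(node_id, [])
    if len(hits) != 1:
        problems.append(f"--node-id {node_id}: {len(hits)} matching nodes")
    for value, els in index.items():
        if len(els) > 1:
            problems.append(f"duplicate ID {value!r}")
    # Assumption: "#x" references resolve only against registered IDs.
    for ref in root.iter(f"{{{DSIG_NS}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#") and uri[1:] not in index:
            problems.append(f"Reference {uri} targets an unregistered ID")
    return problems

if __name__ == "__main__":
    for ns in (None, DSIG_NS):
        print(ns, check_template(TEMPLATE, "Id", ns, "Signature", "Second"))
```

Registering Id on Signature alone leaves the Id on other elements (here the constructed Data node) unregistered, and a duplicated Id makes the signed target ambiguous, so both are reported before signing.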
