[xmlsec] Applying Multiple Signatures

Thomas Jones securebuddha at gmail.com
Thu Feb 16 23:35:19 PST 2006


On 2/17/06, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > The First signature is applied without problem. However, upon applying
> > a second signature I can only reapply over the first again. I am
> > attempting to utilize the following command sequence for the second
> > attempt:
> > xmlsec1 --sign --id-attr:Id Signature --node-id Second --privkey-pem
> > rsakey.pem document-template.xml
>
> $ man xmlsec1
> ...
>
> --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
>
> adds attributes <attr-name> (default value "id") from all nodes
> with<node-name> and namespace <node-namespace-uri> to the list of known
> ID attributes; this is a hack and if you can use DTD or schema to
> declare ID attributes instead (see "--dtd-file" option), I don't know
> what else might be broken in your application when you use this hack.
>
>
> Thus I would try something like
> $ xmlsec1 --sign
>    --id-attr:Id http://www.w3.org/2000/09/xmldsig#:Signature
>    --node-id Second
>    --privkey-pem rsakey.pem
>    document-template.xml
>
> Aleksey
>
That produced an error as such:

func=xmlSecXPathDataExecute:file=xpath.c:line=273:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('xsdlIsecomOsstmmLcTemplateManifest'))
func=xmlSecXPathDataListExecute:file=xpath.c:line=356:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformXPathExecute:file=xpath.c:line=466:obj=xpointer:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2371:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1207:obj=unknown:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:transform=xpointer
func=xmlSecTransformCtxExecute:file=transforms.c:line=1267:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1568:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignedInfoNode:file=xmldsig.c:line=804:obj=unknown:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:node=Reference
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=547:obj=unknown:subj=xmlSecDSigCtxProcessSignedInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

I went ahead and altered the XML Digital Signature Standard schema
file, xmldsig-core-schema.xsd, to allow the "xml:id"
namespace-attribute pairing, and the second signature is correctly
signed via the following command sequence:
xmlsec1 --sign --node-id Second --privkey-pem rsakey.pem document-template.xml.

However, there seems to be some issue with the Manifest's
identification attribute when utilizing id-attr on the command-line.
Which way should I go with this one? I can write a redeclaration of
the DSS schema for my specification; but it doesn't fix the problem
for others.

Thanks again,
Thomas
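As an added illustration, not code from this thread or from xmlsec itself, the following Python script models with the standard-library minidom why an `xpointer(id('...'))` lookup can fail after `--id-attr:Id Signature` alone: that option declares `Id` as an ID attribute on Signature nodes only, so a Reference that points at a Manifest by the Manifest's own `Id` attribute resolves only once that attribute is registered as an ID too. The document, the `ds:` prefix and the Id values are constructed for the example.

```python
"""Model of ID-attribute registration for same-document references."""
import xml.dom.minidom as minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample, not the template from the thread: two detached
# ds:Signature elements plus a ds:Manifest referenced by its Id.
TEMPLATE = """<?xml version="1.0"?>
<Document xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body>payload</Body>
  <ds:Signature Id="First"><ds:SignedInfo/></ds:Signature>
  <ds:Signature Id="Second">
    <ds:SignedInfo><ds:Reference URI="#ManifestA"/></ds:SignedInfo>
    <ds:Object>
      <ds:Manifest Id="ManifestA"><ds:Reference URI="#First"/></ds:Manifest>
    </ds:Object>
  </ds:Signature>
</Document>
"""


def register_id_attr(doc, attr_name, local_name, ns=DSIG_NS):
    """Analogue of --id-attr:<attr> <ns>:<node>: mark <attr> as an ID
    attribute on every <node> element that carries it. Returns count."""
    count = 0
    for el in doc.getElementsByTagNameNS(ns, local_name):
        if el.hasAttribute(attr_name):
            el.setIdAttribute(attr_name)  # minidom's explicit ID typing
            count += 1
    return count


def resolve(doc, uri):
    """Resolve a same-document '#id' URI the way id('id') would."""
    el = doc.getElementById(uri.lstrip("#"))
    return None if el is None else el.tagName


def demo():
    doc = minidom.parseString(TEMPLATE)
    results = {}
    results["before"] = resolve(doc, "#Second")              # nothing is an ID yet
    results["signatures"] = register_id_attr(doc, "Id", "Signature")
    results["signature_only"] = resolve(doc, "#Second")      # Signature now found
    results["manifest_unregistered"] = resolve(doc, "#ManifestA")  # still unknown
    register_id_attr(doc, "Id", "Manifest")                  # register Manifest too
    results["manifest_registered"] = resolve(doc, "#ManifestA")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```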

