[xmlsec] Verify document with multiple signatures

Leonardo Herrera leonardo.herrera at gmail.com
Sat Jan 7 18:39:36 PST 2012


I'm trying to verify a document that contains multiple signatures; I
cannot modify the structure of the document.

Searching through the archives, I found the following response from
Aleksey regarding this very same problem (this format is used for
electronic invoicing in Chile):

> The xmlsec1 utility tries to find the ds:Signature element
> in the sub-tree specified by --node-id or --node-name
> parameter. The document you have looks as follows (irrelevant
> pieces are removed):
> <EnvioDTE>
> 	<SetDTE ID="DTE1272374641984">
> 	 	<DTE>
> 			<Documento ID="F185T33">
> 			</Document>
> 			<ds:Signature>
> 			</ds:SignedInfo>
> 		</DTE>
> 	</SetDTE>
> 	<ds:Signature>
> 	</ds:Signature>
> </EnvioDTE>
> I am not exactly sure why the first command verified something
> (I would expect it to do nothing since there are no signature nodes
> in the subtree). But the second command correctly finds the
> first signature element in the subtree specified by the --node-id
> or --node-name parameter (BTW, you just need one parameter :) ).
> For documents with multiple signatures, I strongly recommend to
> put ID attribute directly into <ds:Signature> node. This way you
> can easily specify the right signature node to sign or verify.
> Regarding the error about xpointer(), please read section 3.4
> from FAQ
> http://www.aleksey.com/xmlsec/faq.html
> Aleksey

>From what Aleksey wrote, it appears that xmlsec cannot verify the
signature directly under SetDTE because it will find the one under
DTE first. Is possible to ignore the first signature and make
xmlsec read the second one when verifying? I'm currently using

	xmlsec --verify \
	--id-attr:ID http://www.sii.cl/SiiDte:SetDTE \

Leonardo Herrera

More information about the xmlsec mailing list