[xmlsec] Verifying signature for enveloped signature with multiple signatures

Magnus R magnus_qwerty at hotmail.com
Wed Dec 19 02:25:09 PST 2012

Thanks a lot Aleksey, now I got the command line verification to work as excpected.

The solution was to use several --id-attr parameters to xmlsec1.

This is the command line I used:
xmlsec1 --verify --id-attr:ID 'http://www.mycompany.com/myapp:Routing' --id-attr:ID 'http://www.w3.org/2001/12/soap-envelope:Body' signedmod.xml

The command invocation adds the ID:s for both the "Routing" and the "Body" tag.

When called with the XML I provided below, xmlsec1 will correctly come to the conclusion that the signature of that document does not match - since I have modified it.

This is the output I get:
func=xmlSecOpenSSLEvpDigestVerify:file=digests.c:line=229:obj=sha1:subj=unknown:error=12:invalid data:data and digest do not match
SignedInfo References (ok/all): 0/1
Manifests References (ok/all): 0/0
Error: failed to verify file "signedmod.xml"

When used with a document with a signature that does match I get:

SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

Now the command line is up and running, so then I should be able to do the same in code using xmlAddID().

Many thanks.


> Date: Tue, 18 Dec 2012 08:10:54 -0800
> From: aleksey at aleksey.com
> To: magnus_qwerty at hotmail.com
> CC: xmlsec at aleksey.com
> Subject: Re: [xmlsec] Verifying signature for enveloped signature with multiple signatures
> Section 3.2 in the FAQ
> http://www.aleksey.com/xmlsec/faq.html
> Aleksey

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20121219/511d8b04/attachment.html>

More information about the xmlsec mailing list