[xmlsec] Attempting to sign with DSA key

Timothy Legge timlegge at gmail.com
Mon Dec 7 10:02:54 PST 2020


Some background.  I have been updating the perl module XML::Sig and
one of the things I added was the ability to sign any XML nodes that
have ID as an attribute.

I use xmlsec1 as a test case to ensure that my resulting documents can
be validated with xmlsec1 (and vice-versa that XML::Sig can validate
documents signed by xmlsec).

So in this case I wanted a DSA signed XML that has both the
samlp:Response ID=identifier_1" and <saml:Assertion ID="identifier_2"
signed by the same key

Essentially I wanted to see how xmlsec signs multiple parts of the
same XML file.

I notice the spec says that you can use multiple references in a
single signature but it appears the most applications sign the
documents twice,

In the case then, I would sign the XML once for identifier_2 with
xmlsec and then repeat for identifier_1 as it will need to sign the
embedded signature from the first signing.

I thought you might be able to use the two

--id-attr:ID "Response"
--id-attr:ID "Assertion"

at the same time to sign both sections in one pass.


On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> Not sure what do you mean. If you want to sign both signatures, then
> you need to run xmlsec1 tool twice with correct --node-id, --node-xpath,
> or --node-name params:
> https://www.aleksey.com/xmlsec/xmlsec-man.html
> Aleksey
> On 12/7/20 9:27 AM, Timothy Legge wrote:
> > Ah, it will not sign both nodes with an ID?
> >
> > On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >>
> >> I see two signatures in the document. By default xmlsec1 tool will sign
> >> the first signature it finds.
> >>
> >> Best,
> >>
> >> Aleksey
> >>
> >> On 12/5/20 7:22 PM, Timothy Legge wrote:
> >>> Hi
> >>>
> >>> I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:
> >>>
> >>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
> >>> --id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml
> >>>
> >>> It does not show any error messages however it does not sign the
> >>> output.  Any ideas what I am doing wrong?
> >>>
> >>> Tim
> >>> _______________________________________________
> >>> xmlsec mailing list
> >>> xmlsec at aleksey.com
> >>> http://www.aleksey.com/mailman/listinfo/xmlsec
> >>>

More information about the xmlsec mailing list