[xmlsec] Attempting to sign with DSA key

Aleksey Sanin aleksey at aleksey.com
Mon Dec 7 10:09:01 PST 2020

"--id-attr" just defines an ID attribute (like DTD or schema).


On 12/7/20 10:02 AM, Timothy Legge wrote:
> Hi
> Some background.  I have been updating the perl module XML::Sig and
> one of the things I added was the ability to sign any XML nodes that
> have ID as an attribute.
> I use xmlsec1 as a test case to ensure that my resulting documents can
> be validated with xmlsec1 (and vice-versa that XML::Sig can validate
> documents signed by xmlsec).
> So in this case I wanted a DSA signed XML that has both the
> samlp:Response ID=identifier_1" and <saml:Assertion ID="identifier_2"
> signed by the same key
> Essentially I wanted to see how xmlsec signs multiple parts of the
> same XML file.
> I notice the spec says that you can use multiple references in a
> single signature but it appears the most applications sign the
> documents twice,
> In the case then, I would sign the XML once for identifier_2 with
> xmlsec and then repeat for identifier_1 as it will need to sign the
> embedded signature from the first signing.
> I thought you might be able to use the two
> --id-attr:ID "Response"
> --id-attr:ID "Assertion"
> at the same time to sign both sections in one pass.
> TIm
> On Mon, Dec 7, 2020 at 1:33 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>> Not sure what do you mean. If you want to sign both signatures, then
>> you need to run xmlsec1 tool twice with correct --node-id, --node-xpath,
>> or --node-name params:
>> https://www.aleksey.com/xmlsec/xmlsec-man.html
>> Aleksey
>> On 12/7/20 9:27 AM, Timothy Legge wrote:
>>> Ah, it will not sign both nodes with an ID?
>>> On Mon, Dec 7, 2020 at 1:26 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>> I see two signatures in the document. By default xmlsec1 tool will sign
>>>> the first signature it finds.
>>>> Best,
>>>> Aleksey
>>>> On 12/5/20 7:22 PM, Timothy Legge wrote:
>>>>> Hi
>>>>> I am attempting to sign https://pastebin.com/36Nvqdpp with a dsa key:
>>>>> xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
>>>>> --id-attr:ID "Assertion" t/xml-sig-unsigned-dsa-multiple.xml
>>>>> It does not show any error messages however it does not sign the
>>>>> output.  Any ideas what I am doing wrong?
>>>>> Tim
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list