[xmlsec] Signing Second time with DSA key

Andrew King aking at pingidentity.com
Wed Dec 9 10:39:22 PST 2020


Just out of curiosity... WRT SAML, why would you sign both the Assertion
and the Response?

Andy King
Technical Product Manager


On Wed, Dec 9, 2020 at 11:24 AM Timothy Legge <timlegge at gmail.com> wrote:

> ...  I should have noticed that I am dealing with Perl's XML::LibXML
> where I can register the namespace and use the shortcut .
>
> Thanks for pointing out the error
>
> Tim
>
> On Wed, Dec 9, 2020 at 1:06 PM Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> >
> > --id-attr[:<attr-name>] [<node-namespace-uri>:]<node-name>
> >
> > samlp is not the namespace uri
> >
> > Aleksey
> >
> > On 12/8/20 5:38 PM, Timothy Legge wrote:
> > > Hi
> > >
> > > I have https://pastebin.com/v0PJwQri that I signed as follows:
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
> > > "Assertion" t/unsigned/xml-sig-unsigned-dsa-multiple-1.xml >
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml
> > >
> > > which resulted in
> > >
> > > https://pastebin.com/8qhDhjU9 (t/unsigned/xml-sig-unsigned-dsa-multiple-2.xml)
> > >
> > > I added the second signature section to make
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > > https://pastebin.com/rmfuUtvB
> > >
> > > The goal is to sign the saml:Response with ID="identifier_1" (which
> > > has the first signature embedded in the saml:Assertion with
> > > ID="identifier_2")
> > >
> > > I have tried multiple options:
> > >
> > > Most of which result in the following, which seems to be looking at
> > > identifier_2 for some reason (it was already signed above):
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID "Response"
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > > xmlsec1 --sign --privkey-pem t/dsa.private.key --id-attr:ID
> > > samlp:Response --node-xpath "/samlp:Response[@ID='identifier_1']"
> > > t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml
> > >
> > >
> > >
> > > func=xmlSecXPathDataExecute:file=xpath.c:line=246:obj=unknown:subj=xmlXPtrEval:error=5:libxml2 library function failed:expr=xpointer(id('identifier_2')); xml error: 0: NULL
> > > func=xmlSecXPathDataListExecute:file=xpath.c:line=330:obj=unknown:subj=xmlSecXPathDataExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformXPathExecute:file=xpath.c:line=430:obj=xpointer:subj=xmlSecXPathDataListExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformDefaultPushXml:file=transforms.c:line=2108:obj=xpointer:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:
> > > func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1044:obj=xpointer:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
> > > func=xmlSecTransformCtxExecute:file=transforms.c:line=1092:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
> > > func=xmlSecDSigReferenceCtxProcessNode:file=xmldsig.c:line=1408:obj=unknown:subj=xmlSecTransformCtxExecute:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxProcessReferences:file=xmldsig.c:line=752:obj=Reference:subj=xmlSecDSigReferenceCtxProcessNode:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=517:obj=unknown:subj=xmlSecDSigCtxProcessReferences:error=1:xmlsec library function failed:
> > > func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
> > > Error: signature failed
> > > Error: failed to sign file "t/unsigned/xml-sig-unsigned-dsa-multiple-3.xml"
> > >
> > > I am sure it is something obvious.  Any ideas?
> > >
> > > Tim
> > > _______________________________________________
> > > xmlsec mailing list
> > > xmlsec at aleksey.com
> > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > >
>
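Aleksey's point above (the part before the colon in `--id-attr` must be the namespace URI, not the `samlp` prefix), as an added example that is not from the thread or from the xmlsec project: a small Python model of how `--id-attr` registration decides which ID values `xpointer(id('...'))` can resolve, and which arguments to pass so both the Response and the nested Assertion are registered. It assumes the SAML 2.0 namespace URIs for the `samlp:` and `saml:` prefixes and a constructed two-element document standing in for the thread's multiple-3.xml.

```python
import xml.etree.ElementTree as ET

# Assumed SAML 2.0 namespace URIs behind the thread's samlp:/saml: prefixes.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the thread's document: a Response wrapping an Assertion,
# each carrying an ID attribute; Signature elements are omitted for brevity.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="identifier_1">
  <saml:Assertion ID="identifier_2"/>
</samlp:Response>"""


def _split_tag(tag):
    """ElementTree stores tags in Clark notation '{uri}local'; return (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag


def _registered(uri, local, registrations):
    # A registration with uri None is a bare node name; modelled here (assumption)
    # as matching the element in any namespace. A prefix such as "samlp" is just a
    # string that no element's namespace URI will ever equal, so it matches nothing.
    return any(local == reg_local and reg_uri in (None, uri)
               for reg_uri, reg_local in registrations)


def id_table(xml_text, registrations, attr="ID"):
    """Return {id_value: (uri, local)} for elements whose (namespace URI, local
    name) is registered, mirroring what --id-attr makes visible to id()."""
    table = {}
    for el in ET.fromstring(xml_text).iter():
        uri, local = _split_tag(el.tag)
        if _registered(uri, local, registrations) and attr in el.attrib:
            table[el.attrib[attr]] = (uri, local)
    return table


def resolve(table, ref):
    """Emulate the xpointer(id('ref')) lookup: None means the reference fails."""
    return table.get(ref)


def id_attr_args(registrations, attr="ID"):
    """Render xmlsec1 --id-attr options; the namespace part is the URI."""
    return [f"--id-attr:{attr} {uri}:{local}" if uri else f"--id-attr:{attr} {local}"
            for uri, local in registrations]
```

Registering only the Response leaves `identifier_2` unresolvable, which is the lookup the error output above reports; registering both elements by URI makes both IDs visible.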


