I would be grateful if someone could help me with this problem. I have a signed document which reports that it verifies OK, but also gives an error message: "unable to get local issuer certificate". The same thing happens both running from my own application and calling xmlsec from the command line:
xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>

This is the result:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

The verification seems to have been successful (indicated by "OK"), but clearly an error was also reported.

The signed document contains my entire certificate chain: Signer -> Intermediate CA -> Root CA. The Root CA in the chain is the same as the trusted root PEM I pass using the --trusted-pem option, so I would expect verification to succeed.

Now, I can make the error message go away by extracting the Intermediate CA certificate from the signed document and passing it to xmlsec using the --untrusted-pem option:

xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>

I did not expect that I would have to explicitly pass a certificate from the chain to xmlsec and flag it as being untrusted. Am I doing something wrong? Surely xmlsec should assume that all X509 certificates in a chain are untrusted by default? Have I missed the point somewhere?

Many thanks in advance.