Here is a link to an online generator of signed documents that will demonstrate the behaviour I described previously:<br><br><a href="http://www.cinecert.com/dci_ref_01/">http://www.cinecert.com/dci_ref_01/</a><br><br>Is there perhaps something about these documents that means xmlsec is unable to populate a store of untrusted certificates?<br>
<br>Many thanks for your help already.<br><br><br><div class="gmail_quote">On Feb 14, 2008 5:29 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The error indicates that verification of one of the certificate<br>chains failed but xmlsec was able to extract the key either from<br>another certificate chain or from some other place. Hard to say<br>more w/o looking at the document.<br>
<br>Aleksey<br><div><div></div><div class="Wj3C7c"><br><br><br>Paul Keeler wrote:<br>> I would be grateful if someone could help me with this problem. I have a<br>> signed document which reports that it verifies ok, but also gives an<br>
> error message: "unable to get local issuer certificate". The same thing<br>> happens both running from my own application and calling xmlsec from the<br>> command line:<br>><br>> xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>
> <my_node_namespace_uri>:<my_first_node_name><br>> --id-attr:<my_ID_attribute_name><br>> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem<br>> <my_trusted_root_pem> <my_signed_document><br>
><br>> This is the result:<br>><br>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate<br>> verification failed:err=20;msg=unable to get local issuer certificate<br>
> OK<br>> SignedInfo References (ok/all): 2/2<br>> Manifests References (ok/all): 0/0<br>><br>> The verification seems to have been successful (indicated by "OK"), but<br>> clearly an error was also reported.<br>
><br>> The signed document contains my entire certificate chain: Signer -><br>> Intermediate CA -> Root CA. The Root CA in the chain is the same as the<br>> trusted root pem I pass using the --trusted-pem option, so I would<br>
> expect verification to succeed.<br>><br>> Now, I can make the error message go away by extracting the Intermediate<br>> CA certificate from the signed document and passing it to XMLSEC using<br>> the --untrusted-pem option:<br>
><br>> xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>> <my_node_namespace_uri>:<my_first_node_name><br>> --id-attr:<my_ID_attribute_name><br>> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem<br>
> <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem><br>> <my_signed_document><br>><br>> I did not expect that I would have to explicitly pass a certificate from<br>> the chain to xmlsec and flag it as being untrusted. Am I doing<br>
> something wrong? Surely xmlsec should assume that all X509 certificates<br>> in a chain are untrusted by default? Have I missed the point somewhere?<br>><br>> Many thanks in advance.<br>><br>><br></div>
</div>> ------------------------------------------------------------------------<br>><br>> _______________________________________________<br>> xmlsec mailing list<br>> <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a><br>
> <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br></blockquote></div><br>
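The chain-building rule discussed in the thread, shown as an added example that is not part of the thread and not xmlsec's own code: xmlsec1's X.509 store is OpenSSL's, so the same outcome can be reproduced with the openssl CLI, where <code>-untrusted</code> plays the role of <code>--untrusted-pem</code>. Subjects, file names and the work directory are constructed for the demonstration.<br>

```shell
#!/bin/sh
# Added example, not code from the xmlsec thread: reproduce the behaviour with
# the openssl CLI, whose X.509 store is what xmlsec1 uses under the hood.
# Subjects, file names and the work directory below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = name, $2 = basicConstraints value, $3 = issuer name
# (or "self" for a self-signed root). Keys and certs land in $WORK.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=Example $1" 2>/dev/null
    printf 'basicConstraints=critical,%s\n' "$2" > "$WORK/$1.ext"
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -out "$WORK/$1.pem" -days 2 -extfile "$WORK/$1.ext" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -out "$WORK/$1.pem" -days 2 -extfile "$WORK/$1.ext" 2>/dev/null
    fi
}

# Build the chain from the thread: Signer -> Intermediate CA -> Root CA.
build_chain() {
    issue root CA:TRUE self
    issue intermediate CA:TRUE root
    issue signer CA:FALSE intermediate
}

# Verify the signer cert against the trusted root, forwarding any extra
# arguments to openssl verify. Prints "ok" on success; on failure prints the
# store's error text (the same err=20 message the xmlsec1 output shows).
verify_signer() {
    if out=$(openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/signer.pem" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

build_chain
# Like --trusted-pem alone: the store cannot find the signer's issuer.
echo "root only:           $(verify_signer)"
# Like --trusted-pem plus --untrusted-pem: the intermediate is offered as an
# untrusted chain-building candidate and the path to the root completes.
echo "root + intermediate: $(verify_signer -untrusted "$WORK/intermediate.pem")"
```

The store only builds a path from certificates it has been handed, so the intermediate must be supplied explicitly even though the root it chains to is already trusted.<br>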