The 5 certificates represent a whole certificate chain in order from signer back to self-signed trusted root. If I use the fifth certificate as a trusted root (extract it to file, add the begin/end certificate tags, and use the --trusted-pem option), then my understanding is that I should be able to verify the signature and the entire certificate chain. Surely there should be no failure? Am I missing something here?<br>
<br>Thanks again.<br><br><div class="gmail_quote">On Feb 19, 2008 3:26 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
You have multiple certificate (X509Data) elements. The error<br>indicates that verification of one certificate has failed<br>but the other succeeds and the signature is verified.<br><br>Aleksey<br><div class="Ih2E3d"><br>
Paul Keeler wrote:<br>> Looks like the body of my previous message was somehow scrubbed along<br>> with the attachment. Here it is again:<br>><br>> On Feb 19, 2008 11:00 AM, Paul Keeler <<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a><br>
</div><div class="Ih2E3d">> <mailto:<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a>>> wrote:<br>><br>> Ok, I guess it was a bit unreasonable to send you a link - my<br>> apologies! Here's a concrete example. See attached.<br>
><br>> Thanks for your patience.<br>><br>><br>> On Feb 18, 2008 5:08 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br></div><div class="Ih2E3d">> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>> wrote:<br>
><br>> I have no idea what "target kdm certificate" is :) Please, attach<br>> a signed document to the email.<br>><br>> Aleksey<br>><br>> Paul Keeler wrote:<br>
> > Here is a link to an online generator of signed documents<br>> that will<br>> > demonstrate the behaviour I described previously:<br>> ><br>> > <a href="http://www.cinecert.com/dci_ref_01/" target="_blank">http://www.cinecert.com/dci_ref_01/</a><br>
> ><br>> > Is there perhaps something about these documents that means<br>> xmlsec is<br>> > unable to populate a store of untrusted certificates?<br>> ><br>
> > Many thanks for your help already.<br>> ><br>> ><br>> > On Feb 14, 2008 5:29 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>
> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>><br></div><div><div></div><div class="Wj3C7c">> > <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>>> wrote:<br>
> ><br>> > The error indicates that verification of one of the<br>> certificate<br>> > chains failed but xmlsec was able to extract the key<br>> either from<br>
> > another certificate chain or from some other place. Hard<br>> to say<br>> > more w/o looking at the document.<br>> ><br>> > Aleksey<br>
> ><br>> ><br>> ><br>> > Paul Keeler wrote:<br>> > > I would be grateful if someone could help me with this<br>> problem. I<br>
> > have a<br>> > > signed document which reports that it verifies ok, but<br>> also gives an<br>> > > error message: "unable to get local issuer<br>
> certificate". The<br>> > same thing<br>> > > happens both running from my own application and<br>> calling xmlsec<br>> > from the<br>
> > > command line:<br>> > ><br>> > > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>> > > <my_node_namespace_uri>:<my_first_node_name><br>
> > > --id-attr:<my_ID_attribute_name><br>> > > <my_node_namespace_uri>:<my_second_node_name><br>> --trusted-pem<br>> > > <my_trusted_root_pem> <my_signed_document><br>
> > ><br>> > > This is the result:<br>> > ><br>> > ><br>> ><br>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate<br>
> > > verification failed:err=20;msg=unable to get local<br>> issuer certificate<br>> > > OK<br>> > > SignedInfo References (ok/all): 2/2<br>
> > > Manifests References (ok/all): 0/0<br>> > ><br>> > > The verification seems to have been successful<br>> (indicated by<br>> > "OK"), but<br>
> > > clearly an error was also reported.<br>> > ><br>> > > The signed document contains my entire certificate<br>> chain: Signer -><br>> > > Intermediate CA -> Root CA. The Root CA in the chain<br>
> is the same<br>> > as the<br>> > > trusted root pem I pass using the --trusted-pem<br>> option, so I would<br>> > > expect verification to succeed.<br>
> > ><br>> > > Now, I can make the error message go away by<br>> extracting the<br>> > Intermediate<br>> > > CA certificate from the signed document and passing it<br>
> to XMLSEC<br>> > using<br>> > > the --untrusted-pem option:<br>> > ><br>> > > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>
> > > <my_node_namespace_uri>:<my_first_node_name><br>> > > --id-attr:<my_ID_attribute_name><br>> > > <my_node_namespace_uri>:<my_second_node_name><br>
> --trusted-pem<br>> > > <my_trusted_root_pem> --untrusted-pem<br>> <intermediate_CA_pem><br>> > > <my_signed_document><br>> > ><br>
> > > I did not expect that I would have to explicitly pass a<br>> > certificate from<br>> > > the chain to xmlsec and flag it as being untrusted.<br>> Am I doing<br>
> > > something wrong? Surely xmlsec should assume that all<br>> X509<br>> > certificates<br>> > > in a chain are untrusted by default? Have I missed<br>
> the point<br>> > somewhere?<br>> > ><br>> > > Many thanks in advance.<br>> > ><br>> > ><br>> > ><br>
> ><br>> ------------------------------------------------------------------------<br>> > ><br>> > > _______________________________________________<br>
> > > xmlsec mailing list<br>> > > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br></div>
</div>> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>>><br><div><div></div><div class="Wj3C7c">> > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
><br></div></div></blockquote></div><br>
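The thread turns on one OpenSSL behaviour: a chain Signer -> Intermediate CA -> Root CA only verifies if the verifier can find the intermediate when it builds the chain from the signer up to the trusted root. The script below is an added example written for this page, not code from the thread, from xmlsec or from its author; it assumes a working `openssl` binary and constructs a throwaway three-certificate chain (all names and keys are made up here). It reproduces the error 20 diagnostic quoted in the thread by verifying the signer against the root alone, then shows that handing the intermediate to the verifier as an untrusted certificate (the OpenSSL analogue of xmlsec1's `--untrusted-pem`) makes the chain build.

```shell
#!/bin/sh
# Added example, not code from the thread or from xmlsec: reproduces the
# "unable to get local issuer certificate" (error 20) condition at the OpenSSL
# level with a throwaway Signer -> Intermediate CA -> Root CA chain, then shows
# that handing the intermediate to the verifier as an *untrusted* certificate
# lets the chain build up to the trusted root. Requires the `openssl` binary;
# every name and key below is constructed for this demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA (needed on the root and the
# intermediate, otherwise OpenSSL rejects them as chain members).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Build the three-certificate chain: root (self-signed), intermediate, signer.
build_chain() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/signer.pem" 2>/dev/null
}

# Verify the signer against the trusted root only. The verifier cannot find
# the signer's issuer (the intermediate), so this prints "fail".
verify_root_only() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/signer.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same check, reporting whether OpenSSL's diagnostic is the one quoted in the thread.
root_only_error_text() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/signer.pem" 2>&1 \
       | grep -q "unable to get local issuer certificate"; then
    echo "error 20"
  else
    echo "other"
  fi
}

# Supply the intermediate as an untrusted helper certificate (the analogue of
# xmlsec1's --untrusted-pem): the chain now links signer -> intermediate -> root.
verify_with_untrusted_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
       "$WORK/signer.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_chain
echo "root only:                     $(verify_root_only) ($(root_only_error_text))"
echo "root + untrusted intermediate: $(verify_with_untrusted_intermediate)"
```

Putting the intermediate into the trusted set (`-CAfile` with both certificates) would also silence the error, but it promotes the intermediate to a trust anchor, so any certificate it ever issued would be accepted even if the chain to the real root were broken; the untrusted set is where chain-building helpers belong, which is the distinction the `--trusted-pem` and `--untrusted-pem` options draw.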