Looks like the body of my previous message was somehow scrubbed along with the attachment. Here it is again:<br><br><div class="gmail_quote">On Feb 19, 2008 11:00 AM, Paul Keeler <<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Ok, I guess it was a bit unreasonable to send you a link - my apologies! Here's a concrete example. See attached.<br>
<br>Thanks for your patience.<div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">On Feb 18, 2008 5:08 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I have no idea what "target kdm certificate" is :) Please, attach<br>a signed document to the email.<br>
<br>Aleksey<br><div><br>Paul Keeler wrote:<br>> Here is a link to an online generator of signed documents that will<br>> demonstrate the behaviour I described previously:<br>><br>> <a href="http://www.cinecert.com/dci_ref_01/" target="_blank">http://www.cinecert.com/dci_ref_01/</a><br>
><br>> Is there perhaps something about these documents that means xmlsec is<br>> unable to populate a store of untrusted certificates?<br>><br>> Many thanks for your help already.<br>><br>><br>> On Feb 14, 2008 5:29 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a><br>
</div><div><div></div><div>> <mailto:<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>>> wrote:<br>><br>> The error indicates that verification of one of the certificate<br>
> chains failed but xmlsec was able to extract the key either from<br>> another certificate chain or from some other place. Hard to say<br>> more w/o looking at the document.<br>><br>> Aleksey<br>
><br>><br>><br>> Paul Keeler wrote:<br>> > I would be grateful if someone could help me with this problem. I<br>> have a<br>> > signed document which reports that it verifies ok, but also gives an<br>
> > error message: "unable to get local issuer certificate". The<br>> same thing<br>> > happens both running from my own application and calling xmlsec<br>> from the<br>> > command line:<br>
> ><br>> > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>> > <my_node_namespace_uri>:<my_first_node_name><br>> > --id-attr:<my_ID_attribute_name><br>
> > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem<br>> > <my_trusted_root_pem> <my_signed_document><br>> ><br>> > This is the result:<br>
> ><br>
> ><br>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate<br>> > verification failed:err=20;msg=unable to get local issuer certificate<br>
> > OK<br>> > SignedInfo References (ok/all): 2/2<br>> > Manifests References (ok/all): 0/0<br>> ><br>> > The verification seems to have been successful (indicated by<br>
> "OK"), but<br>> > clearly an error was also reported.<br>> ><br>> > The signed document contains my entire certificate chain: Signer -><br>> > Intermediate CA -> Root CA. The Root CA in the chain is the same<br>
> as the<br>> > trusted root pem I pass using the --trusted-pem option, so I would<br>> > expect verification to succeed.<br>> ><br>> > Now, I can make the error message go away by extracting the<br>
> Intermediate<br>> > CA certificate from the signed document and passing it to XMLSEC<br>> using<br>> > the --untrusted-pem option:<br>> ><br>> > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>
> > <my_node_namespace_uri>:<my_first_node_name><br>> > --id-attr:<my_ID_attribute_name><br>> > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem<br>
> > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem><br>> > <my_signed_document><br>> ><br>> > I did not expect that I would have to explicitly pass a<br>
> certificate from<br>> > the chain to xmlsec and flag it as being untrusted. Am I doing<br>> > something wrong? Surely xmlsec should assume that all X509<br>> certificates<br>> > in a chain are untrusted by default? Have I missed the point<br>
> somewhere?<br>> ><br>> > Many thanks in advance.<br>> ><br>> ><br>> ><br>> ------------------------------------------------------------------------<br>
> ><br>> > _______________________________________________<br>> > xmlsec mailing list<br></div></div>> > <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a>><br>
<div><div></div><div>> > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</div></div></blockquote></div><br>
</div></div></blockquote></div><br>
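The manual step described in the thread (extract the intermediate CA from the document's ds:X509Certificate elements and hand it to xmlsec1 with --untrusted-pem so the OpenSSL store can build the chain to the --trusted-pem root) automated as an added example; this is not code from the thread or from the xmlsec project, and the helper names, the sample XML and the placeholder base64 blobs (not real DER) are constructed for illustration.

```python
"""Added example: collect every ds:X509Certificate from a signed document,
write each as PEM, and build the xmlsec1 --verify argv that passes them as
--untrusted-pem next to the --trusted-pem root. Names and sample data are
constructed; the base64 payloads are placeholders, not real certificates."""
import base64
import textwrap
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Constructed sample: KeyInfo carrying signer + intermediate, as in the thread.
SAMPLE_SIGNED_XML = """<doc xmlns:ds="%s"><ds:Signature><ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>%s</ds:X509Certificate>
<ds:X509Certificate>%s</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></ds:Signature></doc>""" % (
    DSIG_NS,
    base64.b64encode(b"constructed signer DER").decode(),
    base64.b64encode(b"constructed intermediate DER").decode(),
)

def extract_chain_pems(xml_text):
    """Return each <ds:X509Certificate> payload as a PEM string, in document order."""
    pems = []
    for el in ET.fromstring(xml_text).iter("{%s}X509Certificate" % DSIG_NS):
        der_b64 = "".join((el.text or "").split())      # drop embedded line breaks
        base64.b64decode(der_b64, validate=True)         # reject garbage before writing a PEM
        body = "\n".join(textwrap.wrap(der_b64, 64))     # 64-column PEM body lines
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems

def pem_to_der(pem):
    """Inverse of the framing above; used to check the round trip."""
    return base64.b64decode("".join(pem.strip().splitlines()[1:-1]))

def build_verify_argv(doc_path, trusted_root_pem, untrusted_pems, id_attrs):
    """xmlsec1 argv as used in the thread: --id-attr:ATTR NS_URI:NODE pairs,
    one --trusted-pem root, one --untrusted-pem per chain certificate."""
    argv = ["xmlsec1", "--verify"]
    for attr, qualified_node in id_attrs:
        argv += ["--id-attr:%s" % attr, qualified_node]
    argv += ["--trusted-pem", trusted_root_pem]
    for pem_path in untrusted_pems:
        argv += ["--untrusted-pem", pem_path]
    return argv + [doc_path]

if __name__ == "__main__":
    paths = []
    for i, pem in enumerate(extract_chain_pems(SAMPLE_SIGNED_XML)):
        paths.append("chain%d.pem" % i)
        open(paths[-1], "w").write(pem)
    print(" ".join(build_verify_argv("signed.xml", "trusted_root.pem", paths, [("Id", "urn:example:Node")])))
```

Passing the signer and root certificates as untrusted alongside the intermediate is harmless; only the --trusted-pem root anchors the chain, so the "unable to get local issuer certificate" error disappears only when the intermediate is present.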