I tried the same but got the same error:<br>func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate<br>
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate<br>func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: <br>
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found: <br>func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: <br>
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: <br><br>Is there any specific order in which certificates should be present in the signature file? Can there be a problem with the certificate fields?<br>
<br><br>Regards,<br>Ashish<br><br><div class="gmail_quote">On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <span dir="ltr">&lt;<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Try<br>
<br>
xmlsec1 --verify \<br>
        --trusted-pem root.pem \<br>
        --trusted-pem int.pem  \<br>
        signature.xml<br>
<br>
Aleksey<br>
<br>
Ashish Agrawal wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
I have tried with:<br>
xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml  (removing the intermediate CA cert from signature file)<br>
&amp;<br>
xmlsec1 --verify --trusted-pem root.pem signature.xml ( keeping the intermediate CA cert and end certificate in the signature file)<br>
<br>
Got same result..<br>
Regards,<br>
Ashish<br>
<br></div><div class="im">
On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br>

<br>
    What command line options do you use?<br>
<br>
    Aleksey<br>
<br>
    Ashish Agrawal wrote:<br>
<br>
        Sorry, I did not understand your reply completely,<br>
        You mean to check the subject field for the certificates:<br>
<br>
        I see them as :<br>
<br>
        End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo<br>
                        Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br>
<br>
        Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br>
                                     Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
<br>
        Root Cert:  Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
                        Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
<br>
        So it seems like the chain is correct, but verification<br>
        fails. The strange thing is it passes with openssl but not here.<br>
<br>
        Regards,<br>
        Ashish<br>
<br>
        On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div><div class="im">
<br>
           No, there are no ordering problems. You have the subject<br>
           of certificate which is at the end of the chain. Try<br>
           to figure out &quot;why?&quot;.<br>
<br>
           Aleksey<br>
<br>
           Ashish Agrawal wrote:<br>
<br>
               Yes Aleksey,<br>
               I have already tried with the openssl utility,<br>
<br>
               openssl verify -CAfile root.pem EE.pem<br>
               here root.pem is the root ca pem file &amp; EE.pem contains the<br>
               intermediate certificate and then the end certificate. and it<br>
               passes with no error.<br>
<br>
               but xmlsec fails :(<br>
               Can there be any ordering issue? Shall I send my certs, will<br>
               that help in root causing?<br>
<br>
               Regards,<br>
               Ashish<br>
<br>
               On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div><div><div></div><div class="h5">
<br>
                  Try to verify your certs chain using openssl command line<br>
               tool directly.<br>
<br>
                  Aleksey<br>
<br>
                  Ashish Agrawal wrote:<br>
<br>
                      Hi Aleksey,<br>
<br>
                      My signature.xml file has two certificates, one is the end<br>
                      certificate and the other is the intermediate CA.<br>
                      In the intermediate certificate also the &quot;CA&quot; field is true.<br>
                      Could this be the root cause of the problem?<br>
<br>
                      Attaching the intermediate CA pem file<br>
<br>
                      Thanks for your help.<br>
<br>
                      Regards,<br>
                      Ashish<br>
<br>
<br>
                      On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br>
<br>
                         This error means that xmlsec can&#39;t build certs chain for some reasons.<br>
<br>
                         Aleksey<br>
<br>
                         Ashish Agrawal wrote:<br>
<br>
                             Hi Aleksey,<br>
<br>
                             I have a problem where I have a root CA and two certificates in<br>
                             the chain. When I try to verify the chain using openssl it works:<br>
                             openssl verify -CAfile root.pem EE.pem<br>
                             but when I try to verify using xmlsec it fails with the error:<br>
                             func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate<br>
                             func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate<br>
                             func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:<br>
                             func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:<br>
                             func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:<br>
                             func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:<br>
                             Error: signature failed<br>
                             ERROR<br>
                             SignedInfo References (ok/all): 6/6<br>
                             Manifests References (ok/all): 0/0<br>
<br>
<br>
                             Does xmlsec impose any additional constraint on the certificate<br>
                             validation and if yes what are they?<br>
<br>
                             Regards,<br>
                             Ashish<br>
<br>
<br>
                                                ------------------------------------------------------------------------<br>
<br>
                             _______________________________________________<br>
                             xmlsec mailing list<br>
                             <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
<br>
<br>
                             <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</div></div></blockquote>
</blockquote></div><br>
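Added example, not part of the original thread or of the xmlsec project: the script below builds a constructed three-certificate chain and runs <code>openssl verify</code> against it four ways, to show what an OK from that tool does and does not prove. <code>openssl verify</code> checks only the first certificate in each file it is given, so a bundle that lists the intermediate first reports OK without the end-entity certificate being checked; the <code>Demo</code> subjects and all file names are assumptions made for the demonstration.<br>

```shell
# Added example: constructed chain Demo Root -> Demo subCA -> Demo EE.
# All names and file paths are made up for this demonstration.
make_chain() {  # $1 = scratch directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA signed by the root (CA:TRUE comes from ca.cnf)
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo subCA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null
    # End-entity certificate signed by the intermediate
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo EE" -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null
    openssl x509 -req -in "$d/ee.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/ee.pem" 2>/dev/null
    # The same two certificates bundled in both orders
    cat "$d/int.pem" "$d/ee.pem" > "$d/bundle_int_first.pem"
    cat "$d/ee.pem" "$d/int.pem" > "$d/bundle_ee_first.pem"
}

# Prints OK or FAIL for one "openssl verify" invocation.
verify() {
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d"
    echo "EE only, root trusted:        $(verify -CAfile "$d/root.pem" "$d/ee.pem")"
    echo "EE + -untrusted intermediate: $(verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/ee.pem")"
    echo "bundle, intermediate first:   $(verify -CAfile "$d/root.pem" "$d/bundle_int_first.pem")"
    echo "bundle, EE first:             $(verify -CAfile "$d/root.pem" "$d/bundle_ee_first.pem")"
    rm -rf "$d"
}
demo
```

Only the <code>-untrusted</code> run checks the end-entity certificate through the intermediate up to the trusted root.<br>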