Hi,<br><br>It's been quite some time that I have been modifying my code to allow a signed XML document containing the entire chain of certificates from the "local cert" through the CAs and ultimately the Root CA. I have debugged the code until the call goes to <b>X509_verify_cert(&xsc)</b>. I have observed that for each <b>&lt;X509Certificate&gt;</b> xmlsec adds the certificate to the X509_STACK. The function call (<b>xmlSecOpenSSLX509FindNextChainCert</b>) inside the <b>for loop</b> in the function <b>xmlSecOpenSSLX509StoreVerify</b> with the comment [/* get one cert after another and try to verify */] returns NULL only when it finds that the certificate does not extend any other certificates.<br>
<br>I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.<br><br>If I simply execute the signeddoc.xml, I receive the error [<b>msg=invalid CA certificate</b> for CA2.pem]. The command used is <b>xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml</b><br>
I broke the certificate chain by removing RootCa.pem from the signeddoc.xml, and the error I received is the same as in the above case: <b>xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml</b><br>I changed the command for the above file to <b>xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml</b>; still the error was the same.<br>
I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used the command <b>xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml</b><br>Then I removed CA2 from the signeddoc.xml, kept only CA1 and signerCert.pem, and used the command <b>xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml</b> ... I could see that the verification was passing.<br><br>I have devised another way too to make this work, but I am not sure how good this way is...<br><br>Before passing the signeddoc.xml to xmlsec, I load the X509 certificate as trusted using the API <b>xmlSecCryptoAppKeysMngrCertLoadMemory</b>, but the problem is not solved because the same document continues to be evaluated by xmlsec later and the results produced are the same.<br>
<br>Another alternative I thought of was: once the function <b>xmlSecOpenSSLX509FindNextChainCert</b> returns NULL, I would remove the other certificates from the STACK. That way, I will have trusted certs loaded to the global stack while signerCert.pem is verified.<br>
<br>Please let me know your suggestions; I will try your suggested methods.<br><br>And thanks a lot for this library, it has done wonders for my work till now :)<br><br>I had read an email from the archive [<b><a href="http://www.aleksey.com/pipermail/xmlsec/2008/008326.html">http://www.aleksey.com/pipermail/xmlsec/2008/008326.html</a></b>], but I could not get the breakthrough yet :(<br>
<br>Regards,<br>Naval<br>
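A way to check each link of such a chain outside xmlsec, as an added example that is not part of the original post or of the xmlsec project: the script rebuilds the RootCa > CA1 > CA2 > signerCert chain with throw-away keys and runs the check that xmlsec hands to X509_verify_cert through openssl verify, which reports the same error strings plus the chain depth they occur at. It assumes only that openssl is on the PATH; the CA2bad and signerBad certificates are constructed here to show what "invalid CA certificate" means.

```shell
#!/bin/sh
# Added example (not from the original post or the xmlsec project): rebuild a
# RootCa > CA1 > CA2 > signerCert chain with throw-away keys, then run the same
# check xmlsec hands to X509_verify_cert through `openssl verify`, so each link
# of the chain can be tested outside the signed document. Needs only openssl.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal req config (no system openssl.cnf needed) and the extension sets:
# a CA that may sign certificates, a plain end-entity cert, and a "CA" that
# lacks CA extensions (constructed to reproduce the error message).
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
cat ca.ext >> req.cnf
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext
printf 'basicConstraints=CA:FALSE\n' > notca.ext

# issue NAME ISSUER EXTFILE: fresh key and CSR for NAME, signed by ISSUER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root: the only certificate that belongs in --trusted-pem.
openssl req -x509 -newkey rsa:2048 -nodes -config req.cnf -extensions ca_ext \
    -subj /CN=RootCa -days 30 -keyout RootCa.key -out RootCa.pem 2>/dev/null
issue CA1 RootCa ca.ext
issue CA2 CA1 ca.ext
issue signerCert CA2 leaf.ext
issue CA2bad CA1 notca.ext        # constructed intermediate without CA:TRUE
issue signerBad CA2bad leaf.ext

# verify_chain LEAF [INTERMEDIATE...]: trust RootCa only and offer the
# intermediates as untrusted chain material, which is all the document's
# <X509Certificate> elements are to xmlsec. Prints OpenSSL's verdict (the
# failing depth and the same message xmlsec reports) and returns its status.
verify_chain() {
    leaf=$1; shift
    : > untrusted.pem
    for c in "$@"; do cat "$c" >> untrusted.pem; done
    if [ $# -gt 0 ]; then set -- -untrusted untrusted.pem; fi
    openssl verify -CAfile RootCa.pem "$@" "$leaf" 2>&1 || return 1
}

verify_chain signerCert.pem CA1.pem CA2.pem             # signerCert.pem: OK
verify_chain signerCert.pem || true                     # ...: unable to get local issuer certificate
verify_chain signerBad.pem CA1.pem CA2bad.pem || true   # ...: invalid CA certificate
```

A missing link in the chain and an intermediate that is not a CA produce different messages, so running this with the real RootCa.pem, CA1.pem, CA2.pem and signerCert.pem in place of the generated ones shows which link X509_verify_cert is rejecting.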