<div dir="ltr">Thanks,<br>Do you have any tips on what kind of mistake I am making?<br><br><div>I'll learn more about these subjects that you suggested.</div><div><br></div><div>Regards.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-24 17:04 GMT-02:00 Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You are not verifying the signature correctly. Please read about<br>
certificate verification, trusted certificates, etc.<br>
<br>
Aleksey<br>
<span class=""><br>
On 11/24/14 10:54 AM, Renato Fermi wrote:<br>
> Sorry, the verifying line was :<br>
> - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem signed.xml<br>
><br>
> 2014-11-24 16:45 GMT-02:00 Renato Fermi <<a href="mailto:repiazza@gmail.com">repiazza@gmail.com</a>>:<br>
</span>
<div><div class="h5">><br>
> Hello Aleksey,<br>
><br>
> I was really using a wrong certificate to sign and check it.<br>
> Now I'm using the same certificate, the one that generated the key file.<br>
> So I have 2 files:<br>
> - cert.pem - client certificate, obtained using the following command, from the full certificate:<br>
> openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys -nodes<br>
> - nfcek.pem - key file obtained this way:<br>
> openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes<br>
><br>
> I'm signing using :<br>
> - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem --output signed.xml 0A000U209.xml<br>
> And verifying :<br>
> - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,certificado.pem signed.xml<br>
><br>
> So I got an OK, but with errors:<br>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS LTDA:05113966000159;err=20;msg=unable to get local issuer certificate<br>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate<br>
> OK<br>
> SignedInfo References (ok/all): 1/1<br>
> Manifests References (ok/all): 0/0<br>
><br>
> Do you have any idea about it?<br>
><br>
> Thanks again.<br>
><br>
> 2014-11-24 16:23 GMT-02:00 Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>:<br>
</div></div>
<span class="">><br>
> Are you sure that the cacert.pem contains the certificate for nfcek.pem<br>
> key? It looks like you are signing with one key and verifying with another.<br>
><br>
> Aleksey<br>
><br>
> On 11/24/14 10:15 AM, Renato Fermi wrote:<br>
> > I've added 2 files (input) 0AU00209.xml and output.xml.<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>:<br>
</span>
<div><div class="h5">> ><br>
> > What does the input.xml look like?<br>
> ><br>
> > Aleksey<br>
> ><br>
> > On 11/24/14 9:58 AM, Renato Fermi wrote:<br>
> > > Hello Aleksey,<br>
> > ><br>
> > > I'm having trouble after successfully signing an XML, when verifying it.<br>
> > ><br>
> > > What I've done:<br>
> > > - Signed XML with my cert key and cacert :<br>
> > > $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem --output signed.xml input.xml<br>
> > > - Verified the signature:<br>
> > > xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem signed.xml<br>
> > ><br>
> > > And received the return:<br>
> > ><br>
> > > func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match<br>
> > > FAIL<br>
> > > SignedInfo References (ok/all): 1/1<br>
> > > Manifests References (ok/all): 0/0<br>
> > > Error: failed to verify file "signed.xml"<br>
> > ><br>
> > > Am I doing anything wrong?<br>
> > ><br>
> > > Thanks in advance.<br>
> > ><br>
> > > Renato Fermi<br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > xmlsec mailing list<br>
> > > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a><br>
</div></div>
<div class="HOEnZb"><div class="h5">> > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</div></div></blockquote></div><br></div>
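<div>The err=20 "unable to get local issuer certificate" lines in the quoted log mean that OpenSSL could not find the signer certificate's issuer among the certificates it trusts. The following is an added example, not part of the thread or of the xmlsec project: it reproduces that error with a constructed throwaway CA and signer certificate and shows which trust input clears it. All file names and subjects are assumptions made for the demo.</div>

```shell
#!/usr/bin/env bash
# Added example (constructed PKI; every name and file here is made up for the demo).
# Reproduces "err=20 ... unable to get local issuer certificate" and shows that it
# clears only when the certificate that really issued the signer cert is trusted.

# make_ca DIR NAME: self-signed root -> DIR/NAME.pem and DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA: signer certificate issued by CA -> DIR/leaf.pem
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_error CERT [openssl verify options]: prints 0 if the chain validates,
# otherwise the first OpenSSL verification error number (20 = issuer not found).
verify_error() {
    local cert="$1" out
    shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then echo 0; return; fi
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir" issuer      # the CA that really issued the signer certificate
make_ca "$demo_dir" other       # an unrelated CA, standing in for a wrong CA file
make_leaf "$demo_dir" issuer

echo "no trust anchor : $(verify_error "$demo_dir/leaf.pem")"
echo "unrelated CA    : $(verify_error "$demo_dir/leaf.pem" -CAfile "$demo_dir/other.pem")"
echo "issuing CA      : $(verify_error "$demo_dir/leaf.pem" -CAfile "$demo_dir/issuer.pem")"

# The xmlsec1 counterpart of the last line passes the issuer chain as trusted
# certificates (issuer-chain.pem is a placeholder file name):
#   xmlsec1 --verify --id-attr:Id infNFe --trusted-pem issuer-chain.pem signed.xml
```

<div>The first two cases print 20 and the last prints 0: presenting the signer's own certificate, or an unrelated CA, gives the verifier nothing to chain to.</div>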