[xmlsec] Re: Verifying an signature ... Problem
Ingo Fischer
apollon@schlund.de
Wed Feb 26 19:46:38 PST 2003
Hello !
>
> Oops... The line was too long and I missed the last two certs. However, this
> changes nothing for me:
>
> [aleksey@lsh]$ openssl verify -CAfile c.pem b.pem
> b.pem: OK
>
> [aleksey@lsh]$ openssl verify -CAfile b.pem a.pem
> a.pem: /C=US/O=MasterCard International Incorporated Test System
> Subordinate/OU=SecureCode Test System Subordinate CA
> Certificate/CN=MasterCard SecureCode Test Issuer and Directory Subordinate
> error 2 at 1 depth lookup:unable to get issuer certificate
>
> The only idea I have is that you have some cert installed in the default
> openssl path that I don't have (for example, it might be the original root
> cert used for other certs generation). And xmlsec does not know about it
> either. The only suggestion I have is to run xmlsec or openssl in the
> debugger. It should be somewhere in openssl/crypto/x509/x509.c or
> openssl/crypto/x509/x509vfy.c
To verify a you need to have b AND c loaded because it's a "certificate-hierarchy".
c -> b -> a
That's why I used the CAPath-feature from openssl because it is only possible to use
cafile one time. Put b and c in a directory, run "c_rehash ." to prepare it and then
you can use that using openssl ... and then it should be possible to verify a.pem
with that.
>> Does xmlsec use all these certificates or only get the first one?!
>
>
> Yes, of course. It loads everything it can find.
hm ...
>> When I try to load the extracted b.pem and c.pem as trusted
>> certificates into xmlsec I get
>>
>> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation
>> failed : X509_LOOKUP_load_file(b.pem) - 0
>> Error: unable to load certificate file "b.pem".
>>
>> What could be the reason for that error ?
>>
> Have you added magic "----BEGIN CERTIFICATE----" and "-----END
> CERTIFICATE-----" to the extracted
> certs? xmlsec utility expects certs in PEM files.
Yes I added that - openssl accepts it ...
Any other ideas?
Ingo F
> Aleksey
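
The c -> b -> a hierarchy discussed in this thread, reproduced with a constructed test chain as an added example (not code from either poster or from xmlsec). Subject names, file names and function names are made up, and the hash-named links are created by hand instead of running `c_rehash`.

```shell
#!/bin/sh
# Added example with a constructed chain: c (root) -> b (intermediate) -> a (leaf).
# Subjects, file names and function names are made up for the demonstration.

verifies() {      # true only if "openssl verify" prints "<file>: OK"
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

build_chain() {   # run inside an empty directory
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in a b c; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
            -subj "/O=Constructed Demo/CN=demo $n" 2>/dev/null || return 1
    done
    # c signs itself, c signs b, b signs a
    openssl x509 -req -in c.csr -signkey c.key -extfile ca.ext \
        -days 2 -out c.pem 2>/dev/null &&
    openssl x509 -req -in b.csr -CA c.pem -CAkey c.key -CAcreateserial \
        -extfile ca.ext -days 2 -out b.pem 2>/dev/null &&
    openssl x509 -req -in a.csr -CA b.pem -CAkey b.key -CAcreateserial \
        -days 2 -out a.pem 2>/dev/null
}

make_capath() {   # $1 = directory; adds the <subject-hash>.0 links c_rehash would create
    mkdir -p "$1" || return 1
    for ca in b.pem c.pem; do
        cp "$ca" "$1/" || return 1
        ln -sf "$ca" "$1/$(openssl x509 -noout -hash -in "$ca").0" || return 1
    done
}

demo() {
    cd "$(mktemp -d)" && build_chain && make_capath ca || return 1
    verifies -CAfile c.pem b.pem && echo "b.pem with c as CAfile: OK"
    verifies -CAfile b.pem a.pem || echo "a.pem with only b as CAfile: rejected"
    verifies -CApath ca a.pem    && echo "a.pem with CApath holding b and c: OK"
}

demo || echo "demo could not run (is openssl installed?)" >&2
```

The second check fails for the same reason as the `error 2 at 1 depth lookup` output quoted above: b is not self-signed, so the chain cannot be completed unless c is also available as a trusted certificate.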