[xmlsec] Re: Verifying an signature ... Problem
Aleksey Sanin
aleksey at aleksey.com
Wed Feb 26 11:33:49 PST 2003
> In the XML-File there were 3 certificates included in all. The first
> certificate you extracted as "a.pem".
> I saved these certificates as b.pem and c.pem too.
Oops.. The line was too long and I missed the last two certs. However, this
changes nothing for me:
[aleksey at lsh]$ openssl verify -CAfile c.pem b.pem
b.pem: OK
[aleksey at lsh]$ openssl verify -CAfile b.pem a.pem
a.pem: /C=US/O=MasterCard International Incorporated Test System
Subordinate/OU=SecureCode Test System Subordinate CA
Certificate/CN=MasterCard SecureCode Test Issuer and Directory Subordinate
error 2 at 1 depth lookup:unable to get issuer certificate
The only idea I have is that you have some cert installed in the default
openssl path that I don't have (for example, it might be the original root
cert used for other certs generation). And xmlsec does not know about it
either. The only suggestion I have is to run xmlsec or openssl in the
debugger. It should be somewhere in openssl/crypto/x509/x509.c or
openssl/crypto/x509/x509vfy.c
> Does xmlsec use all these certificates or only get the first one?!
Yes, of course. It loads everything it can find.
> When I try to load the extracted b.pem and c.pem as trusted
> certificates into xmlsec I get
>
> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation
> failed : X509_LOOKUP_load_file(b.pem) - 0
> Error: unable to load certificate file "b.pem".
>
> What could be the reason for that error ?
>
Have you added the magic "-----BEGIN CERTIFICATE-----" and
"-----END CERTIFICATE-----" to the extracted certs? The xmlsec utility
expects certs in PEM files.
Aleksey
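
The step discussed in this thread (pulling every X509Certificate value out of the signature and saving each one with PEM markers), as an added example that is not code from the thread or from xmlsec. The function names and the sample XML are constructed for illustration, and the sample blobs are placeholders, not real certificates.

```python
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"  # exactly five dashes on each side
PEM_END = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_BEGIN, *body, PEM_END]) + "\n"


def extract_certs(xml_text: str) -> list[str]:
    """Return one PEM string per ds:X509Certificate, in document order."""
    pems = []
    for el in ET.fromstring(xml_text).iter(f"{{{DSIG_NS}}}X509Certificate"):
        b64 = "".join((el.text or "").split())  # drop line breaks and indentation
        der = base64.b64decode(b64, validate=True)  # raises on non-base64 input
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            raise ValueError("X509Certificate content is not a DER SEQUENCE")
        pems.append(der_to_pem(der))
    return pems


def pem_armor_ok(pem_text: str) -> bool:
    """True if the first and last non-empty lines are the exact PEM markers."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    return len(lines) >= 3 and lines[0] == PEM_BEGIN and lines[-1] == PEM_END


def sample_signature_xml() -> str:
    """Constructed input on one long line: placeholder blobs, not real certs."""
    blobs = [b"\x30\x82\x00\x60" + bytes([i]) * 96 for i in (1, 2, 3)]
    certs = "".join(
        f"<X509Certificate>{base64.b64encode(b).decode()}</X509Certificate>"
        for b in blobs
    )
    return (f'<Signature xmlns="{DSIG_NS}"><KeyInfo><X509Data>{certs}'
            "</X509Data></KeyInfo></Signature>")


if __name__ == "__main__":
    for name, pem in zip(("a.pem", "b.pem", "c.pem"), extract_certs(sample_signature_xml())):
        print(f"# {name}: armor ok = {pem_armor_ok(pem)}")
        print(pem)
```

Running pem_armor_ok() over a hand-extracted file before loading it catches a missing or miscounted marker line, which is the cause suggested above for the X509_LOOKUP_load_file failure.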