[xmlsec] Signature Verification Problem Using X509 Certificates

Aleksey Sanin aleksey at aleksey.com
Thu Feb 14 09:29:12 PST 2008


The error indicates that verification of one of the certificate
chains failed but xmlsec was able to extract the key either from
another certificate chain or from some other place. Hard to say
more w/o looking at the document.

Aleksey



Paul Keeler wrote:
> I would be grateful if somone could help me with this problem.  I have a 
> signed document which reports that it verifies ok, but also gives an 
> error message: "unable to get local issuer certificate".  The same thing 
> happens both running from my own application and calling xmlsec from the 
> command line:
> 
> xmlsec1 --verify --id-attr:<my_ID_attribute_name> 
> <my_node_namespace_uri>:<my_first_node_name> 
> --id-attr:<my_ID_attribute_name> 
> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem 
> <my_trusted_root_pem>  <my_signed_document>
> 
> This is the result:
> 
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate 
> verification failed:err=20;msg=unable to get local issuer certificate
> OK
> SignedInfo References (ok/all): 2/2
> Manifests References (ok/all): 0/0
> 
> The verification seems to have been successful (indicated by "OK"), but 
> clearly an error was also reported.
> 
> The signed document contains my entire certificate chain: Signer -> 
> Intermediate CA -> Root CA.  The Root CA in the chain is the same as the 
> trusted root pem I pass using the --trusted-pem option, so I would 
> expect verification to succeed.
> 
> Now, I can make the error message go away by extracting the Intermediate 
> CA certificate from the signed document and passing it to XMLSEC using 
> the --untrusted-pem option:
> 
> xmlsec1 --verify --id-attr:<my_ID_attribute_name> 
> <my_node_namespace_uri>:<my_first_node_name> 
> --id-attr:<my_ID_attribute_name> 
> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem 
> <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> 
> <my_signed_document>
> 
> I did not expect that I would have to explicitly pass a certificate from 
> the chain to xmlsec and flag it as being untrusted.  Am I doing 
> something wrong?  Surely xmlsec should assume that all X509 certificates 
> in a chain are untrusted by default?  Have I missed the point somewhere?
> 
> Many thanks in advance.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec



More information about the xmlsec mailing list