[xmlsec] Signature Verification Problem Using X509 Certificates

Aleksey Sanin aleksey at aleksey.com
Tue Feb 19 07:26:57 PST 2008


You have multiple certificate (X509Data) elements. The error
indicates that verification of one certificate has failed
but the other succeeds and the signature is verified.

Aleksey

Paul Keeler wrote:
> Looks like the body of my previous message was somehow scrubbed along 
> with the attachment.  Here it is again:
> 
> On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com> wrote:
> 
>     Ok, I guess it was a bit unreasonable to send you a link - my
>     apologies!  Here's a concrete example.  See attached.
> 
>     Thanks for your patience.
> 
> 
>     On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>         I have no idea what "target kdm certificate" is :) Please, attach
>         a signed document to the email.
> 
>         Aleksey
> 
>         Paul Keeler wrote:
>          > Here is a link to an online generator of signed documents
>          > that will demonstrate the behaviour I described previously:
>          >
>          > http://www.cinecert.com/dci_ref_01/
>          >
>          > Is there perhaps something about these documents that means
>          > xmlsec is unable to populate a store of untrusted certificates?
>          >
>          > Many thanks for your help already.
>          >
>          >
>          > On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>          >
>          >     The error indicates that verification of one of the
>          >     certificate chains failed but xmlsec was able to extract the key
>          >     either from another certificate chain or from some other place.
>          >     Hard to say more w/o looking at the document.
>          >
>          >     Aleksey
>          >
>          >
>          >
>          >     Paul Keeler wrote:
>          >      > I would be grateful if someone could help me with this
>          >      > problem.  I have a signed document which reports that it
>          >      > verifies ok, but also gives an error message: "unable to get
>          >      > local issuer certificate".  The same thing happens both
>          >      > running from my own application and calling xmlsec from the
>          >      > command line:
>          >      >
>          >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
>          >      > <my_node_namespace_uri>:<my_first_node_name>
>          >      > --id-attr:<my_ID_attribute_name>
>          >      > <my_node_namespace_uri>:<my_second_node_name>
>          >      > --trusted-pem <my_trusted_root_pem>  <my_signed_document>
>          >      >
>          >      > This is the result:
>          >      >
>          >      > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>          >      > OK
>          >      > SignedInfo References (ok/all): 2/2
>          >      > Manifests References (ok/all): 0/0
>          >      >
>          >      > The verification seems to have been successful (indicated by
>          >      > "OK"), but clearly an error was also reported.
>          >      >
>          >      > The signed document contains my entire certificate chain:
>          >      > Signer -> Intermediate CA -> Root CA.  The Root CA in the
>          >      > chain is the same as the trusted root pem I pass using the
>          >      > --trusted-pem option, so I would expect verification to
>          >      > succeed.
>          >      >
>          >      > Now, I can make the error message go away by extracting the
>          >      > Intermediate CA certificate from the signed document and
>          >      > passing it to XMLSEC using the --untrusted-pem option:
>          >      >
>          >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
>          >      > <my_node_namespace_uri>:<my_first_node_name>
>          >      > --id-attr:<my_ID_attribute_name>
>          >      > <my_node_namespace_uri>:<my_second_node_name>
>          >      > --trusted-pem <my_trusted_root_pem>
>          >      > --untrusted-pem <intermediate_CA_pem>
>          >      > <my_signed_document>
>          >      >
>          >      > I did not expect that I would have to explicitly pass a
>          >      > certificate from the chain to xmlsec and flag it as being
>          >      > untrusted.  Am I doing something wrong?  Surely xmlsec should
>          >      > assume that all X509 certificates in a chain are untrusted by
>          >      > default?  Have I missed the point somewhere?
>          >      >
>          >      > Many thanks in advance.
>          >      >
>          >      >
>          >      >
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
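Added example, not code from xmlsec or from anyone in this thread: a small Python diagnostic that lists each ds:X509Data group in a signed document and reports which issuer names that group cannot resolve from its own certificates plus the trusted roots you name, which is the condition behind the err=20 message above. It assumes the standard XML-DSig namespace and the `cryptography` package for DER parsing.

```python
# Added diagnostic for the symptom in this thread: xmlsec1 --verify prints
# "unable to get local issuer certificate" (err=20) for one ds:X509Data group
# while the signature still verifies through another group.  Per Aleksey's
# explanation each X509Data element is checked on its own, so a certificate
# in one group does not close the chain of another.  Assumptions (not from
# xmlsec): standard XML-DSig namespace; the 'cryptography' package for DER.
import base64
import sys
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"


def x509data_groups(xml_bytes):
    """Return one list of (subject, issuer) name pairs per ds:X509Data."""
    from cryptography import x509  # imported lazily; needed only for certs
    groups = []
    for data in ET.fromstring(xml_bytes).iter(DS + "X509Data"):
        pairs = []
        for node in data.findall(DS + "X509Certificate"):
            cert = x509.load_der_x509_certificate(base64.b64decode(node.text))
            pairs.append((cert.subject.rfc4514_string(),
                          cert.issuer.rfc4514_string()))
        groups.append(pairs)
    return groups


def chain_gaps(pairs, trusted_subjects):
    """Issuer names the group cannot resolve (OpenSSL's err=20 condition).

    An issuer resolves if it is the subject of another cert in the same group
    (usable as untrusted) or of a trusted root; self-signed entries need none.
    Each name returned is a cert to pass via --untrusted-pem or --trusted-pem.
    """
    available = {subj for subj, _ in pairs} | set(trusted_subjects)
    return sorted({iss for subj, iss in pairs
                   if iss != subj and iss not in available})


def report(xml_bytes, trusted_subjects):
    """Map X509Data index -> unresolved issuers; empty dict means all chain."""
    groups = x509data_groups(xml_bytes)
    gaps = [chain_gaps(p, trusted_subjects) for p in groups]
    return {i: g for i, g in enumerate(gaps) if g}


if __name__ == "__main__":
    # usage: python x509data_check.py signed.xml "CN=Root CA,O=Example"
    with open(sys.argv[1], "rb") as f:
        for idx, gaps in report(f.read(), sys.argv[2:]).items():
            print(f"X509Data #{idx}: missing issuer(s): {', '.join(gaps)}")
```

A group that reports the intermediate CA as missing is the one that would need `--untrusted-pem <intermediate_CA_pem>`, exactly the workaround Paul found.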