[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Tue Feb 19 07:49:09 PST 2008


The 5 certificates represent a whole certificate chain in order from signer
back to self-signed trusted root.  If I use the fifth certificate as a
trusted root (extract it to file, add the begin/end certificate tags, and
use the --trusted-pem option), then my understanding is that I should be
able to verify the signature and the entire certificate chain.  Surely there
should be no failure?  Am I missing something here?

Thanks again.

On Feb 19, 2008 3:26 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> You have multiple certificate (X509Data) elements. The error
> indicates that verification of one certificate has failed
> but the other succeeds and the signature is verified.
>
> Aleksey
>
> Paul Keeler wrote:
> > Looks like the body of my previous message was somehow scrubbed along
> > with the attachment.  Here it is again:
> >
> > On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com> wrote:
> >
> > > Ok, I guess it was a bit unreasonable to send you a link - my
> > > apologies!  Here's a concrete example.  See attached.
> > >
> > > Thanks for your patience.
> > >
> > > On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > >
> > > > I have no idea what "target kdm certificate" is :) Please, attach
> > > > a signed document to the email.
> > > >
> > > > Aleksey
> > > >
> > > > Paul Keeler wrote:
> > > > > Here is a link to an online generator of signed documents that will
> > > > > demonstrate the behaviour I described previously:
> > > > >
> > > > > http://www.cinecert.com/dci_ref_01/
> > > > >
> > > > > Is there perhaps something about these documents that means xmlsec is
> > > > > unable to populate a store of untrusted certificates?
> > > > >
> > > > > Many thanks for your help already.
> > > > >
> > > > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > > >
> > > > > > The error indicates that verification of one of the certificate
> > > > > > chains failed but xmlsec was able to extract the key either from
> > > > > > another certificate chain or from some other place. Hard to say
> > > > > > more w/o looking at the document.
> > > > > >
> > > > > > Aleksey
> > > > > >
> > > > > > Paul Keeler wrote:
> > > > > > > I would be grateful if someone could help me with this problem.  I have a
> > > > > > > signed document which reports that it verifies ok, but also gives an
> > > > > > > error message: "unable to get local issuer certificate".  The same thing
> > > > > > > happens both running from my own application and calling xmlsec from the
> > > > > > > command line:
> > > > > > >
> > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > > > --id-attr:<my_ID_attribute_name>
> > > > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > > > <my_trusted_root_pem>  <my_signed_document>
> > > > > > >
> > > > > > > This is the result:
> > > > > > >
> > > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > > OK
> > > > > > > SignedInfo References (ok/all): 2/2
> > > > > > > Manifests References (ok/all): 0/0
> > > > > > >
> > > > > > > The verification seems to have been successful (indicated by "OK"), but
> > > > > > > clearly an error was also reported.
> > > > > > >
> > > > > > > The signed document contains my entire certificate chain: Signer ->
> > > > > > > Intermediate CA -> Root CA.  The Root CA in the chain is the same as the
> > > > > > > trusted root pem I pass using the --trusted-pem option, so I would
> > > > > > > expect verification to succeed.
> > > > > > >
> > > > > > > Now, I can make the error message go away by extracting the Intermediate
> > > > > > > CA certificate from the signed document and passing it to XMLSEC using
> > > > > > > the --untrusted-pem option:
> > > > > > >
> > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > > > --id-attr:<my_ID_attribute_name>
> > > > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > > > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > > > > > > <my_signed_document>
> > > > > > >
> > > > > > > I did not expect that I would have to explicitly pass a certificate from
> > > > > > > the chain to xmlsec and flag it as being untrusted.  Am I doing
> > > > > > > something wrong?  Surely xmlsec should assume that all X509 certificates
> > > > > > > in a chain are untrusted by default?  Have I missed the point somewhere?
> > > > > > >
> > > > > > > Many thanks in advance.
> > > > > > >
> > > > > > > ------------------------------------------------------------------------
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > xmlsec mailing list
> > > > > > > xmlsec at aleksey.com
> > > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
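The err=20 in the xmlsec diagnostic quoted in this thread is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"): xmlsec's OpenSSL backend (x509vfy.c) hands chain building to OpenSSL, and OpenSSL can only walk from the signer's certificate to a trusted root if it has been told about every issuer in between. A certificate loaded as "trusted" is an anchor; one loaded as "untrusted" is chain material that may be used to reach an anchor but is never an anchor itself. The script below is an added example, not code from this thread or from the xmlsec project. It assumes the openssl command-line tool (1.1.1 or later) is installed, constructs its own throwaway Root -> Intermediate -> Leaf chain, and shows the same failure and fix with openssl verify: trusting only the root reproduces error 20, and passing the intermediate as untrusted chain material makes the chain verify, which is the distinction xmlsec1 draws between --trusted-pem and --untrusted-pem. Every name, subject and path in it is an assumption.

```shell
#!/bin/sh
# Added example; not code from the xmlsec thread or the xmlsec project.
# Builds a constructed three-tier chain (Root CA -> Intermediate CA -> Leaf)
# with the openssl CLI and reproduces OpenSSL verify error 20, "unable to get
# local issuer certificate". Given only the trusted root, the verifier cannot
# build a chain from the leaf because nothing tells it who issued the leaf.
# Supplying the intermediate as an *untrusted* certificate lets the chain be
# built without turning the intermediate into a trust anchor.
# All subjects, file names and the working directory are assumptions.

CHAIN_DIR="${CHAIN_DIR:-$(mktemp -d)}"

# Generate root, intermediate and leaf keys and certificates into $CHAIN_DIR.
make_chain() (
  set -e
  cd "$CHAIN_DIR"
  # Minimal req config so "openssl req" works even without a system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
  # Extension profiles: CAs may sign certificates, the leaf may only sign data.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

  for name in root int leaf; do
    openssl genrsa -out "$name.key" 2048 2>/dev/null
  done
  openssl req -new -config req.cnf -key root.key -subj '/CN=Example Root CA' -out root.csr
  openssl req -new -config req.cnf -key int.key  -subj '/CN=Example Intermediate CA' -out int.csr
  openssl req -new -config req.cnf -key leaf.key -subj '/CN=Example Signer' -out leaf.csr

  # Root: self-signed trust anchor.
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate: issued by the root.
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 -days 30 \
    -extfile ca.ext -out int.pem 2>/dev/null
  # Leaf (the signer): issued by the intermediate, not by the root.
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 -days 30 \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Verify the leaf against the trusted root. Optional $1 is a PEM file of
# untrusted certificates that may be used to build the chain (chain material,
# never anchors). Prints openssl's report; the exit status is openssl's.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$CHAIN_DIR/root.pem" -untrusted "$1" "$CHAIN_DIR/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$CHAIN_DIR/root.pem" "$CHAIN_DIR/leaf.pem" 2>&1
  fi
}

# One-word verdicts for scripting: OK when the chain reaches the root, else FAIL.
verdict_without_intermediate() {
  if verify_leaf >/dev/null; then echo OK; else echo FAIL; fi
}
verdict_with_intermediate() {
  if verify_leaf "$CHAIN_DIR/int.pem" >/dev/null; then echo OK; else echo FAIL; fi
}

make_chain
echo '== trusted root only: the issuer of the leaf is unknown, chain building stops at depth 0 =='
verify_leaf || true
echo '== trusted root, intermediate supplied as untrusted chain material =='
verify_leaf "$CHAIN_DIR/int.pem"
```

The first verify prints "error 20 at 0 depth lookup: unable to get local issuer certificate"; the second prints "leaf.pem: OK". Note that the intermediate is never trusted on its own in the second run: if you replaced -CAfile root.pem with an unrelated root, the run would fail again, because -untrusted only contributes links, not anchors. That is the behaviour to expect from xmlsec1's --untrusted-pem as well, and it is why a verifier that reports OK while logging a chain failure deserves a second look: the OK came from whichever key xmlsec did manage to validate, not from the certificate whose chain could not be built.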