[xmlsec] Signature Verification Problem Using X509 Certificates
Paul Keeler
keelerp at googlemail.com
Wed Feb 20 11:38:11 PST 2008
Thanks for that. Here are a couple of observations:
1. If I add the root certificate to the openssl installation's own store in
addition to using --trusted-pem on the command line I still get the error.
(I've checked that the certificate is installed correctly by using it with
"openssl verify ...")
2. Without adding the certificate to the openssl installation, the error can
be avoided using the --untrusted-pem option on the command line to identify
all of the appropriate intermediate certificates. From what you have said I
would still expect the openssl verification route to result in failure.
So, something still doesn't really make sense. However, as you say,
ultimately verification has been successful so perhaps there is no
significant problem. In that case, is there a way to suppress these types
of error? I am worried that users of my application may be worried by these
errors being printed to the console.
Many thanks again for your thoughts.
On Feb 19, 2008 8:03 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> There is no failure. This error just indicates that one of the
> attempts to verify the certificates chain failed. xmlsec-openssl
> performs certification against different sets of trusted certs:
> 1) ones from the openssl installation
> 2) ones you specify in the command line
>
> One of the attempts failed. That's it. You can safely ignore this error.
>
> Aleksey
>
> Paul Keeler wrote:
> > The 5 certificates represent a whole certificate chain in order from
> > signer back to self-signed trusted root. If I use the fifth certificate
> > as a trusted root (extract it to file, add the begin/end certificate
> > tags, and use the --trusted-pem option), then my understanding is that I
> > should be able to verify the signature and the entire certificate
> > chain. Surely there should be no failure? Am I missing something here?
> >
> > Thanks again.
> >
> > On Feb 19, 2008 3:26 PM, Aleksey Sanin <aleksey at aleksey.com
> > <mailto:aleksey at aleksey.com>> wrote:
> >
> > You have multiple certificates (X509Data) element. The error
> > indicates that verification of one certificate have failed
> > but the other succeeds and the signature is verified.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > Looks like the body of my previous message was somehow scrubbed
> along
> > > with the attachment. Here it is again:
> > >
> > > On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com
> > <mailto:keelerp at googlemail.com>
> > > <mailto:keelerp at googlemail.com <mailto:keelerp at googlemail.com>>>
> > wrote:
> > >
> > > Ok, I guess it was a bit unreasonable to send you a link - my
> > > apologies! Here's a concrete example. See attached.
> > >
> > > Thanks for your patience.
> > >
> > >
> > > On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com
> > <mailto:aleksey at aleksey.com>
> > > <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> wrote:
> > >
> > > I have no idea what "target kdm certificate" is :)
> > Please, attach
> > > a signed document to the email.
> > >
> > > Aleksey
> > >
> > > Paul Keeler wrote:
> > > > Here is a link to an online generator of signed
> documents
> > > that will
> > > > demonstrate the behaviour I described previously:
> > > >
> > > > http://www.cinecert.com/dci_ref_01/
> > > >
> > > > Is there perhaps something about these documents that
> > means
> > > xmlsec is
> > > > unable to populate a store of untrusted certificates?
> > > >
> > > > Many thanks for your help already.
> > > >
> > > >
> > > > On Feb 14, 2008 5:29 PM, Aleksey Sanin
> > <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> > > <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> > > > <mailto:aleksey at aleksey.com
> > <mailto:aleksey at aleksey.com> <mailto:aleksey at aleksey.com
> > <mailto:aleksey at aleksey.com>>>> wrote:
> > > >
> > > > The error indicates that verification of one of
> the
> > > certificate
> > > > chains failed but xmlsec was able to extract the
> key
> > > either from
> > > > another certificate chain or from some other
> > place. Hard
> > > to say
> > > > more w/o looking at the document.
> > > >
> > > > Aleksey
> > > >
> > > >
> > > >
> > > > Paul Keeler wrote:
> > > > > I would be grateful if somone could help me
> > with this
> > > problem. I
> > > > have a
> > > > > signed document which reports that it verifies
> > ok, but
> > > also gives an
> > > > > error message: "unable to get local issuer
> > > certificate". The
> > > > same thing
> > > > > happens both running from my own application
> and
> > > calling xmlsec
> > > > from the
> > > > > command line:
> > > > >
> > > > > xmlsec1 --verify
> --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_second_node_name>
> > > --trusted-pem
> > > > > <my_trusted_root_pem> <my_signed_document>
> > > > >
> > > > > This is the result:
> > > > >
> > > > >
> > > >
> > >
> > func=xmlSecOpenSSLX509StoreVerify:file=
> x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate
> > > > > verification failed:err=20;msg=unable to get
> local
> > > issuer certificate
> > > > > OK
> > > > > SignedInfo References (ok/all): 2/2
> > > > > Manifests References (ok/all): 0/0
> > > > >
> > > > > The verification seems to have been successful
> > > (indicated by
> > > > "OK"), but
> > > > > clearly an error was also reported.
> > > > >
> > > > > The signed document contains my entire
> certificate
> > > chain: Signer ->
> > > > > Intermediate CA -> Root CA. The Root CA in the
> > chain
> > > is the same
> > > > as the
> > > > > trusted root pem I pass using the --trusted-pem
> > > option, so I would
> > > > > expect verification to succeed.
> > > > >
> > > > > Now, I can make the error message go away by
> > > extracting the
> > > > Intermediate
> > > > > CA certificate from the signed document and
> > passing it
> > > to XMLSEC
> > > > using
> > > > > the --untrusted-pem option:
> > > > >
> > > > > xmlsec1 --verify
> --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_second_node_name>
> > > --trusted-pem
> > > > > <my_trusted_root_pem> --untrusted-pem
> > > <intermediate_CA_pem>
> > > > > <my_signed_document>
> > > > >
> > > > > I did not expect that I would have to
> > explicitly pass a
> > > > certificate from
> > > > > the chain to xmlsec and flag it as being
> untrusted.
> > > Am I doing
> > > > > something wrong? Surely xmlsec should assume
> > that all
> > > X509
> > > > certificates
> > > > > in a chain are untrusted by default? Have I
> missed
> > > the point
> > > > somewhere?
> > > > >
> > > > > Many thanks in advance.
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------
> > > > >
> > > > > _______________________________________________
> > > > > xmlsec mailing list
> > > > > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> > > <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > >
> > > >
> > > >
> > > >
> > >
> >
> ------------------------------------------------------------------------
> > > >
> > > > _______________________________________________
> > > > xmlsec mailing list
> > > > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > >
> > >
> > >
> > >
> > >
> >
> ------------------------------------------------------------------------
> > >
> > > _______________________________________________
> > > xmlsec mailing list
> > > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> > > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080220/ec30a5b7/attachment-0002.htm
More information about the xmlsec
mailing list