[xmlsec] Signature Verification Problem Using X509 Certificates

Aleksey Sanin aleksey at aleksey.com
Wed Feb 20 17:52:01 PST 2008


Here is my new theory :) You've asked for it ;)

1) The error appears during certificate chain verification
and indicates that openssl cannot find or verify a certificate
in the chain. There is no easy way to suppress this error
because it might be a real problem (we don't know this at the
moment this error is generated).

2) For some reason, the certificates you have in the signature
allow one to construct more than one certificate chain. The first
one cannot be verified. But the second one can.

3) The certificate chains are constructed using certificate
issuers/subjects. If you have time and would like to nail it down,
extract the issuers/subjects from all certificates in the
signature and see if there are indeed two or more chains.

Aleksey

Paul Keeler wrote:
> All your ideas are more than welcome!  I tried your suggestion, but the 
> output is exactly the same.  Not sure where that leaves us?
> 
> Thanks again.
> 
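
The check suggested in point 3, as an added example that is not part of the original message or of xmlsec: it lists every chain that subject/issuer name matching allows, so two certificates sharing one subject name show up as two candidate chains. It assumes the names were printed with `openssl x509 -noout -subject -issuer` for each certificate in the signature; the sample names are constructed, and only names are compared, no signatures are verified.

```python
# Added example: name-only chain enumeration; no signatures are checked.
# SAMPLE is constructed, in the shape printed by
# `openssl x509 -noout -subject -issuer` run once per certificate.
SAMPLE = """\
subject=CN = signer.example
issuer=CN = Example Intermediate CA
subject=CN = Example Intermediate CA
issuer=CN = Example Old Root
subject=CN = Example Intermediate CA
issuer=CN = Example Root
subject=CN = Example Root
issuer=CN = Example Root
"""

def parse_names(text):
    """Return one (subject, issuer) pair per certificate."""
    certs, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("subject", "issuer"):
            current[key.strip()] = value.strip()
        if len(current) == 2:
            certs.append((current["subject"], current["issuer"]))
            current = {}
    return certs

def enumerate_chains(certs):
    """Return (subjects, ends_at_self_signed) for every path the names allow."""
    issuing = {iss for sub, iss in certs if sub != iss}
    chains = []

    def walk(path):
        subject, issuer = certs[path[-1]]
        parents = [i for i, (s, _) in enumerate(certs)
                   if s == issuer and i not in path]
        if subject == issuer or not parents:  # root reached, or issuer absent
            chains.append(([certs[i][0] for i in path], subject == issuer))
            return
        for parent in parents:
            walk(path + [parent])

    for i, (subject, _) in enumerate(certs):
        if subject not in issuing:  # a leaf: its name issues nothing else
            walk([i])
    return chains

if __name__ == "__main__":
    for subjects, complete in enumerate_chains(parse_names(SAMPLE)):
        print("complete  " if complete else "incomplete", " <- ".join(subjects))
```

A chain reported as incomplete ends at a certificate whose issuer is not among the supplied certificates, which is the kind of path that fails verification while another path from the same leaf succeeds.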



