[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Thu Feb 21 02:21:16 PST 2008


My understanding (which may be flawed!) is that the following output
represents a single unique chain:

Certificate 1:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=SM.www.cinecert.com/dnQualifier=u87hIANjv9IBkbCXs7JwC6tbEdw=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=

Certificate 2:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=

Certificate 3:
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=
issuer= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=

Certificate 4:
subject= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=

Certificate 5:
subject= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=

Thanks once again though!


On Thu, Feb 21, 2008 at 1:52 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Here is my new theory :) You've asked for it ;)
>
> 1) The error appears during certificate chain verification
> and indicates that openssl can not find or verify certificate
> in the chain. There is no easy way to suppress this error
> because it might be a real problem (we don't know this at the
> moment this error is generated).
>
> 2) For some reason, the certificates you have in the signature
> allow one to construct more than one certificate chain. The first
> one can not be verified. But the second one can.
>
> 3) The certificate chains are constructed using certificate
> issuers/subjects. If you have time and would like to nail it down,
> extract the issuers/subjects from all certificates in the
> signature and see if there are indeed two or more chains.
>
> Aleksey
>
> Paul Keeler wrote:
> > All your ideas are more than welcome!  I tried your suggestion, but the
> > output is exactly the same.  Not sure where that leaves us?
> >
> > Thanks again.
> >
>
>
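The following script is an added worked example, not code from this thread and not part of xmlsec or OpenSSL. It performs the check Aleksey describes in step 3: it parses `subject=` / `issuer=` lines of the kind Paul posted, links each certificate to the certificate whose subject DN equals its issuer DN, and lists every chain it can build from a leaf up to a self-signed root. The first data set is the five DNs from Paul's message; the second is a constructed set (the `/O=Example/CN=...` names are invented) in which one intermediate subject appears twice with different issuers, which is exactly the situation Aleksey's theory describes: two candidate chains, only one of which reaches a root.

```python
"""Reconstruct candidate X.509 chains from 'openssl x509 -noout -subject -issuer'
style output by matching issuer DNs against subject DNs (name chaining only)."""
from collections import defaultdict

# The five subject/issuer pairs from Paul's message, each re-joined onto one line.
POSTED_OUTPUT = """\
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=SM.www.cinecert.com/dnQualifier=u87hIANjv9IBkbCXs7JwC6tbEdw=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.cc-admin/dnQualifier=CgJP/z2e2mDKEbz8IcZc4gUXyys=
issuer= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=
subject= /O=.ca.cinecert.com/OU=.ra-1a.s430-2.ca.cinecert.com/CN=.ra-1b/dnQualifier=0CL7D3jfSPtjPGdXcoJVAHUapuE=
issuer= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=
subject= /O=.ca.cinecert.com/OU=.s430-2.ca.cinecert.com/CN=.ra-1a/dnQualifier=4vFfwIubz4csdEQ4JnkPDa8m9PQ=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=
subject= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=
issuer= /O=.ca.cinecert.com/OU=.ca.cinecert.com/CN=.s430-2/dnQualifier=8O8W8oYHlf97Y8n0kdAgMU7/jUU=
"""

# Constructed (invented) data: the intermediate was issued twice, once by a root
# that is not in the set and once by a root that is. Two chains, one dead end.
AMBIGUOUS_OUTPUT = """\
subject= /O=Example/CN=leaf
issuer= /O=Example/CN=intermediate
subject= /O=Example/CN=intermediate
issuer= /O=Example/CN=old-root
subject= /O=Example/CN=intermediate
issuer= /O=Example/CN=new-root
subject= /O=Example/CN=new-root
issuer= /O=Example/CN=new-root
"""


def parse_openssl_output(text):
    """Pair each 'subject=' line with the 'issuer=' line that follows it."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            if subject is None:
                raise ValueError("issuer line without a preceding subject line")
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs


def build_chains(certs):
    """Return every issuer path from each leaf. A path ends at a self-signed
    certificate (a root) or at an issuer DN no certificate in the set carries,
    which is recorded as a '<missing: ...>' marker."""
    by_subject = defaultdict(list)          # subject DN -> issuer DNs seen for it
    for subject, issuer in certs:
        by_subject[subject].append(issuer)
    issuers = {issuer for _, issuer in certs}
    leaves = [s for s, _ in certs if s not in issuers]   # nobody chains to a leaf
    chains = []

    def walk(subject, path):
        if subject not in by_subject:
            chains.append(path + ["<missing: %s>" % subject])
            return
        for issuer in by_subject[subject]:  # >1 issuer for one subject -> >1 chain
            if issuer == subject:           # self-signed: the chain ends at a root
                chains.append(path + [subject])
            elif issuer in path:            # loop guard; should not occur in sane data
                chains.append(path + [subject, "<loop>"])
            else:
                walk(issuer, path + [subject])

    for leaf in leaves:
        walk(leaf, [])
    return chains


def cn(dn):
    """Short label for printing. Splitting on '/' is only safe for display here,
    since a dnQualifier value in the posted DNs itself contains a '/'."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return dn


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("constructed", AMBIGUOUS_OUTPUT)):
        chains = build_chains(parse_openssl_output(text))
        print("%s: %d chain(s)" % (label, len(chains)))
        for chain in chains:
            print("  " + " -> ".join(cn(dn) for dn in chain))
```

Run against the posted DNs it finds exactly one chain of five certificates (SM.www.cinecert.com -> .cc-admin -> .ra-1b -> .ra-1a -> .s430-2, self-signed), which agrees with Paul's reading that there is a single unique chain. Name chaining is only how candidate chains are discovered: OpenSSL still has to verify each signature, validity period and the fact that the terminating root is among the trusted certificates handed to xmlsec, so a unique chain by name can still fail verification for one of those reasons. The parser assumes OpenSSL's default one-line `subject= /O=...` format; output produced with a different `-nameopt` would need the prefixes adjusted.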

