[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Sun Feb 24 04:02:22 PST 2008


Ok, understood.  What you are saying is also consistent with my observation
that adding the certificates to the untrusted store silences the errors.
I'll look into attaching my own error handler when I call the C API (I
assume there's an example somewhere - I've not looked yet).

However, I'm still intrigued as to why the xmlsec certificate chain tests in
tests/aleksey-xmldsig-01 don't show similar behaviour.  Roumen, I suspect
you understand more than I do about this based on what you said in your
previous message regarding
tests/aleksey-xmldsig-01/enveloping-rsa-x509chain.  I'm guessing that it's
the pathlen constraint that is significant here, but I need to learn more
about that in order to comment further.  I tried the obvious and changed the
order of the certificates in enveloping-rsa-x509chain in the hope that the
signer certificate would be found first and so cause the error to be
reported, but that didn't happen.  As I understand it, the standards allow
any certificate ordering so I guess that's a good thing.  But it does mean
that there's still something else going on that is currently beyond me!  Any
further thoughts?

Thanks again to you both for your efforts.

On Sat, Feb 23, 2008 at 9:16 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> I got to the bottom of it. Here is what is happening:
> - xmlsec reads the first x509data node and immediately tries to
>   verify and extract the key, there is no full chain yet so
>   we fail with the error;
> - xmlsec goes to the next node, immediately tries to
>   verify and extract the key, there is no full chain yet so
>   we fail with the error;
> - repeat the previous step several times;
> - finally we got to the 4th certificate that can be verified
>
> The bottom line is that the error is harmless. If you are using
> the xmlsec via C API, then you can install your own error handler
> callbacks, accumulate all the errors/warnings and then print
> them at the very end *if and only if* signature verification fails.
> Otherwise, just ignore all the errors.
>
> If you use command line tool, then you can do a similar trick
> with redirecting stderr to a temp file and checking the xmlsec
> command line tool return code.
>
> Best,
> Aleksey
>
> Aleksey Sanin wrote:
> > Mostly likely you need to debug openssl :) I'll try to take a look at
> > it over weekend but no promises....
> >
> > Aleksey
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080224/8dbbc244/attachment-0002.htm


More information about the xmlsec mailing list