[xmlsec] Urgent help needed : Certificate verification failed

Aleksey Sanin aleksey at aleksey.com
Thu Jun 4 08:23:16 PDT 2009


Try to verify your certs chain using the openssl command line tool directly.

Aleksey

Ashish Agrawal wrote:
> Hi Aleksey,
> 
> My signature.xml file has two certificates; one is the end certificate 
> and the other is the intermediate CA.
> In the intermediate certificate the "CA" field is also true. Could this 
> be the root cause of the problem?
> 
> Attaching the intermediate CA pem file
> 
> Thanks for your help.
> 
> Regards,
> Ashish
> 
> 
> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>     This error means that xmlsec can't build the certs chain for some reason.
> 
>     Aleksey
> 
>     Ashish Agrawal wrote:
> 
>         Hi Aleksey,
> 
>         I have a problem where I have a root CA and two certificates in
>         the chain. When I try to verify the chain using openssl it works:
>         openssl verify -CAfile root.pem EE.pem
>         but when I try to verify using xmlsec it fails with the error:
>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>         library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE
>         demo;err=20;msg=unable to get local issuer certificate
>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
>         verification failed:err=20;msg=unable to get local issuer
>         certificate
>         func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
>         library function failed:
>         func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key
>         is not found:
>         func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>         library function failed:
>         func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>         library function failed:
>         Error: signature failed
>         ERROR
>         SignedInfo References (ok/all): 6/6
>         Manifests References (ok/all): 0/0
> 
> 
>         Does xmlsec impose any additional constraints on the certificate
>         validation, and if yes, what are they?
> 
>         Regards,
>         Ashish

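The check suggested in the reply above, as an added example that is not part of the original thread: it builds a constructed root, intermediate and end-entity chain and runs `openssl verify` with and without the intermediate. When the intermediate is not available, OpenSSL reports error 20, the same code that appears in the xmlsec log. All file names and subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: constructed three-level chain (root -> intermediate -> EE),
# checked with "openssl verify". All names and files are made up for the demo.

new_csr() {   # $1 = file stem, $2 = common name; writes $dir/$1.key and .csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
}

sign() {      # $1 = cert stem, $2 = extension file stem, rest = signer options
    stem=$1; ext=$2; shift 2
    openssl x509 -req -in "$dir/$stem.csr" -extfile "$dir/$ext.ext" -days 30 \
        "$@" -out "$dir/$stem.pem" 2>/dev/null
}

make_chain() {   # $1 = existing, writable working directory
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$dir/ee.ext"
    new_csr root "Constructed Root CA" &&
    new_csr int "Constructed Intermediate CA" &&
    new_csr ee "Constructed EE" &&
    sign root ca -signkey "$dir/root.key" &&
    sign int ca -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial &&
    sign ee ee -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial
}

verify_ee() {    # $1 = working directory, rest = extra "openssl verify" options
    dir=$1; shift
    # The exit status is not consistent across OpenSSL releases, so callers
    # read the text: "<file>: OK" on success, "error <n> at <depth>" on failure.
    openssl verify -CAfile "$dir/root.pem" "$@" "$dir/ee.pem" 2>&1
}

work=$(mktemp -d)
make_chain "$work" || echo "chain generation failed"
echo "== trusted root only (intermediate not supplied) =="
verify_ee "$work" || true
echo "== trusted root plus intermediate passed with -untrusted =="
verify_ee "$work" -untrusted "$work/int.pem" || true
rm -rf "$work"
```

The `-untrusted` file supplies candidate intermediates for chain building without making them trust anchors; only `root.pem` is trusted.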
