[xmlsec] Urgent help needed : Certificate verification failed

Ashish Agrawal meetashish at gmail.com
Thu Jun 4 08:27:31 PDT 2009


Yes Aleksey,
I have already tried with the openssl utility,

openssl verify -CAfile root.pem EE.pem

Here root.pem is the root CA PEM file and EE.pem contains the intermediate
certificate and then the end certificate, and it passes with no error.

But xmlsec fails :(
Can there be any ordering issue? Shall I send my certs? Will that help in
root-causing?

Regards,
Ashish

On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Try to verify your certs chain using openssl command line tool directly.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> Hi Aleksey,
>>
>> My signature.xml file has two certificates: one is the end certificate and
>> the other is the intermediate CA.
>> In the intermediate certificate the "CA" field is also true. Could this be
>> the root cause of the problem?
>>
>> Attaching the intermediate CA pem file
>>
>> Thanks for your help.
>>
>> Regards,
>> Ashish
>>
>>
>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>    This error means that xmlsec can't build the certs chain for some reason.
>>
>>    Aleksey
>>
>>    Ashish Agrawal wrote:
>>
>>        Hi Aleksey,
>>
>>        I have a problem where I have a root CA and two certificates in
>>        the chain. When I try to verify the chain using openssl it works:
>>        openssl verify -CAfile root.pem EE.pem
>>        but when I try to verify using xmlsec it fails with the error:
>>
>>        func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>        func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>        func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>        func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>        func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>        func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>        Error: signature failed
>>        ERROR
>>        SignedInfo References (ok/all): 6/6
>>        Manifests References (ok/all): 0/0
>>
>>
>>        Does xmlsec impose any additional constraints on the certificate
>>        validation, and if yes, what are they?
>>
>>        Regards,
>>        Ashish
>
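
Added example, not part of the original messages: `openssl verify` checks only the first certificate in each file it is given, so with an EE.pem that lists the intermediate first, the command from the thread validates the intermediate against the root and does not examine the end certificate. The sketch below splits the bundle and verifies the last certificate with the others passed via `-untrusted`; the helper names `split_bundle` and `verify_bundle` and the "end certificate last" ordering are assumptions taken from the thread's description.

```sh
#!/bin/sh
# Added example. File names root.pem / EE.pem follow the thread; the helper
# names are hypothetical.

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ... in file order.
# Prints the number of certificates found (0 for a file with none).
split_bundle() {
    sb_bundle=$1; sb_dir=$2
    mkdir -p "$sb_dir"
    awk -v dir="$sb_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$sb_bundle"
}

# Verify the LAST certificate in the bundle against the root, offering every
# earlier certificate as an untrusted intermediate for chain building.
# Assumption: the bundle is ordered intermediate(s) first, end certificate last.
verify_bundle() {
    vb_root=$1; vb_bundle=$2
    vb_tmp=$(mktemp -d) || return 1
    vb_count=$(split_bundle "$vb_bundle" "$vb_tmp")
    if [ "$vb_count" -lt 1 ]; then
        echo "no certificates found in $vb_bundle" >&2
        rm -rf "$vb_tmp"; return 2
    fi
    vb_leaf="$vb_tmp/cert-$vb_count.pem"
    vb_i=1
    while [ "$vb_i" -lt "$vb_count" ]; do
        cat "$vb_tmp/cert-$vb_i.pem" >> "$vb_tmp/untrusted.pem"
        vb_i=$((vb_i + 1))
    done
    # Show which subject is really being verified.
    openssl x509 -noout -subject -issuer -in "$vb_leaf"
    set -- -CAfile "$vb_root"
    if [ "$vb_count" -gt 1 ]; then
        set -- "$@" -untrusted "$vb_tmp/untrusted.pem"
    fi
    openssl verify "$@" "$vb_leaf"
    vb_rc=$?
    rm -rf "$vb_tmp"
    return "$vb_rc"
}

# Usage: verify_bundle root.pem EE.pem
```

If this fails with error 20 while the single-file `openssl verify` command succeeds, the intermediate in the bundle is not the issuer of the end certificate.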