[xmlsec] Urgent help needed : Certificate verification failed
Aleksey Sanin
aleksey at aleksey.com
Thu Jun 4 08:29:37 PDT 2009
No there is no ordering problems. You have the subject
of certificate which is at the end of the chain. Try
to figure out "why?".
Aleksey
Ashish Agrawal wrote:
> Yes Aleksey,
> I have already tried with the openssl utility,
>
> openssl verify -CAfile root.pem EE.pem
>
> here root.pem is the root ca pem file & EE,pem contains the intermediate
> certificate and then the end certificate. and it passess with no error.
>
> but xmlsec fails :(
> Can there be any ordering issue ? shall i send my certs, will that help
> in root causing ?
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> Try to verify your certs chain using openssl command line tool directly.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> My signature.xml file has two certificate, one is the end
> certificate and the other is the intermediate CA.
> In the intermediate certificate also the "CA" field is true
> .Could this be the root cause of the problem.
>
> Attaching the intermediate CA pem file
>
> Thanks for ur help.
>
> Regards,
> Ashish
>
>
> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>> wrote:
>
> This error means that xmlsec can't build certs chain for some
> reasons.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I ve a problem where i v a root CA and and two
> certificates in
> the chain, when i try to verify the chain using openssl
> it works :
> openssl verify -CAfile root.pem EE.pem
> but when i to to verify using xmlsec it fails with the
> error :
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE
> demo;err=20;msg=unable to get local issuer certificate
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer
> certificate
>
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key
> is not found:
>
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 6/6
> Manifests References (ok/all): 0/0
>
>
> Does xmlsec imposes ny additional constraint on the
> certificate
> validation and if yes what are they ?
>
> Regards,
> Ashish
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list