[xmlsec] Urgent help needed : Certificate verification failed

Aleksey Sanin aleksey at aleksey.com
Thu Jun 4 08:55:15 PDT 2009


What command line options do you use?

Aleksey

Ashish Agrawal wrote:
> Sorry, I did not understand your reply completely.
> You mean to check the subject field for the certificates:
> 
> I see them as:
> 
> End Cert:          Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
> 
> Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
> 
> Root Cert:         Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
> 
> So it seems like the chain is correct, but verification fails. The strange
> thing is it passes with openssl but not here.
> 
> Regards,
> Ashish
> 
> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>     No, there are no ordering problems. You have the subject
>     of the certificate which is at the end of the chain. Try
>     to figure out "why?".
> 
>     Aleksey
> 
>     Ashish Agrawal wrote:
> 
>         Yes Aleksey,
>         I have already tried with the openssl utility:
> 
>         openssl verify -CAfile root.pem EE.pem
> 
>         Here root.pem is the root CA pem file and EE.pem contains the
>         intermediate certificate and then the end certificate, and it
>         passes with no error.
> 
>         But xmlsec fails :(
>         Can there be any ordering issue? Shall I send my certs? Will
>         that help in root-causing?
> 
>         Regards,
>         Ashish
> 
>         On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>            Try to verify your certs chain using the openssl command line
>            tool directly.
> 
>            Aleksey
> 
>            Ashish Agrawal wrote:
> 
>                Hi Aleksey,
> 
>                My signature.xml file has two certificates: one is the end
>                certificate and the other is the intermediate CA.
>                In the intermediate certificate the "CA" field is also true.
>                Could this be the root cause of the problem?
> 
>                Attaching the intermediate CA pem file.
> 
>                Thanks for your help.
> 
>                Regards,
>                Ashish
> 
> 
>                On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>                   This error means that xmlsec can't build the certs chain
>                   for some reason.
> 
>                   Aleksey
> 
>                   Ashish Agrawal wrote:
> 
>                       Hi Aleksey,
> 
>                       I have a problem where I have a root CA and two
>                       certificates in the chain. When I try to verify the
>                       chain using openssl it works:
> 
>                       openssl verify -CAfile root.pem EE.pem
> 
>                       But when I try to verify using xmlsec it fails with the
>                       error:
> 
>                       func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>                       func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>                       func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>                       func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>                       func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>                       func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>                       Error: signature failed
>                       ERROR
>                       SignedInfo References (ok/all): 6/6
>                       Manifests References (ok/all): 0/0
> 
> 
>                       Does xmlsec impose any additional constraints on the
>                       certificate validation, and if yes, what are they?
> 
>                       Regards,
>                       Ashish
> 
> 
>                       ------------------------------------------------------------------------
> 
>                       _______________________________________________
>                       xmlsec mailing list
>                       xmlsec at aleksey.com
>                       http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> 
> 
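The failure discussed in this thread ("unable to get local issuer certificate", err=20) is what OpenSSL's X509_verify_cert reports when the store cannot walk from the end-entity certificate up to a trusted anchor. The following is an added illustration, not code from the thread or from xmlsec: it models chain building over subject/issuer names only (no signatures, validity dates or CA flags are checked), using the DNs quoted above as constructed input, and shows which input makes the walk stop at the end-entity cert with that exact error.

```python
"""Chain building over subject/issuer names, as a model of what xmlsec's
X509 store (via OpenSSL's X509_verify_cert) must do before it will hand
out the signing key.  Constructed example; names only, no crypto."""
from dataclasses import dataclass

# OpenSSL X509 verify error codes referenced below (err=20 is the one
# quoted in the thread).
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
_MESSAGES = {
    0: "ok",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def self_signed(self) -> bool:
        return self.subject == self.issuer

# Constructed from the subject/issuer lines posted in the thread.
EE = Cert("C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo",
          "C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo")
SUBCA = Cert("C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo",
             "C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo")
ROOT = Cert("C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo",
            "C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo")

def describe(err: int) -> str:
    return _MESSAGES.get(err, "unknown error")

def build_chain(leaf, untrusted, trusted):
    """Walk from the leaf towards a trusted cert.  Returns (chain, err):
    err is 0 on success, otherwise the OpenSSL code for the cert at the
    end of the partial chain (the 'subj=' in xmlsec's error line)."""
    chain, seen = [leaf], {leaf.subject}
    while True:
        cur = chain[-1]
        if cur in trusted:              # reached an anchor we trust
            return chain, 0
        if cur.self_signed():           # top of chain, but nobody trusts it
            return chain, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
        # Look for the issuer among trusted certs first, then among the
        # untrusted ones shipped alongside the signature (KeyInfo).
        pool = list(trusted) + list(untrusted)
        issuer = next((c for c in pool if c.subject == cur.issuer), None)
        if issuer is None or issuer.subject in seen:
            return chain, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        seen.add(issuer.subject)
        chain.append(issuer)
```

With the intermediate absent from the untrusted pool the walk ends at the end-entity cert with err=20, which is the shape of the first x509vfy.c line in the thread.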

