[xmlsec] Urgent help needed : Certificate verification failed
Ashish Agrawal
meetashish at gmail.com
Thu Jun 4 08:57:51 PDT 2009
I have tried with:
xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml (removing the intermediate CA cert from the signature file)
&
xmlsec1 --verify --trusted-pem root.pem signature.xml (keeping the intermediate CA cert and end certificate in the signature file)
Got the same result.
Regards,
Ashish
On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> What command line options do you use?
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> Sorry, I did not understand your reply completely.
>> You mean to check the subject field of the certificates:
>>
>> I see them as :
>>
>> End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>
>> Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>> Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>> So it seems like the chain is correct, but verification fails. The strange thing
>> is that it passes with openssl but not here.
>>
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> No, there are no ordering problems. You have the subject
>> of the certificate which is at the end of the chain. Try
>> to figure out "why?".
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Yes Aleksey,
>> I have already tried with the openssl utility:
>>
>> openssl verify -CAfile root.pem EE.pem
>> Here root.pem is the root CA pem file and EE.pem contains the
>> intermediate certificate and then the end certificate, and it
>> passes with no error.
>>
>> But xmlsec fails :(
>> Can there be any ordering issue? Shall I send my certs, will
>> that help in root causing?
>>
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> Try to verify your certs chain using openssl command line
>> tool directly.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> My signature.xml file has two certificates, one is the end
>> certificate and the other is the intermediate CA.
>> In the intermediate certificate the "CA" field is also true.
>> Could this be the root cause of the problem?
>>
>> Attaching the intermediate CA pem file.
>>
>> Thanks for your help.
>>
>> Regards,
>> Ashish
>>
>>
>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>> This error means that xmlsec can't build the certs chain
>> for some reason.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>> Hi Aleksey,
>>
>> I have a problem where I have a root CA and two
>> certificates in the chain. When I try to verify the chain using
>> openssl it works:
>> openssl verify -CAfile root.pem EE.pem
>> but when I try to verify using xmlsec it fails with
>> the error:
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>
>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> ERROR
>> SignedInfo References (ok/all): 6/6
>> Manifests References (ok/all): 0/0
>>
>>
>> Does xmlsec impose any additional constraints on the
>> certificate validation, and if yes, what are they?
>>
>> Regards,
>> Ashish
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20090604/5fbd0ad3/attachment-0001.htm