[xmlsec] Urgent help needed : Certificate verification failed

Ashish Agrawal meetashish at gmail.com
Thu Jun 4 09:18:33 PDT 2009


I tried the same but got the same error:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

Is there any specific order in which certificates should be present in the
signature file? Can there be a problem with the certificate fields?


Regards,
Ashish

On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Try
>
> xmlsec1 --verify \
>        --trusted-pem root.pem \
>        --trusted-pem int.pem  \
>        signature.xml
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> I have tried with:
>> xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem
>> signature.xml  (removing the intermediate CA cert from the signature file)
>> &
>> xmlsec1 --verify --trusted-pem root.pem signature.xml (keeping the
>> intermediate CA cert and end certificate in the signature file)
>>
>> Got the same result.
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>    What command line options do you use?
>>
>>    Aleksey
>>
>>    Ashish Agrawal wrote:
>>
>>        Sorry, I did not understand your reply completely.
>>        You mean to check the subject field for the certificates:
>>
>>        I see them as:
>>
>>        End Cert:          Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>                           Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>
>>        Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>                           Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>>        Root Cert:         Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>                           Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>>        So it seems like the chain is correct, but verification
>>        fails. The strange thing is it passes with openssl but not here.
>>
>>        Regards,
>>        Ashish
>>
>>        On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>           No, there are no ordering problems. You have the subject
>>           of the certificate which is at the end of the chain. Try
>>           to figure out "why?".
>>
>>           Aleksey
>>
>>           Ashish Agrawal wrote:
>>
>>               Yes Aleksey,
>>               I have already tried with the openssl utility,
>>
>>               openssl verify -CAfile root.pem EE.pem
>>               here root.pem is the root CA pem file & EE.pem contains the
>>               intermediate certificate and then the end certificate, and it
>>               passes with no error.
>>
>>               but xmlsec fails :(
>>               Can there be any ordering issue? Shall I send my certs, will
>>               that help in root causing?
>>
>>               Regards,
>>               Ashish
>>
>>               On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                  Try to verify your certs chain using the openssl command line
>>                  tool directly.
>>
>>                  Aleksey
>>
>>                  Ashish Agrawal wrote:
>>
>>                      Hi Aleksey,
>>
>>                      My signature.xml file has two certificates, one is the end
>>                      certificate and the other is the intermediate CA.
>>                      In the intermediate certificate also the "CA" field is true.
>>                      Could this be the root cause of the problem?
>>
>>                      Attaching the intermediate CA pem file
>>
>>                      Thanks for your help.
>>
>>                      Regards,
>>                      Ashish
>>
>>
>>                      On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                         This error means that xmlsec can't build the certs
>>                         chain for some reason.
>>
>>                         Aleksey
>>
>>                         Ashish Agrawal wrote:
>>
>>                             Hi Aleksey,
>>
>>                             I have a problem where I have a root CA and two
>>                             certificates in the chain; when I try to verify the
>>                             chain using openssl it works:
>>                             openssl verify -CAfile root.pem EE.pem
>>                             but when I try to verify using xmlsec it fails with
>>                             the error:
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>> Error: signature failed
>> ERROR
>> SignedInfo References (ok/all): 6/6
>> Manifests References (ok/all): 0/0
>>
>>
>>                             Does xmlsec impose any additional constraint on the
>>                             certificate validation and if yes what are they?
>>
>>                             Regards,
>>                             Ashish
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>
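Added example, not part of this thread and not xmlsec's own code: a POSIX shell script that builds a constructed root / intermediate / end-entity chain with the openssl command line and verifies it three ways. xmlsec's OpenSSL backend reports X509_verify_cert's own result (the err=20 "unable to get local issuer certificate" seen in the log above), so the openssl CLI reproduces that failure directly. The script shows the correct split of trusted anchor versus untrusted intermediate (the same split as xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem), reproduces the err=20 message when the intermediate is left out, and shows one reason an openssl check like "openssl verify -CAfile root.pem EE.pem" can print OK for a file holding the intermediate followed by the end certificate: openssl verify checks only the first certificate in each file it is given, so the end certificate is never examined. It assumes the openssl CLI (1.1 or later) is on PATH; the names Demo Root, Demo subCA and Demo EE, the file names, and DEMO_DIR are made up for this example.

```sh
#!/bin/sh
# Added example (not from the xmlsec list thread or project). Constructed
# three-tier chain: Demo Root -> Demo subCA -> Demo EE. Assumes openssl 1.1+
# on PATH. All names and paths are invented for the demo.

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"

make_demo_chain() {
    d="$DEMO_DIR"
    # Extension files: an intermediate must itself be CA:TRUE (so a subCA with
    # the "CA" field set, as in the thread, is correct); the end cert is not a CA.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/ee.ext"

    # Root CA: CSR, then self-signed with only the CA extensions above.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/root.key" -out "$d/root.csr" -subj "/O=Demo/CN=Demo Root" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1

    # Intermediate CA, issued by the root.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/O=Demo/CN=Demo subCA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1 || return 1

    # End-entity (signing) certificate, issued by the intermediate.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/ee.key" -out "$d/ee.csr" -subj "/O=Demo/CN=Demo EE" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/ee.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/ee.ext" -out "$d/ee.pem" >/dev/null 2>&1 || return 1

    # Bundle in the order the thread describes: intermediate first, then EE.
    cat "$d/int.pem" "$d/ee.pem" > "$d/bundle.pem"
}

# Correct verification: only the root is a trust anchor, the intermediate is
# untrusted chain material, ee.pem is the certificate under test. Prints ok/fail.
verify_with_intermediate() {
    if openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$DEMO_DIR/int.pem" \
            "$DEMO_DIR/ee.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same check with the intermediate left out: chain building stops right after
# the EE cert, and OpenSSL reports the reason string that xmlsec logged.
# Prints that reason, or "no-error" if verification unexpectedly succeeded.
missing_issuer_reason() {
    out=$(openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/ee.pem" 2>&1) && { echo no-error; return; }
    echo "$out" | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Pitfall: `openssl verify` validates only the FIRST certificate in a file.
# With the intermediate first, this checks the subCA against the root and
# prints OK without ever looking at the end-entity certificate.
verify_bundle_first_cert_only() {
    if openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/bundle.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Which certificate did that bundle check actually look at? `x509 -in` also
# reads only the first PEM block, so its subject CN is the one that was verified.
bundle_first_subject_cn() {
    openssl x509 -in "$DEMO_DIR/bundle.pem" -noout -subject | sed 's/.*CN *= *//'
}

make_demo_chain || { echo "could not build the demo chain with openssl" >&2; exit 1; }
echo "root trusted, int.pem as -untrusted, checking ee.pem: $(verify_with_intermediate)"
echo "root only, checking ee.pem:                           $(missing_issuer_reason)"
echo "root only, checking bundle.pem (int first):           $(verify_bundle_first_cert_only)" \
     "(certificate actually checked: CN=$(bundle_first_subject_cn))"
```

Run it as "sh verify_chain_demo.sh"; set DEMO_DIR to keep the generated files somewhere other than a fresh temporary directory. The design point is the first function: a verifier (openssl verify or xmlsec1) needs the root as a trust anchor and the intermediate as untrusted chain material, and the certificate it reports on is the leaf, which is why a passing check should be read together with which certificate was actually examined.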