[xmlsec] Urgent help needed : Certificate verification failed

Aleksey Sanin aleksey at aleksey.com
Thu Jun 4 09:24:47 PDT 2009


No specific order. Sorry, you will need to debug it to see what is
going on.

Aleksey

Ashish Agrawal wrote:
> I tried the same but got the same error:
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> 
> Is there any specific order in which certificates should be present in the
> signature file? Can there be a problem with the certificate fields?
> 
> 
> Regards,
> Ashish
> 
> On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>     Try
> 
>     xmlsec1 --verify \
>            --trusted-pem root.pem \
>            --trusted-pem int.pem  \
>            signature.xml
> 
>     Aleksey
> 
>     Ashish Agrawal wrote:
> 
>         I have tried with:
>         xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
>         (removing the intermediate CA cert from the signature file)
>         &
>         xmlsec1 --verify --trusted-pem root.pem signature.xml
>         (keeping the intermediate CA cert and end certificate in the signature file)
> 
>         Got the same result.
>         Regards,
>         Ashish
> 
>         On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>            What command line options do you use?
> 
>            Aleksey
> 
>            Ashish Agrawal wrote:
> 
>                Sorry, I did not understand your reply completely.
>                You mean to check the subject field for the certificates:
> 
>                I see them as:
> 
>                End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>                          Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
> 
>                Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>                                   Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
> 
>                Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>                           Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
> 
>                So it seems like the chain is correct, but verification fails.
>                The strange thing is it passes with openssl but not here.
> 
>                Regards,
>                Ashish
> 
>                On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>                   No, there are no ordering problems. You have the subject
>                   of the certificate which is at the end of the chain. Try
>                   to figure out "why?".
> 
>                   Aleksey
> 
>                   Ashish Agrawal wrote:
> 
>                       Yes Aleksey,
>                       I have already tried with the openssl utility:
> 
>                       openssl verify -CAfile root.pem EE.pem
>                       here root.pem is the root CA pem file & EE.pem contains the
>                       intermediate certificate and then the end certificate, and it
>                       passes with no error.
> 
>                       but xmlsec fails :(
>                       Can there be any ordering issue? Shall I send my certs, will
>                       that help in root causing?
> 
>                       Regards,
>                       Ashish
> 
>                       On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>                          Try to verify your certs chain using the openssl command line tool directly.
> 
>                          Aleksey
> 
>                          Ashish Agrawal wrote:
> 
>                              Hi Aleksey,
> 
>                              My signature.xml file has two certificates, one is the end
>                              certificate and the other is the intermediate CA.
>                              In the intermediate certificate also the "CA" field is true.
>                              Could this be the root cause of the problem?
> 
>                              Attaching the intermediate CA pem file.
> 
>                              Thanks for your help.
> 
>                              Regards,
>                              Ashish
> 
> 
>                              On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
>                                 This error means that xmlsec can't build the certs chain for some reason.
> 
>                                 Aleksey
> 
>                                 Ashish Agrawal wrote:
> 
>                                     Hi Aleksey,
> 
>                                     I have a problem where I have a root CA and two certificates in
>                                     the chain. When I try to verify the chain using openssl it works:
>                                     openssl verify -CAfile root.pem EE.pem
>                                     but when I try to verify using xmlsec it fails with the error:
> 
>                                     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>                                     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>                                     func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>                                     func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>                                     func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>                                     func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>                                     Error: signature failed
>                                     ERROR
>                                     SignedInfo References (ok/all): 6/6
>                                     Manifests References (ok/all): 0/0
> 
> 
>                                     Does xmlsec impose any additional constraint on the
>                                     certificate validation and if yes what are they?
> 
>                                     Regards,
>                                     Ashish
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
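As an added example (not from the thread), a constructed three-tier chain laid out like the thread's "JIL Root demo" / "JIL subCA demo" / "JIL EE demo" certificates shows the openssl side of the diagnosis: verifying the end-entity cert against the root alone reproduces error 20, "unable to get local issuer certificate", while supplying the intermediate either as an untrusted chain cert or as a second trusted CA (the equivalent of the two --trusted-pem options suggested above) lets the chain build. It assumes an openssl binary on PATH; xmlsec1 itself is not invoked, and all keys and certs are throwaway test material generated in a temp directory.

```shell
#!/bin/sh
# Added demo: build a constructed root -> subCA -> EE chain, then show which
# inputs make OpenSSL report error 20 ("unable to get local issuer certificate").
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext

SUBJ='/C=CN/ST=BJ/O=JIL/OU=JIL/CN='
# Root CA: self-signed, with an explicit CA:TRUE basic constraint
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "${SUBJ}JIL Root demo" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
# Intermediate CA, issued by the root (its "CA" field is true, as in the thread)
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "${SUBJ}JIL subCA demo" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -out int.pem -days 30 -extfile ca.ext 2>/dev/null
# End-entity cert, issued by the intermediate
openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr -subj "${SUBJ}JIL EE demo" 2>/dev/null
openssl x509 -req -in ee.csr -CA int.pem -CAkey int.key -CAcreateserial -out ee.pem -days 30 -extfile ee.ext 2>/dev/null
cat root.pem int.pem > trusted.pem   # both CAs trusted, like two --trusted-pem options

# chain_status TRUSTED [UNTRUSTED]: prints "ok", "missing-issuer" (error 20),
# or "other: <raw openssl output>" for anything else.
chain_status() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" ee.pem 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" ee.pem 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo ok ;;
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *) echo "other: $out" ;;
    esac
}

echo "root only, leaf alone:           $(chain_status root.pem)"          # missing-issuer
echo "root trusted + untrusted subCA:  $(chain_status root.pem int.pem)"  # ok
echo "root and subCA both trusted:     $(chain_status trusted.pem)"       # ok
```

The first case is the situation the thread's log describes: the verifier has the leaf and the root but nothing that links them, so chain building stops at depth 0.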

