[xmlsec] Urgent help needed : Certificate verification failed
Aleksey Sanin
aleksey at aleksey.com
Thu Jun 4 10:14:18 PDT 2009
There are checks for expired certs, etc. Same as openssl.
Aleksey
Ashish Agrawal wrote:
> Hi Aleksey,
>
> I have a doubt: since this chain was successfully verified by openssl,
> did we put additional checks in xmlsec which might fail the validation
> in terms of the certificate constraints?
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 10:01 PM, Ashish Agrawal <meetashish at gmail.com> wrote:
>
> Yes, I am trying to debug simultaneously. Hopefully I will get some
> luck.
>
> I am attaching the certificate chain for your reference; can you please
> take a look and see if you can find something suspicious.
>
> Your help is deeply appreciated.
>
> Regards,
> Ashish
>
>
>
>
> On Thu, Jun 4, 2009 at 9:54 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> No specific order. Sorry, you will need to debug it to see what is
> going on.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> I tried the same but got the same error:
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>
> Is there any specific order in which certificates should be
> present in the signature file? Can there be a problem with
> the certificate fields?
>
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Try
>
> xmlsec1 --verify \
> --trusted-pem root.pem \
> --trusted-pem int.pem \
> signature.xml
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> I have tried with:
> xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
> (removing the intermediate CA cert from the signature file)
> &
> xmlsec1 --verify --trusted-pem root.pem signature.xml
> (keeping the intermediate CA cert and end certificate in the signature file)
>
> Got same result..
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> What command line options do you use?
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Sorry, I did not understand your reply completely. You mean to check the
> subject field for the certificates:
>
> I see them as:
>
> End Cert:          Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>
> Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>
> Root Cert:         Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>
> So it seems like the chain is correct, but verification fails. The
> strange thing is it passes with openssl but not here.
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> No, there are no ordering problems. You have the subject of the
> certificate which is at the end of the chain. Try to figure out "why?".
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Yes Aleksey,
> I have already tried with the openssl utility:
>
> openssl verify -CAfile root.pem EE.pem
>
> Here root.pem is the root CA pem file & EE.pem contains the intermediate
> certificate and then the end certificate, and it passes with no error.
>
> but xmlsec fails :(
> Can there be any ordering issue? Shall I send my certs, will that help
> in root-causing?
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> Try to verify your cert chain using the openssl command line tool
> directly.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> My signature.xml file has two certificates, one is the end certificate
> and the other is the intermediate CA. In the intermediate certificate
> also the "CA" field is true. Could this be the root cause of the problem?
>
> Attaching the intermediate CA pem file.
>
> Thanks for your help.
>
> Regards,
> Ashish
>
>
> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> This error means that xmlsec can't build the certs chain for some
> reason.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I have a problem where I have a root CA and two certificates in the
> chain. When I try to verify the chain using openssl it works:
>
> openssl verify -CAfile root.pem EE.pem
>
> but when I try to verify using xmlsec it fails with the error:
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 6/6
> Manifests References (ok/all): 0/0
>
>
> Does xmlsec impose any additional constraints on the certificate
> validation, and if yes, what are they?
>
> Regards,
> Ashish
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
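The chain-building failure discussed in this thread, as an added example that is not part of the original messages and is not xmlsec's or OpenSSL's own code: the script below builds a throwaway root -> subCA -> EE hierarchy using the thread's subject names (the keys, extensions, file names and validity periods are all constructed here and are assumptions of the example), reproduces X509 error 20 ("unable to get local issuer certificate") by handing the verifier only the root, and shows the fix of supplying the intermediate as untrusted chain material, which is what the thread's own `--untrusted-pem int.pem` does for xmlsec1. It also demonstrates a caveat worth knowing whenever openssl and xmlsec disagree: `openssl verify` examines only the first certificate of each positional file, so a file holding the intermediate followed by the end-entity certificate "passes" without the end-entity certificate ever being checked. Finally it prints the subject/issuer names next to the Subject and Authority Key Identifiers, since matching names with a key-identifier mismatch is a common reason chain building fails even when the names line up.

```shell
#!/bin/sh
# Added example, not code from the thread, from xmlsec or from OpenSSL.
# Rebuilds a root -> subCA -> EE hierarchy with the thread's subject names,
# reproduces X509 error 20 and shows the verifier invocations that fix it.
# Key sizes, validity, file names and extension sets are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed demo PKI (2048-bit RSA, one-year validity). No material from
# the thread is used.
make_chain() {
    # Self-signed root, CA:TRUE, with a Subject Key Identifier so that the
    # intermediate's Authority Key Identifier can point at it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL Root demo" 2>/dev/null
    openssl x509 -req -days 365 -in root.csr -signkey root.key \
        -extfile root.ext -out root.pem 2>/dev/null

    # Intermediate CA signed by the root. CA:TRUE is required for chaining.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > int.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL subCA demo" 2>/dev/null
    openssl x509 -req -days 365 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile int.ext -out int.pem 2>/dev/null

    # End-entity (signing) certificate issued by the intermediate.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ee.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
        -subj "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo" 2>/dev/null
    openssl x509 -req -days 365 -in ee.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -extfile ee.ext -out ee.pem 2>/dev/null
}

# Root trusted but intermediate absent: chain building stops at the EE cert.
# Returns 0 when openssl fails with exactly the error the thread shows.
verify_root_only() {
    out=$(openssl verify -CAfile root.pem ee.pem 2>&1) && return 1
    printf '%s\n' "$out" | grep -q 'unable to get local issuer certificate'
}

# Root trusted, intermediate supplied as untrusted chain material. The
# xmlsec1 counterpart is the thread's own invocation:
#   xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted int.pem ee.pem >/dev/null 2>&1
}

# Caveat: 'openssl verify' checks only the FIRST certificate of a positional
# file. [intermediate, EE] "passes" without the EE cert being examined;
# [EE, intermediate] fails with error 20. Returns 0 when both are observed.
verify_first_cert_only_pitfall() {
    cat int.pem ee.pem > int_first.pem
    cat ee.pem int.pem > ee_first.pem
    openssl verify -CAfile root.pem int_first.pem >/dev/null 2>&1 || return 1
    if openssl verify -CAfile root.pem ee_first.pem >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Names can match while chain building still fails: compare each cert's
# Subject Key Identifier with the next cert's Authority Key Identifier.
show_ids() {
    for f in ee.pem int.pem root.pem; do
        printf '== %s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer
        openssl x509 -in "$f" -noout -text \
            | grep -A1 -E 'Subject Key Identifier|Authority Key Identifier' \
            | grep -v '^--$' | sed 's/^ *//'
    done
}

make_chain
verify_root_only && echo "root only:        error 20, as in the thread"
verify_with_intermediate && echo "root + untrusted: OK"
verify_first_cert_only_pitfall && echo "first-cert-only pitfall reproduced"
show_ids
```

Run it with openssl on PATH; xmlsec1 is not needed for the checks above. The practical reading for a case like the thread's: a "passing" `openssl verify -CAfile root.pem EE.pem` on a two-certificate file is only evidence about whichever certificate comes first in that file, so repeat the check with `-untrusted int.pem` and the end-entity certificate alone before comparing it with what xmlsec reports.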