[xmlsec] Urgent help needed : Certificate verification failed

Ashish Agrawal meetashish at gmail.com
Thu Jun 4 10:48:57 PDT 2009


Hi Aleksey,

I got something interesting now, earlier i said that the certificate chain
was working fine with openssl.

The command I gave was:
openssl verify -CAfile Root.pem EE.pem
where EE.pem had the intermediate cert and then the end certificate,
and it said OK (passed).
Now if I add some junk characters inside the end certificate in ee.pem and
give the same command, it still passes; it seems like only one certificate
is getting verified and not the whole chain.

Similarly with xmlsec, if I only put the intermediate cert in the signature
file, it gets verified. :-(

I am getting this feeling that there might be a problem with the
certificate chain provided to me. What do you think?

Any idea how I can confirm the same?

Regards,
Ashish

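The behaviour described above has a simple cause: openssl verify reads only the first certificate from each positional file, so with EE.pem holding the intermediate first, only the intermediate was ever checked, and the end certificate (junk or not) was ignored. The script below is an added example, not from the thread; it builds a throwaway root / subCA / EE chain with constructed subjects modelled on the JIL demo names, reproduces both the false PASS and the err=20 "unable to get local issuer certificate" failure, and shows the chain check that actually covers the end certificate (`-untrusted int.pem`, the openssl counterpart of xmlsec1's `--untrusted-pem`). It assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Builds root -> subCA -> EE and shows that
# "openssl verify -CAfile root.pem EE.pem" only verifies the FIRST cert in EE.pem.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the CA certs (root, intermediate) and for the end-entity cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > ee.ext

SUBJ_BASE="/C=CN/ST=BJ/O=JIL/OU=JIL"   # constructed, modelled on the thread's names

# Key + CSR helper: $1 = file prefix, $2 = CN
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$SUBJ_BASE/CN=$2" >/dev/null 2>&1
}

mkcsr root "JIL Root demo"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1
mkcsr int "JIL subCA demo"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1
mkcsr ee "JIL EE demo"
openssl x509 -req -in ee.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile ee.ext -out ee.pem >/dev/null 2>&1

# The thread's layout: intermediate first, then the end-entity cert, in one file.
cat int.pem ee.pem > EE.pem
# Same layout, but every 64-char base64 line of the EE cert replaced by junk.
{ cat int.pem; sed 's|^[A-Za-z0-9+/=]\{64\}$|JUNKJUNKJUNKJUNK|' ee.pem; } > EE-junk.pem

# Each check prints PASS or FAIL (only the first cert of a positional file is read).
verify_bundle()      { openssl verify -CAfile root.pem EE.pem      >/dev/null 2>&1 && echo PASS || echo FAIL; }
verify_junk_bundle() { openssl verify -CAfile root.pem EE-junk.pem >/dev/null 2>&1 && echo PASS || echo FAIL; }
# The real chain check: intermediate supplied as untrusted, EE as the target.
verify_chain() { openssl verify -CAfile root.pem -untrusted int.pem ee.pem >/dev/null 2>&1 && echo PASS || echo FAIL; }
# No intermediate available at all: the same situation xmlsec reported (err=20).
verify_ee_alone() {
  out=$(openssl verify -CAfile root.pem ee.pem 2>&1) && { echo PASS; return; }
  case "$out" in
    *"unable to get local issuer certificate"*) echo "FAIL: unable to get local issuer certificate" ;;
    *) echo "FAIL: $out" ;;
  esac
}
# Lists subject/issuer of every cert in a PEM bundle so a broken link is visible.
chain_links() {
  awk '/BEGIN CERT/{n++} {print > ("c" n ".pem")}' "$1"
  for c in c*.pem; do openssl x509 -in "$c" -noout -subject -issuer; done
}

echo "bundle, first cert only:                 $(verify_bundle)"       # PASS
echo "bundle with junk EE cert:                $(verify_junk_bundle)"  # PASS (the trap)
echo "EE alone, root only:                     $(verify_ee_alone)"     # FAIL: unable to ...
echo "EE with -untrusted int.pem (real check): $(verify_chain)"        # PASS
chain_links EE.pem
```

The FAIL line is the openssl equivalent of the x509vfy.c err=20 message in the thread; the fix in both tools is to hand the verifier the intermediate separately (`-untrusted` here, `--untrusted-pem` or `--trusted-pem` for xmlsec1) rather than relying on the order of certs inside one file.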

On Thu, Jun 4, 2009 at 10:44 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> There are checks for expired certs, etc. Same as openssl.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> Hi Aleksey,
>>
>> I have a doubt: since this chain was successfully verified by openssl,
>> did we put additional checks in xmlsec which might fail the validation
>> in terms of the certificate constraints?
>>
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 10:01 PM, Ashish Agrawal <meetashish at gmail.com> wrote:
>>
>>    Yes, I am trying to debug simultaneously. Hopefully I will get some
>>    luck.
>>
>>    I am attaching the certificate chain for your reference; can you please
>>    take a look and see if you can find something suspicious.
>>
>>    Your help is deeply appreciated.
>>
>>    Regards,
>>    Ashish
>>
>>
>>
>>
>>    On Thu, Jun 4, 2009 at 9:54 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>        No specific order. Sorry, you will need to debug it to see what is
>>        going on.
>>
>>        Aleksey
>>
>>        Ashish Agrawal wrote:
>>
>>            I tried the same but got the same error:
>>
>>            func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>            func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>            func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>            func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>            func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>            func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>
>>            Is there any specific order in which certificates should be
>>            present in the signature file? Can there be a problem with
>>            the certificate fields?
>>
>>
>>            Regards,
>>            Ashish
>>
>>            On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>               Try
>>
>>               xmlsec1 --verify \
>>                      --trusted-pem root.pem \
>>                      --trusted-pem int.pem  \
>>                      signature.xml
>>
>>               Aleksey
>>
>>               Ashish Agrawal wrote:
>>
>>                   I have tried with:
>>
>>                   xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
>>                   (removing the intermediate CA cert from the signature file)
>>
>>                   and
>>
>>                   xmlsec1 --verify --trusted-pem root.pem signature.xml
>>                   (keeping the intermediate CA cert and end certificate in the signature file)
>>
>>                   Got same result..
>>                   Regards,
>>                   Ashish
>>
>>                   On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                      What command line options do you use?
>>
>>                      Aleksey
>>
>>                      Ashish Agrawal wrote:
>>
>>                          Sorry, I did not understand your reply completely.
>>                          You mean to check the subject field for the
>>                          certificates:
>>
>>                          I see them as :
>>
>>                          End Cert:
>>                              Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>                              Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>
>>                          Intermediate cert:
>>                              Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>                              Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>>                          Root Cert:
>>                              Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>                              Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>>                          So it seems like the chain is correct, but
>>                          verification fails. The strange thing is it passes
>>                          with openssl but not here.
>>
>>                          Regards,
>>                          Ashish
>>
>>                          On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                             No, there are no ordering problems. You have
>>                             the subject of the certificate which is at the
>>                             end of the chain. Try to figure out "why?".
>>
>>                             Aleksey
>>
>>                             Ashish Agrawal wrote:
>>
>>                                 Yes Aleksey,
>>                                 I have already tried with the openssl
>>                                 utility:
>>
>>                                 openssl verify -CAfile root.pem EE.pem
>>
>>                                 Here root.pem is the root CA pem file and
>>                                 EE.pem contains the intermediate certificate
>>                                 and then the end certificate, and it passes
>>                                 with no error.
>>
>>                                 But xmlsec fails :(
>>                                 Can there be any ordering issue? Shall I
>>                                 send my certs, will that help in root
>>                                 causing?
>>
>>                                 Regards,
>>                                 Ashish
>>
>>                                 On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                                    Try to verify your certs chain using the
>>                                    openssl command line tool directly.
>>
>>                                    Aleksey
>>
>>                                    Ashish Agrawal wrote:
>>
>>                                        Hi Aleksey,
>>
>>                                        My signature.xml file has two
>>                                        certificates, one is the end
>>                                        certificate and the other is the
>>                                        intermediate CA. In the intermediate
>>                                        certificate also the "CA" field is
>>                                        true. Could this be the root cause of
>>                                        the problem?
>>
>>                                        Attaching the intermediate CA pem file.
>>
>>                                        Thanks for your help.
>>
>>                                        Regards,
>>                                        Ashish
>>
>>
>>                                        On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>
>>                                           This error means that xmlsec
>>                                           can't build the certs chain for
>>                                           some reason.
>>
>>                                           Aleksey
>>
>>                                           Ashish Agrawal wrote:
>>
>>                                               Hi Aleksey,
>>
>>                                               I have a problem where I have
>>                                               a root CA and two certificates
>>                                               in the chain. When I try to
>>                                               verify the chain using openssl
>>                                               it works:
>>
>>                                               openssl verify -CAfile root.pem EE.pem
>>
>>                                               but when I try to verify using
>>                                               xmlsec it fails with the error:
>>
>>
>>                                               func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>                                               func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>                                               func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>                                               func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>                                               func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>                                               func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>                                               Error: signature failed
>>                                               ERROR
>>                                               SignedInfo References (ok/all): 6/6
>>                                               Manifests References (ok/all): 0/0
>>
>>
>>                                               Does xmlsec impose any
>>                                               additional constraints on the
>>                                               certificate validation, and if
>>                                               yes, what are they?
>>
>>                                               Regards,
>>                                               Ashish
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>