[xmlsec] RES: Trying to check sign

Aleksey Sanin aleksey at aleksey.com
Wed Jun 6 12:15:28 PDT 2012


It's not on the website but it is in the examples folder.

Aleksey

On 6/6/12 4:42 AM, Renato Tegon Forti wrote:
>>> This means that xmlsec (or to be precise, openssl) needs to verify the
> certificate and it can't find the next certificate in the chain.
> 
> Thanks for answer. 
> 
> One more question: what is the example
> (http://www.aleksey.com/xmlsec/api/xmlsec-examples.html) that implement
> "Online XML Digital Signature Verifer"? 
> I want study code implementation of it!
> 
> Thanks
> 
> -----Mensagem original-----
> De: Aleksey Sanin [mailto:aleksey at aleksey.com] 
> Enviada em: terça-feira, 5 de junho de 2012 23:51
> Para: Renato Tegon Forti
> Cc: xmlsec at aleksey.com
> Assunto: Re: [xmlsec] Trying to check sign
> 
> This means that xmlsec (or to be precise, openssl) needs to verify the
> certificate and it can't find the next certificate in the chain.
> 
> Aleksey
> 
> On 6/5/12 1:58 PM, Renato Tegon Forti wrote:
>> Hi,
>>
>>  
>>
>> I have one file that I want check sig (using KEYINFO node), I know 
>> that the signature is valid, but tool returns me:
>>
>>  
>>
>> I use DTD, see xml below, please!
>>
>>  
>>
>> ----------------------------------------------------------------------
>> --------------------------
>>
>>  
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-sto
>> re:subj=X509_verify_cert:error=4:crypto
>> library function failed:subj=/C=BR/O=ICP-Brasil/OU=ID - 
>> 1083312/OU=Autenticado por Certisign Certificadora 
>> Digital/OU=Assinatura Tipo A1/OU=(EM BRANCO)/OU=(EM 
>> BRANCO)/CN=MEDIATECH INFORMATICA 
>> LTDA/emailAddress=contato at tecnomidia.com.br;err=20;msg=unable
>> <mailto:LTDA/emailAddress=contato at tecnomidia.com.br;err=20;msg=unable>
>> to get local issuer certificate
>>
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-sto
>> re:subj=unknown:error=71:certificate
>> verification failed:err=20;msg=unable to get local issuer certificate
>>
>> func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rs
>> a-sha1:subj=EVP_VerifyFinal:error=18:data
>> do not match:signature do not match
>>
>> RESULT: Signature is INVALID
>>
>> ---------------------------------------------------
>>
>> = VERIFICATION CONTEXT
>>
>> == Status: invalid
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == Key Info Read Ctx:
>>
>> = KEY INFO READ CONTEXT
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled key data: all
>>
>> == RetrievalMethod level (cur/max): 0/1
>>
>> == TRANSFORMS CTX (status=0)
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled transforms: all
>>
>> === uri: NULL
>>
>> === uri xpointer expr: NULL
>>
>> == EncryptedKey level (cur/max): 0/1
>>
>> === KeyReq:
>>
>> ==== keyId: rsa
>>
>> ==== keyType: 0x00000001
>>
>> ==== keyUsage: 0x00000002
>>
>> ==== keyBitsSize: 0
>>
>> === list size: 0
>>
>> == Key Info Write Ctx:
>>
>> = KEY INFO WRITE CONTEXT
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled key data: all
>>
>> == RetrievalMethod level (cur/max): 0/1
>>
>> == TRANSFORMS CTX (status=0)
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled transforms: all
>>
>> === uri: NULL
>>
>> === uri xpointer expr: NULL
>>
>> == EncryptedKey level (cur/max): 0/1
>>
>> === KeyReq:
>>
>> ==== keyId: NULL
>>
>> ==== keyType: 0x00000001
>>
>> ==== keyUsage: 0xffffffff
>>
>> ==== keyBitsSize: 0
>>
>> === list size: 0
>>
>> == Signature Transform Ctx:
>>
>> == TRANSFORMS CTX (status=2)
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled transforms: all
>>
>> === uri: NULL
>>
>> === uri xpointer expr: NULL
>>
>> === Transform: c14n 
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>
>> === Transform: rsa-sha1 
>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>
>> === Transform: membuf-transform (href=NULL)
>>
>> == Signature Method:
>>
>> === Transform: rsa-sha1 
>> (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
>>
>> == Signature Key:
>>
>> == KEY
>>
>> === method: RSAKeyValue
>>
>> === key type: Private
>>
>> === key name: test-rsa
>>
>> === key usage: -1
>>
>> === rsa key: size = 1024
>>
>> == SignedInfo References List:
>>
>> === list size: 1
>>
>> = REFERENCE VERIFICATION CONTEXT
>>
>> == Status: succeeded
>>
>> == URI: "#NFe35101003593968000167550030000101640000000003"
>>
>> == Reference Transform Ctx:
>>
>> == TRANSFORMS CTX (status=2)
>>
>> == flags: 0x00000000
>>
>> == flags2: 0x00000000
>>
>> == enabled transforms: all
>>
>> === uri:
>>
>> === uri xpointer expr: 
>> #NFe35101003593968000167550030000101640000000003
>>
>> === Transform: xpointer 
>> (href=http://www.w3.org/2001/04/xmldsig-more/xptr)
>>
>> === Transform: enveloped-signature
>> (href=http://www.w3.org/2000/09/xmldsig#enveloped-signature)
>>
>> === Transform: c14n 
>> (href=http://www.w3.org/TR/2001/REC-xml-c14n-20010315)
>>
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>
>> === Transform: membuf-transform (href=NULL)
>>
>> == Digest Method:
>>
>> === Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
>>
>> == Manifest References List:
>>
>> === list size: 0
>>
>>  
>>
>> ----------------------------------------------------------------------
>> --------------------------
>>
>>  
>>
>> Anyone can help-me to understand what I make wrong!
>>
>> What this exactly can mean: “unable to get local issuer certificate”
>>
>>  
>>
>> This is my xml file ( the DTD is correct?):
>>
>>  
>>
>> ----------------------------------------------------------------------
>> --------------------------
>>
>>  
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <!DOCTYPE test [
>>
>> <!ATTLIST infNFe Id ID #IMPLIED>
>>
>> ]>
>>
>> <nfeProc xmlns="http://www.portalfiscal.inf.br/nfe" versao="1.10">
>>
>> <NFe xmlns="http://www.portalfiscal.inf.br/nfe"><infNFe
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> Id="NFe35101003593968000167550030000101640000000003"
>> versao="1.10"><ide><cUF>35</cUF><cNF>000000000</cNF><natOp>VENDA MERC 
>> C/ PGTO ST C/ 
>> SUBSTITUIDO</natOp><indPag>1</indPag><mod>55</mod><serie>3</serie><nNF
>>> 10164</nNF><dEmi>2010-10-20</dEmi><dSaiEnt>2010-10-20</dSaiEnt><tpNF>
>> 1</tpNF><cMunFG>3550308</cMunFG><tpImp>1</tpImp><tpEmis>1</tpEmis><cDV
>>> 3</cDV><tpAmb>1</tpAmb><finNFe>1</finNFe><procEmi>0</procEmi><verProc
>>> 1.4.0</verProc></ide><emit><CNPJ>03593968000167</CNPJ><xNome>Mediatec
>> h Informatica LTDA</xNome><xFant>Mediatech Informatica 
>> LTDA</xFant><enderEmit><xLgr>CORREIA DE 
>> MELO</xLgr><nro>085</nro><xBairro>BOM
>> RETIRO</xBairro><cMun>3550308</cMun><xMun>SAO
>> PAULO</xMun><UF>SP</UF><CEP>01123020</CEP><cPais>1058</cPais><xPais>BR
>> ASIL</xPais><fone>1133521199</fone></enderEmit><IE>115633812110</IE></
>> emit><dest><CNPJ>11253910000100</CNPJ><xNome>AYSSO
>> SYSTEMS LTDA EPP</xNome><enderDest><xLgr>RUA DOZE DE 
>> NOVEMBRO</xLgr><nro>180</nro><xCpl>APT
>> 183</xCpl><xBairro>CENTRO</xBairro><cMun>3501608</cMun><xMun>AMERICANA
>> </xMun><UF>SP</UF><CEP>13465490</CEP><cPais>1058</cPais><xPais>BRASIL<
>> /xPais><fone>1936459994</fone></enderDest><IE/></dest><det
>> nItem="1"><prod><cProd>1160900000000001720000</cProd><cEAN/><xProd>MID
>> IA
>> DIGITAL
>> CD/DVD</xProd><NCM>85234011</NCM><CFOP>5405</CFOP><uCom>PC.</uCom><qCo
>> m>100.0000</qCom><vUnCom>2.1500</vUnCom><vProd>215.00</vProd><cEANTrib
>> /><uTrib>PC.</uTrib><qTrib>100.0000</qTrib><vUnTrib>2.1500</vUnTrib><v
>> Frete>20.00</vFrete></prod><imposto><ICMS><ICMS60><orig>0</orig><CST>6
>> 0</CST><vBCST>215.00</vBCST><vICMSST>0.00</vICMSST></ICMS60></ICMS><IP
>> I><cEnq>999</cEnq><IPINT><CST>53</CST></IPINT></IPI><PIS><PISAliq><CST
>>> 01</CST><vBC>215.00</vBC><pPIS>0.65</pPIS><vPIS>1.40</vPIS></PISAliq>
>> </PIS><COFINS><COFINSAliq><CST>01</CST><vBC>215.00</vBC><pCOFINS>3.00<
>> /pCOFINS><vCOFINS>6.45</vCOFINS></COFINSAliq></COFINS></imposto></det>
>> <total><ICMSTot><vBC>20.00</vBC><vICMS>0.00</vICMS><vBCST>0.00</vBCST>
>> <vST>0.00</vST><vProd>215.00</vProd><vFrete>20.00</vFrete><vSeg>0.00</
>> vSeg><vDesc>0.00</vDesc><vII>0.00</vII><vIPI>0.00</vIPI><vPIS>1.40</vP
>> IS><vCOFINS>6.45</vCOFINS><vOutro>0.00</vOutro><vNF>235.00</vNF></ICMS
>> Tot></total><transp><modFrete>0</modFrete><transporta><CNPJ>0728188600
>> 0138</CNPJ><xNom
>  e
>> Correio
>> - Sedex</xNome><IE>ISENTO</IE><xEnder>Rua Correia de Melo,  
>> 111</xEnder><xMun>Sao
>>
> Paulo</xMun><UF>SP</UF></transporta><vol><qVol>1</qVol><esp>CX.</esp><pesoL>
> 1.000</pesoL><pesoB>1.000</pesoB></vol></transp><cobr><fat><nFat>10164</nFat
>> <vOrig>235.00</vOrig><vLiq>235.00</vLiq></fat><dup><nDup>001</nDup><dVenc>2
> 010-10-20</dVenc><vDup>235.00</vDup></dup></cobr><infAdic><infCpl>Pedidos:
>> 48033</infCpl></infAdic></infNFe><Signature
>>
>> xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Canonicalizatio
>> nMethod  
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><Signature
>> Method  
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><Reference
>>
>> URI="#NFe35101003593968000167550030000101640000000003"><Transforms><Tra
>> nsform  
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Tra
>> nsform  
>> Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></Transfor
>> ms><DigestMethod  
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>vj4p6F
>> tqkZen6fsHlcyag8R2hF0=</DigestValue></Reference></SignedInfo><Signature
>> Value>Jymbikn/5F8aUYQA6CaZmLYY9plO4KNfyu/M4TZP5l+3fy/pjwpkIsaeV1LXXyo7n
>> WLdpvruhCXy
>>
>> ID2ptAjzIWOJ/vp1YW94e0Yy7yfBijQNkew+FI1G7GKKt7T/UUIPRrXqWwo7EA8ZpCYSoW
>> ktWqHZ
>>
>> iU7j7iJone1nLdNJNjY=</SignatureValue><KeyInfo><X509Data><X509Certifica
>> te>MIIGuzCCBaOgAwIBAgIQCbCeZ64fHJPeNqAkc06I8TANBgkqhkiG9w0BAQUFADB0MQs
>> wCQYDVQQG
>>
>> EwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEtMCsGA1UECxMkQ2VydGlzaWduIENlcnRpZm
>> ljYWRv
>>
>> cmEgRGlnaXRhbCBTLkEuMSEwHwYDVQQDExhBQyBDZXJ0aXNpZ24gTXVsdGlwbGEgRzMwHh
>> cNMTAw
>>
>> NzI5MDAwMDAwWhcNMTEwNzI4MjM1OTU5WjCCAQsxCzAJBgNVBAYTAkJSMRMwEQYDVQQKFA
>> pJQ1At
>>
>> QnJhc2lsMRUwEwYDVQQLFAxJRCAtIDEwODMzMTIxODA2BgNVBAsUL0F1dGVudGljYWRvIH
>> BvciBD
>>
>> ZXJ0aXNpZ24gQ2VydGlmaWNhZG9yYSBEaWdpdGFsMRswGQYDVQQLFBJBc3NpbmF0dXJhIF
>> RpcG8g
>>
>> QTExFDASBgNVBAsUCyhFTSBCUkFOQ08pMRQwEgYDVQQLFAsoRU0gQlJBTkNPKTEjMCEGA1
>> UEAxMa
>>
>> TUVESUFURUNIIElORk9STUFUSUNBIExUREExKDAmBgkqhkiG9w0BCQEWGWNvbnRhdG9AdG
>> Vjbm9t
>>
>> aWRpYS5jb20uYnIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM8txkPNL6gjEjSW4T
>> umyO0w
>>
>> zBGmxNtCqU9DFNWQD1TWIbXaYduxoxnYEwNXrehla2YDslXUiM45SWvlmjlWoVV9T7F07a
>> OGGysP
>>
>> aNLJW/y3CMq7Qrvsh+h30INqV8WWYXKHlmfLz4eNf8Di4xQvgm+7yxvkGHXXjxkWn6utBW
>> tJAgMB
>>
>> AAGjggMyMIIDLjCBrQYDVR0RBIGlMIGioDgGBWBMAQMEoC8ELTE5MDExOTY3MTEyMDk3Mz
>> g4MDUw
>>
>> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMKAXBgVgTAEDAqAOBAxKQUlSIFNaQVBJUk+gGQ
>> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMKAXBgVgTAEDAqAOBAxKQUlSIFNaQVBJUk+YFY
>> MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMKAXBgVgTAEDAqAOBAxKQUlSIFNaQVBJUk+EwB
>>
>> AwOgEAQOMDM1OTM5NjgwMDAxNjegFwYFYEwBAwegDgQMMDAwMDAwMDAwMDAwgRljb250YX
>> RvQHRl
>>
>>
> Y25vbWlkaWEuY29tLmJyMAkGA1UdEwQCMAAwHwYDVR0jBBgwFoAUhLBCMzSjQiWlKJc+g+t38OhP
>>
>> wlQwDgYDVR0PAQH/BAQDAgXgMFUGA1UdIAROMEwwSgYGYEwBAgELMEAwPgYIKwYBBQUHAg
>> EWMmh0
>>
>> dHA6Ly9pY3AtYnJhc2lsLmNlcnRpc2lnbi5jb20uYnIvcmVwb3NpdG9yaW8vZHBjMIIBJQ
>> YDVR0f
>>
>> BIIBHDCCARgwXKBaoFiGVmh0dHA6Ly9pY3AtYnJhc2lsLmNlcnRpc2lnbi5jb20uYnIvcm
>> Vwb3Np
>>
>> dG9yaW8vbGNyL0FDQ2VydGlzaWduTXVsdGlwbGFHMy9MYXRlc3RDUkwuY3JsMFugWaBXhl
>> VodHRw
>>
>> Oi8vaWNwLWJyYXNpbC5vdXRyYWxjci5jb20uYnIvcmVwb3NpdG9yaW8vbGNyL0FDQ2VydG
>> lzaWdu
>>
>> TXVsdGlwbGFHMy9MYXRlc3RDUkwuY3JsMFugWaBXhlVodHRwOi8vcmVwb3NpdG9yaW8uaW
>> NwYnJh
>>
>> c2lsLmdvdi5ici9sY3IvQ2VydGlzaWduL0FDQ2VydGlzaWduTXVsdGlwbGFHMy9MYXRlc3
>> RDUkwu
>>
>> Y3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjCBoAYIKwYBBQUHAQEEgZMwgZ
>> AwKAYI
>>
>> KwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmNlcnRpc2lnbi5jb20uYnIwZAYIKwYBBQUHMAKGWG
>> h0dHA6
>>
>> Ly9pY3AtYnJhc2lsLmNlcnRpc2lnbi5jb20uYnIvcmVwb3NpdG9yaW8vY2VydGlmaWNhZG
>> 9zL0FD
>>
>> X0NlcnRpc2lnbl9NdWx0aXBsYV9HMy5wN2MwDQYJKoZIhvcNAQEFBQADggEBAGI9MCc6WV
>> mz919C
>>
>> QLDB8E0R8HxfGyiz2uB14lPBDsueTJmJmlykQdnboMiyMGTocprEGsQxeI7a57BEUDVc0f
>> SzNCCb
>>
>> SOnQOp9Uswri8pTw8fQG9OAkh1LCC9haTsNNMKbTHCciO7MUh34XkHuj4A0NIWG1aCynws
>> tRFWb8
>>
>> 97OZJJCc0IRvDs7yDJhgOwPmv3trFmwlfMU7n20pXtM9hKiI8o6h/0GwR6SyA1Yj4fZXfX
>> xVENH4
>>
>> EjhIHR8Yrmre2JE2I+hFjyQaNPnAEztQEa0Cae2l3O0Q0tkM1x8EkiKFrnDggpc7gSwtLC
>> EjhIHR8Yrmre2JE2I+wrkQBu
>>
>> jhie131VyDTuXLx9k082PLs=</X509Certificate></X509Data></KeyInfo></Signa
>> ture></NFe>
>>
>>  
>>
>> <protNFe
>> versao="1.10"><infProt><tpAmb>1</tpAmb><verAplic>SP_NFE_PL_005e</verAp
>> lic><chNFe>35101003593968000167550030000101640000000003</chNFe><dhRecb
>> to>2010-10-20T17:48:15</dhRecbto><nProt>135100546996360</nProt><digVal
>>> vj4p6FtqkZen6fsHlcyag8R2hF0=</digVal><cStat>100</cStat><xMotivo>Autor
>> izado o uso da NF-e</xMotivo></infProt></protNFe>
>>
>> </nfeProc>
>>
>>  
>>
>> ----------------------------------------------------------------------
>> --------------------------
>>
>>  
>>
>> Thanks a lot
>>
>>  
>>
>>  
>>
>>  
>>
>>  
>>
>>
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec


More information about the xmlsec mailing list