[xmlsec] Verify invalid certificate chain

Roman Khlystik dont.avt at gmail.com
Wed Aug 15 01:21:59 PDT 2012


Thanks for your answer, Aleksey.

I think I've understood the behaviour of xmlsec in this situation.
According to this logic I assume (and I actually checked it) that when
there isn't any valid certificate chain, the result code of signature
verification is still "succeeded". Why?

Here is an example using the command-line tool.
ca.crt isn't related to the certificate in license-signed-ca1-server1.xml.
So there isn't any valid certificate chain. Why is the verification status OK?

> #xmlsec1 --verify --trusted-pem cas/ca2/ca/certs/ca.crt license-signed-ca1-server1.xml
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=Ukraine Department/CN=server1/emailAddress=support at test.com;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0



So I have another question: is it possible to detect with xmlsec that there
is no valid certificate chain up to one of the trusted certificates?
I want to reject a signed XML file if there isn't any valid certificate chain.

Thanks.

2012/8/14 Aleksey Sanin <aleksey at aleksey.com>

> Roman,
>
> During the verification, xmlsec tries to verify the signature using
> all possible certificate chains. It is enough to have one of them
> succeed. The errors you see are from the ones that failed. Safe to ignore,
> just check the result code.
>
> Aleksey
>
> On 8/14/12 8:38 AM, Roman Khlystik wrote:
> > Hi Aleksey!
> >
> > I'm trying to develop a simple license system using the xmlsec library.
> > My idea was to build a simple private PKI with one CA key pair and a
> > separate key pair for each customer.
> > Then I planned to sign the XML license file with the client certificate for each
> > client.
> >
> > I decided to embed the CA certificate in our app and verify the certificate
> > chain from the XML file up to the CA certificate.
> > But I have a problem with the xmlsec library. I can't find how to verify the
> > full certificate chain with it.
> > I used the example from here
> > http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html
> > and I have a problem when the certificate chain is invalid.
> > I got this error on the console:
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > OK
> > SignedInfo References (ok/all): 1/1
> > Manifests References (ok/all): 0/0
> >
> > but the verification result dsigCtx->status has the value xmlSecDSigStatusSucceeded.
> >
> > Can you tell me how I can verify that the certificate chain is invalid with
> > the xmlsec API?
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
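Added example for this thread (not xmlsec's own code, and not something either poster wrote): a pre-check, in Python standard library only, of what the signed file's ds:KeyInfo actually offers before the file is handed to xmlsec. The assumption behind it, which is my reading of the library's design rather than anything stated above, is that xmlsec takes its verification key from whichever enabled key-data element it can read, so a ds:KeyValue or ds:KeyName sitting beside the X509Data can supply a key with no certificate chain ever being built. Rejecting anything but an X509Data-only KeyInfo leaves the certificate as the only route to a key, and the chain check against the embedded CA then decides. The sample documents, the placeholder certificate blob and the RSA values in them are constructed for the example and are not real.

```python
"""Pre-check of ds:KeyInfo before a signed XML document goes to xmlsec.

Added example for the xmlsec thread above, not xmlsec's own code.
Assumption (my reading of the library's design, not stated in the thread):
xmlsec takes the verification key from any enabled key-data element it can
read, so a ds:KeyValue or ds:KeyName beside the X509Data can yield a key
without any certificate chain being built.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"


def _ds(local):
    """Clark-notation tag for an XML-DSig element."""
    return "{%s}%s" % (DS, local)


def inspect_keyinfo(xml_text):
    """Summarise which key sources the document's ds:KeyInfo elements offer."""
    root = ET.fromstring(xml_text)
    summary = {
        "keyinfo_count": 0,
        "x509_certs": [],        # DER bytes of every ds:X509Certificate
        "other_sources": [],     # KeyInfo children other than X509Data
    }
    for keyinfo in root.iter(_ds("KeyInfo")):
        summary["keyinfo_count"] += 1
        for child in keyinfo:
            local = child.tag.split("}", 1)[-1]
            if local == "X509Data":
                for cert in child.iter(_ds("X509Certificate")):
                    b64 = "".join((cert.text or "").split())
                    summary["x509_certs"].append(base64.b64decode(b64))
            else:
                summary["other_sources"].append(local)
    return summary


def chain_only_policy(xml_text):
    """Return (accepted, reason).

    Accept only a document whose single ds:KeyInfo carries X509Data and
    nothing else, so the only route to a verification key is a certificate
    that chain validation against the embedded CA still has to accept.
    """
    s = inspect_keyinfo(xml_text)
    if s["keyinfo_count"] != 1:
        return False, "expected exactly one ds:KeyInfo, found %d" % s["keyinfo_count"]
    if not s["x509_certs"]:
        return False, "no ds:X509Certificate inside ds:KeyInfo"
    if s["other_sources"]:
        return False, "KeyInfo offers non-certificate key sources: " + ", ".join(s["other_sources"])
    return True, "KeyInfo is X509Data-only; certificate chain validation decides"


def embedded_certs_pem(xml_text):
    """Re-encode each embedded certificate as PEM for an external chain check."""
    pems = []
    for der in inspect_keyinfo(xml_text)["x509_certs"]:
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(textwrap.wrap(b64, 64))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems


# Constructed samples: the blob below stands in for a DER certificate and the
# RSA values are placeholders; nothing here is a real key or certificate.
FAKE_DER = b"constructed placeholder, not a real DER certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

LICENSE_X509_ONLY = (
    '<license xmlns:ds="{ns}"><ds:Signature><ds:KeyInfo>'
    "<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>"
    "</ds:KeyInfo></ds:Signature></license>"
).format(ns=DS, cert=FAKE_B64)

LICENSE_WITH_KEYVALUE = (
    '<license xmlns:ds="{ns}"><ds:Signature><ds:KeyInfo>'
    "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
    "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>"
    "<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data>"
    "</ds:KeyInfo></ds:Signature></license>"
).format(ns=DS, cert=FAKE_B64)


if __name__ == "__main__":
    for name, doc in (("x509-only", LICENSE_X509_ONLY), ("with-keyvalue", LICENSE_WITH_KEYVALUE)):
        accepted, reason = chain_only_policy(doc)
        print("%-14s accepted=%s  %s" % (name, accepted, reason))
    # This PEM is what an external `openssl verify -CAfile ca.crt` would take.
    print(embedded_certs_pem(LICENSE_X509_ONLY)[0])
```

Only a file that passes this check should be handed to xmlsec, and then with key data restricted to X509 (the command-line tool's --enabled-key-data option with the value x509, or the corresponding enabledKeyData list on the key-info read context in the C API) and with the CA passed as the trusted certificate, exactly as in the command quoted above. With no other key source available and the chain rejected by the X509 store, xmlsec has no key to verify with, which is the failure this thread is after; confirm that against the xmlsec version in use by re-running the command from the thread on a file whose certificate is unrelated to the trusted CA.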