[xmlsec] Fwd: Verify Sign Issue

Renato Fermi repiazza at gmail.com
Mon Nov 24 10:53:37 PST 2014 

Hello Aleksey,

I was really using a wrong certificate to sign and check it.
Now I'm using the same certificate, the one who generated key file.
So I have 2 files:
 - cert.pem - client certificate, obtained using the following command,
from the full certificate:
     openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys
-nodes
- nfcek.pem - key file obtained this way:
     openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes

Im signing using :
  - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem
--output signed.xml 0A000U209.xml
And verifying :
  - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem
nfcek.pem,certificado.pem signed.xml

So I got an OK, but with errors:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
library function
failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita
Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS
LTDA:05113966000159;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Do you have any ideia about it?

Thanks again.

2014-11-24 16:23 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:

Are you sure that the cacert.pem contains the certificate for nfcek.pem
> key? It looks like you are signing with one key and verifying with another.
>
> Aleksey
>
> On 11/24/14 10:15 AM, Renato Fermi wrote:
> > I've added 2 files (inuput) 0AU00209.xml and output.xml.
> >
> >
> >
> >
> > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com
> > <mailto:aleksey at aleksey.com>>:
> >
> >     How does the input.xml looks like?
> >
> >     Aleksey
> >
> >     On 11/24/14 9:58 AM, Renato Fermi wrote:
> >     > Hello Aleksey,
> >     >
> >     > I'm having troubles after sucessfully signing a XML, when
> >     verifying it.
> >     >
> >     > What I've done:
> >     >  - Signed XML with my cert key and cacert :
> >     >  $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem
> >     nfcek.pem,cacert.pem
> >     > --output signed.xml input.xml
> >     >  - Verified the signature:
> >     > xmlsec1 --verify --id-attr:Id infNFe --privkey-pem
> >     nfcek.pem,cacert.pem
> >     > signed.xml
> >     >
> >     > And received the return:
> >     >
> >
>  func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data
> >     > do not match:signature do not match
> >     > FAIL
> >     > SignedInfo References (ok/all): 1/1
> >     > Manifests References (ok/all): 0/0
> >     > Error: failed to verify file "signed.xml"
> >     >
> >     > Am I doing anything wrong?
> >     >
> >     > Thanks in advance.
> >     >
> >     > Renato Fermi
> >     >
> >     >
> >     > _______________________________________________
> >     > xmlsec mailing list
> >     > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> >     > http://www.aleksey.com/mailman/listinfo/xmlsec
> >     >
> >
> >
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > xmlsec at aleksey.com
> > http://www.aleksey.com/mailman/listinfo/xmlsec
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20141124/e2f2e4cc/attachment.html>

More information about the xmlsec mailing list