[xmlsec] Fwd: Verify Sign Issue
Renato Fermi
repiazza at gmail.com
Mon Nov 24 10:54:05 PST 2014
Sorry, the verifying line was :
- xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem
signed.xml
2014-11-24 16:45 GMT-02:00 Renato Fermi <repiazza at gmail.com>:
Hello Aleksey,
>
> I was really using a wrong certificate to sign and check it.
> Now I'm using the same certificate, the one who generated key file.
> So I have 2 files:
> - cert.pem - client certificate, obtained using the following command,
> from the full certificate:
> openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys
> -nodes
> - nfcek.pem - key file obtained this way:
> openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes
>
> Im signing using :
> - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem
> --output signed.xml 0A000U209.xml
> And verifying :
> - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem
> nfcek.pem,certificado.pem signed.xml
>
> So I got an OK, but with errors:
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita
> Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS
> LTDA:05113966000159;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer certificate
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
>
> Do you have any ideia about it?
>
> Thanks again.
>
> 2014-11-24 16:23 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>
> Are you sure that the cacert.pem contains the certificate for nfcek.pem
>> key? It looks like you are signing with one key and verifying with
>> another.
>>
>> Aleksey
>>
>> On 11/24/14 10:15 AM, Renato Fermi wrote:
>> > I've added 2 files (inuput) 0AU00209.xml and output.xml.
>> >
>> >
>> >
>> >
>> > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com
>> > <mailto:aleksey at aleksey.com>>:
>> >
>> > How does the input.xml looks like?
>> >
>> > Aleksey
>> >
>> > On 11/24/14 9:58 AM, Renato Fermi wrote:
>> > > Hello Aleksey,
>> > >
>> > > I'm having troubles after sucessfully signing a XML, when
>> > verifying it.
>> > >
>> > > What I've done:
>> > > - Signed XML with my cert key and cacert :
>> > > $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem
>> > nfcek.pem,cacert.pem
>> > > --output signed.xml input.xml
>> > > - Verified the signature:
>> > > xmlsec1 --verify --id-attr:Id infNFe --privkey-pem
>> > nfcek.pem,cacert.pem
>> > > signed.xml
>> > >
>> > > And received the return:
>> > >
>> >
>> func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data
>> > > do not match:signature do not match
>> > > FAIL
>> > > SignedInfo References (ok/all): 1/1
>> > > Manifests References (ok/all): 0/0
>> > > Error: failed to verify file "signed.xml"
>> > >
>> > > Am I doing anything wrong?
>> > >
>> > > Thanks in advance.
>> > >
>> > > Renato Fermi
>> > >
>> > >
>> > > _______________________________________________
>> > > xmlsec mailing list
>> > > xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>> > > http://www.aleksey.com/mailman/listinfo/xmlsec
>> > >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > xmlsec mailing list
>> > xmlsec at aleksey.com
>> > http://www.aleksey.com/mailman/listinfo/xmlsec
>> >
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20141124/bd9ffd99/attachment.html>
More information about the xmlsec
mailing list