[xmlsec] Fwd: Verify Sign Issue

Aleksey Sanin aleksey at aleksey.com
Mon Nov 24 11:04:04 PST 2014


You are not verifying the signature correctly. Please read about
certificate verification, trusted certificates, etc.

Aleksey

On 11/24/14 10:54 AM, Renato Fermi wrote:
> Sorry, the verifying line was:
>   - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem signed.xml
> 
> 2014-11-24 16:45 GMT-02:00 Renato Fermi <repiazza at gmail.com>:
> 
>     Hello Aleksey,
> 
>     I was really using a wrong certificate to sign and check it.
>     Now I'm using the same certificate, the one that generated the key file.
>     So I have 2 files:
>      - cert.pem - client certificate, obtained from the full certificate
>        with the following command:
>          openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys -nodes
>      - nfcek.pem - key file obtained this way:
>          openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes
> 
>     I'm signing using:
>       - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem --output signed.xml 0A000U209.xml
>     And verifying:
>       - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,certificado.pem signed.xml
> 
>     So I got an OK, but with errors:
>     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS LTDA:05113966000159;err=20;msg=unable to get local issuer certificate
>     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>     OK
>     SignedInfo References (ok/all): 1/1
>     Manifests References (ok/all): 0/0
> 
>     Do you have any idea about it?
> 
>     Thanks again.
> 
>     2014-11-24 16:23 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
> 
>         Are you sure that the cacert.pem contains the certificate for
>         nfcek.pem key? It looks like you are signing with one key and
>         verifying with another.
> 
>         Aleksey
> 
>         On 11/24/14 10:15 AM, Renato Fermi wrote:
>         > I've added 2 files (input) 0AU00209.xml and output.xml.
>         >
>         > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>         >
>         >     What does the input.xml look like?
>         >
>         >     Aleksey
>         >
>         >     On 11/24/14 9:58 AM, Renato Fermi wrote:
>         >     > Hello Aleksey,
>         >     >
>         >     > I'm having troubles after successfully signing an XML, when
>         >     > verifying it.
>         >     >
>         >     > What I've done:
>         >     >  - Signed XML with my cert key and cacert:
>         >     >  $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem --output signed.xml input.xml
>         >     >  - Verified the signature:
>         >     >  xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem signed.xml
>         >     >
>         >     > And received the return:
>         >     >
>         >     > func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
>         >     > FAIL
>         >     > SignedInfo References (ok/all): 1/1
>         >     > Manifests References (ok/all): 0/0
>         >     > Error: failed to verify file "signed.xml"
>         >     >
>         >     > Am I doing anything wrong?
>         >     >
>         >     > Thanks in advance.
>         >     >
>         >     > Renato Fermi
>         >     >
>         >     >
>         >     > _______________________________________________
>         >     > xmlsec mailing list
>         >     > xmlsec at aleksey.com
>         >     > http://www.aleksey.com/mailman/listinfo/xmlsec
>         >     >
>         >
> 
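Added example (shell), not code from the thread or from the xmlsec project: the sign/verify pairing Aleksey is pointing at, where verification gets the issuing CA via `--trusted-pem` instead of the private key, plus a small classifier over xmlsec1's diagnostics so a run that prints `OK` next to `err=20` chain errors is not mistaken for a trusted result. The file names and the `infNFe` id attribute come from the thread; `cacert.pem` as the CA file, the exit codes and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes xmlsec1 on PATH and the
# file names used in the thread (nfcek.pem key, cert.pem leaf certificate,
# cacert.pem issuing CA, Id attribute on <infNFe>); names are assumptions.

# Signing needs the private key; the leaf cert after the comma is put into
# <ds:KeyInfo> so a verifier can locate the signer's certificate.
xmlsec_sign() {  # key.pem cert.pem input.xml output.xml
    xmlsec1 --sign --id-attr:Id infNFe --privkey-pem "$1,$2" \
        --output "$4" "$3"
}

# Verification needs no private key: the signer's cert is read from
# <ds:KeyInfo>, and --trusted-pem names the CA that must have issued it.
# Passing the key again, as in the thread, says nothing about that chain.
xmlsec_verify() {  # cacert.pem signed.xml
    xmlsec1 --verify --id-attr:Id infNFe --trusted-pem "$1" "$2"
}

# In the thread's run xmlsec1 printed OK while logging err=20 on stderr, so
# a caller must read both streams. This maps them onto one verdict and a
# distinct exit code: 0 ok, 2 bad signature, 3 untrusted issuer,
# 4 other failure, 5 unrecognised output. Errors are matched before OK.
classify_xmlsec_output() {
    out=$(cat)
    case "$out" in
        *"signature do not match"*)
            echo bad-signature; return 2 ;;
        *"unable to get local issuer certificate"*)
            echo untrusted-issuer; return 3 ;;
        *"Error: failed to verify"*|*FAIL*)
            echo failed; return 4 ;;
    esac
    case "$out" in
        *OK*"SignedInfo References (ok/all): 1/1"*)
            echo ok; return 0 ;;
    esac
    echo unknown; return 5
}

# Verify and classify in one step; stderr is merged so chain errors count.
verify_and_classify() {  # cacert.pem signed.xml
    xmlsec_verify "$1" "$2" 2>&1 | classify_xmlsec_output
}

# Usage: sh verify.sh cacert.pem signed.xml
if [ "$#" -eq 2 ] && command -v xmlsec1 >/dev/null 2>&1; then
    verify_and_classify "$1" "$2"
fi
```

The classifier's exit code is what a calling script should branch on; the word it prints is only for a human reading the log.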

