[xmlsec] Urgent help needed : Certificate verification failed
Aleksey Sanin
aleksey at aleksey.com
Thu Jun 4 09:24:47 PDT 2009
No specific order. Sorry, you will need to debug it to see what is
going on.
Aleksey
Ashish Agrawal wrote:
> I tried the same but for same error :
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE
> demo;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key
> is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
>
> Is there ny specfic order in which certificates should be present in the
> signature file ? can there be problem with the certificate fields ?
>
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>> wrote:
>
> Try
>
> xmlsec1 --verify \
> --trusted-pem root.pem \
> --trusted-pem int.pem \
> signature.xml
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> I have tried with:
> xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem
> signature.xml (removing the intermedaite CA cert from signature
> file)
> &
> xmlsec1 --verify --trusted-pem root.pem signature.xml ( keeping
> the intermedia CA cert and end certtificate in the signature file)
>
> Got same result..
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>> wrote:
>
> What command line options do you use?
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Srry, I did not understand your reply completely,
> You mean to check the subject field for the certifices:
>
> I see them as :
>
> End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL,
> CN=JIL subCA
> demo
>
> Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL,
> CN=JIL
> subCA demo
> Issuer: C=CN, ST=BJ, O=JIL,
> OU=JIL,
> CN=JIL Root demo
>
> Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL
> Root demo
> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL,
> CN=JIL Root demo
>
> So seems like the chain is correct. but verification
> fails.strange thing is it passes with openssl but not here.
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>> wrote:
>
> No there is no ordering problems. You have the subject
> of certificate which is at the end of the chain. Try
> to figure out "why?".
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Yes Aleksey,
> I have already tried with the openssl utility,
>
> openssl verify -CAfile root.pem EE.pem
> here root.pem is the root ca pem file & EE,pem
> contains the
> intermediate certificate and then the end
> certificate. and it
> passess with no error.
>
> but xmlsec fails :(
> Can there be any ordering issue ? shall i send my
> certs, will
> that help in root causing ?
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin
> <aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>> wrote:
>
> Try to verify your certs chain using openssl
> command line
> tool directly.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> My signature.xml file has two certificate,
> one is
> the end
> certificate and the other is the
> intermediate CA.
> In the intermediate certificate also the "CA"
> field is true
> .Could this be the root cause of the problem.
>
> Attaching the intermediate CA pem file
>
> Thanks for ur help.
>
> Regards,
> Ashish
>
>
> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin
> <aleksey at aleksey.com
> <mailto:aleksey at aleksey.com> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>
> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>
> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com> <mailto:aleksey at aleksey.com
> <mailto:aleksey at aleksey.com>>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>
> <mailto:aleksey at aleksey.com <mailto:aleksey at aleksey.com>>>>>> wrote:
>
> This error means that xmlsec can't build
> certs
> chain
> for some
> reasons.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
> Hi Aleksey,
>
> I ve a problem where i v a root CA
> and and two
> certificates in
> the chain, when i try to verify the
> chain using
> openssl
> it works :
> openssl verify -CAfile root.pem EE.pem
> but when i to to verify using xmlsec it
> fails with the
> error :
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function
> failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE
> demo;err=20;msg=unable to get local
> issuer
> certificate
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to
> get local
> issuer
> certificate
>
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key
> is not found:
>
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
>
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 6/6
> Manifests References (ok/all): 0/0
>
>
> Does xmlsec imposes ny additional
> constraint on the
> certificate
> validation and if yes what are they ?
>
> Regards,
> Ashish
>
>
>
> ------------------------------------------------------------------------
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>
> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>>
>
>
>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com> <mailto:xmlsec at aleksey.com
> <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> <mailto:xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
More information about the xmlsec
mailing list