Thanks for that. Here are a couple of observations:<br><br>1. If I add the root certificate to the openssl installation's own store in addition to using --trusted-pem on the command line I still get the error. (I've checked that the certificate is installed correctly by using it with "openssl verify ...")<br>
<br>2. Without adding the certificate to the openssl installation, the error can be avoided using the --untrusted-pem option on the command line to identify all of the appropriate intermediate certificates. From what you have said I would still expect the openssl verification route to result in failure.<br>
<br>So, something still doesn't really make sense. However, as you say, ultimately verification has been successful so perhaps there is no significant problem. In that case, is there a way to suppress these types of error? I am worried that users of my application may be worried by these errors being printed to the console.<br>
<br>Many thanks again for your thoughts.<br><br><div class="gmail_quote">On Feb 19, 2008 8:03 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
There is no failure. This error just indicates that one of the<br>attempts to verify the certificates chain failed. xmlsec-openssl<br>performs certification against different sets of trusted certs:<br>1) ones from the openssl installation<br>
2) ones you specify in the command line<br><br>One of the attempts failed. That's it. You can safely ignore this error.<br><br>Aleksey<br><div class="Ih2E3d"><br>Paul Keeler wrote:<br>> The 5 certificates represent a whole certificate chain in order from<br>
> signer back to self-signed trusted root. If I use the fifth certificate<br>> as a trusted root (extract it to file, add the begin/end certificate<br>> tags, and use the --trusted-pem option), then my understanding is that I<br>
> should be able to verify the signature and the entire certificate<br>> chain. Surely there should be no failure? Am I missing something here?<br>><br>> Thanks again.<br>><br>> On Feb 19, 2008 3:26 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>
</div><div class="Ih2E3d">> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>> wrote:<br>><br></div><div class="Ih2E3d">> You have multiple certificates (X509Data) element. The error<br>
> indicates that verification of one certificate have failed<br>> but the other succeeds and the signature is verified.<br>><br>> Aleksey<br>><br>> Paul Keeler wrote:<br>> > Looks like the body of my previous message was somehow scrubbed along<br>
> > with the attachment. Here it is again:<br>> ><br>> > On Feb 19, 2008 11:00 AM, Paul Keeler <<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a><br>> <mailto:<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a>><br>
</div>> > <mailto:<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a> <mailto:<a href="mailto:keelerp@googlemail.com">keelerp@googlemail.com</a>>>><br><div class="Ih2E3d">> wrote:<br>
> ><br>> > Ok, I guess it was a bit unreasonable to send you a link - my<br>> > apologies! Here's a concrete example. See attached.<br>> ><br>> > Thanks for your patience.<br>
> ><br>> ><br>> > On Feb 18, 2008 5:08 PM, Aleksey Sanin <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>><br>
</div><div><div></div><div class="Wj3C7c">> > <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>>> wrote:<br>
> ><br>> > I have no idea what "target kdm certificate" is :)<br>> Please, attach<br>> > a signed document to the email.<br>> ><br>> > Aleksey<br>
> ><br>> > Paul Keeler wrote:<br>> > > Here is a link to an online generator of signed documents<br>> > that will<br>> > > demonstrate the behaviour I described previously:<br>
> > ><br>> > > <a href="http://www.cinecert.com/dci_ref_01/" target="_blank">http://www.cinecert.com/dci_ref_01/</a><br>> > ><br>> > > Is there perhaps something about these documents that<br>
> means<br>> > xmlsec is<br>> > > unable to populate a store of untrusted certificates?<br>> > ><br>> > > Many thanks for your help already.<br>
> > ><br>> > ><br>> > > On Feb 14, 2008 5:29 PM, Aleksey Sanin<br>> <<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>><br>
> > <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>><br>> > > <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>
> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a><br>> <mailto:<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>>>>> wrote:<br>
> > ><br>> > > The error indicates that verification of one of the<br>> > certificate<br>> > > chains failed but xmlsec was able to extract the key<br>
> > either from<br>> > > another certificate chain or from some other<br>> place. Hard<br>> > to say<br>> > > more w/o looking at the document.<br>
> > ><br>> > > Aleksey<br>> > ><br>> > ><br>> > ><br>> > > Paul Keeler wrote:<br>
> > > > I would be grateful if somone could help me<br>> with this<br>> > problem. I<br>> > > have a<br>> > > > signed document which reports that it verifies<br>
> ok, but<br>> > also gives an<br>> > > > error message: "unable to get local issuer<br>> > certificate". The<br>> > > same thing<br>
> > > > happens both running from my own application and<br>> > calling xmlsec<br>> > > from the<br>> > > > command line:<br>
> > > ><br>> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>> > > > <my_node_namespace_uri>:<my_first_node_name><br>
> > > > --id-attr:<my_ID_attribute_name><br>> > > > <my_node_namespace_uri>:<my_second_node_name><br>> > --trusted-pem<br>
> > > > <my_trusted_root_pem> <my_signed_document><br>> > > ><br>> > > > This is the result:<br>> > > ><br>
> > > ><br>> > ><br>> ><br>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate<br>> > > > verification failed:err=20;msg=unable to get local<br>
> > issuer certificate<br>> > > > OK<br>> > > > SignedInfo References (ok/all): 2/2<br>> > > > Manifests References (ok/all): 0/0<br>
> > > ><br>> > > > The verification seems to have been successful<br>> > (indicated by<br>> > > "OK"), but<br>
> > > > clearly an error was also reported.<br>> > > ><br>> > > > The signed document contains my entire certificate<br>> > chain: Signer -><br>
> > > > Intermediate CA -> Root CA. The Root CA in the<br>> chain<br>> > is the same<br>> > > as the<br>> > > > trusted root pem I pass using the --trusted-pem<br>
> > option, so I would<br>> > > > expect verification to succeed.<br>> > > ><br>> > > > Now, I can make the error message go away by<br>
> > extracting the<br>> > > Intermediate<br>> > > > CA certificate from the signed document and<br>> passing it<br>> > to XMLSEC<br>
> > > using<br>> > > > the --untrusted-pem option:<br>> > > ><br>> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name><br>
> > > > <my_node_namespace_uri>:<my_first_node_name><br>> > > > --id-attr:<my_ID_attribute_name><br>> > > > <my_node_namespace_uri>:<my_second_node_name><br>
> > --trusted-pem<br>> > > > <my_trusted_root_pem> --untrusted-pem<br>> > <intermediate_CA_pem><br>> > > > <my_signed_document><br>
> > > ><br>> > > > I did not expect that I would have to<br>> explicitly pass a<br>> > > certificate from<br>> > > > the chain to xmlsec and flag it as being untrusted.<br>
> > Am I doing<br>> > > > something wrong? Surely xmlsec should assume<br>> that all<br>> > X509<br>> > > certificates<br>
> > > > in a chain are untrusted by default? Have I missed<br>> > the point<br>> > > somewhere?<br>> > > ><br>> > > > Many thanks in advance.<br>
> > > ><br>> > > ><br>> > > ><br>> > ><br>> ><br>> ------------------------------------------------------------------------<br>
> > > ><br>> > > > _______________________________________________<br>> > > > xmlsec mailing list<br>> > > > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>
> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>>><br>> > <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>
> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>>>><br>> > > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
> > ><br>> > ><br>> > ><br>> > ><br>> ><br>> ------------------------------------------------------------------------<br>
> > ><br>> > > _______________________________________________<br>> > > xmlsec mailing list<br>> > > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>
> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>>><br>> > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
> ><br>> ><br>> ><br>> ><br>> ><br>> ------------------------------------------------------------------------<br>> ><br>> > _______________________________________________<br>
> > xmlsec mailing list<br>> > <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a> <mailto:<a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a>><br>> > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
><br>><br>><br>> ------------------------------------------------------------------------<br>><br>> _______________________________________________<br>> xmlsec mailing list<br>> <a href="mailto:xmlsec@aleksey.com">xmlsec@aleksey.com</a><br>
> <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br></div></div></blockquote></div><br>