Sorry, I did not understand your reply completely. <br>You mean to check the subject field for the certificates?<br><br>I see them as:<br><br>End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo<br> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br>
<br>Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br><br>Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br><br>So it seems like the chain is correct, but verification fails. The strange thing is that it passes with openssl but not here.<br><br>Regards,<br><font color="#888888">Ashish</font><br>
<br><div class="gmail_quote">On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
No, there are no ordering problems. You have the subject<br>
of certificate which is at the end of the chain. Try<br>
to figure out "why?".<br>
<br>
Aleksey<br>
<br>
Ashish Agrawal wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">
Yes Aleksey,<br>
I have already tried with the openssl utility,<br>
<br>
openssl verify -CAfile root.pem EE.pem <br>
Here root.pem is the root CA pem file &amp; EE.pem contains the intermediate certificate and then the end certificate, and it passes with no error.<br>
<br>
but xmlsec fails :(<br>
Can there be any ordering issue? Shall I send my certs? Will that help in root causing?<br>
<br>
Regards,<br>
Ashish<br>
<br></div><div class="im">
On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br>
<br>
Try to verify your certs chain using openssl command line tool directly.<br>
<br>
Aleksey<br>
<br>
Ashish Agrawal wrote:<br>
<br>
Hi Aleksey,<br>
<br>
My signature.xml file has two certificates, one is the end<br>
certificate and the other is the intermediate CA.<br>
In the intermediate certificate also the "CA" field is true.<br>
Could this be the root cause of the problem?<br>
<br>
Attaching the intermediate CA pem file<br>
<br>
Thanks for your help.<br>
<br>
Regards,<br>
Ashish<br>
<br>
<br>
On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin
&lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div><div><div></div><div class="h5">
<br>
This error means that xmlsec can't build certs chain for some<br>
reasons.<br>
<br>
Aleksey<br>
<br>
Ashish Agrawal wrote:<br>
<br>
Hi Aleksey,<br>
<br>
I have a problem where I have a root CA and two<br>
certificates in<br>
the chain. When I try to verify the chain using openssl<br>
it works:<br>
openssl verify -CAfile root.pem EE.pem<br>
but when I try to verify using xmlsec it fails with the<br>
error:<br>
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto<br>
library function<br>
failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE<br>
demo;err=20;msg=unable to get local issuer certificate<br>
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate<br>
verification failed:err=20;msg=unable to get local issuer<br>
certificate<br>
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec<br>
library function failed:<br>
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key<br>
is not found:<br>
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec<br>
library function failed:<br>
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec<br>
library function failed:<br>
Error: signature failed<br>
ERROR<br>
SignedInfo References (ok/all): 6/6<br>
Manifests References (ok/all): 0/0<br>
<br>
<br>
Does xmlsec impose any additional constraints on the<br>
certificate<br>
validation, and if yes, what are they?<br>
<br>
Regards,<br>
Ashish<br>
<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
xmlsec mailing list<br>
<a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br></div></div>
<div class="im"><br>
<br>
<a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</div></blockquote>
</blockquote></div><br>
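Added example, not part of the original thread: `openssl verify` checks only the first certificate in each file it is given, so running it on a bundle that lists the intermediate first (the EE.pem layout described above) never tests the end-entity certificate, while checking the end certificate on its own reproduces the err=20 from the xmlsec log. The chain below is constructed with throwaway keys; the file names, the `Demo` subjects and the helper functions are assumptions.

```shell
#!/bin/sh
# Constructed Root -> subCA -> EE chain with throwaway keys (names hypothetical).

issue() {  # issue NAME ISSUER EXT: make NAME.key and NAME.pem; ISSUER = NAME is self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=Demo $1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {  # build_chain DIR: writes root.pem, subca.pem, ee.pem, bundle.pem
  ( cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'basicConstraints=CA:FALSE' > ee.ext
    issue root root ca.ext && issue subca root ca.ext && issue ee subca ee.ext || exit 1
    # Same layout as the EE.pem in the thread: intermediate first, then end cert.
    cat subca.pem ee.pem > bundle.pem )
}

verify_result() {  # verify_result DIR ARGS...: prints OK or the first "error N"
  dir=$1; shift
  if out=$(cd "$dir" && openssl verify -CAfile root.pem "$@" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*\(error [0-9][0-9]*\) at.*/\1/p' | head -n 1
  fi
}

demo=$(mktemp -d) && build_chain "$demo" || exit 1
# 1. Only the first cert in bundle.pem (the subCA) is verified, so this passes.
echo "bundle, subCA first:      $(verify_result "$demo" bundle.pem)"
# 2. The end cert alone: its issuer is not in the trusted file, hence error 20.
echo "ee.pem alone:             $(verify_result "$demo" ee.pem)"
# 3. The end cert with the intermediate supplied as an untrusted chain cert.
echo "ee.pem, -untrusted subca: $(verify_result "$demo" -untrusted subca.pem ee.pem)"
```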