Hi Aleksey,<br><br>I got something interesting now. Earlier I said that the certificate chain was working fine with openssl.<br><br>The command I gave was:<br>openssl verify -CAfile Root.pem EE.pem<br>where EE.pem had the intermediate cert &amp; then the end certificate, and it said OK (passed).<br>
Now, inside ee.pem&#39;s end certificate, if I add some junk characters and give the same command, it also passes. It seems like only one certificate is getting verified and not the whole chain.<br><br>Similarly with xmlsec, if I put only the intermediate cert in the signature file, it gets verified. :-(<br>
<br>I am getting this feeling that there might be a problem with the certificate chain provided to me. What do you think?<br><br>Any idea how I can confirm the same?<br><br>Regards,<br>Ashish<br><br><br><div class="gmail_quote">
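The behaviour described above, reproduced with a constructed demo chain (an added example, not part of the original message): `openssl verify` checks only the first certificate in each file it is given, so a file holding the intermediate followed by the end certificate validates the intermediate alone, and passing the intermediate with `-untrusted` is what makes the end certificate get validated through the whole chain. All subject names and file names here are placeholders.

```shell
#!/bin/sh
# Added example: a constructed three-level demo PKI (all names are placeholders)
# used to show what `openssl verify` actually checks.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_ee]
basicConstraints = CA:FALSE
EOF

# new_csr NAME CN: create NAME.key and NAME.csr
new_csr() {
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign NAME ISSUER EXT_SECTION: issue NAME.pem from NAME.csr, signed by ISSUER
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile demo.cnf -extensions "$3" \
        -days 2 -out "$1.pem" 2>/dev/null
}

# Self-signed root, then intermediate CA, then end-entity certificate.
openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 2 2>/dev/null
new_csr int "Demo subCA"; sign int root v3_ca
new_csr ee  "Demo EE";    sign ee  int  v3_ee

# The layout from the thread: intermediate first, then the end certificate.
cat int.pem ee.pem > bundle.pem
# Same layout, but with the second PEM block replaced by junk.
{
    cat int.pem
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'bm90IGEgY2VydGlmaWNhdGU=' \
        '-----END CERTIFICATE-----'
} > junk_bundle.pem

# verify_ok ARGS...: true only if `openssl verify ARGS` reports "<file>: OK".
verify_ok() {
    openssl verify "$@" 2>&1 | grep -q ': OK$'
}

report() {
    if verify_ok "$@"; then echo "OK    openssl verify $*"
    else echo "FAIL  openssl verify $*"; fi
}

# Only the first certificate of the file (the intermediate) is verified: OK.
report -CAfile root.pem bundle.pem
# Junk after the first certificate is never parsed: still OK.
report -CAfile root.pem junk_bundle.pem
# The end certificate alone has no path to the root: FAIL (error 20).
report -CAfile root.pem ee.pem
# Intermediate supplied as an untrusted chain-building input: OK.
report -CAfile root.pem -untrusted int.pem ee.pem
```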
On Thu, Jun 4, 2009 at 10:44 PM, Aleksey Sanin <span dir="ltr">&lt;<a href="mailto:aleksey@aleksey.com">aleksey@aleksey.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
There are checks for expired certs, etc. Same as openssl.<br>
<br>
Aleksey<br>
<br>
Ashish Agrawal wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Aleksey,<br>
<br><div class="im">
I have a doubt: since this chain was successfully verified by openssl, do we put additional checks in xmlsec which might fail the validation in terms of the certificate constraints?<br>
<br>
Regards,<br>
Ashish<br>
<br></div><div class="im">
On Thu, Jun 4, 2009 at 10:01 PM, Ashish Agrawal &lt;<a href="mailto:meetashish@gmail.com" target="_blank">meetashish@gmail.com</a>&gt; wrote:<br>

<br>
    Yes, I am trying to debug simultaneously. Hopefully I will get some luck.<br>
<br>
    I am attaching the certificate chain for your reference, can you please<br>
    take a look and see if you can find something suspicious.<br>
<br>
    Your help is deeply appreciated.<br>
<br>
    Regards,<br>
    Ashish<br>
<br>
<br>
<br>
<br>
    On Thu, Jun 4, 2009 at 9:54 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div><div class="im">
<br></div><div><div></div><div class="h5">
        No specific order. Sorry, you will need to debug it to see what is<br>
        going on.<br>
<br>
        Aleksey<br>
<br>
        Ashish Agrawal wrote:<br>
<br>
            I tried the same but got the same error:<br>
            func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate<br>
            func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate<br>
            func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:<br>
            func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:<br>
            func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:<br>
            func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:<br>
<br>
            Is there any specific order in which certificates should be<br>
            present in the signature file? Can there be a problem with<br>
            the certificate fields?<br>
<br>
<br>
            Regards,<br>
            Ashish<br>
<br>
            On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div></div><div class="im">
<br>
               Try<br>
<br></div><div class="im">
               xmlsec1 --verify \<br>
                      --trusted-pem root.pem \<br>
                      --trusted-pem int.pem  \<br>
                      signature.xml<br>
<br>
               Aleksey<br>
<br>
               Ashish Agrawal wrote:<br>
<br>
                   I have tried with:<br>
                   xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml<br>
                   (removing the intermediate CA cert from the signature file)<br>
                   &amp;<br>
                   xmlsec1 --verify --trusted-pem root.pem signature.xml<br>
                   (keeping the intermediate CA cert and end certificate in the signature file)<br>
<br>
                   Got same result..<br>
                   Regards,<br>
                   Ashish<br>
<br>
                   On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div><div><div></div>
<div class="h5">
<br>
                      What command line options do you use?<br>
<br>
                      Aleksey<br>
<br>
                      Ashish Agrawal wrote:<br>
<br>
                          Sorry, I did not understand your reply completely,<br>
                          You mean to check the subject field for the certificates:<br>
<br>
                          I see them as:<br>
<br>
                          End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo<br>
                                    Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br>
<br>
                          Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo<br>
                                             Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
<br>
                          Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
                                     Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo<br>
<br>
                          So seems like the chain is correct, but verification<br>
                          fails. Strange thing is it passes with openssl but not here.<br>
<br>
                          Regards,<br>
                          Ashish<br>
<br>
                          On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div></div><div><div></div><div class="h5">
<br>
                             No, there are no ordering problems. You have the subject<br>
                             of the certificate which is at the end of the chain. Try<br>
                             to figure out &quot;why?&quot;.<br>
<br>
                             Aleksey<br>
<br>
                             Ashish Agrawal wrote:<br>
<br>
                                 Yes Aleksey,<br>
                                 I have already tried with the openssl utility,<br>
<br>
                                 openssl verify -CAfile root.pem EE.pem<br>
                                 here root.pem is the root CA pem file &amp; EE.pem contains the<br>
                                 intermediate certificate and then the end certificate, and it<br>
                                 passes with no error.<br>
<br>
                                 but xmlsec fails :(<br>
                                 Can there be any ordering issue? Shall I send my certs, will<br>
                                 that help in root causing?<br>
<br>
                                 Regards,<br>
                                 Ashish<br>
<br>
                                 On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br></div></div><div><div></div><div class="h5">
<br>
                                    Try to verify your certs chain using openssl command line<br>
                                    tool directly.<br>
<br>
                                    Aleksey<br>
<br>
                                    Ashish Agrawal wrote:<br>
<br>
                                        Hi Aleksey,<br>
<br>
                                        My signature.xml file has two certificates, one is the end<br>
                                        certificate and the other is the intermediate CA.<br>
                                        In the intermediate certificate also the &quot;CA&quot; field is true.<br>
                                        Could this be the root cause of the problem?<br>
<br>
                                        Attaching the intermediate CA pem file<br>
<br>
                                        Thanks for your help.<br>
<br>
                                        Regards,<br>
                                        Ashish<br>
<br>
<br>
                                        On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin &lt;<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>&gt; wrote:<br>
<br>
                                           This error means that xmlsec can&#39;t build certs chain<br>
                                           for some reasons.<br>
<br>
                                           Aleksey<br>
<br>
                                           Ashish Agrawal wrote:<br>
<br>
                                               Hi Aleksey,<br>
<br>
                                               I have a problem where I have a root CA and two certificates in<br>
                                               the chain. When I try to verify the chain using openssl it works:<br>
                                               openssl verify -CAfile root.pem EE.pem<br>
                                               but when I try to verify using xmlsec it fails with the error:<br>
                                               func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate<br>
                                               func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate<br>
                                               func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:<br>
                                               func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:<br>
                                               func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:<br>
                                               func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:<br>
                                               Error: signature failed<br>
                                               ERROR<br>
                                               SignedInfo References (ok/all): 6/6<br>
                                               Manifests References (ok/all): 0/0<br>
<br>
<br>
                                               Does xmlsec impose any additional constraint on the certificate<br>
                                               validation and if yes what are they?<br>
<br>
                                               Regards,<br>
                                               Ashish<br>
<br>
<br>
                                                                                  ------------------------------------------------------------------------<br>
<br>
                                                                _______________________________________________<br>
                                               xmlsec mailing list<br>
                                               <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
            &lt;mailto:<a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a>&gt;&gt;&gt;&gt;&gt;&gt;<br>
<br>
<br>
                                                                <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
<br>
<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
xmlsec mailing list<br>
<a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
<a href="http://www.aleksey.com/mailman/listinfo/xmlsec" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
</div></div></blockquote>
</blockquote></div><br>