[xmlsec] Re: Verifying an signature ... Problem
Wed Feb 26 19:46:38 PST 2003
> Ops.. The line was too long and I missed the last two certs. However, this
> changes nothing for me:
> [aleksey@lsh]$ openssl verify -CAfile c.pem b.pem
> b.pem: OK
> [aleksey@lsh]$ openssl verify -CAfile b.pem a.pem
> a.pem: /C=US/O=MasterCard International Incorporated Test System
> Subordinate/OU=SecureCode Test System Subordinate CA
> Certificate/CN=MasterCard SecureCode Test Issuer and Directory Subordinate
> error 2 at 1 depth lookup:unable to get issuer certificate
> The only idea I have is that you have some cert installed in the default
> openssl path
> that I don't have (for example, it might be original root cert used for
> other certs generation).
> And xmlsec does not know about it either. The only suggestion I have is
> to run xmlsec or openssl
> in the debugger. It should be somewhere in openssl/crypto/x509/x509.c or
To verify a you need to have b AND c loaded because it's an "certificate-hierarchy".
c -> b -> a
That's why I used the CAPath-feature from openssl because it is only possible to use
cafile one time. put b and c in an directory, run "c_rehash ." to prepare it and then
you can use that using openssl ... and then it should be possible to verify a.pem
>> Does xmlsec uses all these certificates or only get the first one ?!
> Yes, of course. It loads everything it can find.
>> When I try to load the extracted b.pem and c.pem as trusted
>> certificates into xmlsec I get
>> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation
>> failed : X509_LOOKUP_load_file(b.pem) - 0
>> Error: unable to load certificate file "b.pem".
>> What could be the reason for that error ?
> Have you added magic "----BEGIN CERTIFICATE----" and "-----END
> CERTIFICATE-----" to the extracted
> certs? xmlsec utility expects certs in PEM files.
Yes I added that - openssl accepts it ...
Any other ideas?
More information about the xmlsec