[xmlsec] Re: Verifying an signature ... Problem

Aleksey Sanin aleksey at aleksey.com
Mon Feb 24 07:54:44 PST 2003


The issuer of the certificate in the signature

C=US, O=MasterCard International Incorporated Test System Subordinate,
OU=SecureCode Test System Subordinate CA Certificate,
CN=MasterCard SecureCode Test Issuer and Directory Subordinate

matches none of the subjects of the certificates you sent to me.  You might
use "openssl x509" and "openssl verify" commands to verify "plain" certs
w/o XML stuff around. For example, I've saved the cert from the signature
to an a.pem file, put all your certs in the same dir and executed the
following command (added lines formatting):

    [aleksey at lsh]$ openssl verify -CAfile mctestRootCA.pem *.pem

    a.pem: /C=US/O=MasterCard International Inc Test System Subordinate
                /OU=SecureCode Test System Subordinate CA Stage 2
               /CN=MasterCard SecureCode Issuer Test1 Signing Stage
    error 20 at 0 depth lookup:unable to get local issuer certificate
    mctestRoot_2.pem: OK
    mctestRootCA.pem: OK
    mctestSubcCA.pem: OK

And I have the same results with "-CAfile mctestRoot_2.pem".



Also, as you probably know I prefer to answer xmlsec questions in the
mailing list.

Aleksey


Ingo Fischer wrote:

> Hello !
>
> We had contact some time ago.
>
> Now I have another problem. I have an XML-Signature which I need to verify.
>
> When I try that with:
>
> > xmlsec verify --trusted 
> /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem 
> /tmp/3dsec_xmldsig_verify_3006.xml
>
> xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification 
> failed : error=19 (self signed certificate in certificate chain)
> xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification 
> failed :
> xmlSecKeysMngrGetKey (keys.c:518): error 17: key not found :
> xmlSecSignedInfoRead (xmldsig.c:1437): error 17: key not found :
> xmlSecSignatureRead (xmldsig.c:1175): error 2: xmlsec operation failed 
> : xmlSecSignedInfoRead - -1
> xmlSecDSigValidate (xmldsig.c:733): error 2: xmlsec operation failed : 
> xmlSecSignatureRead - -1
> ERROR
> Error: operation failed
>
> That's correct that way because the Root-Certificate is self-signed by 
> Mastercard. Now I have the CA-Certificates as two .pem-files too (they 
> have a hierarchy of a Master-CA and a Sub-CA, which are both needed)
>
> So I tried to set them as --trusted too:
>
> > xmlsec verify --trusted 
> /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem --trusted 
> /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestRootCA.pem 
> --trusted 
> /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem 
> /tmp/3dsec_xmldsig_verify_3006.xml
>
> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation 
> failed : 
> X509_LOOKUP_load_file(/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem) 
> - 0
> Error: unable to load certificate file 
> "/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem".
> Usage: xmlsec verify [<options>] <file> [<file> [ ... ]]
> ...
>
> I attached all the files referenced (packed as ZIP) and it would be 
> great if you could give me a hint what goes wrong there.
>
> Hoping for a fast answer ;-))
>
> Ingo Fischer
>
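
The issuer/subject comparison described in the reply above can be scripted; this is an added example, not part of the original thread and not xmlsec code. It uses only `openssl x509` with its `-issuer_hash` and `-subject_hash` options; the function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: follow issuer -> subject links by name to see where a
# chain breaks. Compares names only; "openssl verify" checks signatures.
# Usage: trace_chain signer.pem ca1.pem [ca2.pem ...]  (placeholder names)

name_hash() {   # $1 = -issuer_hash or -subject_hash, $2 = PEM file
    openssl x509 -noout "$1" -in "$2"
}

# Print the first candidate whose subject equals the issuer of cert $1.
find_issuer() {
    cert=$1; shift
    want=$(name_hash -issuer_hash "$cert") || return 2
    for cand in "$@"; do
        if [ "$(name_hash -subject_hash "$cand" 2>/dev/null)" = "$want" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Walk from the signing cert upward until a self-issued cert or a gap.
trace_chain() {
    cur=$1; shift
    depth=0
    while [ "$depth" -lt 10 ]; do          # bound the walk against name loops
        iss_h=$(name_hash -issuer_hash "$cur") || return 2
        sub_h=$(name_hash -subject_hash "$cur") || return 2
        if [ "$iss_h" = "$sub_h" ]; then
            echo "depth $depth: $cur is self-issued, chain is complete"
            return 0
        fi
        if ! next=$(find_issuer "$cur" "$@"); then
            echo "depth $depth: no supplied cert has this subject:"
            openssl x509 -noout -issuer -in "$cur"
            return 1
        fi
        echo "depth $depth: $cur <- issued by $next"
        cur=$next
        depth=$((depth + 1))
    done
    echo "stopped after $depth links"
    return 1
}
```

A gap reported at depth 0 corresponds to the "error 20 at 0 depth lookup" line in the `openssl verify` output: the certificate that issued the signing cert is not among the files supplied.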




