[xmlsec] Re: Verifying an signature ... Problem

Ingo Fischer apollon at schlund.de
Wed Feb 26 10:39:23 PST 2003


Hello Aleksey,

In the XML file there were 3 certificates included in all. The first certificate 
you extracted as "a.pem".
I saved these certificates as b.pem and c.pem too.

When I verify that with openssl I get a success for a.pem.
So you need all certificates which are presented in the XML when you verify the 
signature. Does xmlsec use all these certificates or only get the first one?!

When I try to load the extracted b.pem and c.pem as trusted certificates into 
xmlsec I get

xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation failed : 
X509_LOOKUP_load_file(b.pem) - 0
Error: unable to load certificate file "b.pem".

What could be the reason for that error?

Ingo Fischer

Aleksey Sanin wrote:
> The issuer of the certificate in the signature
> 
> C=US, O=MasterCard International Incorporated Test System Subordinate,
> OU=SecureCode Test System Subordinate CA Certificate,
> CN=MasterCard SecureCode Test Issuer and Directory Subordinate
> 
> matches none of the subjects of the certificates you sent to me.  You might
> use "openssl x509" and "openssl verify" commands to verify "plain" certs
> w/o XML stuff around. For example,  I've saved cert from the signature
> to a.pem file, put all your certs in the same dir and executed the 
> following
> command (added lines formatting):
> 
>    [aleksey at lsh]$ openssl verify -CAfile mctestRootCA.pem *.pem
> 
>    a.pem: /C=US/O=MasterCard International Inc Test System Subordinate
>                /OU=SecureCode Test System Subordinate CA Stage 2
>               /CN=MasterCard SecureCode Issuer Test1 Signing Stage
>    error 20 at 0 depth lookup:unable to get local issuer certificate
>    mctestRoot_2.pem: OK
>    mctestRootCA.pem: OK
>    mctestSubcCA.pem: OK
> 
> And I have the same results with "-CAfile mctestRoot_2.pem".
> 
> 
> 
> Also, as you probably know I prefer to answer xmlsec questions in the
> mailing list.
> 
> Aleksey
> 
> 
> Ingo Fischer wrote:
> 
>> Hello !
>>
>> We had contact some time ago.
>>
>> Now I have another problem. I have an XML-Signature which I need to 
>> verify.
>>
>> When I try that with:
>>
>> > xmlsec verify --trusted 
>> /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem 
>> /tmp/3dsec_xmldsig_verify_3006.xml
>>
>> xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification 
>> failed : error=19 (self signed certificate in certificate chain)
>> xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification 
>> failed :
>> xmlSecKeysMngrGetKey (keys.c:518): error 17: key not found :
>> xmlSecSignedInfoRead (xmldsig.c:1437): error 17: key not found :
>> xmlSecSignatureRead (xmldsig.c:1175): error 2: xmlsec operation failed 
>> : xmlSecSignedInfoRead - -1
>> xmlSecDSigValidate (xmldsig.c:733): error 2: xmlsec operation failed : 
>> xmlSecSignatureRead - -1
>> ERROR
>> Error: operation failed
>>
>> That's correct that way because the Root-Certificate is self-signed by 
>> Mastercard. Now I have the CA-Certificates as two .pem-files too (they 
>> have a hierarchy of a Master-CA and a Sub-CA which are both needed)
>>
>> So I tried to set them as --trusted too:
>>
>> > xmlsec verify --trusted 
>> /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem --trusted 
>> /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestRootCA.pem 
>> --trusted 
>> /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem 
>> /tmp/3dsec_xmldsig_verify_3006.xml
>>
>> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation 
>> failed : 
>> X509_LOOKUP_load_file(/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem) 
>> - 0
>> Error: unable to load certificate file 
>> "/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem".
>> Usage: xmlsec verify [<options>] <file> [<file> [ ... ]]
>> ...
>>
>> I attached all the files referenced (packed as ZIP) and it would be 
>> great if you could give me a hint what goes wrong there.
>>
>> Hoping for a fast answer ;-))
>>
>> Ingo Fischer
>>

-- 
Ingo Fischer
_____________________________________________________________________

Ingo Fischer
Schlund + Partner AG           NOF-Components : http://www.apollon.de
Karlsruhe                      ICQ-Number     : 3183043
Tel.: 0721/91374-0
http://www.schlund.de
_____________________________________________________________________
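
Added example (not part of the original thread, and not xmlsec code): a Python sketch of the step discussed above, exporting every `X509Certificate` from the signature's KeyInfo to PEM so each one can be checked with `openssl x509` and `openssl verify`. The function names and the constructed sample document with placeholder DER blobs are assumptions; the length check only catches truncated or padded blobs and says nothing about why `X509_LOOKUP_load_file` failed in this thread.

```python
import base64
import ssl
import xml.etree.ElementTree as ET  # stdlib parser; use a hardened one for untrusted XML

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def der_total_length(der: bytes) -> int:
    """Length the outer DER SEQUENCE header claims for the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_pem_certs(xml_text: str) -> list:
    """Return every ds:X509Certificate, in document order, as PEM text."""
    pems = []
    nodes = ET.fromstring(xml_text).iter(f"{{{DSIG_NS}}}X509Certificate")
    for idx, node in enumerate(nodes):
        # XML-wrapped base64 carries newlines and indentation; strip them first.
        der = base64.b64decode("".join((node.text or "").split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError(f"certificate #{idx}: truncated or trailing bytes")
        pems.append(ssl.DER_cert_to_PEM_cert(der))  # 64-column body, BEGIN/END lines
    return pems

def sample_xml(truncate_last: bool = False) -> str:
    """Constructed input: two placeholder DER blobs, not real certificates."""
    blobs = [b"\x30\x82\x01\x00" + bytes([i]) * 256 for i in (1, 2)]
    if truncate_last:
        blobs[-1] = blobs[-1][:-10]         # simulate a cut-off copy/paste
    certs = "".join(
        f"<ds:X509Certificate>\n{base64.encodebytes(b).decode()}</ds:X509Certificate>"
        for b in blobs)
    return (f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:KeyInfo><ds:X509Data>'
            f"{certs}</ds:X509Data></ds:KeyInfo></ds:Signature>")

if __name__ == "__main__":
    # Writes a.pem, b.pem, ... to the current directory.
    for letter, pem in zip("abcdefgh", extract_pem_certs(sample_xml())):
        with open(f"{letter}.pem", "w", encoding="ascii") as fh:
            fh.write(pem)
        print(f"wrote {letter}.pem")
```
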



