[xmlsec] Re: Verifying an signature ... Problem

Aleksey Sanin aleksey at aleksey.com
Wed Feb 26 11:33:49 PST 2003


> In the XML file there were 3 certificates included in all. The first 
> certificate you extracted as "a.pem".
> I saved these certificates as b.pem and c.pem too.


Oops... The line was too long and I missed the last two certs. However, this
changes nothing for me:

        [aleksey at lsh]$ openssl verify -CAfile c.pem b.pem
        b.pem: OK

        [aleksey at lsh]$ openssl verify -CAfile b.pem a.pem
        a.pem: /C=US/O=MasterCard International Incorporated Test System Subordinate/OU=SecureCode Test System Subordinate CA Certificate/CN=MasterCard SecureCode Test Issuer and Directory Subordinate
        error 2 at 1 depth lookup:unable to get issuer certificate

The only idea I have is that you have some cert installed in the default
openssl path that I don't have (for example, it might be the original root
cert used for generating the other certs). And xmlsec does not know about
it either. The only suggestion I have is to run xmlsec or openssl in the
debugger. It should be somewhere in openssl/crypto/x509/x509.c or
openssl/crypto/x509/x509vfy.c

> Does xmlsec use all these certificates or only get the first one?!

Yes, of course. It loads everything it can find.

> When I try to load the extracted b.pem and c.pem as trusted 
> certificates into xmlsec I get
>
> xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation 
> failed : X509_LOOKUP_load_file(b.pem) - 0
> Error: unable to load certificate file "b.pem".
>
> What could be the reason for that error ?
>
Have you added the magic "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----" to the extracted certs? The xmlsec utility expects certs
in PEM files.


Aleksey
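
The extraction step discussed in this message, as an added example that is not part of the original post or of xmlsec: it pulls every X509Certificate element out of a signed XML document and wraps each one in the PEM armor lines that xmlsec and `openssl verify` expect. The function names and the sample XML are assumptions; the certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def der_to_pem(der):
    """Wrap DER bytes in PEM armor: five dashes each side, 64-char lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def extract_pem_certs(xml_text):
    """Return one PEM string per ds:X509Certificate, in document order."""
    # For XML from an untrusted source, parse with a hardened parser instead.
    root = ET.fromstring(xml_text)
    pems = []
    for node in root.iter("{%s}X509Certificate" % DSIG_NS):
        # Element text is often one very long line or indented; drop whitespace.
        b64 = "".join((node.text or "").split())
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError("X509Certificate is not valid base64") from exc
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("decoded data does not look like DER")
        pems.append(der_to_pem(der))
    return pems

def build_sample_xml():
    """Constructed sample: three placeholder blobs standing in for the certs."""
    fake_ders = [b"\x30\x82\x01\x00" + bytes([i]) * 256 for i in (1, 2, 3)]
    certs = "".join(
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        % base64.b64encode(d).decode("ascii")
        for d in fake_ders
    )
    xml_text = (
        '<ds:Signature xmlns:ds="%s"><ds:KeyInfo><ds:X509Data>%s'
        "</ds:X509Data></ds:KeyInfo></ds:Signature>" % (DSIG_NS, certs)
    )
    return xml_text, fake_ders

if __name__ == "__main__":
    xml_text, _ = build_sample_xml()
    # File names follow the thread: a.pem, b.pem, c.pem.
    for name, pem in zip(("a.pem", "b.pem", "c.pem"), extract_pem_certs(xml_text)):
        with open(name, "w") as fh:
            fh.write(pem)
```

With real certificates, each resulting file can be checked against its issuer using the `openssl verify -CAfile` commands shown in the message.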




