[xmlsec] Trusted certs directory

dnorrell at gmx.net dnorrell at gmx.net
Tue Aug 15 01:35:34 PDT 2006

Hi Aleksey,

> Hm... Yes, you are right! Sorry, I forgot about this. If you use
> OpenSSL then the "config" parameter is pointing to the folder
> with trusted certs (see the xmlSecOpenSSLSetDefaultTrustedCertsFolder
> function).
> Do you have any errors from xmlsec? Can you put a breakpoint
> in the xmlSecOpenSSLX509StoreInitialize() function on this line:

Yes, I get the following error when I try to load a key with xmlSecKeyInfoNodeRead:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate

The certificate is self-signed but I have the certificate in the directory I'm trying to set as the trusted certs folder. If I add it using xmlSecCryptoAppKeysMngrCertLoad, the error goes away.

>     path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
>     if(path != NULL) {
>         X509_LOOKUP *lookup = NULL;
>         lookup = X509_STORE_add_lookup(ctx->xst,
>                                        X509_LOOKUP_hash_dir());
>         if(lookup == NULL) {
>             ...
>         }
>         X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_DEFAULT);
>     }
> and then trace down whether 1) you have the correct value in "path" and
> 2) X509_LOOKUP_add_dir() succeeds? BTW, there is a small bug in this
> code... I need to check the return value from X509_LOOKUP_add_dir()
> and report an error if needed. I'll fix it tonight.

I can confirm that the path is receiving the correct value at this point and X509_LOOKUP_add_dir() is returning 1.

I did wonder what the format of the files in the directory should be. My trusted cert is a PEM file. I have also tried using the openssl c_rehash tool on the directory, but still the same problem. I will keep looking today.


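As an added example for the directory-format question above (this is not code from the thread or from xmlsec): X509_LOOKUP_hash_dir() never opens a certificate under its original file name. It looks only for entries named <subject-hash>.<n> in the folder passed to X509_LOOKUP_add_dir(), which is exactly the layout c_rehash creates, and X509_FILETYPE_DEFAULT means those entries are read as PEM. The script below builds that layout, reports which entry the lookup would load for a given certificate, and reproduces the same check with `openssl verify -CApath` so that the error can be isolated from xmlsec. It assumes the openssl command-line tool is on PATH; all function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from xmlsec: build and check a
# trusted-certs directory in the layout OpenSSL's X509_LOOKUP_hash_dir() reads.
# Assumes the openssl command-line tool is on PATH.

# Subject-name hash the directory lookup keys on, as `openssl x509 -hash` prints it.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# First unused suffix for HASH in DIR, counting 0, 1, 2, ... (one per collision).
next_suffix() {
    local dir=$1 hash=$2 n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    echo "$n"
}

# Print the entry of DIR that X509_LOOKUP_hash_dir() would load for CERT.
# Hash-named entries are the only files the lookup ever opens, so a certificate
# stored as ca.pem but never rehashed is reported as missing (exit status 1).
hashdir_lookup() {
    local dir=$1 cert=$2 h n=0
    h=$(cert_hash "$cert") || return 1
    while [ -e "$dir/$h.$n" ]; do
        if cmp -s "$dir/$h.$n" "$cert"; then
            echo "$dir/$h.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Link every PEM certificate in DIR under <hash>.<n>, as c_rehash does
# (OpenSSL 1.1 and later also ship `openssl rehash` for the same job).
# Running it twice is harmless: already-linked certificates are skipped.
rehash_dir() {
    local dir=$1 f h
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        hashdir_lookup "$dir" "$f" >/dev/null && continue
        h=$(cert_hash "$f") || return 1
        ln -s "$(basename "$f")" "$dir/$h.$(next_suffix "$dir" "$h")"
    done
}

# Check a certificate against the directory exactly as OpenSSL does, without
# xmlsec in the picture. Error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) here
# means the self-signed certificate is not found in DIR, so the directory
# layout, not the xmlsec call, is what to fix.
verify_with_dir() {
    openssl verify -CApath "$1" "$2"
}
```

Two things worth checking with it: `hashdir_lookup DIR CERT` must print an entry before xmlsec is started, and `verify_with_dir DIR CERT` must succeed. Because X509_LOOKUP_add_dir() runs inside xmlSecOpenSSLX509StoreInitialize(), the folder must also be set before the keys manager is initialized; a folder set afterwards is never added to the store, and the only symptom is the same error 18.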