[xmlsec] Trusted certs directory
dnorrell at gmx.net
Tue Aug 15 01:35:34 PDT 2006
Hi Aleksey,
> Hm... Yes you are right! Sorry, I forgot about this. If you use
> OpenSSL then the "config" parameter is pointing to the folder
> with trusted certs (see xmlSecOpenSSLSetDefaultTrustedCertsFolder
> function).
>
> Do you have any errors from xmlsec? Can you put a breakpoint
> in xmlSecOpenSSLX509StoreInitialize() function on this line:
Yes, I get the following error when I try to load a key with xmlSecKeyInfoNodeRead:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=18;msg=self signed certificate
The certificate is self-signed but I have the certificate in the directory I'm trying to set as the trusted certs folder. If I add it using xmlSecCryptoAppKeysMngrCertLoad, the error goes away.
> path = xmlSecOpenSSLGetDefaultTrustedCertsFolder();
> if(path != NULL) {
>     X509_LOOKUP *lookup = NULL;
>
>     lookup = X509_STORE_add_lookup(ctx->xst,
>                                    X509_LOOKUP_hash_dir());
>     if(lookup == NULL) {
>         ...
>     }
>     X509_LOOKUP_add_dir(lookup, (char*)path, X509_FILETYPE_DEFAULT);
> }
>
> and then trace down if 1) you have correct value in "path" and
> 2) X509_LOOKUP_add_dir() succeeds? BTW, there is a small bug in this
> code... I need to check the return value from X509_LOOKUP_add_dir()
> and report an error if needed. I'll fix it tonight.
I can confirm that the path is receiving the correct value at this point and X509_LOOKUP_add_dir() is returning 1.
I did wonder what the format of the files in the directory should be? My trusted cert is a PEM file. I have also tried using the openssl c_rehash tool on the directory, but still the same problem. I will keep looking today.
David.
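On the question above about the format of files in the trusted certs folder, an added example that is not part of the original message or of xmlsec's code: OpenSSL's X509_LOOKUP_hash_dir() only opens files named `<subject-hash>.<n>` (the names c_rehash creates), and X509_LOOKUP_add_dir() records the directory without reading it, so a return value of 1 says nothing about the contents. This Python check lists PEM certificates in a folder that no hash-named entry points to; the function names, file names and hash value are constructed for illustration.

```python
import os
import re
import tempfile

# Names X509_LOOKUP_hash_dir() tries: 8 hex digits of the subject-name hash,
# a dot, then a sequence number (0, 1, ...).
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def is_pem_cert(path):
    """True if the file contains a PEM certificate header."""
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read(65536)
    except OSError:
        return False

def unreachable_certs(cert_dir):
    """Return sorted names of PEM certs that no hash-named entry resolves to."""
    reachable = set()
    candidates = {}
    for name in os.listdir(cert_dir):
        full = os.path.join(cert_dir, name)
        real = os.path.realpath(full)      # follow c_rehash-style symlinks
        if not os.path.isfile(real) or not is_pem_cert(real):
            continue
        if HASH_NAME.match(name):
            reachable.add(real)            # a lookup by hash can open this file
        else:
            candidates[name] = real
    return sorted(n for n, real in candidates.items() if real not in reachable)

def demo():
    """Constructed sample: two PEM files, only one has a hash-named link."""
    d = tempfile.mkdtemp()
    body = PEM_MARKER + b"\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    for name in ("trusted-ca.pem", "forgotten-ca.pem"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    # Constructed hash value; a real one comes from `openssl x509 -hash -noout`.
    os.symlink("trusted-ca.pem", os.path.join(d, "0a1b2c3d.0"))
    return unreachable_certs(d)

if __name__ == "__main__":
    print(demo())
```

The check covers naming only; whether the hash in a file name matches the certificate's subject is confirmed with `openssl x509 -hash -noout -in <file>`.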