[xmlsec] debian problem - works on sarge, fails on etch

Martin Waite martin.waite at datacash.com
Wed Oct 10 09:05:28 PDT 2007

Martin Waite wrote:
> Aleksey Sanin wrote:
>>> Does anyone know what the problem might be ?
>>> $ xmlsec1 --verify  --trusted-pem src/test/root.cert ll
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>>> library function failed:subj=/C=UK/ST=Scotland/L=Edinburgh/O=DataCash
>>> Ltd/OU=Technology/CN=DataCash Payments
>>> CA/emailAddress=martin at datacash.com;err=24;msg=invalid CA certificate
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
>>> verification failed:err=24;msg=invalid CA certificate
>> Seems like you have problems with root.cert. For example,
>> a different openssl version might be more strict about extra
>> cert attributes, or something like this.
> I was afraid you might say that.
> I have been playing with "openssl verify" to try to get it to replicate
> the problem:  it makes a lot of noise, but seems quite happy with the
> certificates.
> I'll regenerate the certificates using the newer openssl and see if that
> fixes it.
> Thanks for the confirmation.

A working root certificate requires

        X509v3 extensions:
             X509v3 Key Usage: critical
                Certificate Sign, CRL Sign

Mine didn't have that.

Martin Waite
System Architect

Tel (Direct): +44 (0)131 538 8431
Mobile: +44 (0)7866 750509

DataCash Ltd, Suite 3/1 Great Michael House,
14 Links Place, Edinburgh, EH6 7EZ, United Kingdom.

Tel: +44 (0)870 7274 762
Fax: +44 (0)870 7274 782

www.datacash.com


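The root-certificate requirement Martin describes can be reproduced with the OpenSSL command line alone, without xmlsec. The script below is an added example, not part of the thread or of the xmlsec project: it builds three self-signed roots with an OpenSSL config file (one with no Key Usage extension, one with only the critical "Certificate Sign, CRL Sign" usage from the message, one that also carries basicConstraints CA:TRUE), issues a leaf certificate from each, and runs `openssl verify` against each root, once with default settings and once with `-x509_strict`. The root names (`noku`, `ku`, `full`), the subject names and the temporary paths are constructed for the demonstration; it assumes an OpenSSL 1.1 or 3.x `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "invalid CA certificate"
# failure with plain OpenSSL and show what the Key Usage extension changes.
# Three self-signed roots are built: "noku" has no Key Usage extension at all,
# "ku" adds the critical "Certificate Sign, CRL Sign" usage from the message,
# "full" adds basicConstraints CA:TRUE on top. A leaf is issued from each and
# verified. Names, subjects and paths are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME [EXTENSION-LINE...]: self-signed X.509v3 root whose v3_ca
# section holds subjectKeyIdentifier plus any extra lines given as arguments.
make_root() {
    name=$1; shift
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n'
        printf '[dn]\nCN = Demo Root %s\n' "$name"
        printf '[v3_ca]\nsubjectKeyIdentifier = hash\n'
        for line in "$@"; do printf '%s\n' "$line"; done
    } > "$WORK/$name.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
}

# issue_leaf ROOT: CSR for a constructed end-entity name, signed by ROOT.
issue_leaf() {
    root=$1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
        -keyout "$WORK/$root-leaf.key" -out "$WORK/$root-leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$root-leaf.csr" \
        -CA "$WORK/$root.pem" -CAkey "$WORK/$root.key" -CAcreateserial \
        -out "$WORK/$root-leaf.pem" 2>/dev/null
}

# verify_leaf ROOT [strict]: prints "ok" or "invalid"; the OpenSSL diagnostic
# (e.g. "error 24 at 1 depth lookup: invalid CA certificate") goes to stderr
# and is kept in $WORK/ROOT.log.
verify_leaf() {
    root=$1
    flag=""
    if [ "${2:-}" = strict ]; then flag="-x509_strict"; fi
    if openssl verify $flag -CAfile "$WORK/$root.pem" "$WORK/$root-leaf.pem" \
            >"$WORK/$root.log" 2>&1; then
        echo ok
    else
        cat "$WORK/$root.log" >&2
        echo invalid
    fi
}

# Constructed end-entity subject used for every leaf CSR.
printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = leaf.example.test\n' \
    > "$WORK/leaf.cnf"

make_root noku
make_root ku   'keyUsage = critical, keyCertSign, cRLSign'
make_root full 'keyUsage = critical, keyCertSign, cRLSign' \
               'basicConstraints = critical, CA:TRUE'

for r in noku ku full; do
    issue_leaf "$r"
    echo "== root '$r' extensions =="
    openssl x509 -in "$WORK/$r.pem" -noout -text \
        | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
    echo "default verify: $(verify_leaf "$r")   strict verify: $(verify_leaf "$r" strict)"
done
```

Run it with `sh`. The `noku` root reproduces the thread's failure (error 24, "invalid CA certificate"): OpenSSL refuses to treat a v3 certificate as a CA when it carries neither basicConstraints nor a keyUsage that includes keyCertSign. The `ku` root is exactly the fix from the message and passes default verification, but fails under `-x509_strict`, because RFC 5280 requires basicConstraints CA:TRUE on CA certificates and strict mode enforces it; only the `full` root passes both. To inspect an existing root quickly, `openssl x509 -in root.cert -noout -ext keyUsage,basicConstraints` prints just those two extensions.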