[xmlsec] Signature Verification Problem Using X509 Certificates
Paul Keeler
keelerp at googlemail.com
Thu Feb 14 03:33:42 PST 2008
I would be grateful if somone could help me with this problem. I have a
signed document which reports that it verifies ok, but also gives an error
message: "unable to get local issuer certificate". The same thing happens
both running from my own application and calling xmlsec from the command
line:
xmlsec1 --verify --id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_first_node_name>
--id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_second_node_name> --trusted-pem
<my_trusted_root_pem> <my_signed_document>
This is the result:
func=xmlSecOpenSSLX509StoreVerify:file=
x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificateverification
failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
The verification seems to have been successful (indicated by "OK"), but
clearly an error was also reported.
The signed document contains my entire certificate chain: Signer ->
Intermediate CA -> Root CA. The Root CA in the chain is the same as the
trusted root pem I pass using the --trusted-pem option, so I would expect
verification to succeed.
Now, I can make the error message go away by extracting the Intermediate CA
certificate from the signed document and passing it to XMLSEC using the
--untrusted-pem option:
xmlsec1 --verify --id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_first_node_name>
--id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_second_node_name> --trusted-pem
<my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
<my_signed_document>
I did not expect that I would have to explicitly pass a certificate from the
chain to xmlsec and flag it as being untrusted. Am I doing something
wrong? Surely xmlsec should assume that all X509 certificates in a chain
are untrusted by default? Have I missed the point somewhere?
Many thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20080214/1b41b8ed/attachment-0002.htm
More information about the xmlsec
mailing list