[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Thu Feb 14 03:33:42 PST 2008

I would be grateful if someone could help me with this problem.  I have a
signed document which reports that it verifies ok, but also gives an error
message: "unable to get local issuer certificate".  The same thing happens
both running from my own application and calling xmlsec from the command

xmlsec1 --verify --id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_second_node_name> --trusted-pem
<my_trusted_root_pem>  <my_signed_document>

This is the result:

failed:err=20;msg=unable to get local issuer certificate
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0

The verification seems to have been successful (indicated by "OK"), but
clearly an error was also reported.

The signed document contains my entire certificate chain: Signer ->
Intermediate CA -> Root CA.  The Root CA in the chain is the same as the
trusted root pem I pass using the --trusted-pem option, so I would expect
verification to succeed.

Now, I can make the error message go away by extracting the Intermediate CA
certificate from the signed document and passing it to XMLSEC using the
--untrusted-pem option:

xmlsec1 --verify --id-attr:<my_ID_attribute_name>
<my_node_namespace_uri>:<my_second_node_name> --trusted-pem
<my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>

I did not expect that I would have to explicitly pass a certificate from the
chain to xmlsec and flag it as being untrusted.  Am I doing something
wrong?  Surely xmlsec should assume that all X509 certificates in a chain
are untrusted by default?  Have I missed the point somewhere?

Many thanks in advance.
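A small harness for the xmlsec1 output format quoted above, added here as an example and not part of the original thread: it parses the lines that `xmlsec1 --verify` prints and treats a `failed:err=` line as fatal even when every reference reports ok. The sample output is constructed to mirror the one in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample of xmlsec1 --verify output, mirroring the post above:
# reference digests all match, but OpenSSL reports error 20 for the chain.
SAMPLE_OUTPUT = """\
failed:err=20;msg=unable to get local issuer certificate
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
"""

_ERR_RE = re.compile(r"^failed:err=(\d+);msg=(.*)$")
_REFS_RE = re.compile(r"^(SignedInfo|Manifests) References \(ok/all\): (\d+)/(\d+)$")


@dataclass
class VerifyResult:
    signature_ok: bool              # True only if refs match AND no error line was printed
    errors: list                    # (err_code, message) pairs from "failed:err=..." lines
    signedinfo_refs: tuple          # (ok, all) for SignedInfo references
    manifest_refs: tuple            # (ok, all) for Manifest references


def parse_xmlsec_verify_output(text: str) -> VerifyResult:
    """Parse xmlsec1 --verify output and decide whether the signature is acceptable."""
    errors = []
    refs = {"SignedInfo": (0, 0), "Manifests": (0, 0)}
    for line in text.splitlines():
        line = line.strip()
        m = _ERR_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2)))
            continue
        m = _REFS_RE.match(line)
        if m:
            refs[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    ok_si, all_si = refs["SignedInfo"]
    # Matching digests only prove the document is unchanged since signing.
    # err=20 means OpenSSL could not link the signer's certificate to a trusted
    # root (here: the intermediate CA was not available), so the signer is not
    # authenticated and the result must be treated as a verification failure.
    signature_ok = not errors and all_si > 0 and ok_si == all_si
    return VerifyResult(signature_ok, errors, refs["SignedInfo"], refs["Manifests"])
```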
