[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Mon Feb 18 03:19:22 PST 2008


Here is a link to an online generator of signed documents that will
demonstrate the behaviour I described previously:

http://www.cinecert.com/dci_ref_01/

Is there perhaps something about these documents that means xmlsec is unable
to populate a store of untrusted certificates?

Many thanks for your help already.


On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> The error indicates that verification of one of the certificate
> chains failed but xmlsec was able to extract the key either from
> another certificate chain or from some other place. Hard to say
> more w/o looking at the document.
>
> Aleksey
>
>
>
> Paul Keeler wrote:
> > I would be grateful if someone could help me with this problem.  I have a
> > signed document which reports that it verifies ok, but also gives an
> > error message: "unable to get local issuer certificate".  The same thing
> > happens both running from my own application and calling xmlsec from the
> > command line:
> >
> > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > <my_node_namespace_uri>:<my_first_node_name>
> > --id-attr:<my_ID_attribute_name>
> > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > <my_trusted_root_pem>  <my_signed_document>
> >
> > This is the result:
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > OK
> > SignedInfo References (ok/all): 2/2
> > Manifests References (ok/all): 0/0
> >
> > The verification seems to have been successful (indicated by "OK"), but
> > clearly an error was also reported.
> >
> > The signed document contains my entire certificate chain: Signer ->
> > Intermediate CA -> Root CA.  The Root CA in the chain is the same as the
> > trusted root pem I pass using the --trusted-pem option, so I would
> > expect verification to succeed.
> >
> > Now, I can make the error message go away by extracting the Intermediate
> > CA certificate from the signed document and passing it to XMLSEC using
> > the --untrusted-pem option:
> >
> > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > <my_node_namespace_uri>:<my_first_node_name>
> > --id-attr:<my_ID_attribute_name>
> > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > <my_signed_document>
> >
> > I did not expect that I would have to explicitly pass a certificate from
> > the chain to xmlsec and flag it as being untrusted.  Am I doing
> > something wrong?  Surely xmlsec should assume that all X509 certificates
> > in a chain are untrusted by default?  Have I missed the point somewhere?
> >
> > Many thanks in advance.
> >
> >
>

