[xmlsec] Signature Verification Problem Using X509 Certificates

Paul Keeler keelerp at googlemail.com
Tue Feb 19 04:02:54 PST 2008


Looks like the body of my previous message was somehow scrubbed along with
the attachment.  Here it is again:

On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com> wrote:

> Ok, I guess it was a bit unreasonable to send you a link - my apologies!
> Here's a concrete example.  See attached.
>
> Thanks for your patience.
>
>
> On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
> > I have no idea what "target kdm certificate" is :) Please, attach
> > a signed document to the email.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > Here is a link to an online generator of signed documents that will
> > > demonstrate the behaviour I described previously:
> > >
> > > http://www.cinecert.com/dci_ref_01/
> > >
> > > Is there perhaps something about these documents that means xmlsec is
> > > unable to populate a store of untrusted certificates?
> > >
> > > Many thanks for your help already.
> > >
> > >
> > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > >
> > >     The error indicates that verification of one of the certificate
> > >     chains failed but xmlsec was able to extract the key either from
> > >     another certificate chain or from some other place. Hard to say
> > >     more w/o looking at the document.
> > >
> > >     Aleksey
> > >
> > >
> > >
> > >     Paul Keeler wrote:
> > >      > I would be grateful if someone could help me with this problem.  I
> > >      > have a signed document which reports that it verifies ok, but also
> > >      > gives an error message: "unable to get local issuer certificate".  The
> > >      > same thing happens both running from my own application and calling
> > >      > xmlsec from the command line:
> > >      >
> > >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > >      > <my_node_namespace_uri>:<my_first_node_name>
> > >      > --id-attr:<my_ID_attribute_name>
> > >      > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > >      > <my_trusted_root_pem>  <my_signed_document>
> > >      >
> > >      > This is the result:
> > >      >
> > >      > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > >      > OK
> > >      > SignedInfo References (ok/all): 2/2
> > >      > Manifests References (ok/all): 0/0
> > >      >
> > >      > The verification seems to have been successful (indicated by "OK"), but
> > >      > clearly an error was also reported.
> > >      >
> > >      > The signed document contains my entire certificate chain: Signer ->
> > >      > Intermediate CA -> Root CA.  The Root CA in the chain is the same as the
> > >      > trusted root pem I pass using the --trusted-pem option, so I would
> > >      > expect verification to succeed.
> > >      >
> > >      > Now, I can make the error message go away by extracting the Intermediate
> > >      > CA certificate from the signed document and passing it to XMLSEC using
> > >      > the --untrusted-pem option:
> > >      >
> > >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > >      > <my_node_namespace_uri>:<my_first_node_name>
> > >      > --id-attr:<my_ID_attribute_name>
> > >      > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > >      > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > >      > <my_signed_document>
> > >      >
> > >      > I did not expect that I would have to explicitly pass a certificate from
> > >      > the chain to xmlsec and flag it as being untrusted.  Am I doing
> > >      > something wrong?  Surely xmlsec should assume that all X509 certificates
> > >      > in a chain are untrusted by default?  Have I missed the point somewhere?
> > >      >
> > >      > Many thanks in advance.