[xmlsec] Signature Verification Problem Using X509 Certificates

Aleksey Sanin aleksey at aleksey.com
Wed Feb 20 12:09:01 PST 2008


OK, what you say makes sense. Sorry that my idea was not
correct. Could you please try one more thing? Can you remove
from the <X509Data> node everything but <X509Certificate>?
I.e. <X509IssuerSerial> and other nodes?

Aleksey

Paul Keeler wrote:
> Thanks for that.  Here are a couple of observations:
> 
> 1. If I add the root certificate to the openssl installation's own store 
> in addition to using --trusted-pem on the command line I still get the 
> error.  (I've checked that the certificate is installed correctly by 
> using it with "openssl verify ...")
> 
> 2. Without adding the certificate to the openssl installation, the error 
> can be avoided using the --untrusted-pem option on the command line to 
> identify all of the appropriate intermediate certificates.  From what 
> you have said I would still expect the openssl verification route to 
> result in failure.
> 
> So, something still doesn't really make sense.  However, as you say, 
> ultimately verification has been successful so perhaps there is no 
> significant problem.  In that case, is there a way to suppress these 
> types of error?  I am worried that users of my application may be 
> worried by these errors being printed to the console.
> 
> Many thanks again for your thoughts.
> 
> On Feb 19, 2008 8:03 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> 
> > There is no failure. This error just indicates that one of the
> > attempts to verify the certificates chain failed. xmlsec-openssl
> > performs certification against different sets of trusted certs:
> > 1) ones from the openssl installation
> > 2) ones you specify in the command line
> > 
> > One of the attempts failed. That's it. You can safely ignore this error.
> > 
> > Aleksey
> > 
> > Paul Keeler wrote:
> > > The 5 certificates represent a whole certificate chain in order from
> > > signer back to self-signed trusted root.  If I use the fifth certificate
> > > as a trusted root (extract it to file, add the begin/end certificate
> > > tags, and use the --trusted-pem option), then my understanding is that I
> > > should be able to verify the signature and the entire certificate
> > > chain.  Surely there should be no failure?  Am I missing something here?
> > > 
> > > Thanks again.
> > > 
> > > On Feb 19, 2008 3:26 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > 
> > > > You have multiple certificates (X509Data) element. The error
> > > > indicates that verification of one certificate has failed
> > > > but the other succeeds and the signature is verified.
> > > > 
> > > > Aleksey
> > > > 
> > > > Paul Keeler wrote:
> > > > > Looks like the body of my previous message was somehow scrubbed along
> > > > > with the attachment.  Here it is again:
> > > > > 
> > > > > On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com> wrote:
> > > > > 
> > > > > > Ok, I guess it was a bit unreasonable to send you a link - my
> > > > > > apologies!  Here's a concrete example.  See attached.
> > > > > > 
> > > > > > Thanks for your patience.
> > > > > > 
> > > > > > On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > > > > 
> > > > > > > I have no idea what "target kdm certificate" is :) Please, attach
> > > > > > > a signed document to the email.
> > > > > > > 
> > > > > > > Aleksey
> > > > > > > 
> > > > > > > Paul Keeler wrote:
> > > > > > > > Here is a link to an online generator of signed documents that will
> > > > > > > > demonstrate the behaviour I described previously:
> > > > > > > > 
> > > > > > > > http://www.cinecert.com/dci_ref_01/
> > > > > > > > 
> > > > > > > > Is there perhaps something about these documents that means xmlsec is
> > > > > > > > unable to populate a store of untrusted certificates?
> > > > > > > > 
> > > > > > > > Many thanks for your help already.
> > > > > > > > 
> > > > > > > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > > > > > > 
> > > > > > > > > The error indicates that verification of one of the certificate
> > > > > > > > > chains failed but xmlsec was able to extract the key either from
> > > > > > > > > another certificate chain or from some other place. Hard to say
> > > > > > > > > more w/o looking at the document.
> > > > > > > > > 
> > > > > > > > > Aleksey
> > > > > > > > > 
> > > > > > > > > Paul Keeler wrote:
> > > > > > > > > > I would be grateful if someone could help me with this problem.  I have a
> > > > > > > > > > signed document which reports that it verifies ok, but also gives an
> > > > > > > > > > error message: "unable to get local issuer certificate".  The same thing
> > > > > > > > > > happens both running from my own application and calling xmlsec from the
> > > > > > > > > > command line:
> > > > > > > > > > 
> > > > > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > > > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > > > > > > --id-attr:<my_ID_attribute_name>
> > > > > > > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > > > > > > <my_trusted_root_pem>  <my_signed_document>
> > > > > > > > > > 
> > > > > > > > > > This is the result:
> > > > > > > > > > 
> > > > > > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > > > > > OK
> > > > > > > > > > SignedInfo References (ok/all): 2/2
> > > > > > > > > > Manifests References (ok/all): 0/0
> > > > > > > > > > 
> > > > > > > > > > The verification seems to have been successful (indicated by "OK"), but
> > > > > > > > > > clearly an error was also reported.
> > > > > > > > > > 
> > > > > > > > > > The signed document contains my entire certificate chain: Signer ->
> > > > > > > > > > Intermediate CA -> Root CA.  The Root CA in the chain is the same as the
> > > > > > > > > > trusted root pem I pass using the --trusted-pem option, so I would
> > > > > > > > > > expect verification to succeed.
> > > > > > > > > > 
> > > > > > > > > > Now, I can make the error message go away by extracting the Intermediate
> > > > > > > > > > CA certificate from the signed document and passing it to XMLSEC using
> > > > > > > > > > the --untrusted-pem option:
> > > > > > > > > > 
> > > > > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > > > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > > > > > > --id-attr:<my_ID_attribute_name>
> > > > > > > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > > > > > > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > > > > > > > > > <my_signed_document>
> > > > > > > > > > 
> > > > > > > > > > I did not expect that I would have to explicitly pass a certificate from
> > > > > > > > > > the chain to xmlsec and flag it as being untrusted.  Am I doing
> > > > > > > > > > something wrong?  Surely xmlsec should assume that all X509
> > > > > > > > > > certificates in a chain are untrusted by default?  Have I missed the point
> > > > > > > > > > somewhere?
> > > > > > > > > > 
> > > > > > > > > > Many thanks in advance.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
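A helper for the extraction Paul does by hand (pulling each <X509Certificate> out of <X509Data> and wrapping it in BEGIN/END CERTIFICATE markers), which also reports whether an <X509Data> carries the <X509IssuerSerial> node Aleksey asks about. This is example code added here, not part of xmlsec; it uses only the Python standard library, and the sample document and certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
X509_DATA = "{%s}X509Data" % DSIG_NS
X509_CERT = "{%s}X509Certificate" % DSIG_NS
X509_ISSUER_SERIAL = "{%s}X509IssuerSerial" % DSIG_NS

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_DER_A = bytes(range(0, 90))
SAMPLE_DER_B = bytes(range(90, 160))

def b64_multiline(der: bytes, width: int) -> str:
    """Base64 broken into lines of `width`, as signing tools often emit it."""
    return "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), width))

# Constructed <KeyInfo>: an <X509IssuerSerial> hint plus a two-certificate chain.
SAMPLE_XML = """<Signature xmlns="%s"><KeyInfo><X509Data>
<X509IssuerSerial><X509IssuerName>CN=Example Root</X509IssuerName>
<X509SerialNumber>1</X509SerialNumber></X509IssuerSerial>
<X509Certificate>
%s
</X509Certificate>
<X509Certificate>%s</X509Certificate>
</X509Data></KeyInfo></Signature>""" % (
    DSIG_NS, b64_multiline(SAMPLE_DER_A, 40), b64_multiline(SAMPLE_DER_B, 76))

def to_pem(b64_text: str) -> str:
    """Normalise element text (any whitespace/line breaks) into a 64-column PEM block."""
    der = base64.b64decode("".join(b64_text.split()), validate=True)
    body = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                      "-----END CERTIFICATE-----"]) + "\n"

def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem; lets a caller confirm the round trip before use."""
    lines = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)

def extract_x509_data(xml_text: str) -> list:
    """One dict per <X509Data>: its certificates as PEM strings, and whether it
    also carries <X509IssuerSerial> (the node Aleksey suggests removing)."""
    root = ET.fromstring(xml_text)
    return [{"pems": [to_pem(c.text or "") for c in d.findall(X509_CERT)],
             "has_issuer_serial": d.find(X509_ISSUER_SERIAL) is not None}
            for d in root.iter(X509_DATA)]
```

Each returned PEM string can be written to its own file and inspected with openssl; the self-signed root then goes to --trusted-pem and the intermediates to --untrusted-pem, which is the manual step described in the thread.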


