[xmlsec] Signature Verification Problem Using X509 Certificates
Paul Keeler
keelerp at googlemail.com
Wed Feb 20 13:45:37 PST 2008
All your ideas are more than welcome! I tried your suggestion, but the
output is exactly the same. Not sure where that leaves us?
Thanks again.
On Wed, Feb 20, 2008 at 8:09 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> OK, what you say makes sense. Sorry that my idea was not
> correct. Could you please try one more thing? Can you remove
> from <X509Data> node everything but <X509Certificate>?
> I.e. <X509IssuerSerial>, and other nodes?
>
> Aleksey
>
> Paul Keeler wrote:
> > Thanks for that. Here are a couple of observations:
> >
> > 1. If I add the root certificate to the openssl installation's own store
> > in addition to using --trusted-pem on the command line I still get the
> > error. (I've checked that the certificate is installed correctly by
> > using it with "openssl verify ...")
> >
> > 2. Without adding the certificate to the openssl installation, the error
> > can be avoided using the --untrusted-pem option on the command line to
> > identify all of the appropriate intermediate certificates. From what
> > you have said I would still expect the openssl verification route to
> > result in failure.
> >
> > So, something still doesn't really make sense. However, as you say,
> > ultimately verification has been successful so perhaps there is no
> > significant problem. In that case, is there a way to suppress these
> > types of error? I am worried that users of my application may be
> > worried by these errors being printed to the console.
> >
> > Many thanks again for your thoughts.
> >
> > On Feb 19, 2008 8:03 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> > There is no failure. This error just indicates that one of the
> > attempts to verify the certificate chain failed. xmlsec-openssl
> > performs certification against different sets of trusted certs:
> > 1) ones from the openssl installation
> > 2) ones you specify in the command line
> >
> > One of the attempts failed. That's it. You can safely ignore this
> > error.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > The 5 certificates represent a whole certificate chain in order from
> > > signer back to self-signed trusted root. If I use the fifth certificate
> > > as a trusted root (extract it to file, add the begin/end certificate
> > > tags, and use the --trusted-pem option), then my understanding is that I
> > > should be able to verify the signature and the entire certificate
> > > chain. Surely there should be no failure? Am I missing something here?
> > >
> > > Thanks again.
> > >
> > > On Feb 19, 2008 3:26 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > >
> > > You have multiple certificates (X509Data) element. The error
> > > indicates that verification of one certificate has failed
> > > but the other succeeds and the signature is verified.
> > >
> > > Aleksey
> > >
> > > Paul Keeler wrote:
> > > > Looks like the body of my previous message was somehow scrubbed along
> > > > with the attachment. Here it is again:
> > > >
> > > > On Feb 19, 2008 11:00 AM, Paul Keeler <keelerp at googlemail.com> wrote:
> > > >
> > > > Ok, I guess it was a bit unreasonable to send you a link - my
> > > > apologies! Here's a concrete example. See attached.
> > > >
> > > > Thanks for your patience.
> > > >
> > > > On Feb 18, 2008 5:08 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > >
> > > > I have no idea what "target kdm certificate" is :) Please, attach
> > > > a signed document to the email.
> > > >
> > > > Aleksey
> > > >
> > > > Paul Keeler wrote:
> > > > > Here is a link to an online generator of signed documents that will
> > > > > demonstrate the behaviour I described previously:
> > > > >
> > > > > http://www.cinecert.com/dci_ref_01/
> > > > >
> > > > > Is there perhaps something about these documents that means xmlsec is
> > > > > unable to populate a store of untrusted certificates?
> > > > >
> > > > > Many thanks for your help already.
> > > > >
> > > > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > > >
> > > > > The error indicates that verification of one of the certificate
> > > > > chains failed but xmlsec was able to extract the key either from
> > > > > another certificate chain or from some other place. Hard to say
> > > > > more w/o looking at the document.
> > > > >
> > > > > Aleksey
> > > > >
> > > > > Paul Keeler wrote:
> > > > > > I would be grateful if someone could help me with this problem. I have a
> > > > > > signed document which reports that it verifies ok, but also gives an
> > > > > > error message: "unable to get local issuer certificate". The same thing
> > > > > > happens both running from my own application and calling xmlsec from the
> > > > > > command line:
> > > > > >
> > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>
> > > > > >
> > > > > > This is the result:
> > > > > >
> > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > OK
> > > > > > SignedInfo References (ok/all): 2/2
> > > > > > Manifests References (ok/all): 0/0
> > > > > >
> > > > > > The verification seems to have been successful (indicated by "OK"), but
> > > > > > clearly an error was also reported.
> > > > > >
> > > > > > The signed document contains my entire certificate chain: Signer ->
> > > > > > Intermediate CA -> Root CA. The Root CA in the chain is the same as the
> > > > > > trusted root pem I pass using the --trusted-pem option, so I would
> > > > > > expect verification to succeed.
> > > > > >
> > > > > > Now, I can make the error message go away by extracting the Intermediate
> > > > > > CA certificate from the signed document and passing it to XMLSEC using
> > > > > > the --untrusted-pem option:
> > > > > >
> > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>
> > > > > >
> > > > > > I did not expect that I would have to explicitly pass a certificate from
> > > > > > the chain to xmlsec and flag it as being untrusted. Am I doing
> > > > > > something wrong? Surely xmlsec should assume that all X509 certificates
> > > > > > in a chain are untrusted by default? Have I missed the point somewhere?
> > > > > >
> > > > > > Many thanks in advance.
> >
>
_______________________________________________
xmlsec mailing list
xmlsec at aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
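As an added illustration, not part of the thread and not xmlsec's or OpenSSL's own code, of why the root-only run above reports err=20 from the OpenSSL store while the --untrusted-pem run is clean: the script below builds a throwaway Signer -> Intermediate CA -> Root CA chain with the openssl CLI and reproduces the same "unable to get local issuer certificate" result with openssl verify. Here -CAfile plays the role of --trusted-pem and -untrusted the role of --untrusted-pem; the intermediate is only used for chain building and is never trusted on its own. All subject names, file names and the extension profiles are constructed for the example, and the script assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL error 20,
# "unable to get local issuer certificate", with a constructed chain
# Signer -> Intermediate CA -> Root CA, then clear it by supplying the
# intermediate as an *untrusted* chain-building certificate.
set -eu

# Skip cleanly where the openssl CLI is not installed.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles for CA and end-entity certificates (constructed).
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > ext_ca.cnf
printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature\n' > ext_leaf.cnf

# make_csr NAME CN: fresh RSA key plus CSR for one member of the chain.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

make_csr root  "Constructed Root CA"
make_csr inter "Constructed Intermediate CA"
make_csr leaf  "Constructed Signer"

# Root is self-signed; intermediate is signed by root; signer by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext_ca.cnf -out root.pem >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ext_ca.cnf -out inter.pem >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile ext_leaf.cnf -out leaf.pem >/dev/null 2>&1

# verify_without_intermediate: only the root is trusted (the --trusted-pem case).
# Prints openssl's diagnostics; returns openssl verify's exit status, which is
# non-zero because the signer's issuer cannot be found anywhere (error 20).
verify_without_intermediate() {
    openssl verify -CAfile root.pem leaf.pem 2>&1
}

# verify_with_intermediate: root trusted, intermediate supplied but untrusted
# (the --untrusted-pem case). The intermediate bridges signer to root.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1
}

# missing_issuer_message: the diagnostic text of the failing attempt, useful
# when deciding which store messages to filter from a console; always returns 0.
missing_issuer_message() {
    verify_without_intermediate || true
}

echo "--- root only (expected to fail with error 20):"
verify_without_intermediate || true
echo "--- root trusted + intermediate untrusted (expected OK):"
verify_with_intermediate
```

The failing run is the direct analogue of the xmlsec store attempt that emits err=20: the signer's certificate is present, the trusted root is present, but nothing in the trusted set issued the signer, so chain building stops at depth 0. Supplying the intermediate as untrusted material is enough to close the gap without widening what is trusted.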