[xmlsec] Signature Verification Problem Using X509 Certificates
keelerp at googlemail.com
Thu Feb 21 02:21:16 PST 2008
My understanding (which may be flawed!) is that the following output
represents a single unique chain:
Thanks once again though!
On Thu, Feb 21, 2008 at 1:52 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Here is my new theory :) You've asked for it ;)
> 1) The error appears during certificate chain verification
> and indicates that openssl can not find or verify certificate
> in the chain. There is no easy way to suppress this error
> because it might be a real problem (we don't know this at the
> moment this error is generated).
> 2) For some reasons, the certificates you have in the signature
> allow one to construct more than one certificates chain. The first
> one can not be verified. But the second one can.
> 3) The certificates chains are constructed using certificates
> issuers/subjects. If you have time and would like to nail it down,
> extract the issuers/subjects from all certificates in the
> signature and see if there is indeed two or more chains.
> Paul Keeler wrote:
> > All your ideas are more than welcome! I tried your suggestion, but the
> > output is exactly the same. Not sure where that leaves us?
> > Thanks again.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the xmlsec