[xmlsec] Signature Verification Problem Using X509 Certificates

Aleksey Sanin aleksey at aleksey.com
Sat Feb 23 13:16:39 PST 2008


I got to the bottom of it. Here is what is happening:
- xmlsec reads the first x509data node and immediately tries to
   verify and extract the key, there is no full chain yet so
   we fail with the error;
- xmlsec goes to the next node, immediately tries to
   verify and extract the key, there is no full chain yet so
   we fail with the error;
- repeat the previous step several times;
- finally we get to the 4th certificate, which can be verified.

The bottom line is that the error is harmless. If you are using
xmlsec via the C API, then you can install your own error handler
callbacks, accumulate all the errors/warnings and then print
them at the very end *if and only if* signature verification fails.
Otherwise, just ignore all the errors.

If you use the command line tool, then you can do a similar trick
by redirecting stderr to a temp file and checking the xmlsec
command line tool's return code.

Best,
Aleksey

Aleksey Sanin wrote:
> Most likely you need to debug openssl :) I'll try to take a look at
> it over the weekend but no promises...
> 
> Aleksey
> 
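The command-line trick described above (capture stderr, decide by exit status), as an added example that is not part of the original post or of the xmlsec project: a POSIX shell wrapper that runs any verification command with stderr diverted to a temp file and only surfaces the captured messages when the command actually failed. The `xmlsec1 --verify --trusted-pem ca.pem signed.xml` usage line is illustrative; `ca.pem` and `signed.xml` are placeholders for your own files. The C API equivalent is to register an error callback with `xmlSecErrorsSetCallback` and buffer the messages the same way.

```shell
#!/bin/sh
# Added example (not from the original post): run a verification command with
# stderr captured to a temp file, and show the captured messages only when the
# command's exit status says verification really failed. Per-certificate
# "cannot verify yet" errors from an incomplete chain are thus hidden on success.
#
# Usage: verify_quietly xmlsec1 --verify --trusted-pem ca.pem signed.xml
# The command and its arguments are passed through unchanged; the exit status
# of verify_quietly is the exit status of the wrapped command.

verify_quietly() {
    tmp=$(mktemp) || return 1
    # Run the wrapped command with stderr redirected. The && / || pair records
    # the exit status without tripping 'set -e' in callers.
    "$@" 2>"$tmp" && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        # Verification failed: now the accumulated errors are worth reading.
        echo "verification failed (exit status $rc); captured errors:" >&2
        cat "$tmp" >&2
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The wrapper deliberately trusts only the exit status, not the presence of error text, which is exactly the distinction the post makes: stderr noise from intermediate certificates is expected, a non-zero return from `xmlsec1 --verify` is not.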