[xmlsec] Error: unable to get local issuer certificate

Aleksey Sanin aleksey at aleksey.com
Tue Jul 15 14:22:40 PDT 2008


Well, I haven't seen your code so I have no idea what is wrong
with it. You can take a look at what xmlsec command does and
then do copy/paste.

Aleksey

wz qiang wrote:
> hello,
> When I used the command line, I got the result which seems ok.
> 
> xmlsec1 --verify --trusted-pem ca.pem --id-attr:AssertionID saml:Assertion assertion.xml
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> 
> 
> Is there some hint?
> 
> Thanks a lot
> Weizhong Qiang
> 
> 
> On 7/15/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
>> Try to reproduce the problem using xmlsec1 command line tool
>>
>> Aleksey
>>
>>
>> wz qiang wrote:
>>> hello,
>>> I knew it is an openssl problem. :)
>>> But the strange thing is that the same certificate and ca certificate
>>> works well when I use tls.
>>> SSL_CTX_load_verify_locations(sslctx_, ca_file_.c_str(), NULL)
>>> So I would know whether there is something wrong when I use xmlsec.
>>>
>>> Thanks
>>> Weizhong Qiang
>>>
>>> On 7/15/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>> http://www.mail-archive.com/openssl-users@openssl.org/msg45532.html
>>>>
>>>> wz qiang wrote:
>>>>
>>>>> hi all,
>>>>> I am doing some signature verification test with trusted certificates.
>>>>> I used "xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, ca_file,
>>>>> xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted)" to load the ca
>>>>> certificate into keymanager, there is <X509Data/> under
>>>>> <Signature><KeyInfo/></Signature>.
>>>>>
>>>>> But when I verify the signature (xmlSecDSigCtxVerify), I get the
>>>>> following error. The ca certificate is exactly the one which signed the
>>>>> certificate under <X509Data/>.
>>>>> And I also tried to use
>>>>> xmlSecOpenSSLAppKeysMngrAddCertsFile(keys_mngr, cafile) to load the
>>>>> ca certificate, and got the same error.
>>>>> Could somebody give some hint about solving this problem?
>>>>>
>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=NO/ST=Oslo/O=UiO/CN=test;err=20;msg=unable to get local issuer certificate
>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>> Signature verification failed for saml:assertion
>>>>>
>>>>> Thanks in advance
>>>>> Weizhong Qiang
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
>>>>>
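An added example, not part of the original thread or of xmlsec: a small Python parser for the xmlsec error stack quoted above. It strips the mail quoting, rejoins the wrapped frames and reports the innermost frame that carries an OpenSSL verify code (err=20 here). The function names and the X509_VERIFY table are this example's own; the table is a subset of OpenSSL's X509_V_ERR_* constants.

```python
import re

# Subset of OpenSSL's X509_V_ERR_* verify codes that indicate chain-building failures.
X509_VERIFY = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
FRAME = re.compile(
    r"func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):"
    r"(?P<reason>[^:]*):(?P<detail>.*)$")
DETAIL = re.compile(r"(?:subj=(?P<dn>.*?);)?err=(?P<err>\d+);msg=(?P<msg>.*)$")

def unwrap(text):
    """Strip mail quote markers and rejoin frames that the mailer wrapped."""
    frames = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if line.startswith("func="):
            frames.append(line)
        elif line and frames:
            frames[-1] += " " + line  # the wraps in this trace fall on spaces
    return frames

def root_cause(text):
    """Return the innermost frame that carries an OpenSSL verify code, else None."""
    parsed = [m.groupdict() for m in map(FRAME.match, unwrap(text)) if m]
    for i, fr in enumerate(parsed):
        d = DETAIL.match(fr["detail"])
        if d:
            code = int(d["err"])
            return {"func": fr["func"], "where": f'{fr["file"]}:{fr["line"]}',
                    "cert_subject": d["dn"], "verify_code": code,
                    "verify_name": X509_VERIFY.get(code, "unknown"),
                    "callers": [p["func"] for p in parsed[i + 1:]]}
    return None

# Two frames from the thread's error stack, quoted and hard-wrapped the way a
# mail archive delivers them.
SAMPLE = """\
>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>>>>> library function
>> failed:subj=/C=NO/ST=Oslo/O=UiO/CN=test;err=20;msg=unable
>>>> to get local
>>>>> issuer certificate
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
>>>>> is not found:
"""
print(root_cause(SAMPLE))
```

The frames after the first one ("key is not found", "xmlsec library function failed") follow from the failed chain verification, so triage starts at the certificate subject and the trusted certificates loaded into the keys manager.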