[xmlsec] Error: unable to get local issuer certificate

wz qiang weizhongqiang at gmail.com
Tue Jul 15 14:41:41 PDT 2008


hello,
Thanks for your kind reply. :)
The code piece is as follows, I think there is already <X509Data/> in the
<Signature/> part, it is not necessary to load the certificate.
Hope you can find something wrong in this code piece. :)

Thanks a lot
Weizhong Qiang

******************************
#include <iostream>
#include <string>
#include <xmlsec/xmlsec.h>
#include <xmlsec/keysmngr.h>
#include <xmlsec/xmldsig.h>
#include <xmlsec/crypto.h>
#include <xmlsec/openssl/app.h>

bool SAMLToken::Authenticate(const std::string& cafile, const std::string& capath) {
  xmlSecKeysMngr* keys_manager = NULL;
  xmlSecDSigCtx *dsigCtx;

  //Verify the signature under saml:assertion
  if((bool)x509data && (!cafile.empty() || !capath.empty())) {
    keys_manager = load_trusted_certs(&keys_manager, cafile.c_str(), capath.c_str());
    if(keys_manager == NULL) { std::cerr<<"Can not load trusted certificates"<<std::endl; return false; }
  }
  else if((bool)x509data)
    { std::cerr<<"No trusted certificates exists"<<std::endl; return false;}
  if(keys_manager == NULL){ std::cerr<<"No <X509Data/> exists, or no trusted certificates configured"<<std::endl; return false;}

  dsigCtx = xmlSecDSigCtxCreate(keys_manager);
  //the context can fail to allocate; release the keys manager and stop
  if(dsigCtx == NULL) {
    xmlSecKeysMngrDestroy(keys_manager);
    std::cerr<<"Can not create xmlSecDSigCtx object"<<std::endl;
    return false;
  }
  if (xmlSecDSigCtxVerify(dsigCtx, assertion_signature_nd) < 0) {
    xmlSecDSigCtxDestroy(dsigCtx);
    if (keys_manager) xmlSecKeysMngrDestroy(keys_manager);
    std::cerr<<"Signature verification failed for saml:assertion"<<std::endl;
    return false;
  }
  if(keys_manager != NULL)xmlSecKeysMngrDestroy(keys_manager);
  //a return value >= 0 only means processing completed; the status field carries the verdict
  if(dsigCtx->status == xmlSecDSigStatusSucceeded) {
    std::cout<<"Succeed to verify the signature in saml:assertion"<<std::endl;
    xmlSecDSigCtxDestroy(dsigCtx);
    return true;
  }
  else { std::cerr<<"Invalid signature in saml:assertion"<<std::endl; xmlSecDSigCtxDestroy(dsigCtx); return false; }
}


load_trusted_certs is as follows:


//Load trusted certificates into key manager
xmlSecKeysMngrPtr load_trusted_certs(xmlSecKeysMngrPtr* keys_manager, const char* cafile, const char* capath) {
  xmlSecKeysMngrPtr keys_mngr;
  if((keys_manager != NULL) && (*keys_manager != NULL)) keys_mngr = *keys_manager;
  else {
    keys_mngr = xmlSecKeysMngrCreate();
    //check the allocation before the manager is initialized
    if(keys_mngr == NULL) { std::cerr<<"Can not create xmlSecKeysMngr object"<<std::endl; return NULL;}
    //initialize keys manager
    if (xmlSecCryptoAppDefaultKeysMngrInit(keys_mngr)<0) {
      std::cerr<<"Can not initialize xmlSecKeysMngr object"<<std::endl;
      xmlSecKeysMngrDestroy(keys_mngr); return NULL;
    }
  }

  //load ca certs into keys manager, the two method used here could not work in some old xmlsec version,
  //because of some bug about X509_FILETYPE_DEFAULT and X509_FILETYPE_PEM
  //load a ca path
  //(condition kept as posted: it is true only when capath is NULL, so a non-NULL capath is never added)
  if(!capath)
    if(xmlSecOpenSSLAppKeysMngrAddCertsPath(keys_mngr, capath) < 0) {
      xmlSecKeysMngrDestroy(keys_mngr);
      return NULL;
    }
  //load a ca file  TODO: can only be used in some new version of xmlsec
  //(condition kept as posted: it is true only when cafile is NULL, so a non-NULL cafile is never added)
  if(!cafile)
    if(xmlSecOpenSSLAppKeysMngrAddCertsFile(keys_mngr, cafile) < 0) {
      xmlSecKeysMngrDestroy(keys_mngr);
      return NULL;
    }
  //hand the manager back to the caller
  return keys_mngr;
}


On 7/15/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
> Well, I haven't seen your code so I have no idea what is wrong
> with it. You can take a look at what xmlsec command does and
> then do copy/paste.
>
>
> Aleksey
>
> wz qiang wrote:
> > hello,
> > When I used the command line, I got the result which seems ok.
> >
> > xmlsec1 --verify --trusted-pem ca.pem --id-attr:AssertionID saml:Assertion  assertion.xml
> > OK
> > SignedInfo References (ok/all): 1/1
> > Manifests References (ok/all): 0/0
> >
> >
> > Is there some hint?
> >
> > Thanks a lot
> > Weizhong Qiang
> >
> >
> > On 7/15/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
> >
> > > Try to reproduce the problem using xmlsec1 command line tool
> > >
> > > Aleksey
> > >
> > >
> > > wz qiang wrote:
> > >
> > > > hello,
> > > > I knew it is an openssl problem. :)
> > > > But the strange thing is that the same certificate and ca certificate
> > > > works well when I use tls.
> > > > SSL_CTX_load_verify_locations(sslctx_, ca_file_.c_str(), NULL)
> > > > So I would know whether there is something wrong when I use xmlsec.
> > > >
> > > > Thanks
> > > > Weizhong Qiang
> > > >
> > > > On 7/15/08, Aleksey Sanin <aleksey at aleksey.com> wrote:
> > > >
> > > > > http://www.mail-archive.com/openssl-users@openssl.org/msg45532.html
> > > > >
> > > > > wz qiang wrote:
> > > > >
> > > > > > hi all,
> > > > > > I am doing some signature verification test with trusted certificates.
> > > > > > I used "xmlSecCryptoAppKeysMngrCertLoad(keys_mngr, ca_file,
> > > > > > xmlSecKeyDataFormatPem, xmlSecKeyDataTypeTrusted)" to load the ca
> > > > > > certificate into keymanager, there is <X509Data/> under
> > > > > > <Signature><KeyInfo/></Signature>.
> > > > > >
> > > > > > But when I verify the signature (xmlSecDSigCtxVerify), I get the
> > > > > > following error. The ca certificate is exactly the one which signed the
> > > > > > certificate under <X509Data/>.
> > > > > > And I also tried to use
> > > > > > xmlSecOpenSSLAppKeysMngrAddCertsFile(keys_mngr, cafile) to load the
> > > > > > ca certificate, and got the same error.
> > > > > > Could somebody give some hint about solving this problem?
> > > > > >
> > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=NO/ST=Oslo/O=UiO/CN=test;err=20;msg=unable to get local issuer certificate
> > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> > > > > > func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> > > > > > func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> > > > > > func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> > > > > > Signature verification failed for saml:assertion
> > > > > >
> > > > > > Thanks in advance
> > > > > > Weizhong Qiang
> > > > > > _______________________________________________
> > > > > > xmlsec mailing list
> > > > > > xmlsec at aleksey.com
> > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
>
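
Added example, not part of the original thread and not xmlsec code: a small parser for the error-stack lines quoted above that extracts the OpenSSL verify code (err=20 here), which places the failure in certificate chain building rather than in the signature value. The names Frame, parse_frame, x509_name and first_x509_error are hypothetical, and the colon-separated field layout is assumed from the lines in this thread.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <sstream>
#include <string>

// One line of xmlsec error output, in the layout quoted in this thread:
// func=..:file=..:line=..:obj=..:subj=..:error=N:<message and details>
struct Frame { std::string func, text; int error = 0; int x509_err = -1; };

bool parse_frame(const std::string& line, Frame& out) {
  static const char* keys[] = {"func=", "file=", "line=", "obj=", "subj=", "error="};
  std::string val[6];
  std::string::size_type pos = 0, npos = std::string::npos;
  for (int i = 0; i < 6; ++i) {
    std::string::size_type end = line.find(':', pos), klen = std::strlen(keys[i]);
    std::string tok = line.substr(pos, end == npos ? npos : end - pos);
    if (tok.compare(0, klen, keys[i]) != 0) return false;  // not an xmlsec frame
    val[i] = tok.substr(klen);
    pos = (end == npos) ? line.size() : end + 1;
  }
  out.func = val[0]; out.error = std::atoi(val[5].c_str());
  out.text = line.substr(pos);  // free text; may itself contain ':' and '='
  std::string::size_type e = out.text.find("err=");  // OpenSSL verify code, if logged
  out.x509_err = (e == npos) ? -1 : std::atoi(out.text.c_str() + e + 4);
  return true;
}

const char* x509_name(int code) {  // two of OpenSSL's X509_V_ERR_* values
  if (code == 20) return "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY";
  if (code == 19) return "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN";
  return "(not in this table)";
}

// First X.509 verify code found in a whole log, or -1; non-frame lines are skipped.
int first_x509_error(const std::string& log) {
  std::istringstream in(log);
  std::string line; Frame f;
  while (std::getline(in, line))
    if (parse_frame(line, f) && f.x509_err >= 0) return f.x509_err;
  return -1;
}

// Two frames reassembled from the thread, plus the application's own message.
const char* kLog =
  "func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=NO/ST=Oslo/O=UiO/CN=test;err=20;msg=unable to get local issuer certificate\n"
  "func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:\n"
  "Signature verification failed for saml:assertion\n";
int main() { std::printf("%s\n", x509_name(first_x509_error(kLog))); }
```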