[xmlsec] Problem extracting public key from X509 certificate

Jaume Saura kadmandu at hotmail.es
Mon Dec 15 04:04:09 PST 2008


Hello,
 
I've an XMLDSig file which includes the signing certificate in a <ds:X509Certificate> tag, but xmlsec shows these error messages when I try to verify the signature with "xmlsec verify ..\endesa.xml":
 
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
Error: failed to verify file "..\endesa.xml"
 
The signature is OK, and I can verify this if I manually extract the certificate, get its public key with openssl and then, again with xmlsec, retry the verification like this:
 
xmlsec verify --pubkey endesa-pkey.pem ..\endesa.xml
 
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
 
This is the certificate that xmlsec doesn't handle well:
 
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">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</ds:X509Certificate>
 
Do you know why xmlsec fails to recover the public key from this certificate? (openssl command line tool works well with it)
 
Is there some solution?
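The manual workaround described in the message, as an added example (not part of the original post and not xmlsec code): a Python helper that pulls each <ds:X509Certificate> out of a signed document and writes it as PEM for openssl. The function names, the sample document and its placeholder payload are constructed for illustration.

```python
import base64
import sys
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def wrap(text, width):
    """Split a string into fixed-width lines."""
    return [text[i:i + width] for i in range(0, len(text), width)]

def x509_certs_to_pem(xml_data):
    """Return every <ds:X509Certificate> in the document as a PEM string."""
    root = ET.fromstring(xml_data)  # accepts str or bytes
    pems = []
    for node in root.iter("{%s}X509Certificate" % DS_NS):
        # The element holds base64-encoded DER; signers often add line breaks
        # or indentation, so drop all whitespace before decoding.
        b64 = "".join((node.text or "").split())
        if not b64:
            continue
        der = base64.b64decode(b64, validate=True)  # raises on corrupt base64
        body = "\n".join(wrap(base64.b64encode(der).decode("ascii"), 64))
        pems.append("-----BEGIN CERTIFICATE-----\n" + body +
                    "\n-----END CERTIFICATE-----\n")
    return pems

# Constructed sample: 100 placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(100))
SAMPLE_XML = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    %s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>""" % "\n    ".join(
    wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 40))

if __name__ == "__main__":
    # Usage: python extract_cert.py signed.xml > cert.pem
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_XML
    sys.stdout.write("".join(x509_certs_to_pem(data)))
    # With a real certificate, the remaining steps from the message are:
    #   openssl x509 -in cert.pem -pubkey -noout > endesa-pkey.pem
    #   xmlsec verify --pubkey endesa-pkey.pem ..\endesa.xml
```

A key taken from the document's own KeyInfo shows only that the signature matches that key. It does not establish who the signer is unless the certificate is also checked against a trusted source.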