[xmlsec] Problem extracting public key from X509 certificate

Aleksey Sanin aleksey at aleksey.com
Mon Dec 15 07:36:39 PST 2008


Do you have a "trusted" or "root" certificate in the xmlsec keys manager?

Aleksey

Jaume Saura wrote:
> Hello,
>  
> I've an XMLDSig file which includes the signing certificate in a 
> <ds:X509Certificate> tag, but xmlsec shows these error messages when I 
> try to verify the signature with "xmlsec verify ..\endesa.xml":
>  
> func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> 
> func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> 
> func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> 
> func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> 
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 2/2
> Manifests References (ok/all): 0/0
> Error: failed to verify file "..\endesa.xml"
>  
> The signature is OK, and I can verify this if I manually extract the 
> certificate and, from openssl, get its public key and then, again from 
> xmlsec, retry the verification like so:
>  
> xmlsec verify --pubkey endesa-pkey.pem ..\endesa.xml
>  
> OK
> SignedInfo References (ok/all): 2/2
> Manifests References (ok/all): 0/0
>  
> This is the certificate that xmlsec doesn't handle well:
>  
> <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> </ds:X509Certificate>
>  
> Do you know why xmlsec fails to recover the public key from this 
> certificate? (openssl command line tool works well with it)
>  
> Is there some solution?
> 
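
The question in the reply concerns the trust decision xmlsec makes for a certificate carried in <ds:X509Certificate>: its key is used only after the certificate validates against a trusted certificate in the keys manager, whereas a key passed with --pubkey is used without any such check. The script below is an added example, not part of the original thread; every certificate, subject and file name in it is constructed. It reproduces that decision with the openssl command-line tool: the same signer certificate validates against its issuer, is rejected against an unrelated anchor, and gives up its public key in both cases.

```shell
#!/bin/sh
# Added example. All subjects, keys and files are constructed for this demo.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Quiet, non-interactive key + request (or self-signed certificate with -x509).
req() { openssl req -newkey rsa:2048 -nodes "$@" >/dev/null 2>&1; }

# Build a throwaway root CA, an unrelated self-signed certificate that did
# NOT issue the signer, and a signer certificate issued by the root CA.
make_chain() {
  req -x509 -days 2 -subj "/CN=Demo Root CA" \
      -keyout "$work/ca.key" -out "$work/ca.pem" &&
  req -x509 -days 2 -subj "/CN=Unrelated CA" \
      -keyout "$work/other.key" -out "$work/other.pem" &&
  req -subj "/CN=Demo Signer" \
      -keyout "$work/leaf.key" -out "$work/leaf.csr" &&
  openssl x509 -req -in "$work/leaf.csr" -days 1 \
      -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
      -out "$work/leaf.pem" >/dev/null 2>&1
}

# Does certificate $2 chain to trust anchor $1? This is the check a verifier
# applies before it accepts the key of a certificate embedded in a signature.
# The output is matched instead of the exit status so old openssl builds work.
chain_ok() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# The manual workaround: read the public key straight out of the certificate.
# No chain, validity-period or revocation check happens here.
pubkey_of() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

demo() {
  make_chain || { echo "openssl could not build the demo chain" >&2; return 1; }
  chain_ok "$work/ca.pem" "$work/leaf.pem" &&
    echo "issuer loaded as trusted: chain validates"
  chain_ok "$work/other.pem" "$work/leaf.pem" ||
    echo "issuer not trusted:       chain rejected"
  # The key itself is readable either way, which is why --pubkey "works".
  pubkey_of "$work/leaf.pem" | head -n 1
}
demo
```

With xmlsec, the issuing CA certificate is loaded as a trust anchor with `--trusted-pem <file>` on the `verify` command line.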

