[xmlsec] Urgent help needed : Certificate verification failed

Ashish Agrawal meetashish at gmail.com
Thu Jun 4 08:01:08 PDT 2009


Hi Aleksey,

Taking pointers from this mail thread:
http://www.aleksey.com/pipermail/xmlsec/2008/008300.html

I also tried extracting the intermediate CA cert from my signed file and
giving it as an untrusted input; still the verification fails.

 xmlsec1 --verify --trusted-pem Root.pem --untrusted-pem .pem signature.xml

Regards,
Ashish

On Thu, Jun 4, 2009 at 8:25 PM, Ashish Agrawal <meetashish at gmail.com> wrote:

> Hi Aleksey,
>
> My signature.xml file has two certificates, one is the end certificate and
> the other is the intermediate CA.
> In the intermediate certificate also the "CA" field is true. Could this be
> the root cause of the problem?
>
> Attaching the intermediate CA pem file
>
> Thanks for your help.
>
> Regards,
> Ashish
>
>
>
> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>> This error means that xmlsec can't build the certs chain for some reason.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>>> Hi Aleksey,
>>>
>>> I have a problem where I have a root CA and two certificates in the chain;
>>> when I try to verify the chain using openssl it works:
>>> openssl verify -CAfile root.pem EE.pem
>>> but when I try to verify using xmlsec it fails with the error:
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
>>> library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE
>>> demo;err=20;msg=unable to get local issuer certificate
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
>>> verification failed:err=20;msg=unable to get local issuer certificate
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
>>> library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key
>>> is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>>> library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>>> library function failed:
>>> Error: signature failed
>>> ERROR
>>> SignedInfo References (ok/all): 6/6
>>> Manifests References (ok/all): 0/0
>>>
>>>
>>> Does xmlsec impose any additional constraints on the certificate
>>> validation, and if yes, what are they?
>>>
>>> Regards,
>>> Ashish
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> xmlsec at aleksey.com
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>
>
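
The step described in the top message, pulling the certificates out of the signed file so they can be passed to xmlsec1 with --untrusted-pem, as an added example (not part of the original thread and not xmlsec code). It uses only the Python standard library; the sample XML carries constructed placeholder bytes rather than real certificates, and the helper names and output file names are hypothetical.

```python
import base64
import sys
import textwrap
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

def keyinfo_certs_to_pem(xml_text):
    """Return one PEM string per ds:X509Certificate element, in document order."""
    pems = []
    for node in ET.fromstring(xml_text).iter("{%s}X509Certificate" % DSIG_NS):
        # Base64 inside XML may be indented or wrapped at any width: drop all whitespace.
        b64 = "".join((node.text or "").split())
        der = base64.b64decode(b64, validate=True)  # binascii.Error on non-base64 input
        if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
            raise ValueError("X509Certificate content is not a DER SEQUENCE")
        # PEM encodes the body in lines of 64 characters (RFC 7468).
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems

def fake_der(fill):
    # Constructed placeholder bytes, NOT a real certificate: SEQUENCE tag plus filler.
    return b"\x30\x82\x00\x60" + fill * 96

def wrapped_b64(der, width):
    # Hypothetical helper: base64 text wrapped and indented the way XML tools emit it.
    return "\n      ".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), width))

# Constructed sample: two certificates in KeyInfo, as the thread describes.
SAMPLE = """<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <KeyInfo><X509Data>
    <X509Certificate>
      %s
    </X509Certificate>
    <X509Certificate>%s</X509Certificate>
  </X509Data></KeyInfo>
</Signature>""" % (wrapped_b64(fake_der(b"E"), 40), wrapped_b64(fake_der(b"I"), 76))

if __name__ == "__main__":
    # With a path argument, read that signed file; otherwise use the constructed sample.
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, pem in enumerate(keyinfo_certs_to_pem(xml_text)):
        name = "keyinfo-cert-%d.pem" % i  # hypothetical output file name
        with open(name, "w") as fh:
            fh.write(pem)
        print("wrote", name)
```

Each file written this way holds exactly one certificate, so the end-entity and intermediate certificates can be inspected and passed to the verifier separately.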