[xmlsec] Urgent help needed : Certificate verification failed

Ashish Agrawal meetashish at gmail.com
Thu Jun 4 10:01:50 PDT 2009


Hi Aleksey,

I have a doubt: since this chain was successfully verified by openssl, do we
put additional checks in xmlsec which might fail the validation in terms of
the certificate constraints?

Regards,
Ashish

On Thu, Jun 4, 2009 at 10:01 PM, Ashish Agrawal <meetashish at gmail.com> wrote:

> Yes, I am trying to debug simultaneously. Hopefully I will get some luck.
>
> I am attaching the certificate chain for your reference; can you please take a
> look and see if you can find something suspicious.
>
> Your help is deeply appreciated.
>
> Regards,
> Ashish
>
>
>
>
> On Thu, Jun 4, 2009 at 9:54 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>> No specific order. Sorry, you will need to debug it to see what is
>> going on.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>>> I tried the same but got the same error:
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>
>>> Is there any specific order in which certificates should be present in the
>>> signature file? Can there be a problem with the certificate fields?
>>>
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>    Try
>>>
>>>    xmlsec1 --verify \
>>>           --trusted-pem root.pem \
>>>           --trusted-pem int.pem  \
>>>           signature.xml
>>>
>>>    Aleksey
>>>
>>>    Ashish Agrawal wrote:
>>>
>>>        I have tried with:
>>>        xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
>>>        (removing the intermediate CA cert from the signature file)
>>>        &
>>>        xmlsec1 --verify --trusted-pem root.pem signature.xml
>>>        (keeping the intermediate CA cert and end certificate in the signature file)
>>>
>>>        Got the same result..
>>>        Regards,
>>>        Ashish
>>>
>>>        On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>           What command line options do you use?
>>>
>>>           Aleksey
>>>
>>>           Ashish Agrawal wrote:
>>>
>>>               Sorry, I did not understand your reply completely.
>>>               You mean to check the subject field for the certificates:
>>>
>>>               I see them as :
>>>
>>>               End Cert:          Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>>                                  Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>>
>>>               Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>>                                  Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>
>>>               Root Cert:         Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>                                  Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>
>>>               So it seems like the chain is correct, but verification
>>>               fails. The strange thing is it passes with openssl but not here.
>>>
>>>               Regards,
>>>               Ashish
>>>
>>>               On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>                  No, there is no ordering problem. You have the subject
>>>                  of the certificate which is at the end of the chain. Try
>>>                  to figure out "why?".
>>>
>>>                  Aleksey
>>>
>>>                  Ashish Agrawal wrote:
>>>
>>>                      Yes Aleksey,
>>>                      I have already tried with the openssl utility,
>>>
>>>                      openssl verify -CAfile root.pem EE.pem
>>>                      here root.pem is the root CA pem file & EE.pem contains the
>>>                      intermediate certificate and then the end certificate, and it
>>>                      passes with no error.
>>>
>>>                      but xmlsec fails :(
>>>                      Can there be any ordering issue? Shall I send my certs, will
>>>                      that help in root causing?
>>>
>>>                      Regards,
>>>                      Ashish
>>>
>>>                      On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>                         Try to verify your certs chain using the openssl
>>>                         command line tool directly.
>>>
>>>                         Aleksey
>>>
>>>                         Ashish Agrawal wrote:
>>>
>>>                             Hi Aleksey,
>>>
>>>                             My signature.xml file has two certificates, one is
>>>                             the end certificate and the other is the intermediate CA.
>>>                             In the intermediate certificate also the "CA" field is
>>>                             true. Could this be the root cause of the problem?
>>>
>>>                             Attaching the intermediate CA pem file
>>>
>>>                             Thanks for your help.
>>>
>>>                             Regards,
>>>                             Ashish
>>>
>>>
>>>                             On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>
>>>                                This error means that xmlsec can't build the
>>>                                certs chain for some reason.
>>>
>>>                                Aleksey
>>>
>>>                                Ashish Agrawal wrote:
>>>
>>>                                    Hi Aleksey,
>>>
>>>                                    I have a problem where I have a root CA and two
>>>                                    certificates in the chain. When I try to verify the
>>>                                    chain using openssl it works:
>>>                                    openssl verify -CAfile root.pem EE.pem
>>>                                    but when I try to verify using xmlsec it fails with
>>>                                    the error:
>>>
>>>  func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>>  func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>>  func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>>  func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>>  func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>  func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>                                    Error: signature failed
>>>                                    ERROR
>>>                                    SignedInfo References (ok/all): 6/6
>>>                                    Manifests References (ok/all): 0/0
>>>
>>>
>>>                                    Does xmlsec impose any additional constraint on
>>>                                    the certificate validation and if yes what are they?
>>>
>>>                                    Regards,
>>>                                    Ashish
>>>
>>>
>>>
>>>  ------------------------------------------------------------------------
>>>
>>>  _______________________________________________
>>>                                    xmlsec mailing list
>>>                                    xmlsec at aleksey.com
>>>                                    http://www.aleksey.com/mailman/listinfo/xmlsec
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.aleksey.com/pipermail/xmlsec/attachments/20090604/39f06187/attachment-0001.htm
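Added example, not code from the thread or from the xmlsec project: a constructed Python model of the chain building that OpenSSL's X509_verify_cert performs on xmlsec's behalf, using the subject names quoted above. It shows why the err=20 message names the end-entity subject when the intermediate cannot be located, how a non-CA intermediate produces the same failure, and how loading the intermediate with --trusted-pem changes the outcome; the issuer lookup is deliberately simplified (name match and CA flag only, no key identifiers or signature checks).

```python
# Constructed model of X.509 chain building; certificates are plain dicts,
# not real parsed X.509 objects. Subject names are the ones from the thread.

ERR_OK = 0
ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20  # the "err=20" seen in the xmlsec log

# Constructed stand-ins for the three certificates discussed in the thread.
ROOT = {"subject": "CN=JIL Root demo", "issuer": "CN=JIL Root demo", "ca": True}
SUBCA = {"subject": "CN=JIL subCA demo", "issuer": "CN=JIL Root demo", "ca": True}
EE = {"subject": "CN=JIL EE demo", "issuer": "CN=JIL subCA demo", "ca": False}


def find_issuer(cert, pool):
    """First CA certificate in pool whose subject equals cert's issuer, else None.
    Simplification: real OpenSSL also matches key identifiers and reports a
    non-CA issuer with its own error code; here a non-CA candidate is skipped."""
    for cand in pool:
        if cand["ca"] and cand["subject"] == cert["issuer"]:
            return cand
    return None


def build_chain(ee, untrusted, trusted, max_depth=10):
    """Walk from the end-entity certificate toward a trusted anchor.
    untrusted: certificates carried inside the signature (<ds:X509Certificate>)
    trusted:   certificates loaded with --trusted-pem
    Returns (chain_subjects, error_code, subject_of_cert_whose_issuer_is_missing)."""
    chain = [ee]
    current = ee
    for _ in range(max_depth):
        if current in trusted:  # reached a trust anchor: chain complete
            return [c["subject"] for c in chain], ERR_OK, None
        # Certificates shipped with the signature are consulted first, then the store.
        issuer = find_issuer(current, untrusted) or find_issuer(current, trusted)
        if issuer is None or issuer is current:
            # "unable to get local issuer certificate": the subject reported is the
            # certificate whose issuer could not be found, not the missing issuer.
            return [c["subject"] for c in chain], ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, current["subject"]
        chain.append(issuer)
        current = issuer
    return [c["subject"] for c in chain], ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, current["subject"]


if __name__ == "__main__":
    print(build_chain(EE, [EE], [ROOT]))           # intermediate missing: err=20 names EE
    print(build_chain(EE, [EE, SUBCA], [ROOT]))    # intermediate in signature: ok
    print(build_chain(EE, [EE], [ROOT, SUBCA]))    # --trusted-pem int.pem: ok
```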
