[xmlsec] Unable to verify Multiple <X509Certificate> in a single signed XML

Naval Patel www.naval.com at gmail.com
Tue Dec 21 00:38:53 PST 2010


Hi,

It has been quite some time that I have been modifying my code to allow a
signed XML document containing the entire chain of certificates, from the
"local cert" through the CAs and ultimately the root CA. I have debugged the
code up to the call to X509_verify_cert(&xsc). I have observed that for each
<X509Certificate> xmlsec adds the certificate to the X509 stack. The function
call xmlSecOpenSSLX509FindNextChainCert inside the for loop in the function
xmlSecOpenSSLX509StoreVerify, with the comment [/* get one cert after another
and try to verify */], returns NULL only when it finds that the certificate
does not extend any other certificate.

I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.

If I simply verify signeddoc.xml, I receive the error [msg=invalid CA
certificate for CA2.pem]; the command used is
  xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml
I broke the certificate chain by removing RootCa.pem from signeddoc.xml, and
the error I received was the same as in the above case:
  xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml
I changed the command for the above file to
  xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml
and the error was still the same.
I kept only CA1, CA2 and signerCert.pem in signeddoc.xml and used the command
  xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml
Now I removed CA2 from signeddoc.xml, keeping only CA1 and signerCert.pem,
and used the command
  xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml
... and I could see that the verification was passing.

I have devised another way too to make this work, but I am not sure how good
this way is...

Before passing signeddoc.xml to xmlsec, I load the X509 certificate as trusted
using the API xmlSecCryptoAppKeysMngrCertLoadMemory, but the problem is not
solved, because the same document continues to be evaluated by xmlsec later
and the results produced are the same.

Another alternative I thought of was that once the function
xmlSecOpenSSLX509FindNextChainCert returns NULL, I would remove the other
certificates from the STACK. That way, I will have the trusted certs loaded
into the global stack while signerCert.pem is verified.

Please let me know your suggestions, I will try your suggested methods.

And thanks a lot for this library; it has done wonders for my work till now
:)

I had read an email from the archive
[http://www.aleksey.com/pipermail/xmlsec/2008/008326.html], but I could not
get the breakthrough yet :(

Regards,
Naval
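The following is an added example, not part of the original post and not xmlsec code. It rebuilds the poster's four-level chain (RootCa > CA1 > CA2 > signerCert) with the openssl command line and runs the same OpenSSL verifier the post ends up in (X509_verify_cert, here through `openssl verify`) in the configurations the post tries: the root alone as trust anchor, the intermediates supplied alongside the leaf, and the intermediates made trusted. The post does not show what the real CA2.pem contains, so to reproduce the "invalid CA certificate" message the example issues a second CA2 from the same key and name with basicConstraints CA:FALSE; that is an assumption made for illustration, not a diagnosis of the poster's certificate. The mapping to xmlsec follows what the post itself describes: `--trusted-pem` files are trust anchors (`-CAfile` here), and the document's `<X509Certificate>` elements are pushed onto the stack handed to X509_verify_cert, which is the role `-untrusted` plays here. It assumes `openssl` 1.1.1 or 3.x on PATH; all file and subject names are constructed.

```shell
# Added example (not from the post or xmlsec): build RootCa > CA1 > CA2 > signer
# with the openssl CLI and see what X509_verify_cert needs to accept the leaf.
# Assumes `openssl` (1.1.1 or 3.x) on PATH. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own config so the system openssl.cnf cannot add extensions behind our back.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
[not_ca_ext]
# CA:FALSE and no keyUsage: OpenSSL still accepts this cert as an issuer
# candidate while building the chain, then fails the chain extension checks
# with "invalid CA certificate" (X509_V_ERR_INVALID_CA, error 24). A keyUsage
# without keyCertSign would instead be rejected earlier as a non-issuer.
basicConstraints = critical, CA:FALSE
EOF

gen_csr() { # NAME -> $WORK/NAME.key and $WORK/NAME.csr
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

issue() { # CSR ISSUER_CERT ISSUER_KEY OUT EXT_SECTION
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/openssl.cnf" -extensions "$5" \
    -out "$WORK/$4.pem" >/dev/null 2>&1
}

# Self-signed root, then the chain. CA2 is issued twice from one CSR: a proper
# intermediate and, under the same name and key, a copy carrying CA:FALSE.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
  -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=RootCa" -days 3650 >/dev/null 2>&1
gen_csr ca1
issue ca1 root root ca1 ca_ext
gen_csr ca2
issue ca2 ca1 ca1 ca2_good ca_ext
issue ca2 ca1 ca1 ca2_bad not_ca_ext
gen_csr signer
issue signer ca2_good ca2 signer leaf_ext

cat "$WORK/ca1.pem" "$WORK/ca2_good.pem" >"$WORK/chain_good.pem"
cat "$WORK/ca1.pem" "$WORK/ca2_bad.pem" >"$WORK/chain_bad.pem"
cat "$WORK/root.pem" "$WORK/chain_good.pem" >"$WORK/all_trusted.pem"

# verify_case LEAF TRUSTED [UNTRUSTED]
# Prints one of: ok | missing-issuer | invalid-ca | failed: <openssl output>
verify_case() {
  out="$WORK/verify.out"
  if [ -n "${3:-}" ]; then
    if openssl verify -CAfile "$2" -untrusted "$3" "$1" >"$out" 2>&1; then echo ok; return 0; fi
  else
    if openssl verify -CAfile "$2" "$1" >"$out" 2>&1; then echo ok; return 0; fi
  fi
  if grep -q "invalid CA certificate" "$out"; then echo invalid-ca
  elif grep -q "unable to get local issuer certificate" "$out"; then echo missing-issuer
  else echo "failed: $(tr '\n' ' ' <"$out")"
  fi
}

S="$WORK/signer.pem"; R="$WORK/root.pem"
echo "root trusted, no intermediates:            $(verify_case "$S" "$R")"
echo "root trusted, CA1+CA2 untrusted:           $(verify_case "$S" "$R" "$WORK/chain_good.pem")"
echo "root trusted, CA1+CA2(CA:FALSE) untrusted: $(verify_case "$S" "$R" "$WORK/chain_bad.pem")"
echo "root+CA1+CA2 trusted, CA1 untrusted:       $(verify_case "$S" "$WORK/all_trusted.pem" "$WORK/ca1.pem")"
```

Run it with `sh`. The four printed outcomes are: with only the root trusted and nothing else supplied, OpenSSL cannot find the leaf's issuer ("missing-issuer", error 20); with CA1 and a proper CA2 supplied as untrusted chain candidates the leaf verifies; with the CA:FALSE copy of CA2 supplied the chain is still built (CA2 is accepted as an issuer candidate because it carries no keyUsage extension) and the chain extension checks then report "invalid CA certificate" at depth 1, which is the text the post quotes; and making root, CA1 and CA2 all trusted while supplying only CA1 alongside the leaf verifies too, matching the post's last experiment. Since X509_V_ERR_INVALID_CA is raised by the CA checks on a chain member rather than by chain building, the first thing to inspect on a real CA2.pem that produces it is its extensions, for example with `openssl x509 -in CA2.pem -noout -text | grep -A1 -E 'Basic Constraints|Key Usage'`.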