[xmlsec] Unable to verify Multiple <X509Certificate> in a single signed XML

Aleksey Sanin aleksey at aleksey.com
Tue Dec 21 07:54:07 PST 2010

What errors do you get?


On 12/21/10 12:38 AM, Naval Patel wrote:
> Hi,
> Its been quite some time i am modifying my code to allow a signed xml
> document containing the entire chain of certificates from "Local cert"
> through CAs and ultimately the Root CA. I have debugged the code till
> the call goes to *X509_verify_cert(&xsc)*. I have observed that for each
> *<X509Certificate> *the xmlsec adds the certificate to the X509_STACK.
> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for
> loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the
> comment [/* get one cert after another and try to verify */] returns
> NULL only when it finds that the certificate does not extend any other
> certificates.
> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.
> If i simply execute the signeddoc.xml, I am receiving the error
> [*msg=invalid CA certificate* for CA2.pem] ... the command used is
> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
> I broke the certificate chain by removing RootCa.pem from the
> signeddoc.xml and the error i received is same as of the above case
> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml
> *I changed the command for the above file as *xmlsec.exe verify
> --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, still the
> error was same
> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used
> the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem
> CA1.pem --trusted-pem CA2.pem signeddoc.xml
> *Now I removed CA2 from the signeddoc.xml and kept only CA1 and
> signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem
> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml ...
> *i could see that the verification was passing.
> I have deviced another way too to make this work, but i am not sure how
> good this way is...
> before passing the signeddoc.xml to xmlsec, I load the x509certificate
> as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* but the
> problem is not solved because the same document continues to be
> evaluated by xmlsec later and the results produced are same.
> Another alternative i thought was once the function
> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would remove the
> other certificates from the STACK. That way, i will have trusted certs
> loaded to the global stack and while signerCert.pem is verified.
> Please let me know your suggestions, I will try your suggested methods.
> And thanks a lot for this library, it had done wonders for my work till
> now :)
> I had read an email from the archive
> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but i
> could not get the break through yet :(
> Regards,
> Naval
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list