[xmlsec] Unable to verify Multiple <X509Certificate> in a single signed XML

Naval Patel www.naval.com at gmail.com
Tue Dec 21 22:02:48 PST 2010


This is the error when the root CA is in the signed XML:

func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAddress=rootca at agreeya.com;err=19;msg=self signed certificate in certificate chain
func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain

This is the error when the root CA is not in the signed XML, but is passed
explicitly as trusted:

func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/emailAddress=ca1 at agreeya.com;err=24;msg=invalid CA certificate
func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=24;msg=invalid CA certificate


Thanks,
Naval.

On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin <aleksey at aleksey.com> wrote:

> Could you please copy/paste the complete error?
>
> Aleksey
>
>
> On 12/21/10 9:56 PM, Naval Patel wrote:
>
>> If the entire cert chain is in the signed document, the error I get is
>> msg=self signed certificate in certificate chain
>>
>> If I remove the root certificate from the chain in the signed XML file
>> and pass a root certificate as trusted, then I get the error
>> msg=invalid CA certificate
>>
>> Is there something that I am missing, or is this not the right way to do it?
>>
>> Thanks :)
>>
>> Naval.
>>
>> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin <aleksey at aleksey.com
>> <mailto:aleksey at aleksey.com>> wrote:
>>
>>    What errors do you get?
>>
>>    Aleksey
>>
>>
>>    On 12/21/10 12:38 AM, Naval Patel wrote:
>>
>>        Hi,
>>
>>        For quite some time now I have been modifying my code to allow a
>>        signed XML document containing the entire chain of certificates
>>        from the "local cert" through the CAs and ultimately the root CA.
>>        I have debugged the code until the call goes to
>>        *X509_verify_cert(&xsc)*. I have observed that for each
>>        *<X509Certificate>* xmlsec adds the certificate to the X509_STACK.
>>        The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside
>>        the *for loop* inside the function *xmlSecOpenSSLX509StoreVerify*
>>        with the comment [/* get one cert after another and try to verify */]
>>        returns NULL only when it finds that the certificate does not
>>        extend any other certificates.
>>
>>        I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.
>>
>>        If I simply execute signeddoc.xml, I receive the error
>>        [*msg=invalid CA certificate* for CA2.pem]; the command used is
>>        *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*.
>>        I broke the certificate chain by removing RootCa.pem from
>>        signeddoc.xml, and the error I received is the same as in the
>>        above case:
>>        *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
>>        I changed the command for the above file to *xmlsec.exe verify
>>        --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*,
>>        and still the error was the same.
>>        I kept only CA1, CA2 and signerCert.pem in signeddoc.xml and used
>>        the command *xmlsec.exe verify --trusted-pem RootCa.pem
>>        --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml*.
>>        Now I removed CA2 from signeddoc.xml and kept only CA1 and
>>        signerCert.pem, and used the command *xmlsec.exe verify
>>        --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem
>>        CA2.pem signeddoc.xml*; I could see that the verification was
>>        passing.
>>
>>        I have devised another way too to make this work, but I am not
>>        sure how good this way is...
>>
>>        Before passing signeddoc.xml to xmlsec, I load the X509 certificate
>>        as trusted using the API *xmlSecCryptoAppKeysMngrCertLoadMemory*,
>>        but the problem is not solved, because the same document continues
>>        to be evaluated by xmlsec later and the results produced are the
>>        same.
>>
>>        Another alternative I thought of was, once the function
>>        *xmlSecOpenSSLX509FindNextChainCert* returns NULL, to remove the
>>        other certificates from the STACK. That way, I will have trusted
>>        certs loaded to the global stack while signerCert.pem is verified.
>>
>>        Please let me know your suggestions; I will try your suggested
>>        methods.
>>
>>        And thanks a lot for this library, it has done wonders for my
>>        work till now :)
>>
>>        I had read an email from the archive
>>        [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but
>>        I could not get the breakthrough yet :(
>>
>>        Regards,
>>        Naval
>>
>>
>>
>>        _______________________________________________
>>        xmlsec mailing list
>>        xmlsec at aleksey.com <mailto:xmlsec at aleksey.com>
>>
>>        http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
>>
>> --
>> Naval Patel
>> ~ have fun ~
>>
>


-- 
Naval Patel
~ have fun ~
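The two err= codes in the pasted output (19 and 24) are X509_verify_cert's own result codes, as the subj=X509_verify_cert field shows, so the same outcomes can be reproduced with the openssl command-line tool independently of xmlsec. The script below is an added example, not code from this thread or from the xmlsec project: it builds a throw-away chain with the same shape Naval describes (RootCa > CA1 > CA2 > signer), then verifies the signer with openssl verify, where -CAfile plays the role of xmlsec's --trusted-pem and -untrusted plays the role of the <X509Certificate> elements embedded in the signed document. It assumes an openssl CLI of version 1.1.1 or later; all names, subjects and extension profiles are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from xmlsec): rebuild the chain
# layout RootCa > CA1 > CA2 > signer with constructed certificates and show
# which trust configuration yields "OK", OpenSSL error 19 (self-signed
# certificate in certificate chain) and error 24 (invalid CA certificate).
# Requires the openssl CLI, 1.1.1 or later (assumption).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
# Extension profiles: a real CA, an end-entity, and an "intermediate" that is
# explicitly NOT a CA (no keyUsage, so chain building still picks it as the
# issuer and the CA check afterwards is what rejects it).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
printf 'basicConstraints=critical,CA:FALSE\n' > nonca.ext

# gen_csr NAME SUBJECT: fresh RSA key plus CSR.
gen_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
# self_sign NAME: self-signed root using the CA profile.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -set_serial 1 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# issue NAME ISSUER EXTFILE SERIAL: certificate for NAME signed by ISSUER.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# verify_chain TRUSTED UNTRUSTED LEAF: prints "ok" or "err=N", where N is the
# numeric X509_verify_cert code, the same value xmlsec prints in its err= field.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || :
  case "$out" in
    *": OK"*) echo ok ;;
    *) code=$(printf '%s\n' "$out" \
         | sed -n 's/^error \([0-9][0-9]*\) at [0-9]* depth lookup:.*/\1/p' | head -n 1)
       echo "err=${code:-unknown}" ;;
  esac
}

# Constructed PKI. "other" is an unrelated root used as the trust anchor when
# RootCa should be present in the chain material but not trusted.
gen_csr RootCa  "/CN=rootca";    self_sign RootCa
gen_csr other   "/CN=otherca";   self_sign other
gen_csr CA1     "/CN=ca1";       issue CA1 RootCa ca.ext 2
gen_csr CA2     "/CN=ca2";       issue CA2 CA1 ca.ext 3
gen_csr CA2bad  "/CN=ca2-nonca"; issue CA2bad CA1 nonca.ext 4
gen_csr signer  "/CN=signer";    issue signer CA2 leaf.ext 5
gen_csr signer2 "/CN=signer";    issue signer2 CA2bad leaf.ext 6

cat CA1.pem CA2.pem            > chain.pem            # intermediates only
cat CA1.pem CA2.pem RootCa.pem > chain_with_root.pem  # root embedded as well
cat CA1.pem CA2bad.pem         > chain_bad.pem        # CA2 lacks CA:TRUE

# 1. Root trusted, intermediates supplied as untrusted chain material: OK.
RESULT_OK=$(verify_chain RootCa.pem chain.pem signer.pem)
# 2. Root only embedded in the chain, trust anchor is something else: err=19.
RESULT_EMBEDDED_ROOT=$(verify_chain other.pem chain_with_root.pem signer.pem)
# 3. Root trusted but one intermediate is not a CA certificate: err=24.
RESULT_NONCA=$(verify_chain RootCa.pem chain_bad.pem signer2.pem)

printf 'root trusted, chain untrusted : %s\n' "$RESULT_OK"
printf 'root embedded, not trusted    : %s\n' "$RESULT_EMBEDDED_ROOT"
printf 'intermediate without CA:TRUE  : %s\n' "$RESULT_NONCA"
```

The point the three runs make for a verifier: certificates carried inside the signed document are chain material only, never trust anchors. Embedding the root in the document does not make it trusted (run 2 fails with 19 even though the full chain is present), and a trusted root does not rescue an intermediate that is not a valid CA certificate (run 3 fails with 24 regardless of how the chain is supplied). The trust anchor has to be configured out of band, which is what --trusted-pem is for; which concrete defect produced the 24 in Naval's CA2 is not something this example can tell.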