[xmlsec] Failed to verify

Aleksey Sanin aleksey at aleksey.com
Wed Aug 31 21:04:24 PDT 2011


Specify individual trusted certificates with the --trusted-pem option.

Aleksey


On 8/31/11 8:24 PM, Bernardo Hoehl wrote:
> Hello List,
>
>
> I am trying to get XMLSEC to verify a signature, and it seems to result in an openssl error that will not trust the Brazilian chain of certification...
>
> This is the command and result:
>
> ######### Command begins:
>
> $ export LD_LIBRARY_PATH=/opt/local/lib; ./xmlsec1 --verify --id-attr:Id infNFe --trusted-pem /Library/certs/USINA.pem /Users/bernardo/Desktop/teste.xml
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=PRONOVA/OU=Pessoa Juridica A1/L=QUEIMADOS/ST=RJ/CN=USINA BRASILEIRA DE CRISTOBALITA LTDA:73264202000114;err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> ERROR
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
> Error: failed to verify file "/Users/bernardo/Desktop/teste.xml"
>
> ############## Command ends
>
> I have read on the openssl.org page that I could tell openssl to trust a chain of certificates using the option "-CApath directory", but I have no idea how to pass this option in the above XMLSEC command.
>
> I appreciate any help,
>
> Thanks,
>
>
> Bernardo Höhl
> Rio de Janeiro - Brazil
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
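
To triage an error stack like the one in the quoted post, the sketch below (an added example, not part of the thread or of xmlsec itself) parses the frames xmlsec1 prints and extracts the OpenSSL verify code and the certificate subject it refers to. The function names and hint wording are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# xmlsec1 error-stack frame: func=..:file=..:line=..:obj=..:subj=..:error=..:<msg>:<details>
FRAME = re.compile(
    r"^func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):"
    r"(?P<msg>[^:]*):(?P<details>.*)$")
# OpenSSL detail appended by the x509 store; the DN itself may contain ':'.
X509 = re.compile(r"^(?:subj=(?P<dn>.*);)?err=(?P<err>\d+);msg=(?P<text>.*)$")

# Standard OpenSSL X509_V_ERR_* codes -> what to check in the trust setup.
HINTS = {
    10: "certificate expired",
    18: "self-signed leaf that is not itself trusted",
    19: "chain reaches a self-signed root that is not trusted",
    20: "issuing CA not in the store: load each CA of the chain with --trusted-pem",
    21: "only the leaf is available: load its issuing CA chain",
}

def parse_frames(stderr_text):
    """Return one dict per error-stack frame, in printed order."""
    matches = (FRAME.match(line.strip()) for line in stderr_text.splitlines())
    return [m.groupdict() for m in matches if m]

def diagnose(stderr_text):
    """Map each OpenSSL verify code in the stack to the failing subject and a hint."""
    findings = {}
    for frame in parse_frames(stderr_text):
        x = X509.match(frame["details"])
        if not x:
            continue  # frame carries no OpenSSL verify detail
        code = int(x["err"])
        entry = findings.setdefault(code, {
            "openssl_msg": x["text"], "subject_cn": None,
            "hint": HINTS.get(code, "see the X509_V_ERR_* list for this code")})
        if x["dn"] and entry["subject_cn"] is None:
            entry["subject_cn"] = x["dn"].rsplit("/CN=", 1)[-1]
    return findings

# First three frames from the post above, with the "> " quoting removed.
SAMPLE = """\
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=PRONOVA/OU=Pessoa Juridica A1/L=QUEIMADOS/ST=RJ/CN=USINA BRASILEIRA DE CRISTOBALITA LTDA:73264202000114;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
"""

if __name__ == "__main__":
    for code, finding in diagnose(SAMPLE).items():
        print(code, finding)
```

The subject reported next to err=20 is the certificate whose issuer OpenSSL could not find, so it identifies which CA certificates still need to be loaded.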

