[xmlsec] Error "unable to get local issuer certificate", I need to understand the concept of how to verify a signature (XML sig)!

Renato Tegon Forti re.tf at acm.org
Mon Apr 2 06:59:56 PDT 2012


Hi,

I have one doubt about verify one sign!

I need to understand the concept of how to verify a signature? What and
which parts are involved! How does the validation process works.

For sample, if I have this XML sign:

<!-- . -->

 <file:///C:\aws\xmlsec\my-s_sign.xml> <Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
 <file:///C:\aws\xmlsec\my-s_sign.xml> <SignedInfo><CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMetho
d Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<file:///C:\aws\xmlsec\my-s_sign.xml> <Reference
URI="#4306039266561101315555099000006996000289563">
<file:///C:\aws\xmlsec\my-s_sign.xml> <Transforms><Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><Transfor
m
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/></Transforms><D
igestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>mMtctkqg9kr
bX4G+UAy2YSOq/IY=</DigestValue></Reference></SignedInfo><SignatureValue>I06m
4f7PZ2fDfgg3ayq0JFyjvQftx4AmIb52R7b5ofo6vKVL35UUdjAD0TM31lmJawwep7JqYqBx7+5r
oBoQ3y5lX8xR8qZWNnVCGAAr6kdXJSF8NYuKM9E5lvPmJk9S+mSsowORgMboPvOuDL2WVGFEN2uU
3kL/7eeE8YMDnbg=</SignatureValue> <file:///C:\aws\xmlsec\my-s_sign.xml>
<KeyInfo> <file:///C:\aws\xmlsec\my-s_sign.xml>
<X509Data><X509Certificate>MIIFNTCCBB2gAwIBAgIQMjAwNTA5MjkxMjU5NTkwMjANBgkqh
kiG9w0BAQUFADCBhzELMAkGA1UEBhMCQlIxEzARBgNVBAoTCklDUC1CcmFzaWwxLDAqBgNVBAsTI
1NlY3JldGFyaWEgZGEgUmVjZWl0YSBGZWRlcmFsIC0gU1JGMTUwMwYDVQQDEyxIT01BdXRvcmlkY
WRlIENlcnRpZmljYWRvcmEgZG8gU0VSUFJPIFNSRiB2MTAeFw0wNTA5MjkxODU2MTNaFw0wNjA5M
jkxODU2MTNaMIHIMQswCQYDVQQGEwJCUjETMBEGA1UEChMKSUNQLUJyYXNpbDEqMCgGA1UECxMhU
2VjcmV0YXJpYSBkYSBSZWNlaXRhIEZlZGVyYWwtU1JGMRUwEwYDVQQLEwxDT05UUklCVUlOVEUxF
jAUBgNVBAsTDVNSRiBlLUNOUEogQTExSTBHBgNVBAMTQEFTU09DSUFDQU8gRE9TIE1PUkFET1JFU
yBFIEFNSUdPUyBCIFBBUlFVRSBTIEogREU6MDAwNzIzOTYwMDAxODIwgZ8wDQYJKoZIhvcNAQEBB
QADgY0AMIGJAoGBALltaH8iaZTQEnzyMWTtYAmt3ByWizHAgmimkGBzmCxL11GY4/Tj1tuAM/i8z
ZNAtqWIG6QHG61tE/CtiNKEwWI6D0FbSxY4mjPBmShv/eRs2v1vMa8Fmyo+19lqBtR859jR4zVo4
591ij1udtgo4OXWL2EWJTBArBJEYBK6IYOhAgMBAAGjggHcMIIB2DAPBgNVHRMBAf8EBTADAQEAM
CIGA1UdIwEBAAQYMBaAFMLPx9JzFJ+VPZDGpeEztGAmJ7rMMA4GA1UdDwEB/wQEAwIF4DBgBgNVH
SABAQAEVjBUMFIGBmBMAQIBEDBIMEYGCCsGAQUFBwIBFjpodHRwOi8vY2NkLnNlcnByby5nb3YuY
nIvc2VycHJvYWNmL2RvY3MvZHBjYWNzZXJwcm9hY2YucGRmMIHEBgNVHREBAQAEgbkwgbagPQYFY
EwBAwSgNAQyMjIwNjE5NTMyMzY0NTc4NDY5MTEyMzQ2ODc4Njc4MTQ5ODUxNjI2MDU0ODk0c3NwQ
kGgKQYFYEwBAwKgIAQeamhkZmdlcmhmaGV0amVydGpraHJudGtqcmh5dWl1oBkGBWBMAQMDoBAED
jAwMDcyMzk2MDAwMTgyoBcGBWBMAQMHoA4EDDg3OTQ1NjU2NDg3NIEWd2lsbHJvY2hhMUBob3RtY
WlsLmNvbTAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwRgYDVR0fAQEABDwwOjA4o
DagNIYyaHR0cDovL2NjZGhvbS5zZXJwcm8uZ292LmJyL2xjci9ob21hY3NlcnByb3NyZi5jcmwwD
QYJKoZIhvcNAQEFBQADggEBAGuhtqYJ3/8ZtGqaEkH9RgiGwBGh06er9WhWu6SI1XCMpjPMdH+1B
2VHrtVxg/L5KSRjeJGOcW5ALgbpe4at+p4iUq7eB5Et/VAGoR3RiZKQCZYLbg14itpdzAe8xDRP/
LdClFISkOqaP3Gf1PHD9/FrDZ1wuu0qAAmpgrdz3aszDcHgpz9b33kNdxaqw8H+1VlZmYEKzqfKV
sHeK40xORLAKeyPHrHetC0oA4kw8qiiPbotevf9lheofvy3aw2lLK0ztmMs5RPJ71qoN9GqBKmq3
ziym29QKBhmEBHvLQCssoobLtZvoMtw5RAo1xJmCMzwKerOFH58sO8DhbJckbU=</X509Certifi
cate></X509Data></KeyInfo></Signature>

 

My question: 

1)      What I need to validate, if the file(sign) is correct?

2)      What files (certificates) are involved (for verification)?

For sample, on xmlsec1, I'd try:

xmlsec1 --verify rsdtd.xml

ubuntu at ip-10-248-24-210:~$ xmlsec1 --verify  rsdtd.xml

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:sub
j=X509_verify_cert:error=4:crypto library function
failed:subj=/C=BR/O=ICP-Brasil/OU=Secretaria da Receita
Federal-SRF/OU=CONTRIBUINTE/OU=SRF e-CNPJ A1/CN=ASSOCIACAO DOS MORADORES E
AMIGOS B PARQUE S J DE:00072396000182;err=20;msg=unable to get local issuer
certificate

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:sub
j=unknown:error=71:certificate verification failed:err=20;msg=unable to get
local issuer certificate

func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysM
ngrFindKey:error=1:xmlsec library function failed:

func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:sub
j=unknown:error=45:key is not found:

func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:s
ubj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:

func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSig
CtxSigantureProcessNode:error=1:xmlsec library function failed:

Error: signature failed

ERROR

SignedInfo References (ok/all): 1/1

Manifests References (ok/all): 0/0

Error: failed to verify file "rsdtd.xml"

Thanks

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20120402/5ccaf4b6/attachment.html>


More information about the xmlsec mailing list