[xmlsec] Error "unable to get local issuer certificate", I need to understand the concept of how to verify a signature (XML sig)!

Aleksey Sanin aleksey at aleksey.com
Mon Apr 2 07:53:41 PDT 2012


You might want to start by reading a book on cryptography.

Aleksey

On 4/2/12 6:59 AM, Renato Tegon Forti wrote:
> Hi,
> 
> I have a question about verifying a signature!
> 
> I need to understand the concept of how to verify a signature. What and
> which parts are involved? How does the validation process work?
> 
> For example, if I have this XML signature:
> 
> <!-- … -->
> 
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>   <SignedInfo>
>     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>     <Reference URI="#4306039266561101315555099000006996000289563">
>       <Transforms>
>         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
>       </Transforms>
>       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>       <DigestValue>mMtctkqg9krbX4G+UAy2YSOq/IY=</DigestValue>
>     </Reference>
>   </SignedInfo>
>   <SignatureValue>I06m4f7PZ2fDfgg3ayq0JFyjvQftx4AmIb52R7b5ofo6vKVL35UUdjAD0TM31lmJawwep7JqYqBx7+5roBoQ3y5lX8xR8qZWNnVCGAAr6kdXJSF8NYuKM9E5lvPmJk9S+mSsowORgMboPvOuDL2WVGFEN2uU3kL/7eeE8YMDnbg=</SignatureValue>
>   <KeyInfo>
>     <X509Data>
>       <X509Certificate>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</X509Certificate>
>     </X509Data>
>   </KeyInfo>
> </Signature>
> 
> My questions:
> 
> 1)      What do I need to validate to check whether the file (signature) is correct?
> 
> 2)      What files (certificates) are involved (for verification)?
> 
> For example, with xmlsec1, I'd try:
> 
> xmlsec1 --verify rsdtd.xml
> 
> ubuntu at ip-10-248-24-210:~$ xmlsec1 --verify  rsdtd.xml
> 
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function failed:subj=/C=BR/O=ICP-Brasil/OU=Secretaria da Receita
> Federal-SRF/OU=CONTRIBUINTE/OU=SRF e-CNPJ A1/CN=ASSOCIACAO DOS MORADORES
> E AMIGOS B PARQUE S J DE:00072396000182;err=20;msg=unable to get local
> issuer certificate
> 
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer certificate
> 
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed:
> 
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
> is not found:
> 
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
> 
> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> 
> Error: signature failed
> 
> ERROR
> 
> SignedInfo References (ok/all): 1/1
> 
> Manifests References (ok/all): 0/0
> 
> Error: failed to verify file "rsdtd.xml"
> 
> Thanks
> 
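The three checks a verifier actually performs on a signature like the one quoted above, as an added Go example that is not from the xmlsec project or from this thread: it builds a constructed CA and a signer certificate issued by it, signs a constructed stand-in for the canonicalized SignedInfo (real XML-DSig hashes the C14N output, which is not reproduced here), and then verifies the Reference digest, the SignatureValue with the certificate's public key, and the certificate chain. The chain step fails with x509.UnknownAuthorityError when the issuer CA is not in the trusted store, which is the same situation as the "unable to get local issuer certificate" error in the log.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Doc holds the parts of an enveloped XML signature that a verifier uses (values already decoded from base64).
type Doc struct {
	Content    []byte            // referenced data after the Transforms (constructed)
	DigestVal  []byte            // <DigestValue>
	SignedInfo []byte            // canonicalized <SignedInfo> (constructed stand-in for C14N output)
	SigVal     []byte            // <SignatureValue>
	Cert       *x509.Certificate // signer certificate from <KeyInfo>/<X509Certificate>
}
func sha(b []byte) []byte { s := sha1.Sum(b); return s[:] }
// Verify runs the three checks: Reference digest, SignatureValue over SignedInfo, signer certificate chain.
func Verify(d Doc, trusted *x509.CertPool) error {
	if string(sha(d.Content)) != string(d.DigestVal) {
		return errors.New("reference digest mismatch")
	}
	pub, _ := d.Cert.PublicKey.(*rsa.PublicKey) // nil when the KeyInfo certificate key is not RSA
	if pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA1, sha(d.SignedInfo), d.SigVal) != nil {
		return errors.New("SignatureValue does not verify with the KeyInfo certificate")
	}
	// Chain check: with the issuer CA absent from the trusted store this returns x509.UnknownAuthorityError.
	_, err := d.Cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// NewSignedDoc builds a constructed CA, a signer certificate issued by it, and a Doc signed with rsa-sha1.
func NewSignedDoc() (Doc, *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Signer"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	content := []byte("<doc>payload</doc>")                                // the signed element after the enveloped-signature transform
	dig := sha(content)                                                    // DigestValue for the Reference
	si := append([]byte("SignedInfo rsa-sha1 #ref sha1 "), dig...)         // stand-in for C14N(<SignedInfo>), which carries the digest
	sig, _ := rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA1, sha(si)) // SignatureValue
	return Doc{content, dig, si, sig, leaf}, ca
}
```

In the log above it is this third step that fails: xmlsec1 found the signer certificate in KeyInfo but had no trusted issuer to chain it to, so the issuer certificate has to be handed to the verifier (xmlsec1 accepts one with --trusted-pem).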

