[xmlsec] Verify invalid certificate chain

Roman Khlystik dont.avt at gmail.com
Tue Aug 14 08:38:51 PDT 2012


Hi Aleksey!

I'm trying to develop a simple license system using the xmlsec library.
My idea was to build a simple private PKI with one CA key pair and a separate
key pair for each customer.
Then I planned to sign the XML license file with the client certificate for each
client.

I decided to embed the CA certificate in our app and verify the certificate chain
from the XML file up to the CA certificate.
But I have a problem with the xmlsec library. I can't find how to verify the full
certificate chain with it.
I used the example from here
http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html
and I have a problem when the certificate chain is invalid.
I get this error on the console:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

but the verification result dsigCtx->status has the value xmlSecDSigStatusSucceeded.

Can you tell me how I can verify that the certificate chain is invalid with the
xmlsec API?
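The chain check the post describes, reproduced outside xmlsec as an added example (this is not code from the post or from the xmlsec project). It builds the private PKI from the post with the openssl command-line tool (assumed to be installed): one CA, one customer certificate issued by it, and a second certificate with the same subject issued by an unrelated CA. Verifying against the embedded CA alone accepts the first and rejects the second with exactly the OpenSSL error seen in the log above, err=20 "unable to get local issuer certificate". The CA name and file layout are made up for the example.

```shell
#!/bin/sh
# Added example: private-PKI chain verification with the openssl CLI.
# Assumes `openssl` is on PATH. All keys and certificates are generated
# into a scratch directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The one CA key pair whose certificate would be embedded in the application.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/O=test/CN=License CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# A customer key pair; its certificate is issued (signed) by the CA above.
openssl req -newkey rsa:2048 -nodes -subj "/O=test/CN=server1" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/client.pem" 2>/dev/null

# The invalid-chain case: a second, unrelated CA issues a certificate with the
# same subject. Its issuer is unknown to the embedded CA, so the chain cannot
# be built (OpenSSL error 20, "unable to get local issuer certificate").
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/O=other/CN=Other CA" \
  -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/O=test/CN=server1" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.csr" 2>/dev/null
openssl x509 -req -in "$WORK/rogue.csr" -CA "$WORK/other-ca.pem" -CAkey "$WORK/other-ca.key" \
  -CAcreateserial -days 365 -out "$WORK/rogue.pem" 2>/dev/null

# verify_chain CERT: succeeds only if CERT chains to ca.pem. The system
# certificate directory is disabled so the embedded CA is the sole trust anchor.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" -no-CApath "$1" >/dev/null 2>&1
}

# verify_reason CERT: prints the verification failure text openssl gives for
# CERT (empty when verification succeeds).
verify_reason() {
  openssl verify -CAfile "$WORK/ca.pem" -no-CApath "$1" 2>&1 \
    | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' \
    | head -n 1
}

if verify_chain "$WORK/client.pem"; then echo "client.pem: chain OK"; else echo "client.pem: REJECTED"; fi
if verify_chain "$WORK/rogue.pem";  then echo "rogue.pem:  chain OK"; else echo "rogue.pem:  REJECTED ($(verify_reason "$WORK/rogue.pem"))"; fi
```

The point for the license check is that the trust anchor is only the CA certificate shipped with the application, never the system store, and that a chain failure must be treated as a failed verification, not as a warning printed to the console. When wiring this into xmlsec rather than the CLI, it is worth checking the X509Data read flags in the key-info context (the xmlsec headers define XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_INVALID_CERT for making an invalid certificate abort the key lookup instead of being skipped), and confirming that no other KeyInfo child can still supply the signing key.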