[xmlsec] Verify invalid certificate chain

Roman Khlystik dont.avt at gmail.com
Tue Aug 14 08:38:51 PDT 2012

Hi Aleksey!

I'm trying to develop a simple license system using the xmlsec library.
My idea was to build a simple private PKI with one CA key pair and a separate
key pair for each customer.
Then I planned to sign xml license file with client certificate for each

I decided to embed the CA certificate in our app and verify the certificate chain
from the xml file up to the CA certificate.
But I have a problem with the xmlsec library. I can't find how to verify the full
certificate chain with it.
I used the example from here
and I have a problem when the certificate chain is invalid.
I got this error on the console:

library function failed:subj=/C=UA/ST=Kyiv
verification failed:err=20;msg=unable to get local issuer certificate
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

but the verification result dsigCtx->status has the value xmlSecDSigStatusSucceeded.

Can you tell me how I can verify that the certificate chain is invalid with
the xmlsec API?
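
Added example, not part of the original post and not xmlsec code: it rebuilds the private PKI layout described above with the openssl command-line tool and shows the condition behind `err=20` (a certificate whose issuer is not the embedded CA). The accept/reject decision is taken from the exit status of the chain check, not from console output. All file names and subjects are constructed.

```shell
#!/bin/sh
# Constructed demo PKI; every name and subject below is made up.
# Needs the openssl CLI (1.1.0+ so that a failed `verify` exits non-zero).

# Self-signed CA: $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Customer certificate: $1 = CA prefix, $2 = customer prefix, $3 = common name.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# True only when certificate $2 chains to the embedded CA certificate $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# openssl's diagnostic lines for certificate $2 checked against CA $1.
chain_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep 'error'
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

make_ca    "$work/ca"    "Demo License CA"      # the CA shipped in the app
make_ca    "$work/other" "Unrelated CA"         # a CA the app does not trust
issue_cert "$work/ca"    "$work/customer" "Customer A"
issue_cert "$work/other" "$work/stranger" "Customer A"

for cert in customer stranger; do
    if chain_ok "$work/ca.pem" "$work/$cert.pem"; then
        echo "$cert: chain valid, license signature may be evaluated"
    else
        echo "$cert: chain INVALID, reject the license"
        chain_error "$work/ca.pem" "$work/$cert.pem"
    fi
done
```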