[xmlsec] Verify invalid certificate chain

Aleksey Sanin aleksey at aleksey.com
Tue Aug 14 10:03:58 PDT 2012


During the verification, xmlsec tries to verify the signature using
all possible certificate chains. It is enough to have one of them
succeed. The errors you see are from ones that failed. Safe to ignore
as long, just check the result code.


On 8/14/12 8:38 AM, Roman Khlystik wrote:
> Hi Aleksey!
> I'm trying to develop simple license system using xmlsec library.
> My idea was to build simple private PKI with one CA key pair and
> separate key-pair for each customer.
> Then I planned to sign xml license file with client certificate for each
> client.
> I decided to embbed CA certificate in our app and verify certificate
> chain from xml file up to CA certificate.
> But I have a problem with xmlsec library. I can't find how to verify
> full certificate chain with it.
> I used example from here
> http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html·
> <http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html%C2%B7>
> and I have a problem when certificate chain is invalid.
> I got error to console:
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function failed:subj=/C=UA/ST=Kyiv
> region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer certificate
> OK
> SignedInfo References (ok/all): 1/1·
> Manifests References (ok/all): 0/0·
> but verification result dsigCtx->status has xmlSecDSigStatusSucceeded value.
> Can you tell me how can I verify that certificate chain is invalid with
> xmlsec api?
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec

More information about the xmlsec mailing list