[xmlsec] Verify invalid certificate chain

Aleksey Sanin aleksey at aleksey.com
Wed Aug 15 07:24:07 PDT 2012


That shouldn't be the case. The only possibility is that there
is a key in the signature file (not in certificate).

Run xmlsec with debug output to find out where it finds the key.

Aleksey

On 8/15/12 1:21 AM, Roman Khlystik wrote:
> Thanks for your answer, Aleksey.
> 
> I think I've understood the behaviour of xmlsec in this situation.
> According to this logic I assume (and actually I checked it) that when
> there isn't any valid certificate chain, the result code of signature
> verification is still "succeeded". Why?
> 
> Here is an example using the command-line tool. ca.crt isn't related to
> the certificate in license-signed-ca1-server1.xml, so there isn't any
> valid certificate chain. Why is the verification status OK?
> 
>     #xmlsec1 --verify --trusted-pem cas/ca2/ca/certs/ca.crt license-signed-ca1-server1.xml
> 
>     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=Ukraine Department/CN=server1/emailAddress=support at test.com;err=20;msg=unable to get local issuer certificate
>     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>     OK
>     SignedInfo References (ok/all): 1/1
>     Manifests References (ok/all): 0/0
> 
> 
> 
> So, I have another question: Is it possible to detect with xmlsec that
> there is no valid certificate chain up to one of the trusted
> certificates? I want to reject the signed xml file if there isn't any
> valid certificate chain.
> 
> Thanks.
> 
> 2012/8/14 Aleksey Sanin <aleksey at aleksey.com>
> 
>     Roman,
> 
>     During the verification, xmlsec tries to verify the signature using
>     all possible certificate chains. It is enough to have one of them
>     succeed. The errors you see are from the ones that failed. Safe to
>     ignore; just check the result code.
> 
>     Aleksey
> 
>     On 8/14/12 8:38 AM, Roman Khlystik wrote:
>     > Hi Aleksey!
>     >
>     > I'm trying to develop a simple license system using the xmlsec library.
>     > My idea was to build a simple private PKI with one CA key pair and a
>     > separate key pair for each customer. Then I planned to sign the xml
>     > license file with the client certificate for each client.
>     >
>     > I decided to embed the CA certificate in our app and verify the
>     > certificate chain from the xml file up to the CA certificate.
>     > But I have a problem with the xmlsec library. I can't find how to
>     > verify the full certificate chain with it.
>     > I used the example from here
>     > http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html
>     > and I have a problem when the certificate chain is invalid.
>     > I got this error on the console:
>     >
>     > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
>     > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>     > OK
>     > SignedInfo References (ok/all): 1/1
>     > Manifests References (ok/all): 0/0
>     >
>     > but the verification result dsigCtx->status has the
>     > xmlSecDSigStatusSucceeded value.
>     >
>     > Can you tell me how I can verify that the certificate chain is
>     > invalid with the xmlsec API?
>     >
>     >
> 
> 
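
A pre-check in the spirit of Aleksey's diagnosis, added here as an example that is not part of the thread or of xmlsec itself: before handing a license file to xmlsec, inspect each ds:KeyInfo and reject the document if it offers key material by any means other than ds:X509Data, since a bare ds:KeyValue lets the signature verify with the embedded key without any chain ever reaching the trusted CA. The signed XML below is constructed; SignedInfo, SignatureValue and the certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample (not from the thread): a signed license whose ds:KeyInfo
# carries a bare RSA KeyValue next to the X509 certificate. SignedInfo,
# SignatureValue and the certificate body are placeholders, not real data.
SAMPLE_SIGNED_XML = """<license>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>PLACEHOLDER</ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>PLACEHOLDER</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</license>
"""


def key_sources(xml_text):
    """For every ds:Signature, return the set of local names of the ds:KeyInfo
    children, i.e. the places a verifier may take the signing key from."""
    root = ET.fromstring(xml_text)
    per_signature = []
    for sig in root.iter("{%s}Signature" % DS):
        key_info = sig.find("{%s}KeyInfo" % DS)
        names = set()
        if key_info is not None:
            for child in key_info:
                # strip the "{namespace}" prefix ElementTree puts on tags
                names.add(child.tag.rsplit("}", 1)[-1])
        per_signature.append(names)
    return per_signature


def accept_key_info(xml_text, allowed=frozenset({"X509Data"})):
    """Return (ok, reason). ok is False when there is no signature, when a
    KeyInfo is missing or empty, or when a KeyInfo offers key material other
    than the allowed kinds; a bare KeyValue is exactly the case in the thread."""
    sources = key_sources(xml_text)
    if not sources:
        return False, "no ds:Signature element"
    for names in sources:
        if not names:
            return False, "ds:KeyInfo missing or empty"
        extra = names - allowed
        if extra:
            return False, "disallowed key source(s): " + ", ".join(sorted(extra))
    return True, "only allowed key sources present"
```

The complementary measure is to restrict xmlsec itself to certificate key data (the xmlsec1 tool's --enabled-key-data option, limited to x509), so that the verifier cannot fall back to a key carried in the signature file.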

