[xmlsec] Fwd: Verify Sign Issue

Aleksey Sanin aleksey at aleksey.com
Mon Nov 24 12:37:02 PST 2014


You need to verify the signature using the "trusted" certificate,
not the original key you used for signing since this key is already
available in the certificate inside the signed XML document.

Aleksey

On 11/24/14 11:11 AM, Renato Fermi wrote:
> Thanks,
> Do you have any tips on what kind of mistake I am making?
> 
> I'll learn more about these subjects that you suggested.
> 
> Regards,
> 
> 2014-11-24 17:04 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
> 
>     You are not verifying the signature correctly. Please read about
>     certificate verification, trusted certificates, etc.
> 
>     Aleksey
> 
>     On 11/24/14 10:54 AM, Renato Fermi wrote:
>     > Sorry, the verifying line was :
>     >   - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem
>     > nfcek.pem,cert.pem signed.xml
>     >
>     > 2014-11-24 16:45 GMT-02:00 Renato Fermi <repiazza at gmail.com>:
>     >
>     >     Hello Aleksey,
>     >
>     >     I was really using a wrong certificate to sign and check it.
>     >     Now I'm using the same certificate, the one that generated the key
>     >     file.
>     >     So I have 2 files:
>     >      - cert.pem - client certificate, obtained using the following
>     >     command, from the full certificate:
>     >          openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys -nodes
>     >      - nfcek.pem - key file obtained this way:
>     >          openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes
>     >
>     >     I'm signing using:
>     >       - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem --output signed.xml 0A000U209.xml
>     >     And verifying:
>     >       - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,certificado.pem signed.xml
>     >
>     >     So I got an OK, but with errors:
>     >     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS LTDA:05113966000159;err=20;msg=unable to get local issuer certificate
>     >     func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>     >     OK
>     >     SignedInfo References (ok/all): 1/1
>     >     Manifests References (ok/all): 0/0
>     >
>     >     Do you have any idea about it?
>     >
>     >     Thanks again.
>     >
>     >     2014-11-24 16:23 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>     >
>     >         Are you sure that the cacert.pem contains the certificate for
>     >         nfcek.pem
>     >         key? It looks like you are signing with one key and verifying
>     >         with another.
>     >
>     >         Aleksey
>     >
>     >         On 11/24/14 10:15 AM, Renato Fermi wrote:
>     >         > I've added 2 files (input) 0AU00209.xml and output.xml.
>     >         >
>     >         >
>     >         >
>     >         >
>     >         > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>     >         >
>     >         >     What does the input.xml look like?
>     >         >
>     >         >     Aleksey
>     >         >
>     >         >     On 11/24/14 9:58 AM, Renato Fermi wrote:
>     >         >     > Hello Aleksey,
>     >         >     >
>     >         >     > I'm having troubles after successfully signing an
>     >         >     > XML, when verifying it.
>     >         >     >
>     >         >     > What I've done:
>     >         >     >  - Signed XML with my cert key and cacert:
>     >         >     >  $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem --output signed.xml input.xml
>     >         >     >  - Verified the signature:
>     >         >     > xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem signed.xml
>     >         >     >
>     >         >     > And received the return:
>     >         >     >
>     >         >
>     >         >     > func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
>     >         >     > FAIL
>     >         >     > SignedInfo References (ok/all): 1/1
>     >         >     > Manifests References (ok/all): 0/0
>     >         >     > Error: failed to verify file "signed.xml"
>     >         >     >
>     >         >     > Am I doing anything wrong?
>     >         >     >
>     >         >     > Thanks in advance.
>     >         >     >
>     >         >     > Renato Fermi
>     >         >     >
>     >         >     >
>     >         >     > _______________________________________________
>     >         >     > xmlsec mailing list
>     >         >     > xmlsec at aleksey.com
>     >         >     > http://www.aleksey.com/mailman/listinfo/xmlsec
>     >         >     >
> 
> 
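
The flow this thread converges on, as an added example that is not code from the thread or from the xmlsec project: the openssl and xmlsec1 invocations as shell functions, with the certificate-chain check behind the err=20 message run first. File names and the NF-e id attribute (Id on infNFe) are taken from the thread; verify_nfe.sh is an assumed script name.

```shell
#!/bin/sh
# Added example, not code from the thread. It is the thread's sign/verify flow
# with the fix Aleksey describes: verify against a trusted CA certificate, not
# against the signing key. Assumed file names (from the thread): certificate.pfx,
# nfcek.pem (key), cert.pem (signing cert), cacert.pem (issuer chain), signed.xml.
set -u

# Split the PKCS#12 bundle into key, end-entity cert and issuer chain.
extract_pfx() { # $1 = certificate.pfx
    openssl pkcs12 -in "$1" -out nfcek.pem  -nocerts -nodes
    openssl pkcs12 -in "$1" -out cert.pem   -clcerts -nokeys -nodes
    openssl pkcs12 -in "$1" -out cacert.pem -cacerts -nokeys -nodes
}

# "err=20 ... unable to get local issuer certificate" in the thread is OpenSSL's
# X509_verify_cert failing to chain cert.pem to anything trusted. Check that
# directly before involving xmlsec1: returns 0 only if $2 chains to a CA in $1.
chain_ok() { # $1 = CA file, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Sign with key AND certificate so the cert lands in the document's <KeyInfo>.
sign_nfe() { # $1 = input XML, $2 = output XML
    xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem \
        --output "$2" "$1"
}

# Verify with the trusted CA only: the public key is read from the embedded
# certificate. Passing --privkey-pem here, as in the thread, is the mistake.
verify_nfe() { # $1 = signed XML
    xmlsec1 --verify --id-attr:Id infNFe --trusted-pem cacert.pem "$1"
}

# Whole flow; stops with a clear message if the chain is broken. Run as:
#   sh verify_nfe.sh run certificate.pfx input.xml
run_flow() { # $1 = certificate.pfx, $2 = input XML
    extract_pfx "$1"
    chain_ok cacert.pem cert.pem || {
        echo "cert.pem does not chain to cacert.pem (this is err=20)" >&2
        return 1
    }
    sign_nfe "$2" signed.xml
    verify_nfe signed.xml
}

if [ "${1:-}" = "run" ]; then run_flow "$2" "$3"; fi
```

If certificate.pfx does not carry the issuer chain, cacert.pem comes out empty and chain_ok fails; the chain then has to be obtained from the issuing CA before xmlsec1 can verify anything.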

