Adding Root Certificates for verification of certificates using libxmlsecurity

Hi,

I want to verify a particular certificate stored in an XML, against a self-signed root certificate, using OpenSSL. For this I am using libxmlsecurity [which internally has OpenSSL] for parsing my signature.xml that contains a certificate.

1. For adding root certificates to the keystore I am using xmlSecOpenSSLAppKeysMngrCertLoad() of libxmlsecurity, which calls OpenSSL APIs to do so.
2. To verify this signature file against a root certificate [self-signed] I use libxmlsecurity, which internally calls X509_verify_cert of OpenSSL.

Problem: The signature passes successfully the first time but fails if I send the verification request again. X509_verify_cert returns 0 and the error code XMLSEC_ERRORS_R_CRYPTO_FAILED is printed.

NOTE: Each time I send a verification request I add the root certificates to the keys store.

Error logs:

ERROR/(244): Optional Transform node is present
ERROR/(244): xptrExpr = 0x2c97d8
ERROR/(244): ERROR CODE: 7, ERROR MSG: certificate signature failure
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/openssl/x509vfy.c[359]
ERROR/(244): ERROR CODE: 7, ERROR MSG: certificate signature failure
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/openssl/x509vfy.c[408]
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/openssl/x509.c[1714]
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/keys.c[1364]
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/xmldsig.c[1034]
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/xmldsig.c[726]
ERROR/(244): ERROR: external/libxmlsecurity/android/../src/xmldsig.c[526]

I am not able to understand why the verification succeeds the first time but fails the second time with the above error code. Any suggestions for the above problem will be helpful.

Regards,
Mayur
Using PEM_read_X509 openSSL Api
Hi,

I am using

X509 *pX = PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);

to get an X509 certificate structure from a PEM format file. My file (fp) looks like below:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The above API is returning NULL in both pX and x.

Q1) So I was wondering whether the PEM file I am passing as input to the API is correct or not?
Q2) And which of pX and x will give me the required X509 certificate?

I could not find any explanation of the API on the net, only the signature, so I need some help with the above problem.

Regards,
Mayur
Re: Adding Multiple Root certificates in Openssl
Hi Ciprian,

Thanks for the immediate reply. I have some questions on both the approaches suggested.

> You can create a file where you may concatenate all your trusted certificates in PEM format and use that file for verification.

[Mayur] Is there any OpenSSL API which helps in parsing this file [say myStorageFile] which has all my root certificates in it? Also, my intention, as mentioned in the scenario in the previous mail, is that I will be passing a chain A--B and would like to find C [self-signed root certificate] from myStorageFile.

> Another way is to store your trusted certificates in PEM format in the filesystem and create a folder from where you create symbolic links to every certificate. The symbolic link name should be named as HASH.0. HASH can be obtained from the certificate using the -hash option like:
>
> openssl x509 -in root.cer -hash

[Mayur] After storing links to my PEM format certificate files, how do I parse the folder having the links to get root C for my chain A--B?

Regards,
Mayur

On Fri, Jul 15, 2011 at 10:05 PM, Ciprian Pavel <ciprian.pa...@gmail.com> wrote:
> Hi Mayur,
>
> You can create a file where you may concatenate all your trusted certificates in PEM format and use that file for verification.
>
> Another way is to store your trusted certificates in PEM format in the filesystem and create a folder from where you create symbolic links to every certificate. The symbolic link name should be named as HASH.0. HASH can be obtained from the certificate using the -hash option like:
>
> openssl x509 -in root.cer -hash
>
> If you need CRL checking the same procedure can be applied, with the exception that the symbolic link name has to be HASH.r0.
>
> Regards,
> Ciprian
>
> On Fri, Jul 15, 2011 at 3:01 PM, Mayur Premi <premi.ma...@gmail.com> wrote:
>> Hi,
>>
>> I am using OpenSSL for signature verification of the files in my application. For supporting multiple root certificates, is there a db or storage area [file] which OpenSSL searches while finding the root of the passed input certificates?
>>
>> I am using the X509_verify_cert API of OpenSSL to verify certificates. The scenario is as below:
>>
>> Say I have 2 certificates A and B in my application. A's issuer is B and B's issuer is C. Here C is the [self-signed] root certificate. Can I store C somewhere in OpenSSL and find it to complete the chain A--B--C?
>>
>> Regards,
>> Mayur
Adding Multiple Root certificates in Openssl
Hi,

I am using OpenSSL for signature verification of the files in my application. For supporting multiple root certificates, is there a db or storage area [file] which OpenSSL searches while finding the root of the passed input certificates?

I am using the X509_verify_cert API of OpenSSL to verify certificates. The scenario is as below:

Say I have 2 certificates A and B in my application. A's issuer is B and B's issuer is C. Here C is the [self-signed] root certificate. Can I store C somewhere in OpenSSL and find it to complete the chain A--B--C?

Regards,
Mayur
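Editor's note with a worked example. The two storage layouts Ciprian describes in his reply (a concatenated PEM file, and a directory of HASH.N symlinks) are exactly what OpenSSL's X509_STORE reads: X509_STORE_load_locations(store, file, dir) loads either or both, the file lookup reads every certificate in the file, and the hash-dir lookup computes the subject-name hash of the issuer it needs and opens HASH.0, HASH.1, ... in turn. X509_verify_cert then walks from the leaf through any untrusted intermediates you handed to X509_STORE_CTX_init until it reaches a certificate in the store, so C is found by its subject-name hash, not by anything in A or B. The script below is an added example, not code from the thread or from OpenSSL; it uses only the openssl command line (1.1.0 or later), and all names (A, B, C, D, roots.pem, hashdir, $WORK) are made up for the example. D is a second, unrelated root placed in the store to show that the store holds more than one root and that only the one that actually issued B matters.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from OpenSSL): build a toy
# chain A <- B <- C, store the roots in both layouts Ciprian describes, then
# verify A the way X509_verify_cert does when its X509_STORE has been loaded
# from those locations. All file names and subjects are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"

# 1.1.x has -no-CAfile/-no-CApath; 3.x also has -no-CAstore. Use whatever this
# build supports so the system's default trust store stays out of the picture.
NO_DEFAULTS="-no-CAfile -no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
    NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"
fi

# new_csr NAME: fresh RSA key plus CSR with subject /CN=NAME
new_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# make_root NAME: self-signed CA certificate (what "C" is in the thread)
make_root() {
    new_csr "$1"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue NAME ISSUER EXTFILE: certificate for NAME signed by ISSUER's key
issue() {
    new_csr "$1"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$3" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Layout 1: every trusted root concatenated into one PEM file. This is what
# -CAfile and X509_STORE_load_locations(store, file, NULL) read.
make_ca_file() {
    cat "$WORK/C.pem" "$WORK/D.pem" > "$WORK/roots.pem"
}

# Layout 2: a directory of HASH.N symlinks. This is what -CApath and
# X509_STORE_load_locations(store, NULL, dir) read: the lookup hashes the
# subject name of the issuer it is searching for and opens HASH.0, HASH.1, ...
# so two roots whose subject hashes collide get successive N.
make_ca_path() {
    mkdir -p "$WORK/hashdir"
    for cert in "$WORK/C.pem" "$WORK/D.pem"; do
        h=$(openssl x509 -in "$cert" -noout -hash)
        n=0
        while [ -e "$WORK/hashdir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$cert" "$WORK/hashdir/$h.$n"
    done
}

# verify LEAF UNTRUSTED STORE-ARGS...: exit 0 if a chain from LEAF to a root in
# the store can be built. The intermediate goes in as -untrusted: it is chain
# material to be checked, not a trust anchor.
verify() {
    leaf=$1; untrusted=$2; shift 2
    openssl verify $NO_DEFAULTS "$@" -untrusted "$WORK/$untrusted.pem" \
        "$WORK/$leaf.pem" >/dev/null 2>&1
}

build_all() {
    make_root C          # C signs B, B signs A: the chain from the thread
    make_root D          # unrelated root that also lives in the store
    issue B C ca.ext
    issue A B leaf.ext
    make_ca_file
    make_ca_path
}

build_all
verify A B -CAfile "$WORK/roots.pem" && echo "A via CAfile: OK"
verify A B -CApath "$WORK/hashdir"   && echo "A via CApath: OK"
verify A B -CAfile "$WORK/D.pem"     || echo "A against D only: rejected, no path to a trusted root"
```

Two things the run shows that the thread's questions turn on: B has to be supplied as untrusted chain material (drop the -untrusted argument and verification of A fails with "unable to get local issuer certificate", because the store only knows roots), and the store is searched by the issuer's subject-name hash, which is why the symlink name is derived from the root itself and not from anything in A or B. In the C API the same setup is X509_STORE_new, X509_STORE_load_locations (or X509_STORE_add_cert for an in-memory root), then X509_STORE_CTX_init with the leaf and a STACK_OF(X509) holding B, and X509_verify_cert; the store is meant to be built once and reused across verifications rather than reloaded per request.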