In the XML file there were 3 certificates included in all. The first certificate you extracted as "a.pem".
I saved these certificates as b.pem and c.pem too.
When I verify that with openssl I get a success for a.pem.
So you need all certificates which are presented in the XML when you verify the signature. Does xmlsec use all these certificates or only get the first one?!
When I try to load the extracted b.pem and c.pem as trusted certificates into xmlsec I get
xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation failed : X509_LOOKUP_load_file(b.pem) - 0
Error: unable to load certificate file "b.pem".
What could be the reason for that error?
Ingo Fischer
Aleksey Sanin wrote:
The issuer of the certificate in the signature
C=US, O=MasterCard International Incorporated Test System Subordinate, OU=SecureCode Test System Subordinate CA Certificate, CN=MasterCard SecureCode Test Issuer and Directory Subordinate
matches none of the subjects of the certificates you sent to me. You might
use "openssl x509" and "openssl verify" commands to verify "plain" certs
w/o XML stuff around. For example, I've saved cert from the signature
to a.pem file, put all your certs in the same dir and executed the following
command (added lines formatting):
[EMAIL PROTECTED] openssl verify -CAfile mctestRootCA.pem *.pem
a.pem: /C=US/O=MasterCard International Inc Test System Subordinate /OU=SecureCode Test System Subordinate CA Stage 2 /CN=MasterCard SecureCode Issuer Test1 Signing Stage
error 20 at 0 depth lookup:unable to get local issuer certificate
mctestRoot_2.pem: OK
mctestRootCA.pem: OK
mctestSubcCA.pem: OK
And I have the same results with "-CAfile mctestRoot_2.pem".
Also, as you probably know I prefer to answer xmlsec questions in the mailing list.
Aleksey
Ingo Fischer wrote:
Hello!
We had contact some time ago.
Now I have another problem. I have an XML-Signature which I need to verify.
When I try that with:
> xmlsec verify --trusted /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem /tmp/3dsec_xmldsig_verify_3006.xml
xmlSecX509StoreVerify (x509.c:1090): error 41: cert verification failed : error=19 (self signed certificate in certificate chain)
xmlSecX509DataNodeRead (keyinfo.c:1196): error 41: cert verification failed :
xmlSecKeysMngrGetKey (keys.c:518): error 17: key not found :
xmlSecSignedInfoRead (xmldsig.c:1437): error 17: key not found :
xmlSecSignatureRead (xmldsig.c:1175): error 2: xmlsec operation failed : xmlSecSignedInfoRead - -1
xmlSecDSigValidate (xmldsig.c:733): error 2: xmlsec operation failed : xmlSecSignatureRead - -1
ERROR
Error: operation failed
That's correct that way because the Root-Certificate is self-signed by Mastercard. Now I have the CA-Certificates as two .pem files too (they have a hierarchy of a Master-CA and a Sub-CA which are both needed).
So I tried to set them as --trusted too:
> xmlsec verify --trusted /home/ipayment/doc_root/../certs/3dsecure/mctestRoot_2.pem --trusted /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestRootCA.pem --trusted /home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem /tmp/3dsec_xmldsig_verify_3006.xml
xmlSecX509StoreLoadPemCert (x509.c:1182): error 3: crypto operation failed : X509_LOOKUP_load_file(/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem) - 0
Error: unable to load certificate file "/home/ipayment/doc_root/../certs/3dsecure/mctest/mctestSubcCA.pem".
Usage: xmlsec verify [<options>] <file> [<file> [ ... ]]
...
I attached all the files referenced (packed as ZIP) and it would be great if you could give me a hint what goes wrong there.
Hoping for a fast answer ;-))
Ingo Fischer
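The issuer-versus-subject comparison Aleksey Sanin suggests doing with "openssl x509", as an added example that is not part of the thread: it checks that every PEM file parses as a certificate and that each issuer name appears as a subject somewhere in the set. The function names, file names and DNs are constructed for the demonstration, and the "sub" CA is self-signed here only to keep the demo short.

```shell
#!/bin/sh
# Added example (not from the thread). File names and DNs are constructed.

# dn subject|issuer FILE: print that DN on one line, without the "subject=" label.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 2>/dev/null |
        sed "s/^$1= *//"
}

# check_chain FILE...: for each file print "<file> <status>", status being
#   UNPARSEABLE     openssl cannot read it as a PEM certificate
#   MISSING-ISSUER  its issuer DN equals no subject DN among the given files
#   OK              some given file has a subject equal to its issuer
# DN matching only locates the gap; "openssl verify" still checks signatures.
check_chain() {
    for f in "$@"; do
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "$f UNPARSEABLE"
            continue
        fi
        issuer=$(dn issuer "$f")
        status=MISSING-ISSUER
        for g in "$@"; do
            if [ "$(dn subject "$g")" = "$issuer" ]; then status=OK; fi
        done
        echo "$f $status"
    done
}

# make_demo DIR: build constructed test material in DIR:
#   root.pem  self-signed CA      sub.pem  second self-signed CA (stand-in)
#   leaf.pem  signed by sub.pem   bad.pem  not a certificate at all
make_demo() {
    ( cd "$1" || exit 1
      for ca in root sub; do
          openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$ca.key" \
              -subj "/O=Demo/CN=Demo $ca CA" -out "$ca.pem" 2>/dev/null || exit 1
      done
      openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key \
          -subj "/O=Demo/CN=Demo leaf" -out leaf.csr 2>/dev/null || exit 1
      openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key \
          -CAcreateserial -days 1 -out leaf.pem 2>/dev/null || exit 1
      echo "not a certificate" > bad.pem )
}
```

Run against a real set with `check_chain *.pem` in the certificate directory; a MISSING-ISSUER line corresponds to the "error 20 ... unable to get local issuer certificate" result from "openssl verify".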
