The error indicates that verification of one of the certificate
chains failed but xmlsec was able to extract the key either from
another certificate chain or from some other place. Hard to say
more w/o looking at the document.
Aleksey
Paul Keeler wrote:
I would be grateful if someone could help me with this problem. I have a
signed document which reports that it verifies ok, but also gives an
error message: "unable to get local issuer certificate". The same thing
happens both running from my own application and calling xmlsec from the
command line:
xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>
This is the result:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
The verification seems to have been successful (indicated by "OK"), but
clearly an error was also reported.
The signed document contains my entire certificate chain: Signer ->
Intermediate CA -> Root CA. The Root CA in the chain is the same as the
trusted root pem I pass using the --trusted-pem option, so I would
expect verification to succeed.
Now, I can make the error message go away by extracting the Intermediate
CA certificate from the signed document and passing it to XMLSEC using
the --untrusted-pem option:
xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>
I did not expect that I would have to explicitly pass a certificate from
the chain to xmlsec and flag it as being untrusted. Am I doing
something wrong? Surely xmlsec should assume that all X509 certificates
in a chain are untrusted by default? Have I missed the point somewhere?
Many thanks in advance.
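The workaround above, generalized to every certificate embedded in the document, as an added example that is not part of this thread or of xmlsec itself: it pulls each ds:X509Certificate out of the signed document, writes it as PEM, and assembles the xmlsec1 --verify line with one --untrusted-pem per certificate, so OpenSSL has the intermediate it needs to build the path while trust still ends only at the root given with --trusted-pem. The element names and namespace are the standard XML Signature ones; the sample document and the "DER" blobs inside it are constructed and are not real certificates.

```python
"""Added example (not xmlsec's own code): automate the workaround from this thread.
Every ds:X509Certificate in the signed document goes to xmlsec1 as --untrusted-pem so
OpenSSL can build Signer -> Intermediate CA -> Root CA; trust still ends only at
the root passed with --trusted-pem. Standard library only."""
import base64
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def extract_certs_as_pem(xml_text):
    """One PEM string per ds:X509Certificate, in document order."""
    pems = []
    for el in ET.fromstring(xml_text).iter("{%s}X509Certificate" % DS_NS):
        b64 = "".join((el.text or "").split())      # drop wrapping whitespace
        der = base64.b64decode(b64, validate=True)  # reject non-base64 content
        body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return pems

def pem_to_der(pem):
    """Inverse of extract_certs_as_pem's output, used to check the round trip."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def build_verify_command(doc_path, trusted_root_pem, untrusted_pems, id_attrs):
    """xmlsec1 argv with one --untrusted-pem per chain cert. Passing the signer or
    root again as untrusted is harmless: untrusted certs only help path building."""
    argv = ["xmlsec1", "--verify"]
    for attr, qname in id_attrs:                     # e.g. ("ID", "urn:ns:Node")
        argv += ["--id-attr:%s" % attr, qname]
    argv += ["--trusted-pem", trusted_root_pem]
    for path in untrusted_pems:
        argv += ["--untrusted-pem", path]
    return argv + [doc_path]

def constructed_sample_document():
    """Stand-in for the signed document: three fake DER blobs (not real certificates)
    laid out as the ds:X509Data of a real signature would be."""
    fake_der = [b"constructed signer", b"constructed intermediate CA", b"constructed root CA"]
    certs = "".join("<ds:X509Certificate>\n  %s\n</ds:X509Certificate>"
                    % base64.b64encode(d).decode() for d in fake_der)
    return ('<Doc xmlns:ds="%s"><ds:Signature><ds:KeyInfo><ds:X509Data>%s'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></Doc>' % (DS_NS, certs))
```

On a real document, write each returned PEM to a file and hand the argv from build_verify_command to subprocess.run; the error in the thread disappears once the intermediate is among the --untrusted-pem files.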
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec