Here is a link to an online generator of signed documents that will demonstrate the behaviour I described previously:
http://www.cinecert.com/dci_ref_01/

Is there perhaps something about these documents that means xmlsec is unable to populate a store of untrusted certificates?

Many thanks for your help already.

On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> The error indicates that verification of one of the certificate
> chains failed but xmlsec was able to extract the key either from
> another certificate chain or from some other place. Hard to say
> more w/o looking at the document.
>
> Aleksey
>
>
> Paul Keeler wrote:
> > I would be grateful if someone could help me with this problem. I have a
> > signed document which reports that it verifies ok, but also gives an
> > error message: "unable to get local issuer certificate". The same thing
> > happens both running from my own application and calling xmlsec from the
> > command line:
> >
> > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>
> >
> > This is the result:
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > OK
> > SignedInfo References (ok/all): 2/2
> > Manifests References (ok/all): 0/0
> >
> > The verification seems to have been successful (indicated by "OK"), but
> > clearly an error was also reported.
> >
> > The signed document contains my entire certificate chain: Signer ->
> > Intermediate CA -> Root CA. The Root CA in the chain is the same as the
> > trusted root pem I pass using the --trusted-pem option, so I would
> > expect verification to succeed.
> >
> > Now, I can make the error message go away by extracting the Intermediate
> > CA certificate from the signed document and passing it to XMLSEC using
> > the --untrusted-pem option:
> >
> > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>
> >
> > I did not expect that I would have to explicitly pass a certificate from
> > the chain to xmlsec and flag it as being untrusted. Am I doing
> > something wrong? Surely xmlsec should assume that all X509 certificates
> > in a chain are untrusted by default? Have I missed the point somewhere?
> >
> > Many thanks in advance.
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
