Looks like the body of my previous message was somehow scrubbed along with the attachment. Here it is again:
On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:
> Ok, I guess it was a bit unreasonable to send you a link - my apologies!
> Here's a concrete example. See attached.
>
> Thanks for your patience.
>
> On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > I have no idea what "target kdm certificate" is :) Please, attach
> > a signed document to the email.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > Here is a link to an online generator of signed documents that will
> > > demonstrate the behaviour I described previously:
> > >
> > > http://www.cinecert.com/dci_ref_01/
> > >
> > > Is there perhaps something about these documents that means xmlsec is
> > > unable to populate a store of untrusted certificates?
> > >
> > > Many thanks for your help already.
> > >
> > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > > > The error indicates that verification of one of the certificate
> > > > chains failed but xmlsec was able to extract the key either from
> > > > another certificate chain or from some other place. Hard to say
> > > > more w/o looking at the document.
> > > >
> > > > Aleksey
> > > >
> > > > Paul Keeler wrote:
> > > > > I would be grateful if someone could help me with this problem. I have a
> > > > > signed document which reports that it verifies ok, but also gives an
> > > > > error message: "unable to get local issuer certificate". The same thing
> > > > > happens both running from my own application and calling xmlsec from the
> > > > > command line:
> > > > >
> > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > <my_trusted_root_pem> <my_signed_document>
> > > > >
> > > > > This is the result:
> > > > >
> > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > OK
> > > > > SignedInfo References (ok/all): 2/2
> > > > > Manifests References (ok/all): 0/0
> > > > >
> > > > > The verification seems to have been successful (indicated by "OK"), but
> > > > > clearly an error was also reported.
> > > > >
> > > > > The signed document contains my entire certificate chain: Signer ->
> > > > > Intermediate CA -> Root CA. The Root CA in the chain is the same as the
> > > > > trusted root pem I pass using the --trusted-pem option, so I would
> > > > > expect verification to succeed.
> > > > >
> > > > > Now, I can make the error message go away by extracting the Intermediate
> > > > > CA certificate from the signed document and passing it to XMLSEC using
> > > > > the --untrusted-pem option:
> > > > >
> > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > > --id-attr:<my_ID_attribute_name>
> > > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > > > > <my_signed_document>
> > > > >
> > > > > I did not expect that I would have to explicitly pass a certificate from
> > > > > the chain to xmlsec and flag it as being untrusted. Am I doing
> > > > > something wrong? Surely xmlsec should assume that all X509 certificates
> > > > > in a chain are untrusted by default? Have I missed the point somewhere?
> > > > >
> > > > > Many thanks in advance.
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
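The chain-building rule the thread is about (a trust anchor alone is not enough; the issuing intermediate has to be offered to the store as an untrusted certificate, which is what `--untrusted-pem` does in xmlsec1) can be reproduced with plain OpenSSL, the library behind xmlsec1's x509 store. The script below is an added example, not code from the thread or from the xmlsec project; it assumes `openssl` 1.1.1 or newer on PATH, and every certificate, name and path in it is constructed for the demo.

```sh
#!/bin/sh
# Added example: reproduce the chain-building rule behind the thread's
# "unable to get local issuer certificate" with plain OpenSSL, the library that
# xmlsec1's x509 store (xmlSecOpenSSLX509StoreVerify) delegates to.
# Chain built here (all names constructed): Demo Root CA -> Demo Intermediate CA -> Demo Signer.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME CN EXTENSIONS [ISSUER]: CSR + cert under $WORK; no ISSUER = self-signed.
issue_cert() {
  name=$1; cn=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf '%s\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -days 2 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  fi
}

make_chain() {
  issue_cert root   "Demo Root CA"         "basicConstraints=critical,CA:TRUE"
  issue_cert inter  "Demo Intermediate CA" "basicConstraints=critical,CA:TRUE"  root
  issue_cert signer "Demo Signer"          "basicConstraints=critical,CA:FALSE" inter
}

# verify_signer [UNTRUSTED_PEM]: verify the signer with only the root trusted.
# UNTRUSTED_PEM plays the role of xmlsec1's --untrusted-pem: certificates the
# store may use to build the chain without trusting them. Prints OK or FAIL: <reason>.
verify_signer() {
  untrusted=${1:-}
  if out=$(openssl verify -CAfile "$WORK/root.pem" ${untrusted:+-untrusted "$untrusted"} \
             "$WORK/signer.pem" 2>&1); then
    echo OK
  else
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    echo "FAIL: ${reason:-$out}"
  fi
}

make_chain
echo "root only:           $(verify_signer)"                     # FAIL: unable to get local issuer certificate
echo "root + intermediate: $(verify_signer "$WORK/inter.pem")"   # OK
```

The first call fails with the same OpenSSL error 20 that xmlsec1 logged (`err=20;msg=unable to get local issuer certificate`); the second succeeds because the intermediate is available for chain building even though only the root is trusted.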
