There is no failure. This error just indicates that one of the
attempts to verify the certificate chain failed. xmlsec-openssl
performs certification against different sets of trusted certs:
1) ones from the openssl installation
2) ones you specify in the command line

One of the attempts failed. That's it. You can safely ignore this error.

Aleksey

Paul Keeler wrote:
The 5 certificates represent a whole certificate chain in order from signer back to self-signed trusted root. If I use the fifth certificate as a trusted root (extract it to file, add the begin/end certificate tags, and use the --trusted-pem option), then my understanding is that I should be able to verify the signature and the entire certificate chain. Surely there should be no failure? Am I missing something here?

Thanks again.

On Feb 19, 2008 3:26 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:

    You have multiple certificates (X509Data) element. The error
    indicates that verification of one certificate has failed
    but the other succeeds and the signature is verified.

    Aleksey

    Paul Keeler wrote:
     > Looks like the body of my previous message was somehow scrubbed along
     > with the attachment.  Here it is again:
     >
     > On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:
     >
     >     Ok, I guess it was a bit unreasonable to send you a link - my
     >     apologies!  Here's a concrete example.  See attached.
     >
     >     Thanks for your patience.
     >
     >
     >     On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
     >
     >         I have no idea what "target kdm certificate" is :)
     >         Please, attach a signed document to the email.
     >
     >         Aleksey
     >
     >         Paul Keeler wrote:
     >          > Here is a link to an online generator of signed documents
     >          > that will demonstrate the behaviour I described previously:
     >          >
     >          > http://www.cinecert.com/dci_ref_01/
     >          >
     >          > Is there perhaps something about these documents that means
     >          > xmlsec is unable to populate a store of untrusted certificates?
     >          >
     >          > Many thanks for your help already.
     >          >
     >          >
     >          > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
     >          >
     >          >     The error indicates that verification of one of the
     >          >     certificate chains failed but xmlsec was able to extract
     >          >     the key either from another certificate chain or from
     >          >     some other place. Hard to say more w/o looking at the
     >          >     document.
     >          >
     >          >     Aleksey
     >          >
     >          >
     >          >
     >          >     Paul Keeler wrote:
     >          >      > I would be grateful if someone could help me with this
     >          >      > problem.  I have a signed document which reports that it
     >          >      > verifies ok, but also gives an error message: "unable to
     >          >      > get local issuer certificate".  The same thing happens
     >          >      > both running from my own application and calling xmlsec
     >          >      > from the command line:
     >          >      >
     >          >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
     >          >      > <my_node_namespace_uri>:<my_first_node_name>
     >          >      > --id-attr:<my_ID_attribute_name>
     >          >      > <my_node_namespace_uri>:<my_second_node_name>
     >          >      > --trusted-pem <my_trusted_root_pem> <my_signed_document>
     >          >      >
     >          >      > This is the result:
     >          >      >
     >          >      > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
     >          >      > OK
     >          >      > SignedInfo References (ok/all): 2/2
     >          >      > Manifests References (ok/all): 0/0
     >          >      >
     >          >      > The verification seems to have been successful (indicated
     >          >      > by "OK"), but clearly an error was also reported.
     >          >      >
     >          >      > The signed document contains my entire certificate chain:
     >          >      > Signer -> Intermediate CA -> Root CA.  The Root CA in the
     >          >      > chain is the same as the trusted root pem I pass using the
     >          >      > --trusted-pem option, so I would expect verification to
     >          >      > succeed.
     >          >      >
     >          >      > Now, I can make the error message go away by extracting
     >          >      > the Intermediate CA certificate from the signed document
     >          >      > and passing it to XMLSEC using the --untrusted-pem option:
     >          >      >
     >          >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
     >          >      > <my_node_namespace_uri>:<my_first_node_name>
     >          >      > --id-attr:<my_ID_attribute_name>
     >          >      > <my_node_namespace_uri>:<my_second_node_name>
     >          >      > --trusted-pem <my_trusted_root_pem>
     >          >      > --untrusted-pem <intermediate_CA_pem>
     >          >      > <my_signed_document>
     >          >      >
     >          >      > I did not expect that I would have to explicitly pass a
     >          >      > certificate from the chain to xmlsec and flag it as being
     >          >      > untrusted.  Am I doing something wrong?  Surely xmlsec
     >          >      > should assume that all X509 certificates in a chain are
     >          >      > untrusted by default?  Have I missed the point somewhere?
     >          >      >
     >          >      > Many thanks in advance.



------------------------------------------------------------------------

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
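For readers who want to reproduce the behaviour discussed in this thread without an XML signature at hand, here is an added example; it is not part of the thread and not code from the xmlsec project. It builds a throwaway Root CA -> Intermediate CA -> Signer chain with the openssl command-line tool and then verifies the signer certificate twice: once with only the root as a trust anchor, which yields the same OpenSSL error 20 ("unable to get local issuer certificate") that xmlsec1 printed above, and once with the intermediate supplied as an untrusted chain-building certificate, which succeeds. Assumptions: `openssl` 1.1.1 or later is on PATH; the file names, subject names and the `make_chain` / `verify_leaf` helpers are mine; treating `--trusted-pem` as the counterpart of `openssl verify -CAfile` and `--untrusted-pem` as the counterpart of `-untrusted` is an assumption drawn from the thread, not something the page itself states.

```shell
#!/bin/sh
# Added example, not code from the xmlsec thread or project.  Builds a test
# chain Root CA -> Intermediate CA -> Signer with the openssl CLI and verifies
# the signer with and without the intermediate available for chain building.
# Assumes: openssl 1.1.1+ on PATH.  All names and key material are throwaway
# test data constructed here.
set -u

# make_chain: write root.pem/int.pem/leaf.pem (+ keys) into a new temp
# directory and print that directory's path.  Returns non-zero on any failure.
make_chain() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        # Minimal req config so the example does not depend on the system
        # openssl.cnf; the self-signed root gets CA:TRUE via the v3_ca section.
        cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # Extensions for the intermediate: without CA:TRUE OpenSSL refuses to
        # use it as an issuer ("invalid CA certificate"), a different error.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        # Extensions for the end-entity signer certificate.
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext

        # 1. Self-signed root: the file you would hand to --trusted-pem.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key
        openssl req -x509 -new -key root.key -config req.cnf \
            -subj "/CN=Test Root CA" -days 1 -out root.pem

        # 2. Intermediate CA signed by the root.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out int.key
        openssl req -new -key int.key -config req.cnf \
            -subj "/CN=Test Intermediate CA" -out int.csr
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -set_serial 1 -days 1 -extfile ca.ext -out int.pem

        # 3. Signer certificate issued by the intermediate.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key
        openssl req -new -key leaf.key -config req.cnf \
            -subj "/CN=Test Signer" -out leaf.csr
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
            -set_serial 2 -days 1 -extfile leaf.ext -out leaf.pem
    ) >/dev/null 2>&1 || return 1
    echo "$dir"
}

# verify_leaf ROOT INTERMEDIATE LEAF
# Verifies LEAF with ROOT as the trust anchor.  -no-CAfile/-no-CApath skip
# OpenSSL's default trust file and directory so the result depends on the
# files passed here.  INTERMEDIATE may be empty, which models a verifier that
# has only the root (the thread's failing case).
# Prints openssl's combined stdout/stderr; the exit status is openssl's.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$3" 2>&1
    fi
}

# Stand-alone demo: `sh chain-demo.sh demo`
if [ "${1:-}" = "demo" ]; then
    WORK=$(make_chain) || { echo "chain build failed" >&2; exit 1; }
    echo "== root only (expect error 20: unable to get local issuer certificate)"
    verify_leaf "$WORK/root.pem" "" "$WORK/leaf.pem"
    echo "== root trusted + intermediate untrusted (expect OK)"
    verify_leaf "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem"
    rm -rf "$WORK"
fi
```

The first `verify_leaf` call is the situation Paul describes: the verifier trusts the root but has nothing to bridge the signer to it, so OpenSSL stops at depth 0 with error 20. The second call gives OpenSSL the intermediate as untrusted material and the chain completes. The error xmlsec1 printed is the same OpenSSL error text surfacing from one of the verification attempts Aleksey lists; the check that matters for the signature is the final "OK" line, and the `-untrusted` form is the one to mirror when you want that attempt to succeed as well.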
