All your ideas are more than welcome! I tried your suggestion, but the output is exactly the same. Not sure where that leaves us?

Thanks again.

On Wed, Feb 20, 2008 at 8:09 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> OK, what you say makes sense. Sorry that my idea was not correct. Could you please try one more thing? Can you remove from <X509Data> node everything but <X509Certificate>? I.e. <X509IssuerSerial>, and other nodes?
>
> Aleksey
>
> Paul Keeler wrote:
> > Thanks for that. Here are a couple of observations:
> >
> > 1. If I add the root certificate to the openssl installation's own store in addition to using --trusted-pem on the command line I still get the error. (I've checked that the certificate is installed correctly by using it with "openssl verify ...")
> >
> > 2. Without adding the certificate to the openssl installation, the error can be avoided using the --untrusted-pem option on the command line to identify all of the appropriate intermediate certificates. From what you have said I would still expect the openssl verification route to result in failure.
> >
> > So, something still doesn't really make sense. However, as you say, ultimately verification has been successful so perhaps there is no significant problem. In that case, is there a way to suppress these types of error? I am worried that users of my application may be worried by these errors being printed to the console.
> >
> > Many thanks again for your thoughts.
> >
> > On Feb 19, 2008 8:03 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > > There is no failure. This error just indicates that one of the attempts to verify the certificates chain failed. xmlsec-openssl performs certification against different sets of trusted certs:
> > > 1) ones from the openssl installation
> > > 2) ones you specify in the command line
> > >
> > > One of the attempts failed. That's it. You can safely ignore this error.
> > >
> > > Aleksey
> > >
> > > Paul Keeler wrote:
> > > > The 5 certificates represent a whole certificate chain in order from signer back to self-signed trusted root. If I use the fifth certificate as a trusted root (extract it to file, add the begin/end certificate tags, and use the --trusted-pem option), then my understanding is that I should be able to verify the signature and the entire certificate chain. Surely there should be no failure? Am I missing something here?
> > > >
> > > > Thanks again.
> > > >
> > > > On Feb 19, 2008 3:26 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > > > > You have multiple certificates (X509Data) element. The error indicates that verification of one certificate has failed but the other succeeds and the signature is verified.
> > > > >
> > > > > Aleksey
> > > > >
> > > > > Paul Keeler wrote:
> > > > > > Looks like the body of my previous message was somehow scrubbed along with the attachment. Here it is again:
> > > > > >
> > > > > > On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:
> > > > > > > Ok, I guess it was a bit unreasonable to send you a link - my apologies! Here's a concrete example. See attached.
> > > > > > >
> > > > > > > Thanks for your patience.
> > > > > > >
> > > > > > > On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > > > > > > > I have no idea what "target kdm certificate" is :) Please, attach a signed document to the email.
> > > > > > > >
> > > > > > > > Aleksey
> > > > > > > >
> > > > > > > > Paul Keeler wrote:
> > > > > > > > > Here is a link to an online generator of signed documents that will demonstrate the behaviour I described previously:
> > > > > > > > >
> > > > > > > > > http://www.cinecert.com/dci_ref_01/
> > > > > > > > >
> > > > > > > > > Is there perhaps something about these documents that means xmlsec is unable to populate a store of untrusted certificates?
> > > > > > > > >
> > > > > > > > > Many thanks for your help already.
> > > > > > > > >
> > > > > > > > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > > > > > > > > > The error indicates that verification of one of the certificate chains failed but xmlsec was able to extract the key either from another certificate chain or from some other place. Hard to say more w/o looking at the document.
> > > > > > > > > >
> > > > > > > > > > Aleksey
> > > > > > > > > >
> > > > > > > > > > Paul Keeler wrote:
> > > > > > > > > > > I would be grateful if someone could help me with this problem. I have a signed document which reports that it verifies ok, but also gives an error message: "unable to get local issuer certificate". The same thing happens both running from my own application and calling xmlsec from the command line:
> > > > > > > > > > >
> > > > > > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> <my_signed_document>
> > > > > > > > > > >
> > > > > > > > > > > This is the result:
> > > > > > > > > > >
> > > > > > > > > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > > > > > > > > OK
> > > > > > > > > > > SignedInfo References (ok/all): 2/2
> > > > > > > > > > > Manifests References (ok/all): 0/0
> > > > > > > > > > >
> > > > > > > > > > > The verification seems to have been successful (indicated by "OK"), but clearly an error was also reported.
> > > > > > > > > > >
> > > > > > > > > > > The signed document contains my entire certificate chain: Signer -> Intermediate CA -> Root CA. The Root CA in the chain is the same as the trusted root pem I pass using the --trusted-pem option, so I would expect verification to succeed.
> > > > > > > > > > >
> > > > > > > > > > > Now, I can make the error message go away by extracting the Intermediate CA certificate from the signed document and passing it to XMLSEC using the --untrusted-pem option:
> > > > > > > > > > >
> > > > > > > > > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_first_node_name> --id-attr:<my_ID_attribute_name> <my_node_namespace_uri>:<my_second_node_name> --trusted-pem <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem> <my_signed_document>
> > > > > > > > > > >
> > > > > > > > > > > I did not expect that I would have to explicitly pass a certificate from the chain to xmlsec and flag it as being untrusted. Am I doing something wrong? Surely xmlsec should assume that all X509 certificates in a chain are untrusted by default? Have I missed the point somewhere?
> > > > > > > > > > >
> > > > > > > > > > > Many thanks in advance.

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
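Aleksey's point is that the trailing "OK" line and the reference counts carry the verdict, while the x509-store line is a diagnostic from one of the chain-verification attempts. An application wrapping xmlsec1, as Paul's does, can therefore separate the two instead of showing every error line to users. The following is an added example, not code from the thread or from the xmlsec project: it parses the output quoted above, assuming the error-line layout shown there and the "OK"/"FAIL" status line as xmlsec1 prints it.

```python
import re
from dataclasses import dataclass, field
# Constructed sample of xmlsec1 --verify output, copied from the lines quoted
# in the thread: one failed chain attempt, yet the signature verifies.
SAMPLE_OUTPUT = """\
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
"""
# Shape of the error lines as they appear in the thread (assumed stable):
# func=...:file=...:line=N:obj=...:subj=...:error=N:free text[:err=N;msg=...]
ERROR_RE = re.compile(
    r"^func=(?P<func>[^:]+):file=(?P<file>[^:]+):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<code>\d+):(?P<detail>.*)$")
OPENSSL_RE = re.compile(r"err=(?P<err>\d+);msg=(?P<msg>.*)$")
REFS_RE = re.compile(r"^(?P<kind>SignedInfo|Manifests) References \(ok/all\): (?P<ok>\d+)/(?P<all>\d+)$")

@dataclass
class VerifyReport:
    status: str = ""                    # the "OK" / "FAIL" line xmlsec1 prints last
    errors: list = field(default_factory=list)
    refs: dict = field(default_factory=dict)   # kind -> (ok, all)

    def verified(self) -> bool:
        # Only the status line and the reference counts decide the outcome;
        # x509-store errors are diagnostics from individual chain attempts.
        return self.status == "OK" and bool(self.refs) and all(
            ok == total for ok, total in self.refs.values())

    def chain_warnings(self) -> list:
        # Chain-building failures against one trusted-cert set (the thread's case):
        # log them, but do not report them to the user as a failed verification.
        return [e for e in self.errors if e["obj"] == "x509-store" and "err" in e]

def parse_xmlsec_verify(output: str) -> VerifyReport:
    report = VerifyReport()
    for raw in output.splitlines():
        line = raw.strip()
        if m := ERROR_RE.match(line):
            entry = dict(m.groupdict(), line=int(m["line"]), code=int(m["code"]))
            if o := OPENSSL_RE.search(entry["detail"]):
                entry["err"], entry["msg"] = int(o["err"]), o["msg"]
            report.errors.append(entry)
        elif m := REFS_RE.match(line):
            report.refs[m["kind"]] = (int(m["ok"]), int(m["all"]))
        elif line in ("OK", "FAIL"):
            report.status = line
    return report
```

The chain warnings are still worth writing to an application log, since a genuinely incomplete --trusted-pem / --untrusted-pem configuration shows up in exactly that form.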
