I got to the bottom of it. Here is what is happening:

- xmlsec reads the first x509data node and immediately tries to verify and extract the key, there is no full chain yet so we fail with the error;
- xmlsec goes to the next node, immediately tries to verify and extract the key, there is no full chain yet so we fail with the error;
- repeat the previous step several times;
- finally we got to the 4th certificate that can be verified

The bottom line is that the error is harmless. If you are using xmlsec via the C API, then you can install your own error handler callbacks, accumulate all the errors/warnings and then print them at the very end *if and only if* signature verification fails. Otherwise, just ignore all the errors. If you use the command line tool, then you can do a similar trick with redirecting stderr to a temp file and checking the xmlsec command line tool return code.

Best,
Aleksey

Aleksey Sanin wrote:
Most likely you need to debug openssl :) I'll try to take a look at it over the weekend but no promises....

Aleksey
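The stderr-to-temp-file trick for the command line tool described above, as an added example that is not part of the original message or of xmlsec itself. The names `verify_quiet`, `fake_verify_ok` and `fake_verify_fail` are hypothetical, and the two stubs with their messages are constructed stand-ins for the real tool so the wrapper can be exercised offline.

```shell
#!/bin/sh
# verify_quiet CMD [ARGS...]
# Runs CMD with stderr buffered in a private temp file. The buffered
# messages are replayed only when CMD exits non-zero; CMD's exit status
# is returned unchanged, so the caller decides on the return code and
# never on whether stderr happened to be empty.
verify_quiet() {
    vq_log=$(mktemp) || return 125      # mktemp creates the file mode 0600
    vq_rc=0
    # "|| vq_rc=$?" keeps the wrapper usable from scripts running "set -e".
    "$@" 2>"$vq_log" || vq_rc=$?
    if [ "$vq_rc" -ne 0 ]; then
        cat "$vq_log" >&2               # verification failed: show everything
    fi
    rm -f "$vq_log"
    return "$vq_rc"
}

# Constructed stand-in: intermediate chain errors on stderr, but the final
# certificate verifies, so the exit status is 0 (the harmless case).
fake_verify_ok() {
    echo "constructed: chain incomplete at x509data node 1" >&2
    echo "constructed: chain incomplete at x509data node 2" >&2
    echo "OK"
    return 0
}

# Constructed stand-in: same noise, but verification really fails.
fake_verify_fail() {
    echo "constructed: chain incomplete at x509data node 1" >&2
    echo "constructed: no certificate could be verified" >&2
    echo "FAIL"
    return 1
}

# Usage with the real tool (assumes xmlsec1 is installed and signed.xml exists):
#   verify_quiet xmlsec1 --verify signed.xml || echo "signature rejected" >&2
```

On success the buffered messages are discarded along with the temp file; if they should be retained for later review, append the log to a file before the `rm`.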
