Do you have a "trusted" or "root" certificate in the xmlsec keys manager?
Aleksey
Jaume Saura wrote:
Hello,
I've an XMLDSig file which includes the signing certificate in a
<ds:X509Certificate> tag, but xmlsec shows these error messages when I
try to verify the signature with "xmlsec verify ..\endesa.xml":
func=xmlSecKeysMngrGetKey:file=..\src\keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=..\src\xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=..\src\xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
Error: failed to verify file "..\endesa.xml"
The signature is OK, and I can verify this if I manually extract the
certificate and, from openssl, get its public key and then, again from
xmlsec, retry the verification like so:
xmlsec verify --pubkey endesa-pkey.pem ..\endesa.xml
OK
SignedInfo References (ok/all): 2/2
Manifests References (ok/all): 0/0
This is the certificate that xmlsec doesn't handle well:
<ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[certificate data omitted]</ds:X509Certificate>
Do you know why xmlsec fails to recover the public key from this
certificate? (openssl command line tool works well with it)
Is there some solution?
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec