Try to verify your certs chain using the openssl command line tool directly.

Aleksey

Ashish Agrawal wrote:
Hi Aleksey,

My signature.xml file has two certificates: one is the end certificate and the other is the intermediate CA. In the intermediate certificate the "CA" field is also true. Could this be the root cause of the problem?

Attaching the intermediate CA pem file

Thanks for your help.

Regards,
Ashish


On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:

    This error means that xmlsec can't build the certs chain for some reason.

    Aleksey

    Ashish Agrawal wrote:

        Hi Aleksey,

        I have a problem where I have a root CA and two certificates in
        the chain. When I try to verify the chain using openssl it works:
        openssl verify -CAfile root.pem EE.pem
        but when I try to verify using xmlsec it fails with the error:

        func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
        func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
        func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
        func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
        func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
        func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
        Error: signature failed
        ERROR
        SignedInfo References (ok/all): 6/6
        Manifests References (ok/all): 0/0


        Does xmlsec impose any additional constraints on the certificate
        validation, and if yes, what are they?

        Regards,
        Ashish


        ------------------------------------------------------------------------

        _______________________________________________
        xmlsec mailing list
        [email protected] <mailto:[email protected]>
        http://www.aleksey.com/mailman/listinfo/xmlsec



------------------------------------------------------------------------

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
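
The check suggested at the top of this message, as an added example that is not part of the original thread: it builds a constructed root, intermediate CA and end-entity certificate, then runs openssl verify once with only the root available and once with the intermediate supplied through -untrusted. All file names, subject names and the helper functions make_chain and verify_ee are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.

# Build root -> intermediate CA -> end-entity certificates in directory $1.
make_chain() {
  dir=$1
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  for name in root int ee; do
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
      -subj "/CN=Constructed $name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  done
  # Self-signed root, marked CA:TRUE.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/req.cnf" -extensions ca_ext \
    -out "$dir/root.pem" 2>/dev/null || return 1
  # Intermediate CA issued by the root, also CA:TRUE.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1 \
    -extfile "$dir/req.cnf" -extensions ca_ext \
    -out "$dir/int.pem" 2>/dev/null || return 1
  # End-entity certificate issued by the intermediate.
  openssl x509 -req -in "$dir/ee.csr" -CA "$dir/int.pem" \
    -CAkey "$dir/int.key" -CAcreateserial -days 1 \
    -out "$dir/ee.pem" 2>/dev/null || return 1
}

# Verify ee.pem with only the root trusted; extra arguments
# (for example -untrusted int.pem) are passed through to openssl.
verify_ee() {
  dir=$1; shift
  openssl verify -CAfile "$dir/root.pem" "$@" "$dir/ee.pem" 2>&1
}

work=$(mktemp -d)
make_chain "$work" || { echo "certificate generation failed" >&2; exit 1; }
echo "--- root only, intermediate not available to the verifier:"
verify_ee "$work" || true
echo "--- root trusted, intermediate supplied as untrusted:"
verify_ee "$work" -untrusted "$work/int.pem"
```

The first run reports error 20 (unable to get local issuer certificate) because the issuer of the end-entity certificate cannot be found; the second run finds it among the untrusted certificates and completes the chain to the trusted root.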