Yes Aleksey,

I have already tried with the openssl utility:

openssl verify -CAfile root.pem EE.pem

Here root.pem is the root CA PEM file and EE.pem contains the intermediate certificate and then the end certificate, and it passes with no error. But xmlsec fails :(

Can there be any ordering issue? Shall I send my certs, will that help in root causing?

Regards,
Ashish

On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <[email protected]> wrote:

> Try to verify your certs chain using openssl command line tool directly.
>
> Aleksey
>
> Ashish Agrawal wrote:
>
>> Hi Aleksey,
>>
>> My signature.xml file has two certificates, one is the end certificate and
>> the other is the intermediate CA.
>> In the intermediate certificate also the "CA" field is true. Could this be
>> the root cause of the problem?
>>
>> Attaching the intermediate CA pem file
>>
>> Thanks for your help.
>>
>> Regards,
>> Ashish
>>
>>
>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:
>>
>>     This error means that xmlsec can't build certs chain for some reasons.
>>
>>     Aleksey
>>
>>     Ashish Agrawal wrote:
>>
>>         Hi Aleksey,
>>
>>         I have a problem where I have a root CA and two certificates in
>>         the chain. When I try to verify the chain using openssl it works:
>>         openssl verify -CAfile root.pem EE.pem
>>         but when I try to verify using xmlsec it fails with the error:
>>
>>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>
>>         func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>
>>         func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>
>>         func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>
>>         func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>
>>         func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>         Error: signature failed
>>         ERROR
>>         SignedInfo References (ok/all): 6/6
>>         Manifests References (ok/all): 0/0
>>
>>         Does xmlsec impose any additional constraint on the certificate
>>         validation and if yes what are they?
>>
>>         Regards,
>>         Ashish
>>
>>     ------------------------------------------------------------------------
>>
>>     _______________________________________________
>>     xmlsec mailing list
>>     [email protected]
>>     http://www.aleksey.com/mailman/listinfo/xmlsec
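An added example, not part of the original thread: `openssl verify` takes one target certificate per file, so with an intermediate-then-end-entity bundle like the one described above it checks only the first certificate in the file. The script below builds a constructed throwaway chain (all subject names, file names and helper functions are assumptions) and compares the bundle call with supplying the intermediate through `-untrusted`.

```bash
#!/usr/bin/env bash
# Constructed demo chain: root -> intermediate -> ee, created in a temp dir.
# Every name here (Demo subjects, *.pem files, helper functions) is made up.
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# issue NAME EXTFILE [ISSUER]: new key + cert; self-signed when ISSUER is omitted.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$D/$1.key" \
    -subj "/CN=Demo $1" -out "$D/$1.csr" 2>/dev/null || return 1
  if [ -n "${3:-}" ]; then
    openssl x509 -req -in "$D/$1.csr" -CA "$D/$3.pem" -CAkey "$D/$3.key" \
      -CAcreateserial -extfile "$D/$2" -days 2 -out "$D/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" \
      -extfile "$D/$2" -days 2 -out "$D/$1.pem" 2>/dev/null
  fi
}

make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$D/ee.ext"
  issue root ca.ext || return 1
  issue intermediate ca.ext root || return 1
  issue ee ee.ext intermediate || return 1
  # Same layout as in the thread: intermediate first, then the end certificate.
  cat "$D/intermediate.pem" "$D/ee.pem" > "$D/bundle.pem"
  # Reversed order, so the end certificate is the one that gets read.
  cat "$D/ee.pem" "$D/intermediate.pem" > "$D/ee_first.pem"
}

# chain_ok ARGS...: true when openssl reports "<file>: OK" against the demo root.
chain_ok() {
  openssl verify -CAfile "$D/root.pem" "$@" 2>&1 | grep -q ': OK$'
}

report() {
  if chain_ok "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi
}

make_chain || { echo "could not build demo chain" >&2; exit 1; }
report "$D/bundle.pem"      # only the intermediate is verified
report "$D/ee_first.pem"    # end cert is read, intermediate in the file is ignored
report -untrusted "$D/intermediate.pem" "$D/ee.pem"   # full chain is built
```

A passing result for the end certificate therefore needs the intermediate passed with `-untrusted` (or added to the trusted file); concatenating it into the target file does not make it available for chain building.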
