Sorry, I did not understand your reply completely.
You mean to check the subject field for the certificates:
I see them as :
End Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
Root Cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
So it seems like the chain is correct, but verification fails. The strange thing
is that it passes with openssl but not here.
Regards,
Ashish
On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <[email protected]> wrote:
No, there are no ordering problems. You have the subject
of the certificate which is at the end of the chain. Try
to figure out "why?".
Aleksey
Ashish Agrawal wrote:
Yes Aleksey,
I have already tried with the openssl utility,
openssl verify -CAfile root.pem EE.pem
Here root.pem is the root CA pem file and EE.pem contains the
intermediate certificate and then the end certificate, and it
passes with no error.
But xmlsec fails :(
Can there be any ordering issue? Shall I send my certs, will
that help in root causing?
Regards,
Ashish
On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <[email protected]> wrote:
Try to verify your certs chain using openssl command line
tool directly.
Aleksey
Ashish Agrawal wrote:
Hi Aleksey,
My signature.xml file has two certificates, one is the end
certificate and the other is the intermediate CA.
In the intermediate certificate also the "CA" field is true.
Could this be the root cause of the problem?
Attaching the intermediate CA pem file.
Thanks for your help.
Regards,
Ashish
On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:
This error means that xmlsec can't build certs chain for some reasons.
Aleksey
Ashish Agrawal wrote:
Hi Aleksey,
I have a problem where I have a root CA and two certificates in
the chain. When I try to verify the chain using openssl
it works:
openssl verify -CAfile root.pem EE.pem
But when I try to verify using xmlsec it fails with the
error:
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 6/6
Manifests References (ok/all): 0/0
Does xmlsec impose any additional constraints on the certificate
validation, and if yes, what are they?
Regards,
Ashish
------------------------------------------------------------------------
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
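
The `openssl verify -CAfile root.pem EE.pem` check from the thread, reproduced with a throwaway chain as an added example that is not part of the original messages; the CNs and every file name other than `root.pem` and `EE.pem` are constructed. `openssl verify` reads only the first certificate from each file argument, so a bundle that starts with the intermediate validates the intermediate and never looks at the end certificate.

```bash
#!/usr/bin/env bash
# Added example: throwaway root -> subCA -> EE chain with constructed names,
# used to compare what different `openssl verify` invocations actually check.

mk_cert() {  # $1=file stem  $2=CN  $3=issuer stem ("" = self-signed)  $4=CA:TRUE|CA:FALSE
  printf 'basicConstraints=critical,%s\n' "$4" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null || return 1
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 2 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {  # $1 = empty work directory
  ( cd "$1" &&
    mk_cert root "Example Root demo"  ""   CA:TRUE  &&
    mk_cert sub  "Example subCA demo" root CA:TRUE  &&
    mk_cert ee   "Example EE demo"    sub  CA:FALSE &&
    cat sub.pem ee.pem > EE.pem &&        # bundle laid out as described in the thread
    cat ee.pem sub.pem > EE-first.pem )   # same two certs, end certificate first
}

# Prints OK or FAIL for one `openssl verify` invocation.
verdict() {
  if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

work=$(mktemp -d) && build_chain "$work" || exit 1
cd "$work" || exit 1

# Only the FIRST certificate of each file argument is verified:
echo "bundle, subCA first : $(verdict -CAfile root.pem EE.pem)"        # checks the subCA only
echo "bundle, EE first    : $(verdict -CAfile root.pem EE-first.pem)"  # EE, issuer not available
echo "EE alone            : $(verdict -CAfile root.pem ee.pem)"        # EE, issuer not available
echo "EE + -untrusted sub : $(verdict -CAfile root.pem -untrusted sub.pem ee.pem)"
# Error text for the end certificate when the intermediate is not supplied:
openssl verify -CAfile root.pem ee.pem 2>&1 | grep -i 'error' || true
```

To test the end certificate itself, pass the intermediate with `-untrusted` and the end certificate as its own file.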