I have tried with:

  xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
  (removing the intermediate CA cert from the signature file)

and

  xmlsec1 --verify --trusted-pem root.pem signature.xml
  (keeping the intermediate CA cert and the end certificate in the signature file)

Got the same result.

Regards,
Ashish

On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <[email protected]> wrote:
> What command line options do you use?
>
> Aleksey
>
> Ashish Agrawal wrote:
>> Sorry, I did not understand your reply completely.
>> You mean to check the subject field for the certificates?
>>
>> I see them as:
>>
>> End cert:
>>   Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>   Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>
>> Intermediate cert:
>>   Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>   Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>> Root cert:
>>   Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>   Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>
>> So it seems like the chain is correct, but verification fails. The strange
>> thing is it passes with openssl but not here.
>>
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <[email protected]> wrote:
>>> No, there is no ordering problem. You have the subject
>>> of the certificate which is at the end of the chain. Try
>>> to figure out "why?".
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>> Yes Aleksey,
>>>> I have already tried with the openssl utility:
>>>>
>>>>   openssl verify -CAfile root.pem EE.pem
>>>>
>>>> Here root.pem is the root CA pem file and EE.pem contains the
>>>> intermediate certificate and then the end certificate, and it
>>>> passes with no error.
>>>>
>>>> But xmlsec fails :(
>>>> Can there be any ordering issue? Shall I send my certs, will
>>>> that help in root causing?
>>>>
>>>> Regards,
>>>> Ashish
>>>>
>>>> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <[email protected]> wrote:
>>>>> Try to verify your certs chain using the openssl command line
>>>>> tool directly.
>>>>>
>>>>> Aleksey
>>>>>
>>>>> Ashish Agrawal wrote:
>>>>>> Hi Aleksey,
>>>>>>
>>>>>> My signature.xml file has two certificates, one is the end
>>>>>> certificate and the other is the intermediate CA.
>>>>>> In the intermediate certificate also the "CA" field is true.
>>>>>> Could this be the root cause of the problem?
>>>>>>
>>>>>> Attaching the intermediate CA pem file.
>>>>>>
>>>>>> Thanks for your help.
>>>>>>
>>>>>> Regards,
>>>>>> Ashish
>>>>>>
>>>>>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>>> This error means that xmlsec can't build the certs chain
>>>>>>> for some reason.
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> Ashish Agrawal wrote:
>>>>>>>> Hi Aleksey,
>>>>>>>>
>>>>>>>> I have a problem where I have a root CA and two
>>>>>>>> certificates in the chain. When I try to verify the chain using
>>>>>>>> openssl it works:
>>>>>>>>
>>>>>>>>   openssl verify -CAfile root.pem EE.pem
>>>>>>>>
>>>>>>>> but when I try to verify using xmlsec it fails with the
>>>>>>>> error:
>>>>>>>>
>>>>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>>>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>>>>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>> Error: signature failed
>>>>>>>> ERROR
>>>>>>>> SignedInfo References (ok/all): 6/6
>>>>>>>> Manifests References (ok/all): 0/0
>>>>>>>>
>>>>>>>> Does xmlsec impose any additional constraints on the
>>>>>>>> certificate validation and if yes, what are they?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Ashish
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
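The thread contrasts an `openssl verify -CAfile root.pem EE.pem` run that passes with an xmlsec verification that fails with OpenSSL error 20 (unable to get local issuer certificate). The script below is an added example, not part of the thread and not xmlsec code. It constructs a throwaway root / subCA / end-entity chain using the subject names from the thread (keys, validity and extensions are made up here) and runs the openssl command lines involved. It relies on one property of the openssl CLI: `openssl verify` reads only the first certificate from each file it is given, so a file holding the intermediate followed by the end-entity certificate is checked only as far as the intermediate. Checking the end-entity certificate alone against the root reproduces error 20; supplying the intermediate with `-untrusted` (the openssl counterpart of xmlsec1's `--untrusted-pem`) lets the chain build. The script exercises openssl only; it does not run xmlsec and does not claim to settle the thread's question.

```shell
#!/bin/sh
# Added example (not from the thread or from xmlsec): build a throwaway
# root -> subCA -> end-entity chain and run the openssl checks the thread
# discusses. Subject names are copied from the thread; everything else
# (keys, 1-day validity, extensions) is constructed here in a temp dir.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Extensions for the two CA certificates. CA:TRUE on the intermediate is
# required for any verifier to accept it as an issuer.
cat > "$WORK/ca.cnf" <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# issue_cert NAME SUBJECT ISSUER EXTFILE
#   ISSUER is "self" for a self-signed root, otherwise the NAME of the issuer;
#   EXTFILE is an extension file or "" for none.
issue_cert() {
    ic_name=$1; ic_subj=$2; ic_issuer=$3; ic_ext=$4
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$ic_name.key" -out "$WORK/$ic_name.csr" \
        -subj "$ic_subj" >/dev/null 2>&1 || return 1
    if [ "$ic_issuer" = self ]; then
        set -- -signkey "$WORK/$ic_name.key"
    else
        set -- -CA "$WORK/$ic_issuer.pem" -CAkey "$WORK/$ic_issuer.key" -CAcreateserial
    fi
    if [ -n "$ic_ext" ]; then
        set -- "$@" -extfile "$ic_ext"
    fi
    openssl x509 -req -sha256 -days 1 -in "$WORK/$ic_name.csr" \
        -out "$WORK/$ic_name.pem" "$@" >/dev/null 2>&1
}

# Root, intermediate, end-entity; then the thread's EE.pem, which holds the
# intermediate first and the end-entity certificate second.
make_chain() {
    issue_cert root "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL Root demo"  self "$WORK/ca.cnf" &&
    issue_cert int  "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL subCA demo" root "$WORK/ca.cnf" &&
    issue_cert ee   "/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo"    int  "" &&
    cat "$WORK/int.pem" "$WORK/ee.pem" > "$WORK/EE.pem"
}

# 1. The thread's check. openssl verify takes only the FIRST certificate of
#    each file argument, so this validates the intermediate against the root
#    and never looks at the end-entity certificate. Exit 0.
verify_two_cert_file() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/EE.pem" 2>&1
}

# 2. The end-entity certificate alone, root as the only trusted cert and
#    nothing to bridge the gap: error 20, unable to get local issuer
#    certificate (the same OpenSSL error xmlsec reports). Non-zero exit.
verify_ee_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/ee.pem" 2>&1
}

# 3. The intermediate supplied as untrusted chain material (what xmlsec1's
#    --untrusted-pem is for). The chain builds. Exit 0.
verify_ee_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/ee.pem" 2>&1
}

# show FUNCTION: print exit status and openssl's text without aborting.
show() {
    out=$("$1"); st=$?
    echo "$1 -> exit $st"
    echo "$out" | sed 's/^/    /'
}

if make_chain; then
    show verify_two_cert_file
    show verify_ee_without_intermediate
    show verify_ee_with_intermediate
else
    echo "certificate generation failed (is the openssl CLI installed?)" >&2
fi
```

The practical lesson is that `openssl verify -CAfile root.pem EE.pem` is not evidence that the end-entity certificate chains to the root when EE.pem starts with the intermediate; pass the leaf as its own file and hand intermediates over with `-untrusted` if you want openssl to check what xmlsec checks.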
