I tried the same but got the same error:

func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:

Is there any specific order in which certificates should be present in the signature file? Can there be a problem with the certificate fields?

Regards,
Ashish

On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <[email protected]> wrote:
> Try
>
> xmlsec1 --verify \
>   --trusted-pem root.pem \
>   --trusted-pem int.pem \
>   signature.xml
>
> Aleksey
>
> Ashish Agrawal wrote:
>> I have tried with:
>> xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml (removing the intermediate CA cert from the signature file)
>> &
>> xmlsec1 --verify --trusted-pem root.pem signature.xml (keeping the intermediate CA cert and end certificate in the signature file)
>>
>> Got the same result.
>> Regards,
>> Ashish
>>
>> On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <[email protected]> wrote:
>>> What command line options do you use?
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>> Sorry, I did not understand your reply completely.
>>>> You mean to check the subject field for the certificates:
>>>>
>>>> I see them as:
>>>>
>>>> End Cert:          Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>>>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>>>
>>>> Intermediate cert: Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>>>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>>
>>>> Root Cert:         Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>>                    Issuer:  C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>>
>>>> So it seems like the chain is correct, but verification fails. The strange thing is it passes with openssl but not here.
>>>>
>>>> Regards,
>>>> Ashish
>>>>
>>>> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <[email protected]> wrote:
>>>>> No, there are no ordering problems. You have the subject
>>>>> of the certificate which is at the end of the chain. Try
>>>>> to figure out "why?".
>>>>>
>>>>> Aleksey
>>>>>
>>>>> Ashish Agrawal wrote:
>>>>>> Yes Aleksey,
>>>>>> I have already tried with the openssl utility,
>>>>>>
>>>>>> openssl verify -CAfile root.pem EE.pem
>>>>>>
>>>>>> here root.pem is the root CA pem file and EE.pem contains the
>>>>>> intermediate certificate and then the end certificate, and it
>>>>>> passes with no error.
>>>>>>
>>>>>> but xmlsec fails :(
>>>>>> Can there be any ordering issue? Shall I send my certs, will
>>>>>> that help in root causing?
>>>>>>
>>>>>> Regards,
>>>>>> Ashish
>>>>>>
>>>>>> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>>> Try to verify your certs chain using the openssl command line
>>>>>>> tool directly.
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> Ashish Agrawal wrote:
>>>>>>>> Hi Aleksey,
>>>>>>>>
>>>>>>>> My signature.xml file has two certificates, one is the end
>>>>>>>> certificate and the other is the intermediate CA.
>>>>>>>> In the intermediate certificate also the "CA" field is true.
>>>>>>>> Could this be the root cause of the problem?
>>>>>>>>
>>>>>>>> Attaching the intermediate CA pem file.
>>>>>>>>
>>>>>>>> Thanks for your help.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Ashish
>>>>>>>>
>>>>>>>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:
>>>>>>>>> This error means that xmlsec can't build the certs chain
>>>>>>>>> for some reason.
>>>>>>>>>
>>>>>>>>> Aleksey
>>>>>>>>>
>>>>>>>>> Ashish Agrawal wrote:
>>>>>>>>>> Hi Aleksey,
>>>>>>>>>>
>>>>>>>>>> I have a problem where I have a root CA and two certificates in
>>>>>>>>>> the chain. When I try to verify the chain using openssl it works:
>>>>>>>>>>
>>>>>>>>>> openssl verify -CAfile root.pem EE.pem
>>>>>>>>>>
>>>>>>>>>> but when I try to verify using xmlsec it fails with the error:
>>>>>>>>>>
>>>>>>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>>>>>>>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>>>>>>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>>>>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>>>>>>>> Error: signature failed
>>>>>>>>>> ERROR
>>>>>>>>>> SignedInfo References (ok/all): 6/6
>>>>>>>>>> Manifests References (ok/all): 0/0
>>>>>>>>>>
>>>>>>>>>> Does xmlsec impose any additional constraints on the certificate
>>>>>>>>>> validation and if yes, what are they?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Ashish
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> xmlsec mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
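The err=20 "unable to get local issuer certificate" in the log above is OpenSSL reporting that, while building the chain, it found a certificate whose issuer it could not locate (or could not confirm as the real issuer) among the trusted and untrusted certificates it was given. The following added example, not code from the thread or from xmlsec, reproduces that chain-building step with the Python `cryptography` library on a constructed root / subCA / end-entity chain shaped like the one in the thread, so the reader can see the same failure when the intermediate is absent and that a certificate with the right issuer name but the wrong key is also rejected.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):  # constructed names shaped like the thread's certificates
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer_cn, issuer_key, key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# In-memory stand-ins for root.pem, int.pem and the end-entity certificate (constructed).
ROOT_KEY, INT_KEY, EE_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = _cert("JIL Root demo", "JIL Root demo", ROOT_KEY, ROOT_KEY, True)
INT = _cert("JIL subCA demo", "JIL Root demo", ROOT_KEY, INT_KEY, True)
EE = _cert("JIL EE demo", "JIL subCA demo", INT_KEY, EE_KEY, False)

def _signed_by(cert, issuer):
    """True only if the issuer's key verifies the signature; a name match alone is not enough."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_chain(leaf, untrusted, trusted):
    """Walk issuer links from `leaf` until a trusted certificate is reached.
    Returns (chain, None) on success, or (partial_chain, subject) where
    `subject` names the certificate whose issuer could not be located: the
    condition xmlsec reports as err=20 'unable to get local issuer certificate'."""
    chain, cur = [leaf], leaf
    while cur not in trusted:
        signer = next((c for c in trusted + untrusted
                       if c.subject == cur.issuer and c != cur and _signed_by(cur, c)), None)
        if signer is None:
            return chain, cur.subject.rfc4514_string()
        chain.append(signer)
        cur = signer
    return chain, None
```

Passing the intermediate as untrusted (`build_chain(EE, [INT], [ROOT])`) or as trusted (`build_chain(EE, [], [ROOT, INT])`) both succeed, which mirrors the two xmlsec1 invocations in the thread; omitting it reproduces the error on the end-entity subject.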
