Hi Aleksey,

I've a doubt: since this chain was successfully verified by openssl, do we put additional checks in xmlsec which might fail the validation in terms of the certificate constraints?

Regards,
Ashish

On Thu, Jun 4, 2009 at 10:01 PM, Ashish Agrawal <[email protected]> wrote:
> Yes, I am trying to debug simultaneously. Hopefully I will get some luck.
>
> I am attaching the certificate chain for your reference; can you please take a
> look and see if you can find something suspicious.
>
> Your help is deeply appreciated.
>
> Regards,
> Ashish
>
> On Thu, Jun 4, 2009 at 9:54 PM, Aleksey Sanin <[email protected]> wrote:
>
>> No specific order. Sorry, you will need to debug it to see what is
>> going on.
>>
>> Aleksey
>>
>> Ashish Agrawal wrote:
>>
>>> I tried the same but got the same error:
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>>
>>> Is there any specific order in which certificates should be present in the
>>> signature file? Can there be a problem with the certificate fields?
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 9:39 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>> Try
>>>
>>> xmlsec1 --verify \
>>> --trusted-pem root.pem \
>>> --trusted-pem int.pem \
>>> signature.xml
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>
>>> I have tried with:
>>> xmlsec1 --verify --trusted-pem root.pem --untrusted-pem int.pem signature.xml
>>> (removing the intermediate CA cert from the signature file)
>>> &
>>> xmlsec1 --verify --trusted-pem root.pem signature.xml
>>> (keeping the intermediate CA cert and end certificate in the signature file)
>>>
>>> Got the same result.
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 9:25 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>> What command line options do you use?
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>
>>> Sorry, I did not understand your reply completely.
>>> You mean to check the subject field for the certificates?
>>>
>>> I see them as:
>>>
>>> End Cert:
>>> Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL EE demo
>>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>>
>>> Intermediate cert:
>>> Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL subCA demo
>>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>
>>> Root Cert:
>>> Subject: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>> Issuer: C=CN, ST=BJ, O=JIL, OU=JIL, CN=JIL Root demo
>>>
>>> So it seems like the chain is correct, but verification fails. The strange
>>> thing is it passes with openssl but not here.
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 8:59 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>> No, there is no ordering problem. You have the subject of the certificate
>>> which is at the end of the chain. Try to figure out "why?".
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>
>>> Yes Aleksey,
>>> I have already tried with the openssl utility:
>>>
>>> openssl verify -CAfile root.pem EE.pem
>>>
>>> here root.pem is the root CA pem file & EE.pem contains the intermediate
>>> certificate and then the end certificate, and it passes with no error.
>>>
>>> but xmlsec fails :(
>>> Can there be any ordering issue? Shall I send my certs, will that help in
>>> root causing?
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 8:53 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>> Try to verify your certs chain using the openssl command line tool directly.
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>
>>> Hi Aleksey,
>>>
>>> My signature.xml file has two certificates, one is the end certificate and
>>> the other is the intermediate CA.
>>> In the intermediate certificate also the "CA" field is true. Could this be
>>> the root cause of the problem?
>>>
>>> Attaching the intermediate CA pem file.
>>>
>>> Thanks for your help.
>>>
>>> Regards,
>>> Ashish
>>>
>>> On Thu, Jun 4, 2009 at 8:21 PM, Aleksey Sanin <[email protected]> wrote:
>>>
>>> This error means that xmlsec can't build the certs chain for some reason.
>>>
>>> Aleksey
>>>
>>> Ashish Agrawal wrote:
>>>
>>> Hi Aleksey,
>>>
>>> I've a problem where I've a root CA and two certificates in the chain. When
>>> I try to verify the chain using openssl it works:
>>>
>>> openssl verify -CAfile root.pem EE.pem
>>>
>>> but when I try to verify using xmlsec it fails with the error:
>>>
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=CN/ST=BJ/O=JIL/OU=JIL/CN=JIL EE demo;err=20;msg=unable to get local issuer certificate
>>> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=884:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=578:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxVerify:file=xmldsig.c:line=379:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
>>> Error: signature failed
>>> ERROR
>>> SignedInfo References (ok/all): 6/6
>>> Manifests References (ok/all): 0/0
>>>
>>> Does xmlsec impose any additional constraints on the certificate validation,
>>> and if yes, what are they?
>>>
>>> Regards,
>>> Ashish
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
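A constructed illustration, added here and not code from xmlsec, OpenSSL or anyone in this thread, of the issuer lookup behind "unable to get local issuer certificate" (err=20): the verifier walks from the end certificate towards a self-signed certificate in its trusted store and needs an issuer candidate for every step, and a candidate is accepted only when its subject matches the issuer DN and, when the certificate carries an Authority Key Identifier, that identifier matches the candidate's Subject Key Identifier. The DNs are the ones Ashish posted; the Cert model, the key identifier values and the re-keyed intermediate are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed model of a verifier's chain building; not xmlsec or OpenSSL code.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: str                    # Subject Key Identifier (constructed placeholder values)
    akid: Optional[str] = None   # Authority Key Identifier; None when the extension is absent
    is_ca: bool = False          # basicConstraints CA flag

ERR_NO_ISSUER = "unable to get local issuer certificate"  # OpenSSL err=20 from the thread

def check_issued(candidate: Cert, cert: Cert) -> bool:
    """Simplified test applied to a candidate issuer: its subject must equal the
    certificate's issuer DN, it must be a CA, and when the certificate carries an
    AKID it must match the candidate's SKID. A DN match alone is not enough."""
    if candidate.subject != cert.issuer or not candidate.is_ca:
        return False
    return cert.akid is None or cert.akid == candidate.skid

def build_chain(leaf: Cert, trusted: List[Cert], untrusted: List[Cert],
                max_depth: int = 10) -> Tuple[List[str], Optional[str]]:
    """Walk from the leaf towards a self-signed certificate in the trusted store.
    Returns (subjects in chain order, None) on success or (partial chain, error)."""
    chain, cur = [leaf], leaf
    while len(chain) <= max_depth:
        if cur.subject == cur.issuer:  # reached a self-signed certificate
            err = None if cur in trusted else "self signed certificate in certificate chain"
            return [c.subject for c in chain], err
        # Trusted store is searched first, then the certs shipped inside the signature.
        issuer = next((c for c in trusted + untrusted if check_issued(c, cur)), None)
        if issuer is None:
            return [c.subject for c in chain], f"{ERR_NO_ISSUER} (subject={cur.subject})"
        chain.append(issuer)
        cur = issuer
    return [c.subject for c in chain], "certificate chain too long"

# The DNs from the thread; key identifiers and the re-keyed intermediate are constructed.
DN = "C=CN, ST=BJ, O=JIL, OU=JIL, CN="
ROOT = Cert(DN + "JIL Root demo", DN + "JIL Root demo", skid="aa", akid="aa", is_ca=True)
SUBCA = Cert(DN + "JIL subCA demo", ROOT.subject, skid="bb", akid="aa", is_ca=True)
EE = Cert(DN + "JIL EE demo", SUBCA.subject, skid="cc", akid="bb")
SUBCA_REKEYED = Cert(SUBCA.subject, ROOT.subject, skid="dd", akid="aa", is_ca=True)
if __name__ == "__main__":
    for label, extra in (("intermediate shipped", [SUBCA]), ("intermediate missing", []),
                         ("same DN, different key", [SUBCA_REKEYED])):
        print(f"{label}: {build_chain(EE, [ROOT], extra)}")
```

The third case is the one worth remembering when the subject/issuer DNs line up on paper but the chain still does not build: a re-issued intermediate with the same name fails the key identifier check exactly like a missing one.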
