Could you please copy/paste the complete error?

Aleksey
On 12/21/10 9:56 PM, Naval Patel wrote:
If the entire cert chain is in the signed document, the error I get is:

msg=self signed certificate in certificate chain

If I remove the Root certificate from the chain in the signed XML file and pass a root certificate as trusted, then I get the error:

msg=invalid CA certificate

Is there something that I am missing, or is this not the right way to do it?

Thanks :)
Naval.

On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin <[email protected]> wrote:

What errors do you get?

Aleksey

On 12/21/10 12:38 AM, Naval Patel wrote:

Hi,

It's been quite some time that I have been modifying my code to allow a signed XML document containing the entire chain of certificates from the "Local cert" through the CAs and ultimately the Root CA. I have debugged the code up to the call to *X509_verify_cert(&xsc)*. I have observed that for each *<X509Certificate>* xmlsec adds the certificate to the X509_STACK. The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for loop* in the function *xmlSecOpenSSLX509StoreVerify*, with the comment [/* get one cert after another and try to verify */], returns NULL only when it finds that the certificate does not extend any other certificates.

I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. If I simply execute the signeddoc.xml, I am receiving the error [*msg=invalid CA certificate* for CA2.pem] ...
The command used is *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*

I broke the certificate chain by removing RootCa.pem from the signeddoc.xml, and the error I received is the same as in the above case: *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*

I changed the command for the above file to *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*; still the error was the same.

I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml*

Now I removed CA2 from the signeddoc.xml and kept only CA1 and signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml* ... I could see that the verification was passing.

I have devised another way too to make this work, but I am not sure how good this way is... Before passing the signeddoc.xml to xmlsec, I load the X509 certificate as trusted using the API *xmlSecCryptoAppKeysMngrCertLoadMemory*, but the problem is not solved because the same document continues to be evaluated by xmlsec later and the results produced are the same.

Another alternative I thought of was: once the function *xmlSecOpenSSLX509FindNextChainCert* returns NULL, I would remove the other certificates from the STACK. That way, I will have trusted certs loaded to the global stack while signerCert.pem is verified.

Please let me know your suggestions; I will try your suggested methods. And thanks a lot for this library, it has done wonders for my work till now :)

I had read an email from the archive [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but I could not get the breakthrough yet :(

Regards,
Naval

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec

--
Naval Patel
~ have fun ~
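The trust model described in the thread (RootCa.pem passed with --trusted-pem, each embedded <X509Certificate> pushed onto the untrusted stack, then X509_verify_cert deciding) can be reproduced with the plain openssl command line, which makes it easier to see which of the two errors comes from which arrangement of certificates. The script below is an added example, not code from the thread or from xmlsec: it generates a throwaway chain named after the thread's files (RootCa, CA1, CA2, signerCert), plus a constructed unrelated root "OtherRoot" that stands in for a trust store that does not contain RootCa, and then runs the four scenarios the thread walks through.

```shell
#!/bin/sh
# Added example (not code from the xmlsec thread): build a constructed chain
# RootCa > CA1 > CA2 > signerCert with the openssl CLI and verify the leaf the
# way xmlsec does: only the root is trusted (--trusted-pem), the certificates
# carried inside the signed document are untrusted chain material.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL only accepts an intermediate as an issuer if its extensions say it
# is a CA; a CA cert without basicConstraints CA:TRUE / keyCertSign is
# reported as "invalid CA certificate" (X509_V_ERR_INVALID_CA).
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# make_cert NAME SUBJECT ISSUER EXT_SECTION: writes $WORK/NAME.key and
# $WORK/NAME.pem. ISSUER "self" produces a self-signed (root) certificate.
make_cert() {
  name=$1; subject=$2; issuer=$3; ext=$4
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subject" \
    -out "$WORK/$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 365 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 365 \
      -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# build_chain: the thread's four-level chain plus an unrelated root
# ("OtherRoot", constructed) that plays a trust store without RootCa.
build_chain() {
  if [ -f "$WORK/signerCert.pem" ]; then return 0; fi
  make_cert RootCa     "/CN=Constructed Root CA" self   v3_ca
  make_cert CA1        "/CN=Constructed CA1"     RootCa v3_ca
  make_cert CA2        "/CN=Constructed CA2"     CA1    v3_ca
  make_cert signerCert "/CN=Constructed Signer"  CA2    v3_leaf
  make_cert OtherRoot  "/CN=Unrelated Root CA"   self   v3_ca
}

# verify_leaf TRUSTED UNTRUSTED...: -CAfile is the trust store (xmlsec's
# --trusted-pem); each -untrusted file stands for one <X509Certificate>
# element embedded in the signed document. Returns openssl verify's status.
verify_leaf() {
  trusted=$1; shift
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $WORK/$c.pem"; done
  # $untrusted is word-split on purpose: one -untrusted option per file
  openssl verify -CAfile "$WORK/$trusted.pem" $untrusted "$WORK/signerCert.pem"
}

run_demo() {
  build_chain
  echo "1) RootCa trusted, CA1+CA2 embedded (expected: OK):"
  verify_leaf RootCa CA1 CA2 || true
  echo "2) RootCa trusted, only CA1 embedded (expected: issuer of the leaf missing):"
  verify_leaf RootCa CA1 || true
  echo "3) RootCa trusted and also embedded (expected: OK):"
  verify_leaf RootCa RootCa CA1 CA2 || true
  echo "4) full chain embedded, but only OtherRoot trusted"
  echo "   (expected: self signed certificate in certificate chain):"
  verify_leaf OtherRoot RootCa CA1 CA2 || true
}

run_demo
```

Scenario 4 reproduces the first error quoted in the thread: the chain is complete, but its self-signed top was taken from the untrusted material rather than from the store, so OpenSSL reports X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; having the root in the store is what turns it into scenario 3. The extension file is deliberate: the verify(1) man page describes "invalid CA certificate" as a CA certificate that either is not a CA or has extensions inconsistent with the purpose, so inspecting the intermediate that is named in the error (CA2.pem in the thread) with `openssl x509 -in CA2.pem -noout -text` for basicConstraints CA:TRUE and a keyUsage that includes keyCertSign is a cheaper first check than changing how xmlsec populates the stack.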
