This is the error when root CA is in the signed xml func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAd [email protected];err=19;msg=self signed certificate in certificate chain func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain
this is the error when root ca is not in the signed xml, but passed explicitly as trusted. func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/em [email protected];err=24;msg=invalid CA certificate func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy .c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=24;msg=invalid CA certificate Thanks, Naval. On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin <[email protected]> wrote: > Could you please copy/paste the complete error? > > Aleksey > > > On 12/21/10 9:56 PM, Naval Patel wrote: > >> If the entire cert chain is in the signed document the error i get is >> msg=self signed certificate in certificate chain >> >> if i remove the Root certificate from the chain in the signed xml file, >> and pass a root certificate as trusted, then i get the error as >> msg=invalid CA certificate >> >> is there something that i am missing or this is not the right way to do? >> >> thanks :) >> >> Naval. >> >> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin <[email protected] >> <mailto:[email protected]>> wrote: >> >> What errors do you get? >> >> Aleksey >> >> >> On 12/21/10 12:38 AM, Naval Patel wrote: >> >> Hi, >> >> Its been quite some time i am modifying my code to allow a >> signed xml >> document containing the entire chain of certificates from "Local >> cert" >> through CAs and ultimately the Root CA. I have debugged the code >> till >> the call goes to *X509_verify_cert(&xsc)*. I have observed that >> for each >> *<X509Certificate> *the xmlsec adds the certificate to the >> X509_STACK. >> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside >> the *for >> loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the >> comment [/* get one cert after another and try to verify */] >> returns >> NULL only when it finds that the certificate does not extend any >> other >> certificates. >> >> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem. >> >> If i simply execute the signeddoc.xml, I am receiving the error >> [*msg=invalid CA certificate* for CA2.pem] ... the command used is >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml* >> I broke the certificate chain by removing RootCa.pem from the >> signeddoc.xml and the error i received is same as of the above case >> *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml >> *I changed the command for the above file as *xmlsec.exe verify >> --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*, >> still the >> error was same >> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml >> and used >> the command *xmlsec.exe verify --trusted-pem RootCa.pem >> --trusted-pem >> CA1.pem --trusted-pem CA2.pem signeddoc.xml >> *Now I removed CA2 from the signeddoc.xml and kept only CA1 and >> signerCert.pem, and used the command *xmlsec.exe verify >> --trusted-pem >> RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem >> signeddoc.xml ... >> *i could see that the verification was passing. >> >> I have deviced another way too to make this work, but i am not >> sure how >> good this way is... >> >> before passing the signeddoc.xml to xmlsec, I load the >> x509certificate >> as trusted using the api *xmlSecCryptoAppKeysMngrCertLoadMemory* >> but the >> problem is not solved because the same document continues to be >> evaluated by xmlsec later and the results produced are same. >> >> Another alternative i thought was once the function >> *xmlSecOpenSSLX509FindNextChainCert *returns NULL, I would >> remove the >> other certificates from the STACK. That way, i will have trusted >> certs >> loaded to the global stack and while signerCert.pem is verified. >> >> Please let me know your suggestions, I will try your suggested >> methods. >> >> And thanks a lot for this library, it had done wonders for my >> work till >> now :) >> >> I had read an email from the archive >> [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but >> i >> could not get the break through yet :( >> >> Regards, >> Naval >> >> >> >> _______________________________________________ >> xmlsec mailing list >> [email protected] <mailto:[email protected]> >> >> http://www.aleksey.com/mailman/listinfo/xmlsec >> >> >> >> >> -- >> Naval Patel >> ~ have fun ~ >> > -- Naval Patel ~ have fun ~
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
