Hi Aleksey,

I tried to verify the test file which is placed on your website at [http://www.aleksey.com/xmlsec/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml] using the online tool present on your site as well as using a locally placed xmlsec.exe. The command I am using locally is

xmlsec.exe --verify signature.xml

[Please tell me if I am not using the command correctly.] The error I get is still the same after all the different efforts I have put in. The current procedure I am following is:

1. Read the signature.xml file and add each certificate as trusted PEM.
2. In X509_vfy.c, I would delete all the certs which are not self-signed or intermediate CA.

The verification succeeds in this way of verification. The risk I see in this process is that I am simply trusting any certificates that are present in the signature.xml, which is a big threat.

Will be extremely glad to know your response at your earliest.

Regards,
Naval.

On Wed, Dec 22, 2010 at 11:32 AM, Naval Patel <[email protected]> wrote:
> This is the error when root CA is in the signed xml
>
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Mah/L=Pune/O=Agreeya/OU=Almond/CN=rootca/emailAd[email protected];err=19;msg=self signed certificate in certificate chain
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=19;msg=self signed certificate in certificate chain
>
> This is the error when root CA is not in the signed xml, but passed explicitly as trusted.
>
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=IN/ST=Maharashtra/L=Pune/O=Agreeya/OU=Almond/CN=ca1/em[email protected];err=24;msg=invalid CA certificate
> func=xmlSecOpenSSLX509StoreVerify:file=d:\svn_simulator\white\products\76xx\app\module\wrtconfig\wrtconfig\external\libxmlsec\src\openssl\x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=24;msg=invalid CA certificate
>
> Thanks,
> Naval.
>
> On Wed, Dec 22, 2010 at 11:27 AM, Aleksey Sanin <[email protected]> wrote:
>> Could you please copy/paste the complete error?
>>
>> Aleksey
>>
>> On 12/21/10 9:56 PM, Naval Patel wrote:
>>> If the entire cert chain is in the signed document the error I get is
>>> msg=self signed certificate in certificate chain
>>>
>>> If I remove the Root certificate from the chain in the signed xml file, and pass a root certificate as trusted, then I get the error as
>>> msg=invalid CA certificate
>>>
>>> Is there something that I am missing, or is this not the right way to do it?
>>>
>>> thanks :)
>>>
>>> Naval.
>>>
>>> On Tue, Dec 21, 2010 at 9:24 PM, Aleksey Sanin <[email protected] <mailto:[email protected]>> wrote:
>>>
>>> What errors do you get?
>>>
>>> Aleksey
>>>
>>> On 12/21/10 12:38 AM, Naval Patel wrote:
>>>
>>> Hi,
>>>
>>> It's been quite some time I am modifying my code to allow a signed xml document containing the entire chain of certificates from "Local cert" through CAs and ultimately the Root CA. I have debugged the code till the call goes to *X509_verify_cert(&xsc)*. I have observed that for each *<X509Certificate>* the xmlsec adds the certificate to the X509_STACK.
>>> The function call (*xmlSecOpenSSLX509FindNextChainCert*) inside the *for loop* inside the function *xmlSecOpenSSLX509StoreVerify* with the comment [/* get one cert after another and try to verify */] returns NULL only when it finds that the certificate does not extend any other certificates.
>>>
>>> I have RootCa.pem > CA1.pem > CA2.pem > signerCert.pem.
>>>
>>> If I simply execute the signeddoc.xml, I am receiving the error [*msg=invalid CA certificate* for CA2.pem] ... the command used is *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
>>> I broke the certificate chain by removing RootCa.pem from the signeddoc.xml and the error I received is the same as in the above case: *xmlsec.exe verify --trusted-pem RootCa.pem signeddoc.xml*
>>> I changed the command for the above file to *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA2.pem signeddoc.xml*; still the error was the same.
>>> I maintained only CA1, CA2 and signerCert.pem in signeddoc.xml and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml*
>>> Now I removed CA2 from the signeddoc.xml and kept only CA1 and signerCert.pem, and used the command *xmlsec.exe verify --trusted-pem RootCa.pem --trusted-pem CA1.pem --trusted-pem CA2.pem signeddoc.xml* ... I could see that the verification was passing.
>>>
>>> I have devised another way too to make this work, but I am not sure how good this way is...
>>>
>>> Before passing the signeddoc.xml to xmlsec, I load the x509certificate as trusted using the API *xmlSecCryptoAppKeysMngrCertLoadMemory*, but the problem is not solved because the same document continues to be evaluated by xmlsec later and the results produced are the same.
>>>
>>> Another alternative I thought of was: once the function *xmlSecOpenSSLX509FindNextChainCert* returns NULL, I would remove the other certificates from the STACK. That way, I will have trusted certs loaded to the global stack while signerCert.pem is verified.
>>>
>>> Please let me know your suggestions, I will try your suggested methods.
>>>
>>> And thanks a lot for this library, it has done wonders for my work till now :)
>>>
>>> I had read an email from the archive [*http://www.aleksey.com/pipermail/xmlsec/2008/008326.html*], but I could not get the breakthrough yet :(
>>>
>>> Regards,
>>> Naval
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected] <mailto:[email protected]>
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>> --
>>> Naval Patel
>>> ~ have fun ~
>>
>
> --
> Naval Patel
> ~ have fun ~

--
Naval Patel
~ have fun ~
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
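The chain-verification question running through this thread, as an added example that is not part of the original messages and is not xmlsec's or OpenSSL's own code. It uses only the openssl command line (1.1.1 or later assumed to be on PATH) to generate a fresh RootCa > CA1 > CA2 > signerCert chain (the names mirror the thread, the certificates are constructed here) and then verifies the signer the way Naval's last message says a verifier should: only RootCa.pem is a trust anchor, and the intermediates that a signed document would carry are handed to OpenSSL as untrusted chain-building input rather than being added as trusted. It also reproduces the two failures seen above: a chain whose intermediates are missing, and an intermediate certificate that is not marked as a CA, which OpenSSL rejects with X509_V_ERR_INVALID_CA (the err=24 "invalid CA certificate" in the log). The function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from xmlsec: build a small CA
# hierarchy with the openssl CLI and verify a leaf against it.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# Extensions for a CA certificate. OpenSSL only accepts an intermediate as an
# issuer when basicConstraints says CA:TRUE; otherwise X509_verify_cert fails
# with X509_V_ERR_INVALID_CA (24), printed as "invalid CA certificate".
cat > ca_ext.cnf <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Extensions for an end-entity (non-CA) certificate.
cat > ee_ext.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF

# Constructed misconfiguration: a certificate that will be used as an issuer
# even though it is explicitly not a CA.
cat > notca_ext.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
EOF

# new_key NAME: generate a P-256 private key in NAME.key
new_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
}

# issue NAME ISSUER EXTFILE SERIAL: make NAME.csr and sign it with ISSUER's key
issue() {
    openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
        -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root: the only certificate that will ever be trusted below.
new_key RootCa
openssl req -new -config req.cnf -key RootCa.key -subj "/CN=RootCa" -out RootCa.csr 2>/dev/null
openssl x509 -req -in RootCa.csr -signkey RootCa.key -set_serial 1 -days 30 \
    -extfile ca_ext.cnf -out RootCa.pem 2>/dev/null

# Proper chain: RootCa -> CA1 -> CA2 -> signerCert
new_key CA1;        issue CA1        RootCa ca_ext.cnf 2
new_key CA2;        issue CA2        CA1    ca_ext.cnf 3
new_key signerCert; issue signerCert CA2    ee_ext.cnf 4
cat CA1.pem CA2.pem > chain.pem        # what a signed document would embed

# Broken chain: CA2bad is not a CA, yet badSigner is issued under it.
new_key CA2bad;     issue CA2bad     CA1    notca_ext.cnf 5
new_key badSigner;  issue badSigner  CA2bad ee_ext.cnf    6
cat CA1.pem CA2bad.pem > badchain.pem

# run_verify LEAF [CHAINFILE]: trust only RootCa.pem. CHAINFILE, if given, is
# passed as *untrusted* input: candidates for building the chain, never trust
# anchors. Prints openssl's output and returns its exit status.
run_verify() {
    if [ -n "$2" ]; then
        openssl verify -CAfile RootCa.pem -untrusted "$2" "$1" 2>&1
    else
        openssl verify -CAfile RootCa.pem "$1" 2>&1
    fi
}

# verify_ok LEAF [CHAINFILE]: exit status 0 when the chain verifies
verify_ok() { run_verify "$@" >/dev/null; }

# verify_reason LEAF [CHAINFILE]: OpenSSL's reason text for the first error,
# empty when verification succeeds
verify_reason() { run_verify "$@" | sed -n 's/.*depth lookup: //p' | head -n 1; }

verify_ok signerCert.pem chain.pem && echo "root trusted, intermediates untrusted: OK"
verify_ok signerCert.pem || echo "intermediates not supplied: $(verify_reason signerCert.pem)"
verify_ok badSigner.pem badchain.pem || echo "non-CA intermediate: $(verify_reason badSigner.pem badchain.pem)"
```

The point of the split between -CAfile and -untrusted is the one Naval raises about his own workaround: if every certificate found in the document is added as trusted, the root check no longer decides anything, because any self-consistent chain the document carries verifies against itself. With the split, a chain still has to terminate at a root the verifier chose in advance. The last case is also the quickest check when a correctly ordered chain produces "invalid CA certificate": inspect the intermediate with `openssl x509 -noout -text -in CA2.pem` and confirm it carries basicConstraints with CA:TRUE, since OpenSSL requires that of every intermediate regardless of how the chain was supplied.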
