Specify individual trusted certificates with the --trusted-pem option.

Aleksey


On 8/31/11 8:24 PM, Bernardo Hoehl wrote:
Hello List,


I am trying to get XMLSEC to verify a signature, and it seems to result in an 
openssl error that will not trust the Brazilian chain of certification...

This is the command and result:

######### Command begins:

$ export LD_LIBRARY_PATH=/opt/local/lib; ./xmlsec1 --verify --id-attr:Id infNFe --trusted-pem /Library/certs/USINA.pem /Users/bernardo/Desktop/teste.xml
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/O=ICP-Brasil/OU=Autoridade Certificadora SERPROACF/OU=PRONOVA/OU=Pessoa Juridica A1/L=QUEIMADOS/ST=RJ/CN=USINA BRASILEIRA DE CRISTOBALITA LTDA:73264202000114;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "/Users/bernardo/Desktop/teste.xml"

############## Command ends

I have read in openssl.org page that I could tell openssl to trust a chain of 
certificates using the option "-CApath directory", but I have no idea how to 
pass this option in the above XMLSEC command.

I appreciate any help,

Thanks,


Bernardo Höhl
Rio de Janeiro - Brazil

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
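
An added example, not part of the original messages or of xmlsec itself: where the CA chain is available as a single PEM bundle, one way to follow the advice above is to split the bundle into one file per certificate and repeat --trusted-pem once per file. The function name, bundle path and output directory are hypothetical, and the example assumes each --trusted-pem argument should carry a single certificate.

```shell
#!/bin/sh
# Added example (hypothetical helper, not xmlsec code): split a PEM bundle of
# CA certificates into one file per certificate and print one --trusted-pem
# option per file, ready to be placed on an xmlsec1 command line.
# Every certificate listed this way becomes a trust anchor, so the bundle
# should contain only CA certificates obtained and checked out of band.
# Assumption: the paths contain no whitespace.

split_trusted_pem() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1

    # Copy each complete BEGIN/END CERTIFICATE block to its own file.
    # Text outside the blocks (subject lines, comments) is ignored, and an
    # unterminated trailing block is not counted.
    count=$(awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/ca-%02d.pem", dir, n + 1); inside = 1 }
        inside { print > file }
        /-----END CERTIFICATE-----/ && inside { close(file); inside = 0; n++ }
        END { print n + 0 }
    ' "$bundle")

    [ "$count" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }

    i=1
    args=""
    while [ "$i" -le "$count" ]; do
        args="$args --trusted-pem $(printf '%s/ca-%02d.pem' "$outdir" "$i")"
        i=$((i + 1))
    done
    printf '%s\n' "${args# }"
}

# Usage (paths are placeholders; the substitution is left unquoted on purpose
# so that the options split into separate words):
#   xmlsec1 --verify --id-attr:Id infNFe \
#       $(split_trusted_pem /path/to/chain.pem ./trusted) /path/to/signed.xml
```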