That shouldn't be the case. The only possibility is that there is a key in the signature file (not in certificate).
Run xmlsec with debug output to find out where it finds the key.

Aleksey

On 8/15/12 1:21 AM, Roman Khlystik wrote:
> Thanks for your answer, Aleksey.
>
> I think I've understood the behaviour of xmlsec in this situation.
> And according to this logic I assume (and actually I checked it) that
> when there isn't any valid certificate chain, the result code of
> signature verification is still "succeeded". Why?
>
> Here is an example using the command-line tool. ca.crt isn't related
> to the certificate in license-signed-ca1-server1.xml. So, there isn't
> any valid certificate chain. Why is the verification status OK?
>
> #xmlsec1 --verify --trusted-pem cas/ca2/ca/certs/ca.crt license-signed-ca1-server1.xml
>
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=Ukraine Department/CN=server1/[email protected];err=20;msg=unable to get local issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> OK
> SignedInfo References (ok/all): 1/1
> Manifests References (ok/all): 0/0
>
> So, I have another question: Is it possible to detect with xmlsec that
> there is no valid certificate chain up to one of the trusted
> certificates? I want to reject the signed xml file if there isn't any
> valid certificate chain.
>
> Thanks.
>
> 2012/8/14 Aleksey Sanin <[email protected]>
>
> Roman,
>
> During the verification, xmlsec tries to verify the signature using
> all possible certificate chains. It is enough to have one of them
> succeed. The errors you see are from ones that failed. Safe to ignore
> as long as you check the result code.
>
> Aleksey
>
> On 8/14/12 8:38 AM, Roman Khlystik wrote:
> > Hi Aleksey!
> >
> > I'm trying to develop a simple license system using the xmlsec library.
> > My idea was to build a simple private PKI with one CA key pair and a
> > separate key pair for each customer.
> > Then I planned to sign the xml license file with the client certificate
> > for each client.
> >
> > I decided to embed the CA certificate in our app and verify the certificate
> > chain from the xml file up to the CA certificate.
> > But I have a problem with the xmlsec library. I can't find how to verify
> > the full certificate chain with it.
> > I used the example from here
> > http://www.aleksey.com/xmlsec/api/xmlsec-verify-with-x509.html
> > and I have a problem when the certificate chain is invalid.
> > I got this error on the console:
> >
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=UA/ST=Kyiv region/L=Kyiv/O=test/OU=test/CN=server1/emailAddress=s
> > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > OK
> > SignedInfo References (ok/all): 1/1
> > Manifests References (ok/all): 0/0
> >
> > but the verification result dsigCtx->status has the
> > xmlSecDSigStatusSucceeded value.
> >
> > Can you tell me how I can verify that the certificate chain is invalid
> > with the xmlsec api?
> >
> >
> > _______________________________________________
> > xmlsec mailing list
> > [email protected]
> > http://www.aleksey.com/mailman/listinfo/xmlsec
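As an added example (not code from this thread or from the xmlsec project), a Python pre-check that inspects every ds:KeyInfo in a signed document and rejects anything other than ds:X509Data, which is the condition Aleksey points to: a key carried in the signature file itself rather than in a certificate can let signature verification succeed even though no chain to a trusted certificate exists. The function names and the sample license document are hypothetical and constructed here.

```python
import xml.etree.ElementTree as ET

# Clark-notation prefix for the XML Digital Signature namespace.
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def build_license(with_key_value):
    """Constructed sample document (hypothetical); KeyValue block is optional."""
    key_value = ("<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>PLACEHOLDER</ds:Modulus>"
                 "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")
    return (
        '<license xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><data/>'
        "<ds:Signature><ds:SignedInfo/>"
        "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo>"
        + (key_value if with_key_value else "")
        + "<ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature></license>"
    )


def key_info_sources(xml_text):
    """Sorted names of the key-data children found under every ds:KeyInfo."""
    root = ET.fromstring(xml_text)
    return sorted({child.tag.replace(DS, "ds:")
                   for key_info in root.iter(DS + "KeyInfo")
                   for child in key_info})


def accepts_only_certificate_keys(xml_text):
    """Policy: at least one ds:KeyInfo must exist, and each one must be
    non-empty and contain nothing but ds:X509Data.  A raw ds:KeyValue (or any
    other key source) is rejected before the file ever reaches xmlsec."""
    root = ET.fromstring(xml_text)
    key_infos = list(root.iter(DS + "KeyInfo"))
    if not key_infos:
        return False
    return all(len(ki) > 0 and all(child.tag == DS + "X509Data" for child in ki)
               for ki in key_infos)


if __name__ == "__main__":
    for label, doc in (("mixed KeyInfo", build_license(True)),
                       ("X509Data only", build_license(False))):
        verdict = "accept" if accepts_only_certificate_keys(doc) else "reject"
        print(f"{label}: {key_info_sources(doc)} -> {verdict}")
```

A file rejected here never reaches xmlsec, so a KeyValue cannot be the source of the OK status seen in the thread; the check does not replace xmlsec's own certificate verification against the trusted CA.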
