You are not verifying the signature correctly. Please read about certificates verification, trusted certificates,etc.
Aleksey On 11/24/14 10:54 AM, Renato Fermi wrote: > Sorry, the verifying line was : > - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem > nfcek.pem,cert.pem signed.xml > > 2014-11-24 16:45 GMT-02:00 Renato Fermi <[email protected] > <mailto:[email protected]>>: > > Hello Aleksey, > > I was really using a wrong certificate to sign and check it. > Now I'm using the same certificate, the one who generated key file. > So I have 2 files: > - cert.pem - client certificate, obtained using the following > command, from the full certificate: > openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts > -nokeys -nodes > - nfcek.pem - key file obtained this way: > openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes > > Im signing using : > - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem > nfcek.pem,cert.pem --output signed.xml 0A000U209.xml > And verifying : > - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem > nfcek.pem,certificado.pem signed.xml > > So I got an OK, but with errors: > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto > library function > failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da > Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR > SERASA/CN=CONECTO SISTEMAS LTDA:05113966000159;err=20;msg=unable to > get local issuer certificate > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate > verification failed:err=20;msg=unable to get local issuer certificate > OK > SignedInfo References (ok/all): 1/1 > Manifests References (ok/all): 0/0 > > Do you have any ideia about it? > > Thanks again. > > 2014-11-24 16:23 GMT-02:00 Aleksey Sanin <[email protected] > <mailto:[email protected]>>: > > Are you sure that the cacert.pem contains the certificate for > nfcek.pem > key? It looks like you are signing with one key and verifying > with another. > > Aleksey > > On 11/24/14 10:15 AM, Renato Fermi wrote: > > I've added 2 files (inuput) 0AU00209.xml and output.xml. > > > > > > > > > > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <[email protected] > <mailto:[email protected]> > > <mailto:[email protected] <mailto:[email protected]>>>: > > > > How does the input.xml looks like? > > > > Aleksey > > > > On 11/24/14 9:58 AM, Renato Fermi wrote: > > > Hello Aleksey, > > > > > > I'm having troubles after sucessfully signing a XML, when > > verifying it. > > > > > > What I've done: > > > - Signed XML with my cert key and cacert : > > > $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem > > nfcek.pem,cacert.pem > > > --output signed.xml input.xml > > > - Verified the signature: > > > xmlsec1 --verify --id-attr:Id infNFe --privkey-pem > > nfcek.pem,cacert.pem > > > signed.xml > > > > > > And received the return: > > > > > > > func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data > > > do not match:signature do not match > > > FAIL > > > SignedInfo References (ok/all): 1/1 > > > Manifests References (ok/all): 0/0 > > > Error: failed to verify file "signed.xml" > > > > > > Am I doing anything wrong? > > > > > > Thanks in advance. > > > > > > Renato Fermi > > > > > > > > > _______________________________________________ > > > xmlsec mailing list > > > [email protected] <mailto:[email protected]> > <mailto:[email protected] <mailto:[email protected]>> > > > http://www.aleksey.com/mailman/listinfo/xmlsec > > > > > > > > > > > > > _______________________________________________ > > xmlsec mailing list > > [email protected] <mailto:[email protected]> > > http://www.aleksey.com/mailman/listinfo/xmlsec > > > > > > > > > _______________________________________________ > xmlsec mailing list > [email protected] > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
