You need to verify the signature using the "trusted" certificate, not the original key you used for signing since this key is already available in the certificate inside the signed XML document.
Aleksey

On 11/24/14 11:11 AM, Renato Fermi wrote:
> Thanks,
> Do you have any tips on what kind of mistake I am making?
>
> I'll learn more about these subjects that you suggested.
>
> Regards.
>
> 2014-11-24 17:04 GMT-02:00 Aleksey Sanin <[email protected]>:
> > You are not verifying the signature correctly. Please read about
> > certificate verification, trusted certificates, etc.
> >
> > Aleksey
> >
> > On 11/24/14 10:54 AM, Renato Fermi wrote:
> > > Sorry, the verifying line was:
> > > - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem signed.xml
> > >
> > > 2014-11-24 16:45 GMT-02:00 Renato Fermi <[email protected]>:
> > > > Hello Aleksey,
> > > >
> > > > I was really using a wrong certificate to sign and check it.
> > > > Now I'm using the same certificate, the one that generated the key file.
> > > > So I have 2 files:
> > > > - cert.pem - client certificate, obtained using the following command, from the full certificate:
> > > >   openssl pkcs12 -in certificate.pfx -out cert.pem -clcerts -nokeys -nodes
> > > > - nfcek.pem - key file obtained this way:
> > > >   openssl pkcs12 -in certificate.pfx -out nfcek.pem -nocerts -nodes
> > > >
> > > > I'm signing using:
> > > > - xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cert.pem --output signed.xml 0A000U209.xml
> > > > And verifying:
> > > > - xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,certificado.pem signed.xml
> > > >
> > > > So I got an OK, but with errors:
> > > >
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=BR/ST=SP/L=BARUERI/O=ICP-Brasil/OU=Secretaria da Receita Federal do Brasil - RFB/OU=RFB e-CNPJ A1/OU=AR SERASA/CN=CONECTO SISTEMAS LTDA:05113966000159;err=20;msg=unable to get local issuer certificate
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > OK
> > > > SignedInfo References (ok/all): 1/1
> > > > Manifests References (ok/all): 0/0
> > > >
> > > > Do you have any idea about it?
> > > >
> > > > Thanks again.
> > > >
> > > > 2014-11-24 16:23 GMT-02:00 Aleksey Sanin <[email protected]>:
> > > > > Are you sure that the cacert.pem contains the certificate for nfcek.pem key?
> > > > > It looks like you are signing with one key and verifying with another.
> > > > >
> > > > > Aleksey
> > > > >
> > > > > On 11/24/14 10:15 AM, Renato Fermi wrote:
> > > > > > I've added 2 files (input) 0AU00209.xml and output.xml.
> > > > > >
> > > > > > 2014-11-24 16:05 GMT-02:00 Aleksey Sanin <[email protected]>:
> > > > > > > What does the input.xml look like?
> > > > > > >
> > > > > > > Aleksey
> > > > > > >
> > > > > > > On 11/24/14 9:58 AM, Renato Fermi wrote:
> > > > > > > > Hello Aleksey,
> > > > > > > >
> > > > > > > > I'm having troubles after successfully signing an XML, when verifying it.
> > > > > > > >
> > > > > > > > What I've done:
> > > > > > > > - Signed XML with my cert key and cacert:
> > > > > > > >   $ xmlsec1 --sign --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem --output signed.xml input.xml
> > > > > > > > - Verified the signature:
> > > > > > > >   xmlsec1 --verify --id-attr:Id infNFe --privkey-pem nfcek.pem,cacert.pem signed.xml
> > > > > > > >
> > > > > > > > And received the return:
> > > > > > > >
> > > > > > > > func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=493:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
> > > > > > > > FAIL
> > > > > > > > SignedInfo References (ok/all): 1/1
> > > > > > > > Manifests References (ok/all): 0/0
> > > > > > > > Error: failed to verify file "signed.xml"
> > > > > > > >
> > > > > > > > Am I doing anything wrong?
> > > > > > > >
> > > > > > > > Thanks in advance.
> > > > > > > >
> > > > > > > > Renato Fermi

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
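As an added example (not code from the thread, and not xmlsec's own), a shell script covering the set-up Renato describes and the verification Aleksey is asking for: sign with the private key plus signer certificate, verify against the trusted issuer chain only. Assumed names are certificate.pfx, input.xml, signed.xml and ca-chain.pem, and it assumes the PFX also carries the issuer certificates; --trusted-pem is the xmlsec1 option for loading trust anchors.

```shell
#!/bin/sh
# Added example, not from the thread: split the PKCS#12 bundle, sign with the
# private key + signer certificate, then verify against the issuer chain only.
# Assumptions: certificate.pfx also carries the issuer (CA) certificates, the
# id attribute is "Id" on element infNFe as in the thread, and the xmlsec1
# option --trusted-pem loads the trust anchors (repeat it for more than one).
set -eu

PFX=${PFX:-certificate.pfx}

# Run a command, or just echo it when DRY_RUN=1, so the invocations can be
# inspected on a machine without xmlsec1/openssl installed.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One PFX, three files: private key, signer (leaf) cert, issuer chain.
extract_pfx() {
  run openssl pkcs12 -in "$PFX" -nocerts -nodes -out nfcek.pem
  run openssl pkcs12 -in "$PFX" -clcerts -nokeys -out cert.pem
  run openssl pkcs12 -in "$PFX" -cacerts -nokeys -out ca-chain.pem
}

# Signing needs the private key; the certificate is embedded in <KeyInfo> so
# the verifier can find it in the document itself.
sign_nfe() {  # args: key cert input output
  run xmlsec1 --sign --id-attr:Id infNFe --privkey-pem "$1,$2" --output "$4" "$3"
}

# Verifying takes ONLY the trusted issuer chain. The signer's certificate is
# read from <KeyInfo> and must chain to one of these anchors; handing the
# private key (or the leaf cert) to --verify proves nothing, because whatever
# certificate the document carries would then be trusted on its own say-so.
verify_nfe() {  # args: ca-chain signed
  run xmlsec1 --verify --id-attr:Id infNFe --trusted-pem "$1" "$2"
}

# The invocation from the thread, kept for contrast: it reuses the signing key
# and leaf cert and supplies no trust anchor, so "unable to get local issuer
# certificate" is the expected outcome.
verify_wrong() {  # args: key cert signed
  run xmlsec1 --verify --id-attr:Id infNFe --privkey-pem "$1,$2" "$3"
}

if [ "${NFE_RUN:-0}" = 1 ]; then
  extract_pfx
  sign_nfe nfcek.pem cert.pem input.xml signed.xml
  verify_nfe ca-chain.pem signed.xml
fi
```

Run with NFE_RUN=1 to execute end to end, or DRY_RUN=1 to print the commands; if the PFX does not contain the issuer certificates, obtain the ICP-Brasil chain separately and pass it as ca-chain.pem.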
