I have no idea what "target kdm certificate" is :) Please, attach
a signed document to the email.

Aleksey

Paul Keeler wrote:
Here is a link to an online generator of signed documents that will demonstrate the behaviour I described previously:

http://www.cinecert.com/dci_ref_01/

Is there perhaps something about these documents that means xmlsec is unable to populate a store of untrusted certificates?

Many thanks for your help already.


On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:

    The error indicates that verification of one of the certificate
    chains failed but xmlsec was able to extract the key either from
    another certificate chain or from some other place. Hard to say
    more w/o looking at the document.

    Aleksey


    Paul Keeler wrote:
    > I would be grateful if someone could help me with this problem. I have a
    > signed document which reports that it verifies ok, but also gives an
    > error message: "unable to get local issuer certificate". The same thing
    > happens both running from my own application and calling xmlsec from the
    > command line:
    >
    > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
    > <my_node_namespace_uri>:<my_first_node_name>
    > --id-attr:<my_ID_attribute_name>
    > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
    > <my_trusted_root_pem> <my_signed_document>
    >
    > This is the result:
    >
    > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
    > OK
    > SignedInfo References (ok/all): 2/2
    > Manifests References (ok/all): 0/0
    >
    > The verification seems to have been successful (indicated by "OK"), but
    > clearly an error was also reported.
    >
    > The signed document contains my entire certificate chain: Signer ->
    > Intermediate CA -> Root CA. The Root CA in the chain is the same as the
    > trusted root pem I pass using the --trusted-pem option, so I would
    > expect verification to succeed.
    >
    > Now, I can make the error message go away by extracting the Intermediate
    > CA certificate from the signed document and passing it to XMLSEC using
    > the --untrusted-pem option:
    >
    > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
    > <my_node_namespace_uri>:<my_first_node_name>
    > --id-attr:<my_ID_attribute_name>
    > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
    > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
    > <my_signed_document>
    >
    > I did not expect that I would have to explicitly pass a certificate from
    > the chain to xmlsec and flag it as being untrusted. Am I doing
    > something wrong? Surely xmlsec should assume that all X509 certificates
    > in a chain are untrusted by default? Have I missed the point somewhere?
    >
    > Many thanks in advance.
    >
    > _______________________________________________
    > xmlsec mailing list
    > xmlsec@aleksey.com
    > http://www.aleksey.com/mailman/listinfo/xmlsec



------------------------------------------------------------------------

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
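The workaround Paul describes, pulling the embedded certificates out of the signed document and handing them to xmlsec1 with --untrusted-pem while trust stays anchored in the root given with --trusted-pem, automated in Python. This is an added example, not code from the thread or from the xmlsec project: DS_NS is the standard XML-DSig namespace, the sample document and its "certificate" bytes are constructed placeholders (not real DER), and xmlsec_verify_argv merely builds a command line in the shape shown above.

```python
"""Export every <ds:X509Certificate> of a signed XML document as PEM so the
intermediate CA can be offered to xmlsec1 via --untrusted-pem. Added example,
not part of xmlsec; the document and certificate bytes below are constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace

def extract_certificates(xml_text: str) -> list[bytes]:
    """DER bytes of every X509Certificate, in document order. Certificates
    embedded in the document are untrusted input: they may help build a
    chain, but only the --trusted-pem root may terminate it."""
    root = ET.fromstring(xml_text)
    ders = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        b64 = "".join((el.text or "").split())  # drop line wrapping
        ders.append(base64.b64decode(b64, validate=True))
    return ders

def to_pem(der: bytes) -> str:
    """Wrap DER as PEM with the 64-column body lines OpenSSL expects."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def xmlsec_verify_argv(doc: str, trusted_root: str, untrusted: list[str],
                       id_attrs: list[tuple[str, str]]) -> list[str]:
    """Command line in the shape used in the thread; each exported cert is
    passed as --untrusted-pem, never as --trusted-pem."""
    argv = ["xmlsec1", "--verify"]
    for attr, qname in id_attrs:
        argv += [f"--id-attr:{attr}", qname]
    argv += ["--trusted-pem", trusted_root]
    for path in untrusted:
        argv += ["--untrusted-pem", path]
    return argv + [doc]

# Constructed sample: two placeholder "certificates", the second one wrapped.
FAKE_SIGNER = b"constructed placeholder, not a real DER certificate: signer" * 2
FAKE_INTER = b"constructed placeholder, not a real DER certificate: intermediate"
def b64_text(raw: bytes) -> str: return base64.b64encode(raw).decode()
SAMPLE_DOC = f"""<Doc xmlns:ds="{DS_NS}"><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>{b64_text(FAKE_SIGNER)}</ds:X509Certificate>
  <ds:X509Certificate>
    {b64_text(FAKE_INTER)[:40]}
    {b64_text(FAKE_INTER)[40:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Doc>"""

if __name__ == "__main__":
    paths = [f"chain{i}.pem" for i, _ in enumerate(extract_certificates(SAMPLE_DOC))]
    for path, der in zip(paths, extract_certificates(SAMPLE_DOC)):
        with open(path, "w") as f: f.write(to_pem(der))
    print(" ".join(xmlsec_verify_argv("doc.xml", "root.pem", paths,
                                      [("ID", "urn:example:ns:Node")])))
```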