You have multiple certificate (X509Data) elements. The error
indicates that verification of one certificate has failed
but the other succeeds and the signature is verified.

Aleksey

Paul Keeler wrote:
Looks like the body of my previous message was somehow scrubbed along with the attachment. Here it is again:

On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:

    Ok, I guess it was a bit unreasonable to send you a link - my
    apologies!  Here's a concrete example.  See attached.

    Thanks for your patience.


    On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:

        I have no idea what "target kdm certificate" is :) Please, attach
        a signed document to the email.

        Aleksey

        Paul Keeler wrote:
         > Here is a link to an online generator of signed documents that will
         > demonstrate the behaviour I described previously:
         >
         > http://www.cinecert.com/dci_ref_01/
         >
         > Is there perhaps something about these documents that means xmlsec is
         > unable to populate a store of untrusted certificates?
         >
         > Many thanks for your help already.
         >
         >
         > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
         >
         >     The error indicates that verification of one of the certificate
         >     chains failed but xmlsec was able to extract the key either from
         >     another certificate chain or from some other place. Hard to say
         >     more w/o looking at the document.
         >
         >     Aleksey
         >
         >
         >     Paul Keeler wrote:
         >      > I would be grateful if someone could help me with this problem.  I
         >      > have a signed document which reports that it verifies ok, but
         >      > also gives an error message: "unable to get local issuer
         >      > certificate".  The same thing happens both running from my own
         >      > application and calling xmlsec from the command line:
         >      >
         >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
         >      > <my_node_namespace_uri>:<my_first_node_name>
         >      > --id-attr:<my_ID_attribute_name>
         >      > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
         >      > <my_trusted_root_pem>  <my_signed_document>
         >      >
         >      > This is the result:
         >      >
         >      > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate
         >      > verification failed:err=20;msg=unable to get local issuer certificate
         >      > OK
         >      > SignedInfo References (ok/all): 2/2
         >      > Manifests References (ok/all): 0/0
         >      >
         >      > The verification seems to have been successful (indicated by
         >      > "OK"), but clearly an error was also reported.
         >      >
         >      > The signed document contains my entire certificate chain: Signer ->
         >      > Intermediate CA -> Root CA.  The Root CA in the chain is the same
         >      > as the trusted root pem I pass using the --trusted-pem option, so I
         >      > would expect verification to succeed.
         >      >
         >      > Now, I can make the error message go away by extracting the
         >      > Intermediate CA certificate from the signed document and passing it
         >      > to XMLSEC using the --untrusted-pem option:
         >      >
         >      > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
         >      > <my_node_namespace_uri>:<my_first_node_name>
         >      > --id-attr:<my_ID_attribute_name>
         >      > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
         >      > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
         >      > <my_signed_document>
         >      >
         >      > I did not expect that I would have to explicitly pass a
         >      > certificate from the chain to xmlsec and flag it as being untrusted.
         >      > Am I doing something wrong?  Surely xmlsec should assume that all
         >      > X509 certificates in a chain are untrusted by default?  Have I
         >      > missed the point somewhere?
         >      >
         >      > Many thanks in advance.
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
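As an added example (not code from this thread or from the xmlsec project), the following stdlib-only Python helper automates the step Paul did by hand: it walks every ds:X509Data element in a signed document, converts each embedded ds:X509Certificate to PEM so it can be handed to xmlsec1 via --untrusted-pem, and returns one list per X509Data, so a count greater than one immediately shows the situation Aleksey describes, where one chain fails while another verifies. The sample document, the placeholder certificate bodies and the function names are all constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _fake_cert(label: str) -> str:  # constructed placeholder, not a real DER cert
    return base64.b64encode(label.encode() * 4).decode()


# Constructed sample: a signed document carrying two ds:X509Data elements.
SAMPLE_XML = f"""<Doc xmlns:ds="{DSIG_NS}">
  <ds:Signature><ds:KeyInfo>
    <ds:X509Data>
      <ds:X509Certificate>
        {_fake_cert("signer-cert-placeholder")}
      </ds:X509Certificate>
      <ds:X509Certificate>{_fake_cert("intermediate-ca-placeholder")}</ds:X509Certificate>
    </ds:X509Data>
    <ds:X509Data>
      <ds:X509Certificate>{_fake_cert("second-chain-placeholder")}</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo></ds:Signature>
</Doc>"""


def to_pem(b64_body: str) -> str:
    """Base64 text of one X509Certificate element -> PEM block as --untrusted-pem
    expects it (64-column lines between BEGIN/END); XML whitespace is stripped."""
    raw = re.sub(r"\s+", "", b64_body)
    base64.b64decode(raw, validate=True)  # raises on text that is not base64
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_x509data(xml_text: str) -> list[list[str]]:
    """One list of PEMs per ds:X509Data, in document order. More than one entry
    is the case Aleksey describes: each X509Data is verified on its own."""
    root = ET.fromstring(xml_text)
    return [[to_pem(c.text or "") for c in x.findall(f"{{{DSIG_NS}}}X509Certificate")]
            for x in root.iter(f"{{{DSIG_NS}}}X509Data")]


def write_untrusted_pems(chains: list[list[str]], directory: str) -> list[str]:
    """Write each embedded certificate to its own PEM file under `directory` and
    return the xmlsec1 arguments that hand them over as untrusted chain material."""
    args = []
    for ci, chain in enumerate(chains):
        for ki, pem in enumerate(chain):
            path = f"{directory}/x509data{ci}_cert{ki}.pem"
            with open(path, "w") as fh:
                fh.write(pem)
            args += ["--untrusted-pem", path]
    return args
```

Append the returned arguments to the xmlsec1 --verify command line from the thread, after --trusted-pem, to reproduce the working invocation without extracting the intermediate certificate by hand.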