The 5 certificates represent a whole certificate chain in order from signer back to self-signed trusted root. If I use the fifth certificate as a trusted root (extract it to a file, add the begin/end certificate tags, and use the --trusted-pem option), then my understanding is that I should be able to verify the signature and the entire certificate chain. Surely there should be no failure? Am I missing something here?
Thanks again.

On Feb 19, 2008 3:26 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> You have multiple certificates (X509Data) element. The error
> indicates that verification of one certificate has failed
> but the other succeeds and the signature is verified.
>
> Aleksey
>
> Paul Keeler wrote:
> > Looks like the body of my previous message was somehow scrubbed along
> > with the attachment. Here it is again:
> >
> > On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:
> >
> > Ok, I guess it was a bit unreasonable to send you a link - my
> > apologies! Here's a concrete example. See attached.
> >
> > Thanks for your patience.
> >
> > On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> >
> > I have no idea what "target kdm certificate" is :) Please, attach
> > a signed document to the email.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > Here is a link to an online generator of signed documents that will
> > > demonstrate the behaviour I described previously:
> > >
> > > http://www.cinecert.com/dci_ref_01/
> > >
> > > Is there perhaps something about these documents that means xmlsec is
> > > unable to populate a store of untrusted certificates?
> > >
> > > Many thanks for your help already.
> > >
> > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > >
> > > The error indicates that verification of one of the certificate
> > > chains failed but xmlsec was able to extract the key either from
> > > another certificate chain or from some other place. Hard to say
> > > more w/o looking at the document.
> > >
> > > Aleksey
> > >
> > > Paul Keeler wrote:
> > > > I would be grateful if someone could help me with this problem. I have a
> > > > signed document which reports that it verifies ok, but also gives an
> > > > error message: "unable to get local issuer certificate". The same thing
> > > > happens both running from my own application and calling xmlsec from the
> > > > command line:
> > > >
> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> \
> > > >     <my_node_namespace_uri>:<my_first_node_name> \
> > > >     --id-attr:<my_ID_attribute_name> \
> > > >     <my_node_namespace_uri>:<my_second_node_name> \
> > > >     --trusted-pem <my_trusted_root_pem> <my_signed_document>
> > > >
> > > > This is the result:
> > > >
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > OK
> > > > SignedInfo References (ok/all): 2/2
> > > > Manifests References (ok/all): 0/0
> > > >
> > > > The verification seems to have been successful (indicated by "OK"), but
> > > > clearly an error was also reported.
> > > >
> > > > The signed document contains my entire certificate chain: Signer ->
> > > > Intermediate CA -> Root CA. The Root CA in the chain is the same as the
> > > > trusted root pem I pass using the --trusted-pem option, so I would
> > > > expect verification to succeed.
> > > >
> > > > Now, I can make the error message go away by extracting the Intermediate
> > > > CA certificate from the signed document and passing it to XMLSEC using
> > > > the --untrusted-pem option:
> > > >
> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name> \
> > > >     <my_node_namespace_uri>:<my_first_node_name> \
> > > >     --id-attr:<my_ID_attribute_name> \
> > > >     <my_node_namespace_uri>:<my_second_node_name> \
> > > >     --trusted-pem <my_trusted_root_pem> \
> > > >     --untrusted-pem <intermediate_CA_pem> \
> > > >     <my_signed_document>
> > > >
> > > > I did not expect that I would have to explicitly pass a certificate from
> > > > the chain to xmlsec and flag it as being untrusted. Am I doing
> > > > something wrong? Surely xmlsec should assume that all X509 certificates
> > > > in a chain are untrusted by default? Have I missed the point somewhere?
> > > >
> > > > Many thanks in advance.
_______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec
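The err=20 in the thread is not an xmlsec code: xmlsec1's OpenSSL backend (the x509vfy.c in the error line) hands chain building to OpenSSL, and 20 is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. The script below is an added example, not code from the list thread or from the xmlsec project. It builds a throw-away Root CA -> Intermediate CA -> Signer chain with plain openssl and reproduces the two outcomes from the thread: trusting only the root and offering nothing else gives error 20, while offering the intermediate as an untrusted chain candidate (what --untrusted-pem does in xmlsec1) verifies. The subjects, file names, work directory and the optional xmlsec1 round trip (run only if xmlsec1 is installed) are all constructed for the example.

```sh
#!/bin/sh
# Added example for the xmlsec thread above; not code from the list or from
# the xmlsec project. Subjects, file names and $WORK are constructed.

WORK="${WORK:-$(mktemp -d)}"

# new_key_and_csr <name> <subject>: fresh RSA key plus CSR under $WORK.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# sign_csr <name> <ext-file> [<issuer>]: issue <name>.pem; no issuer = self-signed.
sign_csr() {
    if [ -n "${3:-}" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 2 -extfile "$WORK/$2" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 2 -extfile "$WORK/$2" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# Build Root CA -> Intermediate CA -> Signer, the shape of the chain in the thread.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext" &&
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$WORK/leaf.ext" &&
    new_key_and_csr root "/CN=Example Root CA"         && sign_csr root ca.ext      &&
    new_key_and_csr int  "/CN=Example Intermediate CA" && sign_csr int  ca.ext root &&
    new_key_and_csr leaf "/CN=Example Signer"          && sign_csr leaf leaf.ext int
}

# Case 1: only the root is trusted and nothing else is offered as a chain
# candidate. OpenSSL cannot locate the Signer's issuer, so it stops at depth 0
# with error 20. Returns 0 only if verification failed with exactly that error.
# (openssl verify also consults the default CA directory; the constructed
# intermediate is never there, so the outcome is the same as --trusted-pem alone.)
verify_root_only_fails_with_error20() {
    out=$(openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1) && return 1
    printf '%s\n' "$out" | grep -q 'unable to get local issuer certificate'
}

# Case 2: the intermediate is offered as an UNTRUSTED candidate (the role of
# xmlsec1 --untrusted-pem). It is used to reach the root but is not itself an
# anchor, so an attacker-supplied intermediate gains nothing. Returns 0 on "OK".
verify_with_untrusted_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Optional: the same two roles through xmlsec1, if it is installed. Certificates
# listed after the key in --privkey-pem are emitted into <X509Data>, and xmlsec1
# treats those as untrusted chain candidates, so --trusted-pem with the root
# alone is enough here. Returns 0 when skipped or verified.
xmlsec1_roundtrip() {
    command -v xmlsec1 >/dev/null 2>&1 || { echo "xmlsec1 not installed, skipped"; return 0; }
    cat > "$WORK/tmpl.xml" <<'EOF'
<Doc><Body>payload</Body><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue/></Reference>
</SignedInfo><SignatureValue/><KeyInfo><X509Data/></KeyInfo></Signature></Doc>
EOF
    xmlsec1 --sign --privkey-pem "$WORK/leaf.key,$WORK/leaf.pem,$WORK/int.pem" \
        --output "$WORK/signed.xml" "$WORK/tmpl.xml" >/dev/null 2>&1 || return 1
    xmlsec1 --verify --trusted-pem "$WORK/root.pem" "$WORK/signed.xml"
}

# Stand-alone run: build the chain and report both openssl outcomes.
make_chain || { echo "chain generation failed (is openssl installed?)"; exit 1; }
verify_root_only_fails_with_error20 && echo "root only: error 20, as in the thread"
verify_with_untrusted_intermediate && echo "root + untrusted intermediate: OK"
xmlsec1_roundtrip
```

The mapping to the thread's command lines is direct: -CAfile is the anchor set that --trusted-pem feeds, and -untrusted is the candidate pool that --untrusted-pem feeds. Intermediates belong in the second set, never the first: a certificate placed in the trusted set is accepted without its own chain being checked, so trusting the intermediate to silence error 20 would widen the trust anchor instead of fixing the lookup. The example does not reproduce the KDM document itself; per Aleksey's reply, the remaining error there came from a document with more than one X509Data element, where each element's chain is checked on its own.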