OK, what you say makes sense. Sorry that my idea was not
correct. Could you please try one more thing? Can you remove
from <X509Data> node everything but <X509Certificate> ?
I.e. <X509IssuerSerial>, and other nodes?
Aleksey
Paul Keeler wrote:
Thanks for that. Here are a couple of observations:
1. If I add the root certificate to the openssl installation's own store
in addition to using --trusted-pem on the command line I still get the
error. (I've checked that the certificate is installed correctly by
using it with "openssl verify ...")
2. Without adding the certificate to the openssl installation, the error
can be avoided using the --untrusted-pem option on the command line to
identify all of the appropriate intermediate certificates. From what
you have said I would still expect the openssl verification route to
result in failure.
So, something still doesn't really make sense. However, as you say,
ultimately verification has been successful so perhaps there is no
significant problem. In that case, is there a way to suppress these
types of error? I am worried that users of my application may be
worried by these errors being printed to the console.
Many thanks again for your thoughts.
On Feb 19, 2008 8:03 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
There is no failure. This error just indicates that one of the
attempts to verify the certificates chain failed. xmlsec-openssl
performs certification against different sets of trusted certs:
1) ones from the openssl installation
2) ones you specify in the command line
One of the attempts failed. That's it. You can safely ignore this error.
Aleksey
Paul Keeler wrote:
> The 5 certificates represent a whole certificate chain in order from
> signer back to self-signed trusted root. If I use the fifth certificate
> as a trusted root (extract it to file, add the begin/end certificate
> tags, and use the --trusted-pem option), then my understanding is that I
> should be able to verify the signature and the entire certificate
> chain. Surely there should be no failure? Am I missing something here?
>
> Thanks again.
>
> On Feb 19, 2008 3:26 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
>
> You have multiple certificate (X509Data) elements. The error
> indicates that verification of one certificate has failed
> but the other succeeds and the signature is verified.
>
> Aleksey
>
> Paul Keeler wrote:
> > Looks like the body of my previous message was somehow scrubbed along
> > with the attachment. Here it is again:
> >
> > On Feb 19, 2008 11:00 AM, Paul Keeler <[EMAIL PROTECTED]> wrote:
> >
> > Ok, I guess it was a bit unreasonable to send you a link - my
> > apologies! Here's a concrete example. See attached.
> >
> > Thanks for your patience.
> >
> >
> > On Feb 18, 2008 5:08 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> >
> > I have no idea what "target kdm certificate" is :) Please, attach
> > a signed document to the email.
> >
> > Aleksey
> >
> > Paul Keeler wrote:
> > > Here is a link to an online generator of signed documents that will
> > > demonstrate the behaviour I described previously:
> > >
> > > http://www.cinecert.com/dci_ref_01/
> > >
> > > Is there perhaps something about these documents that means xmlsec is
> > > unable to populate a store of untrusted certificates?
> > >
> > > Many thanks for your help already.
> > >
> > >
> > > On Feb 14, 2008 5:29 PM, Aleksey Sanin <[EMAIL PROTECTED]> wrote:
> > >
> > > The error indicates that verification of one of the certificate
> > > chains failed but xmlsec was able to extract the key either from
> > > another certificate chain or from some other place. Hard to say
> > > more w/o looking at the document.
> > >
> > > Aleksey
> > >
> > >
> > >
> > > Paul Keeler wrote:
> > > > I would be grateful if someone could help me with this problem. I
> > > > have a signed document which reports that it verifies ok, but
> > > > also gives an error message: "unable to get local issuer
> > > > certificate". The same thing happens both running from my own
> > > > application and calling xmlsec from the command line:
> > > >
> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > --id-attr:<my_ID_attribute_name>
> > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > <my_trusted_root_pem> <my_signed_document>
> > > >
> > > > This is the result:
> > > >
> > > > func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=351:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
> > > > OK
> > > > SignedInfo References (ok/all): 2/2
> > > > Manifests References (ok/all): 0/0
> > > >
> > > > The verification seems to have been successful (indicated by "OK"),
> > > > but clearly an error was also reported.
> > > >
> > > > The signed document contains my entire certificate chain: Signer ->
> > > > Intermediate CA -> Root CA. The Root CA in the chain is the same as
> > > > the trusted root pem I pass using the --trusted-pem option, so I
> > > > would expect verification to succeed.
> > > >
> > > > Now, I can make the error message go away by extracting the
> > > > Intermediate CA certificate from the signed document and passing it
> > > > to XMLSEC using the --untrusted-pem option:
> > > >
> > > > xmlsec1 --verify --id-attr:<my_ID_attribute_name>
> > > > <my_node_namespace_uri>:<my_first_node_name>
> > > > --id-attr:<my_ID_attribute_name>
> > > > <my_node_namespace_uri>:<my_second_node_name> --trusted-pem
> > > > <my_trusted_root_pem> --untrusted-pem <intermediate_CA_pem>
> > > > <my_signed_document>
> > > >
> > > > I did not expect that I would have to explicitly pass a certificate
> > > > from the chain to xmlsec and flag it as being untrusted. Am I doing
> > > > something wrong? Surely xmlsec should assume that all X509
> > > > certificates in a chain are untrusted by default? Have I missed the
> > > > point somewhere?
> > > >
> > > > Many thanks in advance.
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > >
> > > > _______________________________________________
> > > > xmlsec mailing list
> > > > xmlsec@aleksey.com
> > > > http://www.aleksey.com/mailman/listinfo/xmlsec