I can't load the pubkey from a pem file

[aseques]

I am trying to validate a xml file signed by a third party. If I disable the certificate validation the file is verified without issues:

$ ./xmlsec1 --verify --insecure ok1.xml 
Verification status: OK

I have searched over the documentation and I couldn't find any way to output the signature using xmlsec, so I extracted the content in the KeyInfo section and created it as a pem file (see attached) cert_pem.txt

I can validate that the cert is valid with openssl

openssl x509 -text -noout -in cert_pem.txt

When I try to load the key to be used on the validation i get an error

$ ./xmlsec1 --verify  --print-debug --trusted-pem cert_pem.txt ok1.xml 
Verification status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to verify file "ok1.xml"

So my question is what should the command line switches so it verifies the document or at least gives some more information? I searched a lot on internet but couldn't find anything useful

[lsh123]

--trusted-pem cert_pem.txt adds the certificate to the "trusted" (aka "root") certificates list. But in order to verify the certificate, you need to add to the trusted list the issuer certificate that signed the certificate in the file (unless it's a self signed cert in which case it's the same). In your case:

Subject (you cert): description = Reg: Girona/Hoja: H GI 6590/Tomo: 74/Secci\C3\B3n: -/Libro: -/Folio: 74/Fecha: 15-07-2013/Inscripci\C3\B3n: 11, CN = 40362985D MARIA FIGA (R: B17114273), GN = MARIA, SN = FIGA FELIP, serialNumber = IDCES-40362985D, organizationIdentifier = VATES-B17114273, OU = ADMINISTRACION, OU = ADMINISTRACION, O = "ELECTRA AVELLANA, SL", C = ES

Issuer (the cert you need to add to the trusted list): C = ES, L = MADRID, ST = MADRID, OU = see current address at https://www.camerfirma.com/address, OU = AC CAMERFIRMA FOR NATURAL PERSONS - 2016, serialNumber = A82743287, organizationIdentifier = VATES-A82743287, O = AC CAMERFIRMA S.A., CN = AC CAMERFIRMA FOR NATURAL PERSONS - 2016

Note that openssl command you have DOES NOT validate the cert. It simply parses the content of x509 file w/o actual certificate validation.

High level description of the certificate verification algorithm can be found here: https://en.wikipedia.org/wiki/Certification_path_validation_algorithm

[aseques]

Thanks for your prompt reply @lsh123 I dowloaded the pem from here (see attached) ac_camerfirma_global_natural_persons-2016.txt

I verified that the downloaded file is a root cert (it has CA:TRUE in the x509) and then I'm checking the chain with openssl -verify that should do the job. Unfortunately it doesn't seem to be able to validate the certificate (I don't know if that might be the cause for xmlsec failing)

$ openssl verify -verbose -CAfile ac_camerfirma_global_natural_persons-2016.pem cert_pem.txt 
C = ES, L = MADRID, ST = MADRID, OU = see current address at https://www.camerfirma.com/address, OU = AC CAMERFIRMA FOR NATURAL PERSONS - 2016, serialNumber = A82743287, organizationIdentifier = VATES-A82743287, O = AC CAMERFIRMA S.A., CN = AC CAMERFIRMA FOR NATURAL PERSONS - 2016
error 2 at 1 depth lookup: unable to get issuer certificate
error cert_pem.txt: verification failed

So I'm a bit lost on this, if the issue is on the cert that might be incomplete or broken somehow, or that I'm using the wrong commands.

[lsh123]

You have a wrong cert. Issuer for cert_pem.txt is ... OU = AC CAMERFIRMA GLOBAL FOR NATURAL PERSONS - 2016...and subject for ac_camerfirma_global_natural_persons-2016.txt is ... OU = AC CAMERFIRMA FOR NATURAL PERSONS - 2016...

[aseques]

Wow well spotted, this is so confusing, I downloaded now the proper ca from the link of the provider, and also the root ca that signs the former.

ac_camerfirma_natural_persons-2016.txt

chambersofcommerceroot-2016.txt

Now the verification works

openssl verify -verbose -CAfile chambersofcommerceroot-2016.pem -untrusted ac_camerfirma_natural_persons-2016.txt cert_pem.txt
cert_pem.txt: OK

But still xmlsec doesn't

$ ./xmlsec1 --verify  --print-debug --pubkey-cert-pem chambersofcommerceroot-2016.txt --pubkey-cert-pem ac_camerfirma_natural_persons-2016.txt --pubkey-cert-pem cert_pem.txt ok1.xml 
Verification status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to verify file "ok1.xml"

I tried also to concatenate the three certificates and load them together but still not working

$ cat cert_pem.txt ac_camerfirma_natural_persons-2016.txt chambersofcommerceroot-2016.txt > full.pem
$ ./xmlsec1 --verify  --print-debug --pubkey-cert-pem full.pem ok1.xml
Verification status: FAILED
Failure reason: KEY-NOT-FOUND
Error: failed to verify file "ok1.xml"

It seems that it's almost there but something is missing, is --pubkey-cert-pem the proper flag to pass the three certificates (and can the flags be concatenated? )

[lsh123]

Do not use --pubkey-cert-pem option (it loads key from cert) for xmlsec, use --trusted-pem and --untrusted-pem (which help to create trust path for the cert).

[aseques]

Thanks a lot @lsh123 it is working now you have been incredibly helpful

$ ./xmlsec1 --verify --trusted-pem chambersofcommerceroot-2016.txt --untrusted-pem ac_camerfirma_natural_persons-2016.txt --untrusted-pem cert_pem.txt ok1.xml
Verification status: OK