xmlsec1 1.3.9 – KEY-NOT-FOUND

Summary

This postmortem addresses a KEY-NOT-FOUND error that occurs when validating XML-DSIG signatures with xmlsec1, due to missing trust-chain validation. The error surfaced specifically when the --insecure flag was removed, despite all required certificates (signing, intermediate CA, and root CA) being provisioned in a PEM file.

Root Cause

The root cause is incomplete trust chain resolution by xmlsec1:

  • The tool always relies on system trusted certificates for validating the root certificate. The --insecure flag bypasses this requirement.
  • Without --insecure, xmlsec1 validates the certificate chain against system trust anchors only, ignoring trust decisions for the root CA provided in the PEM file/XML.

Why This Happens in Real Systems

This behavior follows from the separation of trust that cryptographic tooling commonly enforces by design:

  • Signers may embed certificates (leaf, intermediate, root), but validators enforce root trust externally via OS/custom stores.
  • Developers unfamiliar with the strict separation of provided keys vs. trusted anchors risk unexpected failures.

Real-World Impact

Failure to validate root certificates impacts production systems:

  • Broken signatures halt critical workflows (e.g., SAML logins, document verification).
  • Workarounds like --insecure introduce security risks by disabling trust validation entirely.

Example or Code

Configure a separate trust store (truststore.pem):

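# Extract the root CA to a dedicated trust file.
# openssl x509 reads only the first certificate in a bundle, so split all.pem
# into one file per certificate and keep the self-signed one (subject == issuer).
awk '/BEGIN CERT/{n++} n{print > ("cert-" n ".pem")}' all.pem
for c in cert-*.pem; do
  [ "$(openssl x509 -in "$c" -noout -subject_hash)" = \
    "$(openssl x509 -in "$c" -noout -issuer_hash)" ] && cp "$c" rootCA.pem
done

# Validate using explicit trust store
xmlsec1 --verify \
  --trusted-pem rootCA.pem \
  --pubkey-cert-pem all.pem \
  --id-attr:id "datatosign" \
  ./foo.xml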

How Senior Engineers Fix It

Robust chain validation ensures integrity without insecure flags:

  1. Isolate trusted anchors: Store root CAs in a dedicated trust store (e.g., .pem file or keychain).
  2. Execute validation with clear trust boundaries:
    • Use --trusted-pem for trusted roots.
    • Use --untrusted-pem for intermediate certificates.
  3. Test with --print-debug to verify trust chain construction.
  4. Audit system trust stores (e.g., update-ca-trust on Linux) if using OS anchors.
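
The trust boundary from steps 1 and 2, as an added example that is not part of the original postmortem: it builds a constructed root, intermediate and leaf chain and shows that a bundle containing the root is rejected until the root is named as an anchor. It uses openssl verify as a stand-in for xmlsec1, on the assumption that -CAfile and -untrusted play the roles of --trusted-pem and --untrusted-pem; all file names and subjects are made up.

```shell
#!/bin/sh
# Added example. The chain (demo-root -> demo-int -> demo-leaf) and all file
# names are constructed for the demo; nothing here comes from a real deployment.

make_chain() {  # $1: empty work directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null &&
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/all.pem"
}

# Every certificate is supplied, but only as untrusted material: no anchor.
verify_bundle_only() {
  openssl verify -untrusted "$1/all.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Root named as the trust anchor, intermediate supplied only for path building.
verify_with_anchor() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Anchor present but no intermediate: the path from leaf to root cannot be built.
verify_missing_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  for check in verify_bundle_only verify_with_anchor verify_missing_intermediate; do
    if "$check" "$d"; then echo "$check: chain trusted"; else echo "$check: rejected"; fi
  done
  rm -rf "$d"
}
demo
```

Running the same three checks against a production bundle before invoking xmlsec1 separates a trust-configuration gap from a genuinely broken signature.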

Why Juniors Miss It

Common oversight points:

  • Assumption that bundled certificates implicitly extend trust, not realizing root certificates require explicit trust delegation.
  • Misunderstanding of tool-specific behaviors: Unlike web browsers/MySQL, xmlsec1 segregates “provided certificates” from “trusted certificates.”
  • Insecure flag masking: Heavy reliance on --insecure during testing hides trust configuration gaps until runtime.