Description
Discussed in #938
Originally posted by hrantzsch July 22, 2025
Hi,
I'm seeing an error where xmlsec1 --sign fails if the certificate that signs the xml is also in OpenSSL's trusted CA certificates. I don't know if I am just using it wrong, or if this might be a bug. Maybe it's worth mentioning that my use-case is SAML2, using xmlsec1 via https://github.com/IdentityPython/pysaml2.
The issue occurs with xmlsec >= 1.3.0, but not with 1.2.*. Using OpenSSL 3.0.13.
To reproduce, the following is as minimal as I managed to make it. I'll attach the xml tosign.xml, the certificate cert.pem and the certificate's key key.pem below.
Signing with xmlsec1 --sign --verbose --privkey-pem key.pem --lax-key-search --output signed.xml tosign.xml works fine (just warns about the self-signed cert). However, if the certificate were present in OpenSSL's trust store, which we can emulate via SSL_CERT_FILE:
SSL_CERT_FILE=cert.pem xmlsec1 --sign --verbose --privkey-pem key.pem --lax-key-search --output signed.xml tosign.xml
func=xmlSecOpenSSLEvpSignatureSign:file=signatures.c:line=1141:obj=rsa-sha1:subj=EVP_PKEY_sign:error=4:crypto library function failed:ret=0; openssl error: error:1C880004:Provider routines::RSA lib
func=xmlSecOpenSSLEvpSignatureExecute:file=signatures.c:line=1263:obj=rsa-sha1:subj=xmlSecOpenSSLEvpSignatureSign:error=1:xmlsec library function failed:
func=xmlSecTransformDefaultPushBin:file=transforms.c:line=1971:obj=rsa-sha1:subj=xmlSecTransformExecute:error=1:xmlsec library function failed:final=1
func=xmlSecTransformIOBufferClose:file=transforms.c:line=2600:obj=rsa-sha1:subj=xmlSecTransformPushBin:error=1:xmlsec library function failed:
func=xmlSecTransformC14NPushXml:file=c14n.c:line=241:obj=c14n:subj=xmlOutputBufferClose:error=5:libxml2 library function failed:xml error: 0: NULL
func=xmlSecTransformCtxXmlExecute:file=transforms.c:line=1080:obj=c14n:subj=xmlSecTransformPushXml:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=584:obj=unknown:subj=xmlSecTransformCtxXmlExecute:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=301:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:
Signature status: ERROR
Error: failed to sign file "tosign.xml"
Any insights on what's going on are greatly appreciated.
tosign.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data>
    Hello, World!
  </Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>
        </DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <X509Data>
        <X509Certificate>...</X509Certificate>
      </X509Data>
      <KeyName/>
    </KeyInfo>
  </Signature>
</Envelope>
cert.pem:
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
key.pem:
-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----
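An added pre-flight check for the condition described in the report (example code written for this page, not part of the original report and not xmlsec's own code): it fingerprints the certificate in ds:KeyInfo and in cert.pem and reports whether that same certificate also sits in the SSL_CERT_FILE bundle, using only the Python standard library. The PEM blobs inside are constructed placeholders built from arbitrary bytes, not real certificates; the function names are the example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _fingerprint(b64_body):
    """SHA-256 over the DER bytes, i.e. what 'openssl x509 -fingerprint -sha256' hashes."""
    return hashlib.sha256(base64.b64decode("".join(b64_body.split()))).hexdigest()

def pem_fingerprints(pem_text):
    """Fingerprints of every CERTIFICATE block in a PEM file or bundle, in file order."""
    return [_fingerprint(body) for body in PEM_CERT_RE.findall(pem_text)]

def signing_cert_in_trust_store(cert_pem, bundle_pem):
    """True when the first cert of cert.pem also appears in the SSL_CERT_FILE bundle."""
    signer = pem_fingerprints(cert_pem)
    if not signer:
        raise ValueError("no CERTIFICATE block found in cert.pem")
    return signer[0] in set(pem_fingerprints(bundle_pem))

def keyinfo_cert_matches(xml_text, cert_pem):
    """True when ds:KeyInfo/ds:X509Data/ds:X509Certificate carries the same cert as cert.pem."""
    node = ET.fromstring(xml_text).find(".//ds:X509Certificate", DSIG_NS)
    if node is None or not (node.text or "").strip():
        return False
    return _fingerprint(node.text) == pem_fingerprints(cert_pem)[0]

# Constructed stand-ins: base64 of arbitrary bytes, NOT real certificates. They exercise
# only the PEM framing and fingerprint comparison; a real cert.pem/bundle works the same.
def _fake_cert_pem(seed):
    body = base64.b64encode(hashlib.sha256(seed).digest() * 3).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped

SIGNER_PEM = _fake_cert_pem(b"signer")
BUNDLE_WITH_SIGNER = _fake_cert_pem(b"root-a") + SIGNER_PEM
BUNDLE_WITHOUT_SIGNER = _fake_cert_pem(b"root-a") + _fake_cert_pem(b"root-b")
TOSIGN_XML = (
    '<Envelope xmlns="urn:envelope"><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
    "<KeyInfo><X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo>"
    "</Signature></Envelope>" % PEM_CERT_RE.search(SIGNER_PEM).group(1)
)
```

Run it against the real files by reading tosign.xml, cert.pem and the file named in SSL_CERT_FILE into the three arguments; a True from signing_cert_in_trust_store reproduces the trust-store overlap the report describes.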