Hi Nicholas,

Could not calling OpenSSL_add_all_algorithms(); at the beginning cause it?

Cheers,
Frank

Nicholas Mainardi <mailto:mainardinicho...@gmail.com>
Monday, February 01, 2016 8:57 PM
I wrote this small program which takes as input X509 certificates, base64-encoded, parses them and builds a certificate chain, which is eventually verified by X509_verify_cert(). The last certificate is added to the trusted store if it is self-signed, in order to avoid the OpenSSL policy about self-signed certificates, as recommended in this post <https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The code is at this pastebin link <http://pastebin.com/2N2DSxbe>.

However, when I run this with a correct certificate chain (the Facebook one, already tested with other libraries), I get error 7 (certificate signature validation) at depth 1. The certificate chain is composed of the server certificate, the CA certificate and a self-signed root certificate, which is also in the trusted system store. Hence, it seems that the public key of the self-signed root certificate is not correctly used to verify the signature on the CA certificate. Moreover, I compiled the same source linking the BoringSSL crypto library instead of the OpenSSL one, and everything works perfectly. Hence, my hypothesis is that this is an OpenSSL issue found by Google and fixed in BoringSSL, but not yet fixed in OpenSSL. So, I would like to know whether I am missing some steps in order to properly use the X509_verify_cert() method, or whether my hypothesis about the BoringSSL fix could be appropriate.

Thank You,

Nicholas

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users