Then what is the right API to do signature verification?

thanks,
-wenwu

On 11/2/06, Olaf Gellert <[EMAIL PROTECTED]> wrote:

Krishna Prasad wrote:
> You can check for the Authority Key Identifier and in that the certificate
> serial number of the issuer.

No, that's not enough. Authority Key Identifier is only to FIND the issuer certificate. After you found one or more certificates matching the Authority Key Identifier, you still have to check the validity of the signature!

And: Authority Key Identifier comes in more than one flavour. It might contain the DN of the issuer's issuer and the serial number (so if you have a root CA, an intermediate CA and a client certificate, in the client certificate's Authority Key Identifier you would find the DN of the root and the serial number of the intermediate CA's certificate). Or you might simply find a hash value identifying the key of the issuing CA.

Olaf

> On 11/2/06, Bin Lu <[EMAIL PROTECTED]> wrote:
>>
>> Hi there,
>>
>> I have 2 certificates in X509 and I want to verify if one cert is the
>> issuer of the other, not using the (issuer)name comparison. What is
>> the API I should use to verify the signature? I tried the following
>> but it doesn't work:
>>
>> X509 *cert, *issuer;
>> ....
>> int result = X509_verify(cert, X509_get_pubkey(issuer));
>>
>> It always returns -1 even when "cert" is issued by "issuer".
>>
>> Appreciate any input.
>>
>> -wenwu
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           [EMAIL PROTECTED]
>>
>

--
Dipl.Inform. Olaf Gellert          INTRUSION-LAB.NET
Senior Researcher,                 www.intrusion-lab.net
PKI - and IDS - Services           [EMAIL PROTECTED]