Hi, I need to prepare some code to verify a Globus proxy certificate for my teaching, but I ran into some problems when I tried to write the C code with OpenSSL.
The code I implemented to verify the Globus proxy certificate is listed below, but it does not work well.

--------------------------------------- codes -----------------------------------------------
#include <stdio.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/safestack.h>

/* SSL_ERROR / SSL_SUCCESS are the status codes from the myproxy headers this
 * was adapted from; defined here (assumed values) only so the snippet
 * compiles on its own. */
#ifndef SSL_SUCCESS
#define SSL_SUCCESS 1
#define SSL_ERROR   0
#endif

struct _my_credentials {
    X509           *certificate;         /* proxy certificate */
    EVP_PKEY       *private_key;
    STACK_OF(X509) *certificate_chain;   /* certificate chain: the issuer certificates */
};
typedef struct _my_credentials SSL_CREDENTIALS;
----------------------------------------------------------------------------------------------------------

The above struct is used to hold a Globus proxy certificate. Simply put, I inherited it from a similar one in myproxy and loaded the proxy information through myproxy's interfaces. But I want to rewrite a simple function to verify the proxy so that it is easily understood by my students. The code for verifying the proxy is as follows:

----------------------------------------- codes ---------------------------------------------
int my_verifycert(SSL_CREDENTIALS *creds, char *CAfile)
{
    int ret, i, j;
    int ctx_initialized = 0;
    X509 *x1 = NULL;                 /* the proxy certificate to verify */
    X509 *cert = NULL;
    X509_STORE *store = NULL;
    X509_STORE_CTX ctx;
    X509_LOOKUP *lookup = NULL;
    STACK_OF(X509) *tchain = NULL;
    char *certdir = "./";

    ret = SSL_ERROR;
    OpenSSL_add_all_algorithms();

    /* hold the proxy certificate */
    x1 = creds->certificate;

    /* process certificate chain: copy the chain certs into tchain */
    if ((tchain = sk_X509_new_null()) == NULL) {
        printf("%s: sk_X509_new_null() fail\n", __FUNCTION__);
        goto err;
    }
    if (creds->certificate_chain != NULL) {
        for (i = 0; i < sk_X509_num(creds->certificate_chain); i++) {
            cert = sk_X509_value(creds->certificate_chain, i);
            j = sk_X509_push(tchain, cert);
            if (!j) {
                printf("%s: sk_X509_push() fail\n", __FUNCTION__);
                goto err;
            }
        }
    }

    /* trust store: the CA file plus a hashed certificate directory */
    if ((store = X509_STORE_new()) == NULL)
        goto err;
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    if (lookup == NULL)
        goto err;
    if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
        goto err;
    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
    if (lookup == NULL)
        goto err;
    if (!X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_DEFAULT))
        goto err;

    /* X509_STORE_CTX_set_flags(&ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); */
    if (!X509_STORE_CTX_init(&ctx, store, x1, NULL))   /* verify x1, the proxy certificate */
        goto err;
    ctx_initialized = 1;
    /* use tchain as the set of trusted certificates for this verification */
    if (tchain)
        X509_STORE_CTX_trusted_stack(&ctx, tchain);

    ret = X509_verify_cert(&ctx);
    if (ret != 1) {
        int verr = X509_STORE_CTX_get_error(&ctx);
        printf("return code %d - %s\n", verr, X509_verify_cert_error_string(verr));
        ret = SSL_ERROR;
        goto err;
    }
    ret = SSL_SUCCESS;

err:
    if (ctx_initialized)
        X509_STORE_CTX_cleanup(&ctx);
    if (store)
        X509_STORE_free(store);
    if (tchain)
        sk_X509_free(tchain);        /* the X509 objects are still owned by creds */
    return ret;
}
--------------------------------------------------------------------------------------------------------

But when I test the code, it throws an error message:

return code 2 - unable to get issuer certificate

In Globus, the issuer certificate is stored in the proxy's certificate chain; I checked the chain and found that the issuer's certificate had been put in tchain. I don't know why it throws this message and returns a failure. Could anybody give me some advice?

Thanks in advance.

Best Regards,
Ian

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
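An added example (editor's addition, not code from the post or from Globus/myproxy) that reproduces the situation above with the openssl command line and shows the working alternative. The verify(1) options used here correspond to the C calls in the post: -trusted installs a trusted stack exactly as X509_STORE_CTX_trusted_stack does, -untrusted is the untrusted chain argument of X509_STORE_CTX_init, and -allow_proxy_certs sets X509_V_FLAG_ALLOW_PROXY_CERTS, the flag commented out in the post. A trusted stack replaces the store lookup, so the CA loaded into the store is never consulted; an end-entity certificate (EEC) in that stack is not self-signed and cannot anchor the chain, which is what "unable to get issuer certificate" reports. The CA, EEC and proxy built here are generated on the fly; the file names, subject names and the "AB" proxy policy are invented for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): build a CA -> EEC -> proxy
# chain with the openssl command line and verify the proxy three ways.
# verify(1) options correspond to the C calls in the post:
#   -trusted            X509_STORE_CTX_trusted_stack (the post's approach)
#   -untrusted          the untrusted chain argument of X509_STORE_CTX_init
#   -allow_proxy_certs  X509_V_FLAG_ALLOW_PROXY_CERTS (commented out in the post)
# File names, subjects and the "AB" proxy policy are invented for the demo.

# Minimal req(1) config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_eec ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
[ v3_proxy ]
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
EOF
}

# ca.pem signs eec.pem (the user's end-entity cert); eec.pem's own key signs
# proxy.pem, whose subject is the EEC subject plus one extra CN as RFC 3820
# requires.  Returns non-zero if any step fails.
build_proxy_chain() {
    write_config "$1" &&
    openssl req -x509 -config "$1/req.cnf" -extensions v3_ca -days 1 \
        -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/O=Example Grid/CN=Example CA" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/eec.key" -out "$1/eec.csr" \
        -subj "/O=Example Grid/CN=Ian" 2>/dev/null &&
    openssl x509 -req -in "$1/eec.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -extfile "$1/req.cnf" -extensions v3_eec \
        -out "$1/eec.pem" 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" \
        -subj "/O=Example Grid/CN=Ian/CN=proxy" 2>/dev/null &&
    openssl x509 -req -in "$1/proxy.csr" -CA "$1/eec.pem" -CAkey "$1/eec.key" \
        -set_serial 3 -days 1 -extfile "$1/req.cnf" -extensions v3_proxy \
        -out "$1/proxy.pem" 2>/dev/null
}

# The post's approach: the issuer (EEC) is installed as the *trusted* stack.
# The trusted stack replaces the store lookup, so no CA is ever consulted;
# the EEC is not self-signed, so chain building stops at depth 1 with
# error 2, "unable to get issuer certificate".  Exit status: non-zero.
verify_with_trusted_stack() {
    openssl verify -allow_proxy_certs -trusted "$1/eec.pem" "$1/proxy.pem" 2>&1
}

# Correct chain material but no -allow_proxy_certs: the chain builds, then
# the proxy certificate is rejected (X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED).
verify_without_proxy_flag() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/eec.pem" "$1/proxy.pem" 2>&1
}

# The fix: CA in the trust store, EEC passed as untrusted chain material,
# proxy certificates explicitly allowed.  Exit status 0, prints "...proxy.pem: OK".
verify_with_untrusted_chain() {
    openssl verify -allow_proxy_certs -CAfile "$1/ca.pem" -untrusted "$1/eec.pem" "$1/proxy.pem" 2>&1
}

# Run all three against a freshly built chain in a temporary directory.
demo_proxy_verify() {
    d=$(mktemp -d) || return 1
    build_proxy_chain "$d" || { echo "chain build failed" >&2; rm -rf "$d"; return 1; }
    echo "== trusted stack (as in the post) =="; verify_with_trusted_stack "$d"
    echo "== untrusted chain, no -allow_proxy_certs =="; verify_without_proxy_flag "$d"
    echo "== untrusted chain + -allow_proxy_certs =="; verify_with_untrusted_chain "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_proxy_verify
```

In C the same change is: pass tchain as the fourth argument of X509_STORE_CTX_init instead of calling X509_STORE_CTX_trusted_stack, keep only real CA certificates in the X509_STORE, and set X509_V_FLAG_ALLOW_PROXY_CERTS on the context (after it has been initialised) or on the store's verify parameters.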