I tried to track down the problem, but it still seems that, when it comes to certificate verification, what works on a standard Linux desktop PC fails on the OpenWRT. I wrote a short program that validates certificates, which I'll append to this mail. If someone has some MIPSEL platform available, please verify my results, since I really need to know if this error is caused by a programming mistake on my side, by some bug in OpenSSL or simply by a lack of understanding. I used OpenWRT's SDK for cross compilation (the whiterussian one, because the Kamikaze version doesn't include OpenSSL). The problem still existing is that it seems to work on both platforms, but on the MIPSEL it's not validating (valid) certificates, while it does on Linux.
Thanks in advance
Till
--- BEGIN CERTTEST.C ---
/*
 * verifies a certificate (PEM format) using a CA's certificate
 *
 * compile: gcc certtest.c -o certtest -lssl -lcrypto
 *
 * place the resulting executable into the same directory as the
 * certificate files:
 * - certificate: client.pem
 * - CA file: cacert.pem
 *
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strerror */
#include <errno.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
#include <openssl/err.h>

char *cert_file, *ca_file;
FILE *cert_fp;
X509 *x509;                 /* the certificate under test */
X509_STORE_CTX *x509_ctx;   /* per-verification context */
X509_STORE *x509_store;     /* trust store holding the CA */
X509_LOOKUP *x509_lookup;

int main(void)
{
    cert_file = "client.pem";
    ca_file = "cacert.pem";
    SSL_library_init();
    ERR_load_crypto_strings();

    // open certificate file
    if (!(cert_fp = fopen(cert_file, "r"))) {
        printf("ERR: Error opening certificate file: %s. Exiting.\n",
               strerror(errno));
        exit(2);
    } else {
        printf("Certificate file opened.\n");
    }

    // read certificate
    if (!(x509 = PEM_read_X509(cert_fp, NULL, NULL, NULL))) {
        printf("ERR: Error reading certificate from file: %s\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("Certificate read.\n");
    }
    fclose(cert_fp);

    // create the certificate storing object
    if (!(x509_store = X509_STORE_new())) {
        printf("ERR: Error creating X509_STORE object: %s. Exiting.\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("Certificate storing object created.\n");
    }

    // add CA attributes to X509_STORE object
    if (X509_STORE_load_locations(x509_store, ca_file, NULL) != 1) {
        printf("ERR: Error loading CA file: %s. Exiting.\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("CA certificate added to storing object.\n");
    }

    if (!(x509_lookup = X509_STORE_add_lookup(x509_store,
                                              X509_LOOKUP_file()))) {
        printf("ERR: Error creating X509 lookup object: %s. Exiting.\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("X509 lookup object created.\n");
    }

    // create and initialize X509 verification context
    if (!(x509_ctx = X509_STORE_CTX_new())) {
        printf("ERR: Error creating X509 verification context: %s. Exiting.\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("X509 verification context object created.\n");
    }

    if (X509_STORE_CTX_init(x509_ctx, x509_store, x509, NULL) != 1) {
        printf("ERR: Error initializing X509 verification context: %s. Exiting.\n",
               ERR_error_string(ERR_get_error(), NULL));
        exit(2);
    } else {
        printf("X509 verification context object initialized.\n");
    }

    // verify certificate
    if (X509_verify_cert(x509_ctx) != 1) {
        // print the X509_V_* reason and chain depth so a failure can be diagnosed
        printf("Error: Certificate invalid: %s (depth %d)\n",
               X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)),
               X509_STORE_CTX_get_error_depth(x509_ctx));
        exit(1);
    } else {
        printf("Certificate checked and validated!\n");
        exit(0);
    }
}
--- END CERTTEST.C ---
On 26.05.2008 at 15:40, Lutz Jaenicke wrote:
Till Elsner wrote:
On 26.05.2008 at 13:13, Lutz Jaenicke wrote:
Till Elsner wrote:
Ok, after verifying what platform I'm actually compiling for, it's
definitely little-endian (Linksys WRT54G running on Broadcom
BCM4712).
So what else could be the problem here?
On 24.05.2008 at 22:23, Lutz Jänicke wrote:
I am not aware of any specific problems of OpenSSL on MIPS
platforms.
As long as OpenSSL is configured correctly (big or little endian)
everything should work just out of the box.
As I already wrote: I am not aware of any specific problems on MIPS. Having said this, your problem report does not really help much in tracking down the problem. It reads: Hey, it fails, what might be wrong?
Without any more details we cannot help you. What exactly happens? Does your application crash?
When verifying certificates, against which CAs? Is your filesystem layout containing the CA certificates the same?
Ok, I see this was really not very detailed and not very helpful for finding a solution. So what happens is the following:
I have a self-signed certificate used as CA and some certificates signed by this CA. Checking the signature with OpenSSL on the command line verifies the certificates correctly. Now in the software I've built, the certificates get verified against my CA using X509_verify_cert (which should work quite similarly to what OpenSSL does on the command line, I think). Now when I run the program on standard Linux desktop machines (tried on Debian distros), everything works fine; the certificates get verified just like they should. But when I compile the program for a router and run it there, it also starts, but the verification of the certificates fails. No crashes, no error messages saying something is wrong with OpenSSL, just the failing verification. The router is a Linksys WRT54G running OpenWRT 7.09.
If your application is using X509_verify_cert(), it uses an X509_STORE_CTX that must be initialized with the certificates to verify against and can be initialized with a verification callback function that is fed with the error codes and finally decides whether a certificate is accepted or not.
Unfortunately there is no manual page for X509_verify_cert(), but it is the same function that is used internally for SSL certificate verification, and the behaviour and the callback function are described in the SSL_CTX_set_verify() manpage.
A good source of information might be ssl/ssl_cert.c:ssl_verify_cert_chain()
Best regards,
Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]