Verify x509 certificate

Fri, 01 Aug 2008 02:12:26 -0700 

Dear all,
I'm new in openssl api and I'm trying to write e simple application to
verify an x509 certificate but I'm facing with some strange problem.

Here there is a snapshot of my code to use to replicate my scenario :

#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>

const char root_cert_data[] =
"-----BEGIN CERTIFICATE-----\n\
MIIDQjCCAqugAwIBAg ... Rinw==\n\
-----END CERTIFICATE-----\n";

int main(int argc, char **argv){

    FILE *fp;
    X509 *root_cert;

    X509_STORE *CAcerts;
    X509 * cert;

    X509_STORE_CTX ca_ctx;
    char *strerr;
    BIO *bio;

    STACK_OF(X509) *trusted_chain;

    trusted_chain = sk_X509_new_null();

    if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
        printf("BIO_new_mem_buf\n");
        exit(1);
    }
    BIO_set_close(bio, BIO_NOCLOSE);
    if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
        printf("PEM_read_bio_X509 (root)\n");
        ERR_print_errors_fp(stdout);
        exit(1);
    }

   sk_X509_push(trusted_chain, root_cert);
    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
        printf ("\nError1\n");
    }

    if (X509_STORE_load_locations(CAcerts,
"/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
        printf ("\nError2\n");
    }
    if (X509_STORE_set_default_paths(CAcerts) != 1) {
        printf ("\nError3\n");
    }

    /* load X509 certificate */
    if (!(fp = fopen ("cert.pem", "r"))){
        printf ("\nError4\n");
    }
    if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
        printf ("\nError5\n");
    }

    /* verify */
    if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
{
        printf ("\nError6\n");
    }

    X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);

    if (X509_verify_cert(&ca_ctx) != 1) {
        strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
        printf("Verification error: %s", strerr);
    }

    X509_STORE_free(CAcerts);
    X509_free(cert);

    return 0;
}

obviously root_cert_data[] and cert.pem have to be replaced with your
certs.
Compilated as

 gcc -Wall x509.c -o x509 -lssl -lcrypto

after execution I receive this error :

Verification error: certificate signature failure

Even if I try to verify my certificate by mean command line tool

openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

The output is :

cert.pem: OK

Does anybody know where is the problem ?

Thanks in advance,
Francesco la Torre
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to