Dear all, I'm new in openssl api and I'm trying to write e simple application to verify an x509 certificate but I'm facing with some strange problem.
Here there is a snapshot of my code to use to replicate my scenario : #include<stdio.h> #include<stdlib.h> #include<string.h> #include <openssl/pem.h> #include <openssl/err.h> #include <openssl/sha.h> #include <openssl/ssl.h> const char root_cert_data[] = "-----BEGIN CERTIFICATE-----\n\ MIIDQjCCAqugAwIBAg ... Rinw==\n\ -----END CERTIFICATE-----\n"; int main(int argc, char **argv){ FILE *fp; X509 *root_cert; X509_STORE *CAcerts; X509 * cert; X509_STORE_CTX ca_ctx; char *strerr; BIO *bio; STACK_OF(X509) *trusted_chain; trusted_chain = sk_X509_new_null(); if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) { printf("BIO_new_mem_buf\n"); exit(1); } BIO_set_close(bio, BIO_NOCLOSE); if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) { printf("PEM_read_bio_X509 (root)\n"); ERR_print_errors_fp(stdout); exit(1); } sk_X509_push(trusted_chain, root_cert); /* load CA cert store */ if (!(CAcerts = X509_STORE_new())) { printf ("\nError1\n"); } if (X509_STORE_load_locations(CAcerts, "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) { printf ("\nError2\n"); } if (X509_STORE_set_default_paths(CAcerts) != 1) { printf ("\nError3\n"); } /* load X509 certificate */ if (!(fp = fopen ("cert.pem", "r"))){ printf ("\nError4\n"); } if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){ printf ("\nError5\n"); } /* verify */ if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1) { printf ("\nError6\n"); } X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain); if (X509_verify_cert(&ca_ctx) != 1) { strerr = (char *) X509_verify_cert_error_string(ca_ctx.error); printf("Verification error: %s", strerr); } X509_STORE_free(CAcerts); X509_free(cert); return 0; } obviously root_cert_data[] and cert.pem have to be replaced with your certs. Compilated as gcc -Wall x509.c -o x509 -lssl -lcrypto after execution I receive this error : Verification error: certificate signature failure Even if I try to verify my certificate by mean command line tool openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem The output is : cert.pem: OK Does anybody know where is the problem ? Thanks in advance, Francesco la Torre ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]