It would be helpful if we could see the certificate. My guess is that either your cert is self-signed, in which case you need to treat this case in your callback, or the certificate you are trying to verify is not signed by the trust anchor that you provide. Also you must be careful which text editor you are using, because some may replace spaces with their own (e.g. CRLF, CR or LF) in the root_cert_data declaration, and that might spoil the signature.
Cheers.

----- Original Message ----
From: .:: Francesco la Torre ::. <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Friday, August 1, 2008 8:02:44 PM
Subject: Re: Verify x509 certificate

Any help from someone ? :-)

Flt

On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote:
> Dear all,
> I'm new to the openssl api and I'm trying to write a simple application to
> verify an x509 certificate but I'm facing a strange problem.
>
> Here is a snapshot of my code to replicate my scenario:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <openssl/pem.h>
> #include <openssl/err.h>
> #include <openssl/sha.h>
> #include <openssl/ssl.h>
>
> const char root_cert_data[] =
> "-----BEGIN CERTIFICATE-----\n\
> MIIDQjCCAqugAwIBAg ... Rinw==\n\
> -----END CERTIFICATE-----\n";
>
> int main(int argc, char **argv){
>
>     FILE *fp;
>     X509 *root_cert;
>     X509_STORE *CAcerts;
>     X509 *cert;
>     X509_STORE_CTX *ca_ctx;   /* from X509_STORE_CTX_new(): the struct is opaque in newer OpenSSL */
>     const char *strerr;
>     BIO *bio;
>     STACK_OF(X509) *trusted_chain;
>
>     trusted_chain = sk_X509_new_null();
>
>     if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
>         printf("BIO_new_mem_buf\n");
>         exit(1);
>     }
>     BIO_set_close(bio, BIO_NOCLOSE);
>     if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
>         printf("PEM_read_bio_X509 (root)\n");
>         ERR_print_errors_fp(stdout);
>         exit(1);
>     }
>     BIO_free(bio);
>
>     sk_X509_push(trusted_chain, root_cert);
>     /* load CA cert store */
>     if (!(CAcerts = X509_STORE_new())) {
>         printf ("\nError1\n");
>         exit(1);   /* each failure below used to fall through and dereference NULL */
>     }
>
>     if (X509_STORE_load_locations(CAcerts,
>         "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
>         printf ("\nError2\n");
>         exit(1);
>     }
>     if (X509_STORE_set_default_paths(CAcerts) != 1) {
>         printf ("\nError3\n");
>         exit(1);
>     }
>
>     /* load X509 certificate */
>     if (!(fp = fopen ("cert.pem", "r"))){
>         printf ("\nError4\n");
>         exit(1);
>     }
>     if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
>         printf ("\nError5\n");
>         exit(1);
>     }
>     fclose(fp);
>
>     /* verify: the 4th argument of X509_STORE_CTX_init is the chain of
>      * UNTRUSTED intermediates, so the root does not belong there */
>     if (!(ca_ctx = X509_STORE_CTX_new())
>         || X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL) != 1) {
>         printf ("\nError6\n");
>         exit(1);
>     }
>     /* X509_STORE_CTX_trusted_stack makes this stack the trust anchors for
>      * this verification; the store's lookups (calist.pem) are not consulted */
>     X509_STORE_CTX_trusted_stack(ca_ctx, trusted_chain);
>
>     if (X509_verify_cert(ca_ctx) != 1) {
>         strerr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ca_ctx));
>         printf("Verification error: %s\n", strerr);
>     }
>
>     X509_STORE_CTX_free(ca_ctx);
>     X509_STORE_free(CAcerts);
>     X509_free(cert);
>     sk_X509_pop_free(trusted_chain, X509_free);
>
>     return 0;
> }
>
> obviously root_cert_data[] and cert.pem have to be replaced with your
> certs.
> Compiled as
>
> gcc -Wall x509.c -o x509 -lssl -lcrypto
>
> after execution I receive this error:
>
> Verification error: certificate signature failure
>
> Even if I try to verify my certificate by means of the command line tool
>
> openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
>
> the output is:
>
> cert.pem: OK
>
> Does anybody know where the problem is?
>
> Thanks in advance,
> Francesco la Torre
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]