I'm trying to programmatically verify that a certificate from a sub-CA is signed by a specific root CA. I get an error of 7 (X509_V_ERR_CERT_SIGNATURE_FAILURE) from X509_verify_cert. If I verify with the openssl command line tool using 'openssl verify -CAfile root.pem cert.pem', it returns OK. Here's what I'm doing to verify the certifcate in code:
1. Call certStore = X509_STORE_new(). 2. Convert DER-encoded root certificate to an X509 object using d2i_X509. Returns a valid X509 pointer. 3. Call X509_STORE_add_cert to add root X509 object to X509_STORE. Returns 1 (success). 4. Call storeContext = X509_STORE_CTX_new(). 5. Convert DER-encoded sub-CA cert to an X509 object using d2i_X509. Returns a valid X509 pointer. 6. Call X509_STORE_CTX_init( storeContext, certStore, cert, NULL ). Returns 1 (success). 7. Call X509_verify_cert( storeContext ). Returns 0 (failed). X509_STORE_CTX_get_error() returns 7. Is there something I'm missing? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
