On Tue, Feb 09, 2010, skillz...@gmail.com wrote: > I'm trying to programmatically verify that a certificate from a sub-CA > is signed by a specific root CA. I get an error of 7 > (X509_V_ERR_CERT_SIGNATURE_FAILURE) from X509_verify_cert. If I verify > with the openssl command line tool using 'openssl verify -CAfile > root.pem cert.pem', it returns OK. Here's what I'm doing to verify the > certifcate in code: > > 1. Call certStore = X509_STORE_new(). > 2. Convert DER-encoded root certificate to an X509 object using > d2i_X509. Returns a valid X509 pointer. > 3. Call X509_STORE_add_cert to add root X509 object to X509_STORE. > Returns 1 (success). > 4. Call storeContext = X509_STORE_CTX_new(). > 5. Convert DER-encoded sub-CA cert to an X509 object using d2i_X509. > Returns a valid X509 pointer. > 6. Call X509_STORE_CTX_init( storeContext, certStore, cert, NULL ). > Returns 1 (success). > 7. Call X509_verify_cert( storeContext ). Returns 0 (failed). > X509_STORE_CTX_get_error() returns 7. > > Is there something I'm missing?
OpenSSL_add_all_algorithms(), see the FAQ. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
