Hi, I'm a newbie user of OpenSSL.
I want to create a simple C program that verifies a certificate chain like
this:
rootCA->CA-A->client
I found this example on the internet that should work for two consecutive
certificates (but it doesn't work for me); I don't know how to create the
chain...
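[code]
#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/x509_vfy.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

/* Note: a stack-allocated X509_STORE_CTX and direct access to csc.error
 * only compile against OpenSSL releases before 1.1.0. */
int main(int argc, char **argv)
{
    FILE *fp;
    X509 *cert;
    X509_STORE *ctx = NULL;
    X509_STORE_CTX csc;
    const char *strerr;

    /* Load the certificate to be verified (CA-A). */
    fp = fopen("ca-a-cert.pem", "r");
    if (fp == NULL) {
        perror("ca-a-cert.pem");
        return 1;
    }
    cert = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);

    /* Build the trust store from the root CA file and the default paths. */
    ctx = X509_STORE_new();
    X509_STORE_load_locations(ctx, "cacert.pem", "./");
    X509_STORE_set_default_paths(ctx);

    /* Verify cert against the store; no untrusted intermediates are passed. */
    X509_STORE_CTX_init(&csc, ctx, cert, NULL);
    if (X509_verify_cert(&csc) != 1) {
        strerr = X509_verify_cert_error_string(csc.error);
        printf("Verification error: %s\n", strerr);
        return 1;
    }
    X509_STORE_CTX_cleanup(&csc);
    return 0;
}
[/code]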
The output is: Verification error: certificate signature failure
"cacert.pem" is the certificate of the rootCA, whereas "ca-a-cert.pem" is
the CA-A cert.
The certificates are good because I verified them with the bash command:
openssl verify -CAfile cacert.pem ca-a-cert.pem
with output:
ca-a-cert.pem: OK
Any suggestions?
P.S. Sorry for my bad English :)
--
View this message in context:
http://old.nabble.com/verify-certificate-in-c-tp29043989p29043989.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]