Hi,
This is a classical C bug : the parameter cert of the function createCertificate is passed by value instead of being passed by reference as it should be since this function modifies its content. So, in order to solve your problem, change the declaration of createCertificate as follows : void createCertificate(X509_NAME *issuerName, X509_NAME *serverName, EVP_PKEY *caKey, struct certKey* cert)
and then pass the address of the local variable clientCert in main as follows :
createCertificate(X509_get_subject_name(caCertificate), X509_get_subject_name(oldCertificate), caKey, &clientCert); With these modifications, everything will be OK. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 1/20/2011 2:36 PM, Bret McDanel wrote:
I am trying to load an old certificate, take the subject line and make a new certificate signed with my self signed certificate. I am sure that it is something obvious that I am overlooking, but no matter what I try I always fail when I try to check the private key of the new certificate. I have a "CA cert" which works with other things so I am fairly sure that is done correctly. I have an old certificate that I read in, and I can read it with the CLI program so I am fairly sure that too is not corrupted. The new certificate is what is giving me problems. I would appreciate any pointers on where the problem may be. Attached is my program, I tried to redact it as much as possible without totally refactoring it for fear of introducing new unrelated bugs. It is most likely something in "createCertificate" that I am either not doing and should or doing and should not. Thanks for any help, #include<openssl/ssl.h> struct certKey { EVP_PKEY *keys; X509 *certificate; }; void createCertificate(X509_NAME *issuerName, X509_NAME *serverName, EVP_PKEY *caKey, struct certKey cert) { RSA *rsaKeyPair = RSA_generate_key(1024, RSA_F4, NULL, NULL); cert.certificate = X509_new(); X509_set_version(cert.certificate, 3); ASN1_INTEGER_set(X509_get_serialNumber(cert.certificate), 1234); X509_set_subject_name(cert.certificate, serverName); X509_set_issuer_name(cert.certificate, issuerName); cert.keys = EVP_PKEY_new(); EVP_PKEY_assign_RSA(cert.keys, rsaKeyPair); X509_set_pubkey(cert.certificate, cert.keys); X509_gmtime_adj(X509_get_notBefore(cert.certificate), 0); X509_gmtime_adj(X509_get_notAfter(cert.certificate), (long)60*60*24*365); X509_sign(cert.certificate, caKey, EVP_sha1()); } X509* loadCertificateFromFile(const char *file) { SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method()); SSL_CTX_use_certificate_file(ctx,file,SSL_FILETYPE_PEM); return SSL_get_certificate(SSL_new(ctx)); } EVP_PKEY* loadKeyFromFile(char *file, char *password) { EVP_PKEY *privKey; FILE *fp; if (!(fp = fopen (file, "r"))) { printf("Error reading private key file\n"); exit(1); } if (!(privKey = PEM_read_PrivateKey (fp, NULL, NULL, password))) { printf("Error reading private key in file\n"); exit(1); } fclose (fp); return privKey; } main() { X509 *caCertificate; EVP_PKEY *caKey; char *caCertFile = "cacert.pem"; char *caKeyFile = "cakey.pem"; char *oldCertFile = "oldcert.pem"; X509 *oldCertificate; struct certKey clientCert={0}; SSL_CTX *ctx; static int session_id_ctx = 1; SSL_library_init(); OpenSSL_add_all_algorithms(); caCertificate = loadCertificateFromFile(caCertFile); caKey = loadKeyFromFile(caKeyFile,NULL); oldCertificate = loadCertificateFromFile(oldCertFile); createCertificate(X509_get_subject_name(caCertificate), X509_get_subject_name(oldCertificate), caKey, clientCert); ctx = SSL_CTX_new(SSLv23_server_method());; SSL_CTX_set_session_id_context(ctx, (void*)&session_id_ctx, sizeof session_id_ctx); SSL_CTX_use_certificate(ctx, clientCert.certificate); SSL_CTX_use_PrivateKey(ctx, clientCert.keys); if (SSL_CTX_check_private_key(ctx) == 0) { printf("private key is the fail\n"); } }
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org