Hi,

This is a classical C bug : the parameter cert of the function createCertificate is passed by value instead of being passed by reference as it should be since this function modifies its content. So, in order to solve your problem, change the declaration of createCertificate as follows : void createCertificate(X509_NAME *issuerName, X509_NAME *serverName, EVP_PKEY *caKey, struct certKey* cert)

and then pass the address of the local variable clientCert in main as follows :
  createCertificate(X509_get_subject_name(caCertificate),
                    X509_get_subject_name(oldCertificate),
                    caKey,
&clientCert);

With these modifications, everything will be OK.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 1/20/2011 2:36 PM, Bret McDanel wrote:
I am trying to load an old certificate, take the subject line and make a
new certificate signed with my self signed certificate.  I am  sure that
it is something obvious that I am overlooking, but no matter what I try
I always fail when I try to check the private key of the new
certificate.

I have a "CA cert" which works with other things so I am fairly sure
that is done correctly.  I have an old certificate that I read in, and I
can read it with the CLI program so I am fairly sure that too is not
corrupted.

The new certificate is what is giving me problems.  I would appreciate
any pointers on where the problem may be.  Attached is my program, I
tried to redact it as much as possible without totally refactoring it
for fear of introducing new unrelated bugs.  It is most likely something
in "createCertificate" that I am either not doing and should or doing
and should not.


Thanks for any help,



#include<openssl/ssl.h>


struct certKey {
   EVP_PKEY *keys;
   X509 *certificate;
};


void createCertificate(X509_NAME *issuerName, X509_NAME *serverName,
                        EVP_PKEY *caKey, struct certKey cert)
{
   RSA *rsaKeyPair  = RSA_generate_key(1024, RSA_F4, NULL, NULL);
   cert.certificate = X509_new();

   X509_set_version(cert.certificate, 3);
   ASN1_INTEGER_set(X509_get_serialNumber(cert.certificate), 1234);
   X509_set_subject_name(cert.certificate, serverName);
   X509_set_issuer_name(cert.certificate, issuerName);

   cert.keys = EVP_PKEY_new();
   EVP_PKEY_assign_RSA(cert.keys, rsaKeyPair);
   X509_set_pubkey(cert.certificate, cert.keys);

   X509_gmtime_adj(X509_get_notBefore(cert.certificate), 0);
   X509_gmtime_adj(X509_get_notAfter(cert.certificate),
                   (long)60*60*24*365);

   X509_sign(cert.certificate, caKey, EVP_sha1());
}


X509* loadCertificateFromFile(const char *file)
{
   SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
   SSL_CTX_use_certificate_file(ctx,file,SSL_FILETYPE_PEM);
   return SSL_get_certificate(SSL_new(ctx));
}


EVP_PKEY* loadKeyFromFile(char *file, char *password)
{
   EVP_PKEY *privKey;
   FILE *fp;

   if (!(fp = fopen (file, "r"))) {
     printf("Error reading private key file\n");
     exit(1);
   }

   if (!(privKey = PEM_read_PrivateKey (fp, NULL, NULL, password))) {
     printf("Error reading private key in file\n");
     exit(1);
   }

   fclose (fp);
   return privKey;
}



main()
{
   X509 *caCertificate;
   EVP_PKEY *caKey;
   char *caCertFile = "cacert.pem";
   char *caKeyFile = "cakey.pem";
   char *oldCertFile = "oldcert.pem";

   X509 *oldCertificate;
   struct certKey clientCert={0};
   SSL_CTX *ctx;
   static int session_id_ctx = 1;

   SSL_library_init();
   OpenSSL_add_all_algorithms();

   caCertificate = loadCertificateFromFile(caCertFile);
   caKey = loadKeyFromFile(caKeyFile,NULL);
   oldCertificate = loadCertificateFromFile(oldCertFile);

   createCertificate(X509_get_subject_name(caCertificate),
                     X509_get_subject_name(oldCertificate),
                     caKey,
                     clientCert);

   ctx = SSL_CTX_new(SSLv23_server_method());;
   SSL_CTX_set_session_id_context(ctx,
                                  (void*)&session_id_ctx,
                                  sizeof session_id_ctx);
   SSL_CTX_use_certificate(ctx, clientCert.certificate);
   SSL_CTX_use_PrivateKey(ctx, clientCert.keys);


   if (SSL_CTX_check_private_key(ctx) == 0) {
     printf("private key is the fail\n");
   }

}



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to