Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

Sat, 23 Dec 2017 10:12:47 -0800 


> On Dec 21, 2017, at 6:42 AM, Manuel Wagesreither <man...@fastmail.fm> wrote:
> 
> 
> #include <openssl/x509.h>
> #include <stdexcept>
> #include <iostream>
> 
> unsigned char g_authority[] = {       0x30, 0x82, 0x03, 0x00 /* and so on */ 
> };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };

Eliding the certificate data makes it very difficult to provide
meaningful feedback.

> 
> int main(int, char**)
> {
>       // This holds the return codes and gets reused for most function calls
>       int rc = 0;
> 
>       // Make a new store
>       X509_STORE *x509_store = X509_STORE_new();
>       if (x509_store == NULL) {
>               throw std::runtime_error("X509_STORE_new() failed");
>       }
> 
>       // Load and convert the authoritys certificate to a compatible form
>       X509 *auth_cert = NULL;
>       {
>               const unsigned char* auth_cert_ptr = g_authority;
>               auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
>               if (auth_cert == nullptr) {
>                       throw std::runtime_error("d2i_X509() failed for 
> authoritys certificate");
>               }
>       }
> 
>       // Add the authoritys certificate to the store
>       rc = X509_STORE_add_cert(x509_store, auth_cert);
>       if (rc != 1) {
>               throw std::runtime_error("X509_STORE_add_cert() failed");
>       }
> 
>       // Make a new store context
>       X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
>       if (x509_store_ctx == NULL) {
>               throw std::runtime_error("X509_STORE_CTX_new() failed");
>       }
> 
>       // Load and convert the certificate to be verified to a compatible form
>       X509 *myself = NULL;
>       {
>               const unsigned char *my_cert_ptr = g_cert;
>               myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
>               if (myself == NULL) {
>                       throw std::runtime_error("d2i_X509() failed for own 
> certificate");
>               }
>       }
> 
>       rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
>       if (rc != 1) {
>               throw std::runtime_error("X509_STORE_CTX_init() failed");
>       }
> 
>       rc = X509_verify_cert(x509_store_ctx);
> 
>       X509_STORE_free(x509_store);
>       X509_STORE_CTX_free(x509_store_ctx);

You're freeing x509_store_ctx too early, it is used below for error
reporting.

> 
>       if (rc > 0) {
>               std::cout << 
> X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << 
> std::endl;
>               return 0;
>       } else {
>               std::cerr << 
> X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << 
> std::endl;
>               std::cerr << "Error depth: " << 
> X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
>               return 1;
>       }
> }

Please re-post the source code with the *complete* certificate
data.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to