Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
> > Hence, if at all, verification requirements must have been lowered in the > > new OpenSSL version. > > No, it is also the case that the new version now more correctly accepts > some chains as valid that because of bugs, the old version did not. Understood! My reply was related to message only, as I was afraid he might have mistook the problem description. Hence, I wanted to clarify this. I have taken your advice to upgrade to OpenSSL 1.1.0 seriously and did accordingly. We are now using OpenSSL 1.1.0g and everything seems to be doing fine so far. This matter can thus be regarded as solved. Thanks to everyone who contributed! Best regards, Manuel -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
> Hence, if at all, verification requirements must have been lowered in the new > OpenSSL version. No, it is also the case that the new version now more correctly accepts some chains as valid that because of bugs, the old version did not. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Am Fr, 22. Dez 2017, um 20:31, schrieb Sands, Daniel: > On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote: > > Unfortunately this didn't work either. The end result is the same; > > OpenSSL still emits a "certificate signature failure" with an error > > depth of 0. > > > In light of what Salz said about verification, could we assume that the > openssl verify program that succeeded is based on the older library? Thanks for your feedback! Actually it's the other way round. Validation succeeds with the *new* library (libssl.so.1.1), and fails with the *old* one (libssl.so.1.0.0). This is true with the openssl verify program as well: `openssl verify` succeeds for OpenSSL 1.1.0f, and fails for OpenSSL 1.0.1g. Hence, if at all, verification requirements must have been lowered in the new OpenSSL version. I'm just about to look for a list of criterias a certificate has to pass in order to validate successfully in the two OpenSSL versions. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote: > Unfortunately this didn't work either. The end result is the same; > OpenSSL still emits a "certificate signature failure" with an error > depth of 0. > In light of what Salz said about verification, could we assume that the openssl verify program that succeeded is based on the older library? It could be that your CA cert is missing an extension that OSSL now checks for, such as (spitballing here) that the certificate is valid for certificate signing. You could check by substituting other certificates in your program to see if the code itself works, and also closely examine your own certificates to make sure all the requirements are met. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Yes, the certificate validation was fixed, and improved, in 1.1.0. You should not use 1.0.1 if you can at all avoid it. It has many bugs, probably security issues, and missing features. Like, for example, cert validation. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Dear all, I just found out that this problem only occurs when I'm linking the executable against libssl 1.0.1k. When linking against libssl 1.1.0f, the certificate does get validated fine. Does anyone know possible reasons? Do these libssl versions differ in regard to certificate validation? I would like my code to work with libssl 1.0.1k preferably. Regards, Manuel -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Hi,
On 22/12/17 11:14, Manuel Wagesreither wrote:
Unfortunately this didn't work either. The end result is the same; OpenSSL still emits a
"certificate signature failure" with an error depth of 0.
here's a stripped down version of my 'grid-proxy-verify.c' that verifies
a certificate loaded from memory. My cert is included in the file. The
CA used to verify the certificate is loaded from a directory, but the
principle for reading a CA file from memory is the same:
char CAdata[] = "";
if ( !(CA_bio = BIO_new_mem_buf(CAdata, -1) ) ) return ERR_get_error();
etc.
This code is a bit overkill - it will verify a stack of certificates,
not just a single one, but I am sure you can rework it just to verify a
single cert ;)
HTH,
JJK
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define L_ERROR 0 /* errors */
#define L_WARN 1 /* all unusual */
#define L_INFO 2 /* all status changes etc. */
#define L_DEBUG 3 /* all, including trace */
intlog_level = 1;
void Log( int msg_level, const char *msg, ...)
{
va_list argp;
if ( log_level >= msg_level )
{
if (msg_level == L_WARN ) fprintf( stderr, "Warning: " );
if (msg_level == L_INFO ) fprintf( stderr, "Info:" );
if (msg_level == L_DEBUG ) fprintf( stderr, "Debug: " );
va_start( argp, msg );
vfprintf( stderr, msg, argp );
va_end( argp );
fprintf( stderr, "\n" );
}
}
void Error( const char *operation, const char *msg, ...)
{
va_list argp;
fprintf( stderr, "ERROR: %s: ", operation );
va_start( argp, msg );
vfprintf( stderr, msg, argp );
va_end( argp );
fprintf( stderr, "\n" );
}
unsigned long read_memCert( STACK_OF(X509) **certstack )
{
char*oper = "Reading mem";
STACK_OF(X509_INFO) *sk = NULL;
BIO *certbio = NULL;
X509_INFO *xi;
unsigned longerr;
char data[] = "\n\
-BEGIN CERTIFICATE-\n\
MIIE7zCCA9egAwIBAgICFF8wDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCTkwx\n\
DzANBgNVBAoTBk5JS0hFRjEyMDAGA1UEAxMpTklLSEVGIG1lZGl1bS1zZWN1cml0\n\
eSBjZXJ0aWZpY2F0aW9uIGF1dGgwHhcNMTcwNTMxMDAwMDAwWhcNMTgwNTMxMTQ1\n\
NzQwWjBQMRIwEAYDVQQKEwlkdXRjaGdyaWQxDjAMBgNVBAoTBXVzZXJzMQ8wDQYD\n\
VQQKEwZuaWtoZWYxGTAXBgNVBAMTEEphbiBKdXN0IEtlaWpzZXIwggEiMA0GCSqG\n\
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUgM6fRU95Qs/qiquRpLqtLFX2EEooIFFm\n\
Jo0IxwpISgIq37HUgfbNBB97ZXaMDtrWrcJt1PbXIj7NCXsDJ4V6zueKwx3Dsr2W\n\
H5V9FvK6bj+vz3S1bOvG1EJUpnS81/Fmlawkd7bK7dXwuZVbUp7QcmzGuwmFO3/3\n\
h2sX5a1z7gkb3VZXIyFk2lz1W+bt4bgb6WNvcOZuXwbawsF4F6LZkaHJ6JwsuZMc\n\
/gIOhQYXD4+KPOG96/PRgpC7BBWcwfmg9fPNxp09QD6q9XEM9MN307BYQ7BWAgrq\n\
yUvhL69/+DIBCwkcUnzWxeZbcsfziHx/HUR251NybNsp6Mu+IdjJAgMBAAGjggHP\n\
MIIByzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIEsDAdBgNVHSUEFjAUBggr\n\
BgEFBQcDAgYIKwYBBQUHAwQwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL2NhLmR1\n\
dGNoZ3JpZC5ubC9tZWRpdW0vY2FjcmwuZGVyMCgGA1UdIAQhMB8wDwYNKwYBBAHR\n\
QgQCAgEDAjAMBgoqhkiG90wFAgIBMB8GA1UdIwQYMBaAFFsFOpnG1SK9/ZSA/BGo\n\
0PFx1kukMB0GA1UdDgQWBBRrObKYCp8RcKwXn4kcHa6zFXpU7DARBglghkgBhvhC\n\
AQEEBAMCBaAwNAYJYIZIAYb4QgEIBCcWJWh0dHA6Ly9jYS5kdXRjaGdyaWQubmwv\n\
bWVkaXVtL3BvbGljeS8wgZ4GCWCGSAGG+EIBDQSBkBaBjUVFQyBpc3N1ZWQgdW5k\n\
ZXIgcG9saWN5IHZlcnNpb24gMy4yIC0gbGltaXRlZCBsaWFiaWxpdGllcyBhcHBs\n\
eSwgc2VlIGh0dHA6Ly9jYS5kdXRjaGdyaWQubmwvbWVkaXVtL3BvbGljeS8gLSBD\n\
ZXJ0aWZpY2F0ZSBUYWc6IDY5MDRhMTdkLTk0ODBjZTANBgkqhkiG9w0BAQsFAAOC\n\
AQEAeLFnQAYF4FWHJ0y+7T9bUtFoQLv6ZsqBlaSwlzuhpSMlOVvzOLvqlmLVdbk5\n\
nkEBu008FBTA2r9UysIhB00MxhypAxkhzIXxfslZBwtxdmZ0s0MBoIwLb6Lo3Td5\n\
ktFKra31KOlwdiAFZxmsi5Du4p+sY5uW5RNIsa9dxqccOd0+TOglARF/sF5xliHv\n\
x8y+qvVmiMBa0nZmvqO0OQfTb4oNbByGeeH6yQyQqxWpJwwdXx+Q4JJhZhXAJIOt\n\
Ze52sXps/K/1R3laqXaEW7xYZbragtgimbkMkPCHr6624ajslViyqI2efwlI1+em\n\
ueVU4EK03fp65Egd6Qs9yx5+VA==\n\
-END CERTIFICATE-\n\
";
Log( L_DEBUG, "--- Welcome to the read_memCert function ---");
*certstack = sk_X509_new_null();
if (*certstack == NULL) return ERR_get_error();
if ( !(certbio = BIO_new_mem_buf(data, -1) ) ) return ERR_get_error();
Log( L_DEBUG, "Reading X509_INFO records" );
if ( !(sk=PEM_X509_INFO_read_bio(certbio, NULL, NULL, NULL)) )
{
err = ERR_get_error();
Error( oper, "No X509 records found" );
BIO_free(certbio);
sk_X509_INFO_free(sk);
sk_X509_free(*certstack);
*certstack = NULL;
return err;
}
while (sk_X509_INFO_num(sk))
{
xi=sk_X509_INFO_shift(sk);
if (xi->x509 != NULL)
{
sk_X509_push(*certstack, xi->x509);
xi->x509=NULL;
}
X509_INFO_free(xi);
}
if (!sk_X509_num(*certstack))
{
err = ERR_get_error();
Error( oper, "No certificates found" );
BIO_free(certbio);
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Unfortunately this didn't work either. The end result is the same; OpenSSL
still emits a "certificate signature failure" with an error depth of 0.
Regards,
Manuel
Am Do, 21. Dez 2017, um 19:27, schrieb Sands, Daniel:
> I'm a fellow SSL-USER and not an expert, but my verification flow goes
> as follows:
>
> X509_STORE_CTX_new()
> X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify
> X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this
> is the difference?
> X509_verify_cert(ctx)
>
>
> On Thu, 2017-12-21 at 12:42 +0100, Manuel Wagesreither wrote:
> > Dear all,
> >
> > I'm struggling with programatically verifying a certificate which is
> > solely stored in memory, i. e. not on the file system. The
> > certificate and the CA seem to be fine though, because when I extract
> > them from memory and store them as a file, and use the `openssl
> > verify`, verification is successful. Hence I suspect my code is
> > faulty.
> >
> > Unfortunately, I'm under the impression that validating certificates
> > which exist solely in memory is a niche application. I was yet not
> > able to find a comprehensive tutorial or even a code sample on the
> > internet. Hence, I hope you can help me.
> >
> > Below I'm posting my sample code. (I have stripped the certificate
> > and CA raw data, tough.) It can be compiled an run under a GNU/Linux
> > system.
> > When this code is run, OpenSSL emits a "certificate signature
> > failure" with an error depth of 0.
> >
> > Thanks a lot!
> > Manuel
> >
> >
> >
> > #include
> > #include
> > #include
> >
> > unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and
> > so on */ };
> > unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };
> >
> > int main(int, char**)
> > {
> > // This holds the return codes and gets reused for most
> > function calls
> > int rc = 0;
> >
> > // Make a new store
> > X509_STORE *x509_store = X509_STORE_new();
> > if (x509_store == NULL) {
> > throw std::runtime_error("X509_STORE_new() failed");
> > }
> >
> > // Load and convert the authoritys certificate to a compatible
> > form
> > X509 *auth_cert = NULL;
> > {
> > const unsigned char* auth_cert_ptr = g_authority;
> > auth_cert = d2i_X509(NULL, _cert_ptr,
> > sizeof(g_authority));
> > if (auth_cert == nullptr) {
> > throw std::runtime_error("d2i_X509() failed for
> > authoritys certificate");
> > }
> > }
> >
> > // Add the authoritys certificate to the store
> > rc = X509_STORE_add_cert(x509_store, auth_cert);
> > if (rc != 1) {
> > throw std::runtime_error("X509_STORE_add_cert()
> > failed");
> > }
> >
> > // Make a new store context
> > X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
> > if (x509_store_ctx == NULL) {
> > throw std::runtime_error("X509_STORE_CTX_new()
> > failed");
> > }
> >
> > // Load and convert the certificate to be verified to a
> > compatible form
> > X509 *myself = NULL;
> > {
> > const unsigned char *my_cert_ptr = g_cert;
> > myself = d2i_X509(NULL, _cert_ptr, sizeof(g_cert));
> > if (myself == NULL) {
> > throw std::runtime_error("d2i_X509() failed for
> > own certificate");
> > }
> > }
> >
> > rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself,
> > NULL);
> > if (rc != 1) {
> > throw std::runtime_error("X509_STORE_CTX_init()
> > failed");
> > }
> >
> > rc = X509_verify_cert(x509_store_ctx);
> >
> > X509_STORE_free(x509_store);
> > X509_STORE_CTX_free(x509_store_ctx);
> >
> > if (rc > 0) {
> > std::cout <<
> > X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx
> > )) << std::endl;
> > return 0;
> > } else {
> > std::cerr <<
> > X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx
> > )) << std::endl;
> > std::cerr << "Error depth: " <<
> > X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
> > return 1;
> > }
> > }
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
I'm a fellow SSL-USER and not an expert, but my verification flow goes
as follows:
X509_STORE_CTX_new()
X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify
X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this
is the difference?
X509_verify_cert(ctx)
On Thu, 2017-12-21 at 12:42 +0100, Manuel Wagesreither wrote:
> Dear all,
>
> I'm struggling with programatically verifying a certificate which is
> solely stored in memory, i. e. not on the file system. The
> certificate and the CA seem to be fine though, because when I extract
> them from memory and store them as a file, and use the `openssl
> verify`, verification is successful. Hence I suspect my code is
> faulty.
>
> Unfortunately, I'm under the impression that validating certificates
> which exist solely in memory is a niche application. I was yet not
> able to find a comprehensive tutorial or even a code sample on the
> internet. Hence, I hope you can help me.
>
> Below I'm posting my sample code. (I have stripped the certificate
> and CA raw data, tough.) It can be compiled an run under a GNU/Linux
> system.
> When this code is run, OpenSSL emits a "certificate signature
> failure" with an error depth of 0.
>
> Thanks a lot!
> Manuel
>
>
>
> #include
> #include
> #include
>
> unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and
> so on */ };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };
>
> int main(int, char**)
> {
> // This holds the return codes and gets reused for most
> function calls
> int rc = 0;
>
> // Make a new store
> X509_STORE *x509_store = X509_STORE_new();
> if (x509_store == NULL) {
> throw std::runtime_error("X509_STORE_new() failed");
> }
>
> // Load and convert the authoritys certificate to a compatible
> form
> X509 *auth_cert = NULL;
> {
> const unsigned char* auth_cert_ptr = g_authority;
> auth_cert = d2i_X509(NULL, _cert_ptr,
> sizeof(g_authority));
> if (auth_cert == nullptr) {
> throw std::runtime_error("d2i_X509() failed for
> authoritys certificate");
> }
> }
>
> // Add the authoritys certificate to the store
> rc = X509_STORE_add_cert(x509_store, auth_cert);
> if (rc != 1) {
> throw std::runtime_error("X509_STORE_add_cert()
> failed");
> }
>
> // Make a new store context
> X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
> if (x509_store_ctx == NULL) {
> throw std::runtime_error("X509_STORE_CTX_new()
> failed");
> }
>
> // Load and convert the certificate to be verified to a
> compatible form
> X509 *myself = NULL;
> {
> const unsigned char *my_cert_ptr = g_cert;
> myself = d2i_X509(NULL, _cert_ptr, sizeof(g_cert));
> if (myself == NULL) {
> throw std::runtime_error("d2i_X509() failed for
> own certificate");
> }
> }
>
> rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself,
> NULL);
> if (rc != 1) {
> throw std::runtime_error("X509_STORE_CTX_init()
> failed");
> }
>
> rc = X509_verify_cert(x509_store_ctx);
>
> X509_STORE_free(x509_store);
> X509_STORE_CTX_free(x509_store_ctx);
>
> if (rc > 0) {
> std::cout <<
> X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx
> )) << std::endl;
> return 0;
> } else {
> std::cerr <<
> X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx
> )) << std::endl;
> std::cerr << "Error depth: " <<
> X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
> return 1;
> }
> }
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
