Verify x509 certificate
Dear all,

I'm new to the OpenSSL API and I'm trying to write a simple application to verify an X.509 certificate, but I'm facing some strange problem. Here is a snapshot of my code, which you can use to replicate my scenario:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>

const char root_cert_data[] = "-----BEGIN CERTIFICATE-----\n\
MIIDQjCCAqugAwIBAg ... Rinw==\n\
-----END CERTIFICATE-----\n";

int main(int argc, char **argv)
{
    FILE *fp;
    X509 *root_cert;
    X509_STORE *CAcerts;
    X509 *cert;
    X509_STORE_CTX ca_ctx;
    char *strerr;
    BIO *bio;
    STACK_OF(X509) *trusted_chain;

    trusted_chain = sk_X509_new_null();

    if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
        printf("BIO_new_mem_buf\n");
        exit(1);
    }
    BIO_set_close(bio, BIO_NOCLOSE);

    if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
        printf("PEM_read_bio_X509 (root)\n");
        ERR_print_errors_fp(stdout);
        exit(1);
    }
    sk_X509_push(trusted_chain, root_cert);

    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
        printf("\nError1\n");
    }
    if (X509_STORE_load_locations(CAcerts, "/home/frank/test/test-CA/calist.pem", NULL) != 1) {
        printf("\nError2\n");
    }
    if (X509_STORE_set_default_paths(CAcerts) != 1) {
        printf("\nError3\n");
    }

    /* load X509 certificate */
    if (!(fp = fopen("cert.pem", "r"))) {
        printf("\nError4\n");
    }
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
        printf("\nError5\n");
    }

    /* verify */
    if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1) {
        printf("\nError6\n");
    }
    X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
    if (X509_verify_cert(&ca_ctx) != 1) {
        strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
        printf("Verification error: %s", strerr);
    }

    X509_STORE_free(CAcerts);
    X509_free(cert);
    return 0;
}

Obviously root_cert_data[] and cert.pem have to be replaced with your own certs.

Compiled with gcc -Wall x509.c -o x509 -lssl -lcrypto; after execution I receive this error:

Verification error: certificate signature failure

even though, when I verify my certificate by means of the command line tool

openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

the output is:

cert.pem: OK

Does anybody know where the problem is?

Thanks in advance,
Francesco la Torre
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Verify x509 certificate
Any help from someone? :-)

Flt

On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote:
> [...]
Re: Verify x509 certificate
On Fri, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:

Hi Sendroiu,

> It would be helpful if we could see the certificate.

I did not include the whole certificate, so that you can replicate my code with your own certificate/calist.

> My guess is that either your cert is self signed,

Yes, it's self-signed.

> in which case you need to treat this case in your callback,

I have no idea how to do this. Do I have to set any flag/field in the context?

> or the certificate you are trying to verify is not signed by the trust anchor that you provide.
> Also you must be careful which text editor you are using because some may replace spaces with their own (e.g. CRLF -> CR or LF) in the root_cert_data declaration, and that might spoil the signature.

I'll check this too :-)

> Cheers.

Thank you very much!

Flt

> ----- Original Message -----
> From: .:: Francesco la Torre ::. [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Sent: Friday, August 1, 2008 8:02:44 PM
> Subject: Re: Verify x509 certificate
>
> [...]
Re: Verify x509 certificate
Self reply :-)

I've added a callback function like this:

static int cb(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];

    X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, 256);
    printf("%s\n", buf);
    printf("error %d at %d depth lookup:%s\n", ctx->error, ctx->error_depth,
           X509_verify_cert_error_string(ctx->error));

    /* Continue even if self signed */
    if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
        ok = 1;

    ERR_clear_error();
    return (ok);
}

and also added this line to the main:

X509_STORE_set_verify_cb_func(&ca_ctx, cb);

but the result is always the same:

Verification error: certificate signature failure

Where are my mistakes?

Thanks
Flt

On Fri, 2008-08-01 at 23:58 +0200, .:: Francesco la Torre ::. wrote:
> [...]
Re: Verify x509 certificate
On Sat, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
> Self reply :-)
>
> I've added a callback function like this:
>
> [...]

One mistake is here, even if there was no compilation error:

> and also added this line to the main:
>
> X509_STORE_set_verify_cb_func(&ca_ctx, cb);

The correct code block is:

...
/* load CA cert store */
if (!(CAcerts = X509_STORE_new())) {
    printf("\nError1\n");
}
---> X509_STORE_set_verify_cb_func(CAcerts, cb);
...

> but the result is always the same:

Not always the boring

> Verification error: certificate signature failure

but a new strange error:

/C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/[EMAIL PROTECTED]
error 7 at 1 depth lookup:certificate signature failure
Verification error: 0

I've tried to find any kind of reference for this kind of error, but Google doesn't return very good help. In various forums/mailing lists this is _classified_ as a *quite strange* error ... is it possible?

Thanks in advance,
Flt
Re: Verify x509 certificate
On Sat, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
> The verify(1ssl) man page has descriptions of these error codes. 7 is X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure, which is described as: the signature of the certificate is invalid.
>
> I would presume that this is because the signature cannot be verified with the public key that it's said to be verifiable with -- i.e., the data in one of the certificates has been modified since it was signed (and thus, the signature has been invalidated).

You're right, but I used the strange adjective because if I try to verify the certificate from the command line

openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

the output is:

cert.pem: OK

so both certificates are valid.

Regards,
Flt

> -Kyle H
>
> On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::. [EMAIL PROTECTED] wrote:
> > [...]
Re: Verify x509 certificate
Solved!

I forgot to call SSLeay_add_all_algorithms(); ... a summer youthful folly :-)

Flt

On Sat, 02/08/2008 at 11.43 +0200, .:: Francesco la Torre ::. wrote:
> [...]
Re: Verify x509 certificate
It seems to work well, because if I try to change a character in the array containing the cert, the verification process fails. However, in the next days I'll try to load an untrusted chain and verify better; now instead I'm preparing problems for the next post :-)

Thanks
Flt

On Sat, 02/08/2008 at 18.57 -0700, Sendroiu Eugen wrote:
> I'm not sure you solved that. This works just because your certificate chain will have only 1 certificate, so no signature verification is done.
>
> kr,
> Eugen Sendroiu
>
> ----- Original Message -----
> From: .:: Francesco la Torre ::. [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Sent: Saturday, August 2, 2008 5:16:10 PM
> Subject: Re: Verify x509 certificate
>
> [...]