I'm working with someone else's code here, and I'm trying to figure out how
to implement verification anywhere in a cert chain. For example:
asd CA
|
lkjh CA
|
webserver
I want verification to succeed against the lkjh CA (the intermediate), not
against the asd root CA, so the trust anchor is halfway down the chain. I
tried taking the code we have right now and replacing the root cert file
with one containing only the lkjh cert, but then I get verify errors. Here is
the output with some test certificates:
============================================================================
=====
[root@gendo sslget_src]# cp asd.cer root.pem
cp: overwrite `root.pem'? y
[root@gendo sslget_src]# ./sslget -host wslabweb02
#2
subject:'/Email=asd/C=US/ST=asd/L=asd/O=asd/OU=asd/CN=asd'
ERROR: 0
verify error:0
#1
subject:'[EMAIL PROTECTED]/C=US/ST=Or/L=Portland/O=McAfee
ASaP/OU=WebShield/CN=lkjh'
ERROR: 0
verify error:0
#0
subject:'/C=US/ST=OR/L=Beaverton/O=McAfee ASaP/OU=McAfee ASaP/CN=wslabweb02'
ERROR: 0
verify error:0
**** verification result: OK
[root@gendo sslget_src]# cp lkjh.cer root.pem
cp: overwrite `root.pem'? y
[root@gendo sslget_src]# ./sslget -host wslabweb02
#1
subject:'[EMAIL PROTECTED]/C=US/ST=Or/L=Portland/O=McAfee
ASaP/OU=WebShield/CN=lkjh'
ERROR: 20
VERIFY ERROR: 20 'unable to get local issuer certificate'
verify error:0
#1
subject:'[EMAIL PROTECTED]/C=US/ST=Or/L=Portland/O=McAfee
ASaP/OU=WebShield/CN=lkjh'
ERROR: 27
VERIFY ERROR: 27 'certificate not trusted'
verify error:0
#0
subject:'/C=US/ST=OR/L=Beaverton/O=McAfee ASaP/OU=McAfee ASaP/CN=wslabweb02'
ERROR: 27
verify error:0
**** verification result: FAILED
Certificate doesn't verify
[root@gendo sslget_src]#
============================================================================
=====
Here is the source for that callback function:
============================================================================
=====
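/*
 * Certificate-verification callback (installed with SSL_CTX_set_verify()).
 *
 * OpenSSL invokes this once per certificate in the chain, from the trust
 * anchor (highest depth) down to the server certificate (depth 0).  The
 * callback logs the subject of the certificate under test and any
 * verification error, then decides whether the handshake continues.
 *
 *   ok  - OpenSSL's verdict for this certificate: 1 = passed, 0 = failed
 *   ctx - verification context; supplies the current cert, error and depth
 *
 * Returns 1 to let the handshake continue, 0 to abort it.
 *
 * SECURITY NOTE: when a certificate fails and its depth is within
 * verify_depth, this callback deliberately overrides the failure (returns 1)
 * so that the remaining certificates are still printed.  The handshake will
 * therefore complete against an untrusted chain.  The error code stored in
 * the verification context is intentionally left untouched so that
 * SSL_get_verify_result() still reports the failure; the caller MUST check
 * it before trusting the connection.  Do not reuse this callback in code
 * that is not purely diagnostic.
 *
 * The earlier "* RESET *" branch, which cleared the stored error whenever
 * an intermediate certificate passed, has been removed: it erased a failure
 * that had already been overridden at a higher depth, so the final
 * verification result could read X509_V_OK for a chain that never verified.
 *
 * Globals used: bio_err (log BIO), verify_depth (override limit),
 * verify_error (last result code, printed at the end of each call).
 *
 * NOTE(review): the "unable to get local issuer certificate" error at depth 1
 * in the example run is the path builder failing to find lkjh's issuer in
 * the trust store.  Stock OpenSSL accepts only a self-signed certificate as a
 * trust anchor; anchoring on an intermediate appears to need partial-chain
 * verification (X509_V_FLAG_PARTIAL_CHAIN, OpenSSL 1.0.2 and later) on the
 * store's verify parameters -- confirm against the OpenSSL version in use.
 */
static int VerifyCallback(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    const char *subject;
    X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
    int err = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);

    /*
     * The current certificate can be NULL when no single certificate is
     * responsible for the error; never hand a NULL X509 to the name helpers.
     */
    if (err_cert != NULL) {
        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
        subject = buf;
    } else {
        subject = "<no certificate>";
    }
    BIO_printf(bio_err, "#%d\nsubject:'%s'\n", depth, subject);
    BIO_printf(bio_err, "ERROR: %d\n", err);

    if (!ok) {
        BIO_printf(bio_err, "VERIFY ERROR: %d '%s'\n", err,
                   X509_verify_cert_error_string(err));
        if (verify_depth >= depth) {
            /* Diagnostic override: keep going so the whole chain is shown. */
            ok = 1;
            verify_error = X509_V_OK;
        } else {
            ok = 0;
            verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
        }
    }

    /* Extra detail for the errors where one more field explains the cause. */
    if (err_cert != NULL) {
        switch (err) {
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
            X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof buf);
            BIO_printf(bio_err, "ERROR: issuer= %s\n", buf);
            break;
        case X509_V_ERR_CERT_NOT_YET_VALID:
        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
            BIO_printf(bio_err, "ERROR: notBefore=");
            ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
            BIO_printf(bio_err, "\n");
            break;
        case X509_V_ERR_CERT_HAS_EXPIRED:
        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
            BIO_printf(bio_err, "ERROR notAfter=");
            ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
            BIO_printf(bio_err, "\n");
            break;
        default:
            break;
        }
    }

    BIO_printf(bio_err, "verify error:%d\n", verify_error);
    return ok;
}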
============================================================================
=====
Any ideas? I've been trying to find info on this, and I thought I was doing
it correct. Thanks for the help. :)
-Ian