Hi All, I am trying to verify the signature of a certificate using the routine X509_verify_cert() but without success: when it tries to verify the root certificate it stops with error #7 (certificate signature failure). I hope someone can help...
Some details about my check routine:
Following are my check routine, callback routine and the callback log text; attached are my user certificate + CA root certificate.
I don't know if it helps, but when I tried to verify a certificate which was signed by my own root CA (which was generated by openssl), the same problem occurred.
My check routine:
------------------------------------------------------------
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

static int cb(int ok, X509_STORE_CTX *ctx);   /* verify callback, defined below */

/* Verify `cert` against the trust store `store`.  `uchain` holds untrusted
 * certificates that may be needed to build the chain (intermediates);
 * `tchain`, when non-NULL, replaces the store's contents as the set of trust
 * anchors; a negative `purpose` means "do not check purpose".
 * Returns 1 if the chain verified, 0 otherwise. */
int check(X509_STORE *store, X509 *cert, STACK_OF(X509) *uchain,
          STACK_OF(X509) *tchain, int purpose)
{
    int i = 0;
    X509_STORE_CTX *store_ctx;

    if (cert == NULL)
        return 0;
    X509_STORE_set_verify_cb_func(store, cb);
    store_ctx = X509_STORE_CTX_new();
    if (store_ctx == NULL)
        return 0;
    /* The fourth argument is the UNTRUSTED stack; the trusted stack is
     * installed separately below with X509_STORE_CTX_trusted_stack(). */
    if (!X509_STORE_CTX_init(store_ctx, store, cert, uchain)) {
        X509_STORE_CTX_free(store_ctx);
        return 0;
    }
    if (tchain)
        X509_STORE_CTX_trusted_stack(store_ctx, tchain);
    if (purpose >= 0)
        X509_STORE_CTX_set_purpose(store_ctx, purpose);
    /* Debugging aid: also report failed issuer checks to the callback.  This
     * flag is what produces the 'subject issuer mismatch' (error 29) callbacks. */
    X509_STORE_CTX_set_flags(store_ctx, X509_V_FLAG_CB_ISSUER_CHECK);
    i = X509_verify_cert(store_ctx);   /* 1 = verified, 0 = failed, <0 = internal error */
    X509_STORE_CTX_free(store_ctx);
    return i == 1;
}
------------------------------------------------------------
RetVal = check(store, cert, NULL, trusted_chain, -1)
- store contains the certificates from the file "tc-ca.pem"
- cert contains the certificate from "tc-user.pem"
- trusted_chain: I am not sure I understand the real meaning of this parameter, so I made two tests:
- Test 1 - Empty stack
- Test 2 - Stack which contains the certificates from the file "tc-ca.pem"
My callback routine:
------------------------------------------------------------
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Verify callback: logs every decision X509_verify_cert() makes and, for a
 * handful of error codes, overrides the failure.
 * NOTE: the direct accesses to ctx->error, ctx->current_cert, ctx->depth etc.
 * compile only against the old, non-opaque X509_STORE_CTX of OpenSSL 0.9.x.
 * Current releases need the accessors X509_STORE_CTX_get_error(),
 * X509_STORE_CTX_get_error_depth(), X509_STORE_CTX_get_current_cert() and
 * X509_STORE_CTX_get0_current_issuer() instead. */
static int cb(int ok, X509_STORE_CTX *ctx)
{
    char buf[256];
    static int cb_index = 0;

    printf("Starting cb #%d (ok = %d)\n", ++cb_index, ok);
    printf("ctx: error = %d. error_depth = %d. current_method = %d. "
           "depth = %d. valid = %d. last_untrusted = %d. "
           "error string = '%s'\n", ctx->error,
           ctx->error_depth, ctx->current_method,
           ctx->depth, ctx->valid, ctx->last_untrusted,
           X509_verify_cert_error_string(ctx->error));
    if (!ok) {
        if (ctx->current_cert) {
            X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof(buf));
            printf("current_cert subject: %s\n", buf);
            X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
            printf("current_cert issuer: %s\n", buf);
        }
        if (ctx->current_issuer) {
            X509_NAME_oneline(X509_get_subject_name(ctx->current_issuer), buf, sizeof(buf));
            printf("current_issuer subject: %s\n", buf);
            X509_NAME_oneline(X509_get_issuer_name(ctx->current_issuer), buf, sizeof(buf));
            printf("current_issuer issuer: %s\n", buf);
        }
        /* Everything below turns a failed check into a pass.  That is only
         * acceptable in a diagnostic tool: a real verifier must return `ok`
         * unchanged, otherwise expired, self-signed and mis-purposed
         * certificates are silently accepted.  X509_V_ERR_CERT_SIGNATURE_FAILURE
         * (error 7) is not overridden here, so a bad signature still fails. */
        if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok = 1;
        /* since we are just checking the certificates, it is
         * ok if they are self signed. But we should still warn
         * the user.
         */
        if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok = 1;
        if (ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ok = 1;
        /* Continue after extension errors too */
        if (ctx->error == X509_V_ERR_INVALID_CA) ok = 1;
        if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok = 1;
        if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok = 1;
    }
    printf("cb return value: %d\n\n", ok);
    return ok;
}
------------------------------------------------------------
The callback log text:
------------------------------------------------------------
Starting cb #1 (ok = 0)
ctx: error = 29. error_depth = 0. current_method = 0. depth = 9. valid = 0. last_untrusted = 1. error string = 'subject issuer mismatch'
current_cert subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_cert issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
current_issuer subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_issuer issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
cb return value: 0

Starting cb #2 (ok = 0)
ctx: error = 29. error_depth = 0. current_method = 0. depth = 9. valid = 0. last_untrusted = 1. error string = 'subject issuer mismatch'
current_cert subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_cert issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
current_issuer subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_issuer issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
cb return value: 0

Starting cb #3 (ok = 0)
ctx: error = 29. error_depth = 0. current_method = 0. depth = 9. valid = 0. last_untrusted = 1. error string = 'subject issuer mismatch'
current_cert subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_cert issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
current_issuer subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_issuer issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
cb return value: 0

Starting cb #4 (ok = 0)
ctx: error = 7. error_depth = 1. current_method = 0. depth = 9. valid = 0. last_untrusted = 1. error string = 'certificate signature failure'
current_cert subject: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
current_cert issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
current_issuer subject: /C=IL/CN=Shlomi [EMAIL PROTECTED]
current_issuer issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 1 [EMAIL PROTECTED]
cb return value: 0
------------------------------------------------------------
X509_verify_cert return value: 0
Thank you,
Shlomi
Attachments: tc-ca.pem, tc-user.pem
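An added example, not part of Shlomi's message and not OpenSSL project code: the same verification run from the shell with the openssl command-line tool against a constructed root and leaf, so the C routine's verdict can be compared with what `openssl verify` reports for the same files. It assumes `openssl` (1.0.0 or later, for the -check_ss_sig option) is on PATH; the subject names, the config file and the reuse of tc-ca.pem/tc-user.pem as file names for the constructed certificates are made up for illustration. It also goes one step beyond the post: it corrupts one signature byte so that 'certificate signature failure' (error 7) can be reproduced on demand, once on the leaf and once on the root's own self-signature.

```sh
#!/bin/sh
# Added example (not from the original message): reproduce the checks from
# the shell with the openssl command-line tool, against a constructed
# root + leaf, so a C result can be compared with what `openssl verify` says.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed (made-up) request config: a CA profile with CA:TRUE, so the
# root is accepted as a trust anchor regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed test PKI.  Subject names are made up; the output file names
# reuse the post's tc-ca.pem / tc-user.pem purely as labels.
make_test_pki() {
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=XX/O=Example Test CA/CN=Example Root" \
        -keyout "$WORK/ca.key" -out "$WORK/tc-ca.pem" 2>/dev/null
    openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/C=XX/CN=Example User" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/tc-ca.pem" \
        -CAkey "$WORK/ca.key" -set_serial 1 -days 30 \
        -out "$WORK/tc-user.pem" 2>/dev/null
}

# Change the last byte of a certificate's DER encoding, i.e. the tail of its
# signature BIT STRING.  Names, key and extensions stay intact, so the only
# check that can now fail is the signature check (error 7).
tamper_signature() {   # $1 = input PEM, $2 = output PEM
    openssl x509 -in "$1" -outform DER -out "$WORK/t.der" 2>/dev/null
    size=$(wc -c < "$WORK/t.der")
    last=$(tail -c 1 "$WORK/t.der" | od -An -tu1 | tr -d ' ')
    printf "$(printf '\\%03o' $(( (last + 1) % 256 )))" |
        dd of="$WORK/t.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    openssl x509 -in "$WORK/t.der" -inform DER -out "$2" 2>/dev/null
}

# The root's own signature, on its own.  The 0.9.x-era X509_verify_cert in
# the post always checked it (hence error 7 at error_depth 1 on the root);
# newer releases skip it unless X509_V_FLAG_CHECK_SS_SIGNATURE is set.
verify_root_self() {   # $1 = root PEM; exit status is the verdict
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# The leaf against a store built from the root file (the post's setup).
verify_leaf() {        # $1 = root PEM, $2 = leaf PEM; exit status is the verdict
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but return the text openssl gives so the reason can be matched.
verify_reason() {      # $1 = root PEM, $2 = target PEM, [$3 = extra verify flag]
    openssl verify ${3:-} -CAfile "$1" "$2" 2>&1 || true
}

make_test_pki
tamper_signature "$WORK/tc-ca.pem"   "$WORK/bad-ca.pem"
tamper_signature "$WORK/tc-user.pem" "$WORK/bad-user.pem"

verify_root_self "$WORK/tc-ca.pem" && echo "good root, self-signature: OK"
verify_leaf "$WORK/tc-ca.pem" "$WORK/tc-user.pem" && echo "good leaf vs good root: OK"
echo "bad leaf vs good root:"; verify_reason "$WORK/tc-ca.pem" "$WORK/bad-user.pem"
echo "bad root, self-signature:"; verify_reason "$WORK/bad-ca.pem" "$WORK/bad-ca.pem" -check_ss_sig
echo "good leaf vs bad root, default flags:"; verify_reason "$WORK/bad-ca.pem" "$WORK/tc-user.pem"
```

Run it as a plain sh script. Given the log above, the thing to check first is the root on its own: error 7 at error_depth 1 with the root as current_cert is the root's self-signature failing to verify, and `openssl verify -check_ss_sig -CAfile tc-ca.pem tc-ca.pem` exercises exactly that check with neither the leaf nor the trusted_chain parameter involved. The last line of output is the caveat in the other direction: with default flags, releases from 1.0.0 on do not verify the root's self-signature at all, so a root whose own signature is broken still anchors a chain, which is why a verifier should not rely on that check to detect a corrupted trust store.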
