Hello all,

I am using OpenSSL 0.9.8d and the following procedure to verify certificates. The procedure gives an error, whereas if I try to verify the same certificates with the command line it succeeds.
I would appreciate any hint to solve this problem.

The C API procedure:

    /*! Procedure to verify whether the certificate 'cert' was issued by 'pnca_cert'. */
    /* ERR_INFO and E_SSL are project macros defined elsewhere in cpfp_ssl.c. */
    int verify_certificate(X509 *pnca_cert, X509 *cert)
    {
        int ret = 1;
        X509_STORE *store;
        X509_STORE_CTX *ctx;
    #ifdef TESTING
        BIO *out = NULL;

        /* open BIO for output to 'stdout' */
        if (!(out = BIO_new_fp(stdout, BIO_NOCLOSE))) {
            ERR_INFO;
            ERR_print_errors_fp(stderr);
            fprintf(stderr, "Error creating stdout BIO: %s (%d)\n", strerror(errno), errno);
            return E_SSL;
        }
    #endif

        /* Trust store: the default CA paths plus the PNCA certificate itself.
         * Note that nothing in this function loads OpenSSL's algorithm tables
         * (OpenSSL_add_all_algorithms()); that is left to the caller. */
        ctx = X509_STORE_CTX_new();
        store = X509_STORE_new();
        X509_STORE_set_default_paths(store);
        X509_STORE_add_cert(store, pnca_cert);
        /* No untrusted chain is supplied: 'cert' must be issued directly by a store entry. */
        X509_STORE_CTX_init(ctx, store, cert, NULL);

    #ifdef TESTING
        BIO_printf(out, "\n\n\n\tPNCA Certificate: \n");
        X509_print(out, pnca_cert);
        BIO_printf(out, "\n");
        BIO_printf(out, "\tPeer Certificate: \n");
        X509_print(out, cert);
        BIO_printf(out, "\n\n\n\n");
    #endif

        if (!X509_verify_cert(ctx)) {
            fprintf(stderr, "Error verifying signature on issued certificate: \n");
            ERR_print_errors_fp(stderr);
            ret = E_SSL;
        }

        X509_STORE_CTX_free(ctx);
        X509_STORE_free(store);
    #ifdef TESTING
        BIO_free(out);   /* BIO_NOCLOSE: releases the BIO without closing stdout */
    #endif
        return ret;
    }

The certificates are (as printed out by the same procedure):

    ***********************************
    Self-Signed PNCA Certificate:
    ***********************************
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c8:d5:d0:90:c3:dd:0a:1a
            Signature Algorithm: ecdsa-with-SHA1
            Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA
            Validity
                Not Before: Oct 23 14:32:40 2007 GMT
                Not After : Nov 22 14:32:40 2007 GMT
            Subject: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:e5:c5:a5:6a:46:ce:24:bd:80:f5:e2:30:d0:9c:
                        4a:14:69:c5:9a:c7:d0:a4:b7:b8:d9:fc:07:c9:37:
                        de:3c:23:44:73:3e:15:76:f3:3e:2a:22:13:34:9b:
                        36:89:a3:35:2f:12:30:e5:d1:eb:a6:e1:b8:b5:ee:
                        95:0e:d0:0e:05
                    ASN1 OID: secp256k1
        Signature Algorithm: ecdsa-with-SHA1
            30:45:02:20:35:da:33:85:05:7a:3c:6f:be:47:2f:cc:59:fb:
            c1:a7:b4:af:6d:a6:39:04:eb:46:ad:42:a5:6e:2e:bf:ce:90:
            02:21:00:e9:09:e4:20:3d:26:cf:4a:2c:ce:9f:72:77:25:0e:
            af:61:c8:7a:3d:a0:5e:cb:76:e6:15:8d:53:17:11:0d:ed

    **************************
    Client Peer Certificate:
    **************************
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: ecdsa-with-SHA1
            Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA
            Validity
                Not Before: Oct 23 14:33:36 2007 GMT
                Not After : Oct 22 14:33:36 2008 GMT
            Subject: C=PN, ST=MAGNET, L=Mobile, O=Test Organization, OU=Testing, CN=Magnet device#1
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                EC Public Key:
                    pub:
                        04:d4:87:e4:d1:49:bb:b2:0e:56:57:d8:0d:69:8e:
                        fa:66:62:6f:eb:60:38:f2:59:7b:56:2e:f6:d8:eb:
                        f5:44:82:fd:46:ae:0c:1f:b0:67:5e:dd:2c:12:08:
                        ff:b4:db:ee:ae:7c:7f:f8:0e:24:b2:0b:21:5c:18:
                        73:72:b4:69:b5
                    ASN1 OID: secp256k1
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    URI:my PN name:5b8f3fe0-612e-11dc-9287-001921a6909f
        Signature Algorithm: ecdsa-with-SHA1
            30:44:02:20:12:71:ef:bf:aa:4c:b4:dd:fe:21:0c:f2:29:01:
            f6:c4:21:97:56:05:5e:6c:5a:4e:83:14:55:48:90:52:c8:e1:
            02:20:36:e1:70:78:55:b3:dd:e1:75:a8:a2:2a:28:e2:19:6f:
            d2:97:65:8c:4b:62:68:42:cb:54:68:e4:72:0d:1c:8c

    ** file cpfp_ssl.c: line 2752
    Error verifying signature on issued certificate:
    8134:error:0D0C50A1:lib(13):func(197):reason(161):a_verify.c:141:

After looking into "a_verify.c" line 141, this corresponds to the following error: ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

But then, if I try to verify the certificates with the command line, I get:

    jjp ~ # openssl verify -CAfile u1/certs/pnca.pem u1/certs/pnclient.cert.pem
    u1/certs/pnclient.cert.pem: OK

Any hints?

Best regards,
Jordi