On Fri, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:
> Hi Sendroiu,
> It would be helpful if we could see the certificate.

I did not report the whole certificate, to allow you to replicate my code with your own certificate/calist.

> My guess is that either your cert is self signed,

Yes, it's self signed.

> in which case you need to treat this case in your callback,

I have no idea how to do this. Do I have to set any flag/field in the context?

> or the certificate you are trying to verify is not signed by the trust
> anchor that you provide. Also you must be careful which text editor
> you are using because some may replace spaces with their own (e.g.
> CRLF - CR or LF) in the root_cert_data declaration, and that might
> spoil the signature.

I'll also check this :-)

>
> Cheers.

Thank you very much!
Flt

>
> ----- Original Message ----
> From: .:: Francesco la Torre ::. <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Sent: Friday, August 1, 2008 8:02:44 PM
> Subject: Re: Verify x509 certificate
>
> Any help from someone ?
> :-)
> Flt
>
>
> On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote:
> > Dear all,
> > I'm new to the openssl API and I'm trying to write a simple application
> > to verify an x509 certificate, but I'm facing a strange problem.
> >
> > Here is a snapshot of my code to use to replicate my scenario:
> >
> > #include<stdio.h>
> > #include<stdlib.h>
> > #include<string.h>
> > #include <openssl/pem.h>
> > #include <openssl/err.h>
> > #include <openssl/sha.h>
> > #include <openssl/ssl.h>
> >
> > const char root_cert_data[] =
> > "-----BEGIN CERTIFICATE-----\n\
> > MIIDQjCCAqugAwIBAg ...
> > Rinw==\n\
> > -----END CERTIFICATE-----\n";
> >
> > int main(int argc, char **argv){
> >
> >     FILE *fp;
> >     X509 *root_cert;
> >
> >     X509_STORE *CAcerts;
> >     X509 * cert;
> >
> >     X509_STORE_CTX ca_ctx;
> >     char *strerr;
> >     BIO *bio;
> >
> >     STACK_OF(X509) *trusted_chain;
> >
> >     trusted_chain = sk_X509_new_null();
> >
> >     if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
> >         printf("BIO_new_mem_buf\n");
> >         exit(1);
> >     }
> >     BIO_set_close(bio, BIO_NOCLOSE);
> >     if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
> >         printf("PEM_read_bio_X509 (root)\n");
> >         ERR_print_errors_fp(stdout);
> >         exit(1);
> >     }
> >
> >     sk_X509_push(trusted_chain, root_cert);
> >     /* load CA cert store */
> >     if (!(CAcerts = X509_STORE_new())) {
> >         printf ("\nError1\n");
> >     }
> >
> >     if (X509_STORE_load_locations(CAcerts,
> >             "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
> >         printf ("\nError2\n");
> >     }
> >     if (X509_STORE_set_default_paths(CAcerts) != 1) {
> >         printf ("\nError3\n");
> >     }
> >
> >     /* load X509 certificate */
> >     if (!(fp = fopen ("cert.pem", "r"))){
> >         printf ("\nError4\n");
> >     }
> >     if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
> >         printf ("\nError5\n");
> >     }
> >
> >     /* verify */
> >     if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
> >     {
> >         printf ("\nError6\n");
> >     }
> >
> >     X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
> >
> >     if (X509_verify_cert(&ca_ctx) != 1) {
> >         strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
> >         printf("Verification error: %s", strerr);
> >     }
> >
> >     X509_STORE_free(CAcerts);
> >     X509_free(cert);
> >
> >     return 0;
> > }
> >
> > Obviously root_cert_data[] and cert.pem have to be replaced with your
> > certs.
> > Compiled as
> >
> > gcc -Wall x509.c -o x509 -lssl -lcrypto
> >
> > After execution I receive this error:
> >
> > Verification error: certificate signature failure
> >
> > Even if I try to verify my certificate by means of the command line tool
> >
> > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
> >
> > The output is:
> >
> > cert.pem: OK
> >
> > Does anybody know where the problem is?
> >
> > Thanks in advance,
> > Francesco la Torre
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                                [EMAIL PROTECTED]
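
To tell apart the two causes suggested in the reply quoted above (a self-signed certificate, or a certificate not issued by the supplied trust anchor), this added example, which is not code from the thread, builds constructed throwaway certificates and reports the `openssl verify` error number each case produces. The helper names (`mk_selfsigned`, `mk_issued`, `verify_code`) and all subject names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed, throwaway test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_selfsigned NAME CN: self-signed certificate plus key.
mk_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# mk_issued NAME CN CA: certificate for CN signed by the CA called CA.
mk_issued() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_code CERT ANCHOR: print "ok", or the first numeric verify error.
verify_code() {
  out=$(openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" 2>&1 || true)
  code=$(printf '%s\n' "$out" |
    sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-ok}"
}

mk_selfsigned root   "Constructed Root CA"    # the trust anchor
mk_selfsigned other  "Constructed Other CA"   # a CA that is NOT trusted
mk_selfsigned lonely "lonely.example.test"    # self-signed end certificate
mk_issued     leaf   "leaf.example.test"  root
mk_issued     stray  "stray.example.test" other

# 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (self-signed, not in the anchors)
# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (issuer not among anchors)
for c in root leaf lonely stray; do
  echo "$c against root: $(verify_code "$c" root)"
done
```

A self-signed certificate verifies only when it is itself among the trust anchors, which is why `root` passes and `lonely` does not.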