self reply :-)

I've added a callback function like this

static int cb(int ok, X509_STORE_CTX *ctx)
{
        char buf[256];
        /* Use the accessor functions instead of reading ctx->... fields
         * directly; current_cert can be NULL for some errors. */
        X509 *cur   = X509_STORE_CTX_get_current_cert(ctx);
        int   err   = X509_STORE_CTX_get_error(ctx);
        int   depth = X509_STORE_CTX_get_error_depth(ctx);

        if (cur != NULL) {
                X509_NAME_oneline(X509_get_subject_name(cur), buf, sizeof(buf));
                printf("%s\n", buf);
        }
        printf("error %d at %d depth lookup:%s\n", err, depth,
               X509_verify_cert_error_string(err));

        /* Continue even if self signed.
         * Note: returning 1 here makes the verifier accept a leaf that
         * chains to no trust anchor at all, i.e. any self-signed cert
         * passes; only do this if that is really the intended policy. */
        if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
                ok = 1;

        /* wipes the thread's OpenSSL error queue; later ERR_print_errors_fp()
         * calls will have nothing to show */
        ERR_clear_error();

        return ok;
}

and also added this line to main:

/* X509_STORE_set_verify_cb_func() is the X509_STORE variant; for the
   X509_STORE_CTX use the _CTX_ function (it exists since 0.9.8) */
X509_STORE_CTX_set_verify_cb(&ca_ctx, cb);

but the result is always the same:

Verification error: certificate signature failure

Where are my mistakes?

Thanks
Flt

On Fri, 2008-08-01 at 23:58 +0200, .:: Francesco la Torre ::. wrote:
> On Fri, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:
> > 
> Hi Sendroiu,
> 
> > It would be helpful if we could see the certificate.
> 
> I did not post the whole certificate, to allow you to replicate my code with
> your own certificate/calist.
> 
> >  My guess is that either your cert is self signed,
> 
> Yes, it's self signed.
> 
> >  in which case you need to treat this case in your callback,
> 
> I have no idea how to do this. Do I have to set any flag/field in the
> context?
> 
> > or the certificate you are trying to verify is not signed by the trust
> > anchor that you provide. Also, you must be careful which text editor
> > you are using, because some may replace spaces with their own (e.g.
> > CRLF, CR or LF) in the root_cert_data declaration, and that might
> > spoil the signature.
> 
> I'll check also this :-)
> > 
> > Cheers.
> 
> Thank you very much !
> 
> Flt
> > 
> > ----- Original Message ----
> > From: .:: Francesco la Torre ::.
> > <[EMAIL PROTECTED]>
> > To: openssl-users@openssl.org
> > Sent: Friday, August 1, 2008 8:02:44 PM
> > Subject: Re: Verify x509 certificate
> > 
> > Any help from someone ?
> > :-)
> > Flt
> > 
> > 
> > On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote:
> > > Dear all,
> > > I'm new to the OpenSSL API and I'm trying to write a simple application
> > > to verify an X.509 certificate, but I'm facing some strange problem.
> > > 
> > > Here is a snapshot of my code that you can use to replicate my scenario:
> > > 
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <string.h>
> > > #include <openssl/pem.h>
> > > #include <openssl/err.h>
> > > #include <openssl/x509.h>
> > > #include <openssl/x509_vfy.h>
> > > 
> > > const char root_cert_data[] =
> > > "-----BEGIN CERTIFICATE-----\n\
> > > MIIDQjCCAqugAwIBAg ... Rinw==\n\
> > > -----END CERTIFICATE-----\n";
> > > 
> > > int main(int argc, char **argv){
> > > 
> > >    FILE *fp;
> > >    X509 *root_cert;
> > >    X509_STORE *CAcerts;
> > >    X509 *cert;
> > >    /* a stack-allocated X509_STORE_CTX is fine on 0.9.8/1.0.x; from
> > >       OpenSSL 1.1.0 the struct is opaque and X509_STORE_CTX_new()
> > >       must be used instead */
> > >    X509_STORE_CTX ca_ctx;
> > >    const char *strerr;
> > >    BIO *bio;
> > >    STACK_OF(X509) *trusted_chain;
> > > 
> > >    trusted_chain = sk_X509_new_null();
> > > 
> > >    /* parse the embedded PEM root; a read-only memory BIO does not
> > >       take ownership of root_cert_data, so no BIO_set_close() is needed */
> > >    if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
> > >        printf("BIO_new_mem_buf\n");
> > >        exit(1);
> > >    }
> > >    if (!(root_cert = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
> > >        printf("PEM_read_bio_X509 (root)\n");
> > >        ERR_print_errors_fp(stdout);
> > >        exit(1);
> > >    }
> > >    BIO_free(bio);
> > > 
> > >    sk_X509_push(trusted_chain, root_cert);
> > > 
> > >    /* load CA cert store; every failure below used to fall through
> > >       with a NULL pointer, so bail out instead */
> > >    if (!(CAcerts = X509_STORE_new())) {
> > >        printf("\nError1\n");
> > >        exit(1);
> > >    }
> > >    if (X509_STORE_load_locations(CAcerts,
> > >            "/home/frank/test/test-CA/calist.pem", NULL) != 1) {
> > >        printf("\nError2\n");
> > >        exit(1);
> > >    }
> > >    if (X509_STORE_set_default_paths(CAcerts) != 1) {
> > >        printf("\nError3\n");
> > >        exit(1);
> > >    }
> > > 
> > >    /* load X509 certificate */
> > >    if (!(fp = fopen("cert.pem", "r"))) {
> > >        printf("\nError4\n");
> > >        exit(1);
> > >    }
> > >    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
> > >        printf("\nError5\n");
> > >        exit(1);
> > >    }
> > >    fclose(fp);
> > > 
> > >    /* verify: the 4th argument is the *untrusted* helper chain
> > >       (intermediates shipped with the leaf); passing the root here is
> > >       harmless but does not make it trusted */
> > >    if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1) {
> > >        printf("\nError6\n");
> > >        exit(1);
> > >    }
> > > 
> > >    /* X509_STORE_CTX_trusted_stack() makes trusted_chain the ONLY place
> > >       issuers are looked up for this verification: calist.pem and the
> > >       default paths loaded into CAcerts above are no longer consulted.
> > >       The outcome therefore depends solely on root_cert_data being the
> > >       CA that really signed cert.pem. */
> > >    X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
> > > 
> > >    if (X509_verify_cert(&ca_ctx) != 1) {
> > >        /* use the accessor rather than reading ca_ctx.error directly */
> > >        strerr = X509_verify_cert_error_string(
> > >                     X509_STORE_CTX_get_error(&ca_ctx));
> > >        printf("Verification error: %s\n", strerr);
> > >    }
> > > 
> > >    X509_STORE_CTX_cleanup(&ca_ctx);
> > >    X509_STORE_free(CAcerts);
> > >    sk_X509_pop_free(trusted_chain, X509_free);   /* also frees root_cert */
> > >    X509_free(cert);
> > > 
> > >    return 0;
> > > }
> > > 
> > > Obviously root_cert_data[] and cert.pem have to be replaced with your
> > > certs.
> > > Compiled as
> > > 
> > >  gcc -Wall x509.c -o x509 -lssl -lcrypto
> > > 
> > > after execution I receive this error :
> > > 
> > > Verification error: certificate signature failure
> > > 
> > > Even if I try to verify my certificate by means of the command line tool
> > > 
> > > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
> > > 
> > > The output is :
> > > 
> > > cert.pem: OK
> > > 
> > > Does anybody know where the problem is?
> > > 
> > > Thanks in advance,
> > > Francesco la Torre
> > >
> > ______________________________________________________________________
> > OpenSSL Project                                http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                          [EMAIL PROTECTED]
> > 
> > 
> 


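The thread contrasts "openssl verify ... cert.pem: OK" on the command line with "certificate signature failure" from the C program. The script below is an added example, not code from the thread or from the OpenSSL project: it reproduces both outcomes with the openssl CLI on a throw-away PKI built on the spot, so the error text can be seen coming from a trust anchor that carries the CA's name (and SKID) but not the CA's key, which is what an embedded root that is not byte-identical to the real CA looks like to the verifier. It also shows the check to run before blaming the code: compare the fingerprint of the embedded root with the one in the CA file. It assumes an `openssl` binary (1.0.2 or newer) plus POSIX `od`, `dd`, `sed` and `mktemp` on PATH; the function names (`verify_with`, `fingerprint`, `corrupt_pubkey`, `make_test_pki`), the subject names and the temporary file names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "OK" versus "certificate
# signature failure" with the openssl CLI, using a throw-away CA, a leaf it
# signed, and a look-alike CA whose RSA modulus has one byte altered.
# Assumes: openssl >= 1.0.2, POSIX od/dd/sed/mktemp. All names are made up.
set -e

# verify_with CAFILE CERT: run the CLI verifier against one trust anchor file,
# print its output, and return its exit status (0 = OK, non-zero = failed).
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# fingerprint CERT: what to compare when an embedded root "looks" right.
# Same subject but a different fingerprint means it is not the same CA.
fingerprint() {
    openssl x509 -noout -sha256 -fingerprint -in "$1" | sed 's/^[^=]*=//'
}

# corrupt_pubkey IN.pem OUT.pem: copy a certificate but alter one byte of its
# RSA modulus. Subject, issuer and extensions (SKID/AKID) stay intact, so the
# verifier still selects it as the issuer by name, and then fails the signature.
corrupt_pubkey() {
    der="$2.der"
    openssl x509 -in "$1" -outform DER -out "$der"
    # asn1parse prints "  OFF:d=3  hl=4 l= 271 prim: BIT STRING" for the
    # SubjectPublicKeyInfo key; the first BIT STRING in a certificate is the
    # public key, the second one is the signature.
    off=$(openssl asn1parse -inform DER -in "$der" | grep 'BIT STRING' \
          | head -n 1 | sed 's/^ *\([0-9][0-9]*\):.*/\1/')
    # tag+length (4), unused-bits byte (1), SEQUENCE header (4), INTEGER
    # header (4), leading zero (1): off+14 is the first modulus byte, so
    # off+24 is safely inside the modulus and leaves its length unchanged.
    off=$((off + 24))
    b=$(od -An -tu1 -j "$off" -N 1 "$der" | tr -d ' ')
    printf "$(printf '\\%03o' $(( (b + 1) % 256 )))" \
        | dd of="$der" bs=1 seek="$off" conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in "$der" -out "$2"
}

# make_test_pki DIR: real CA (real.pem), a leaf it signed (leaf.pem) and the
# look-alike CA with the broken key (bad.pem), all under DIR.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/real.key" -out "$1/real.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/real.pem" \
        -CAkey "$1/real.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
    corrupt_pubkey "$1/real.pem" "$1/bad.pem"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"

echo "real CA fingerprint: $(fingerprint "$WORK/real.pem")"
echo "bad  CA fingerprint: $(fingerprint "$WORK/bad.pem")  (same subject, other key)"
# the CA file that really issued the leaf: "<path>/leaf.pem: OK"
verify_with "$WORK/real.pem" "$WORK/leaf.pem" || true
# same name, wrong key: "error 7 at 0 depth lookup: certificate signature failure"
verify_with "$WORK/bad.pem" "$WORK/leaf.pem" || true
```

The corrupted certificate stands in for whatever differs between the root_cert_data literal and the calist.pem the CLI was given; if `fingerprint` on both gives the same value, the trust anchor is not the cause and the X509_STORE_CTX setup is the next place to look.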