It seems to work good because if I try to change a character in array containing the cert, the verification process fails. However next days I'll try to load an untrusted chain and verify better, now instead I'm preparing problems for the next post :-)

thanks
Flt

On Sat, 02/08/2008 at 18.57 -0700, Sendroiu Eugen wrote:
> I'm not sure you solved that. This works just because your certificate
> chain will have only 1 certificate so no signature verification is
> done.
>
> kr,
>
> Eugen Sendroiu
>
> ----- Original Message ----
> From: .:: Francesco la Torre ::. <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Sent: Saturday, August 2, 2008 5:16:10 PM
> Subject: Re: Verify x509 certificate
>
> Solved !
>
> I forgot to call SSLeay_add_all_algorithms();
> ... a summer youthful folly :-)
>
> Flt
>
> On Sat, 02/08/2008 at 11.43 +0200, .:: Francesco la Torre ::. wrote:
> > On Sat, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
> > > The verify(1ssl) man page has descriptions of these error codes. 7 is
> > > "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
> > > which is described as: the signature of the certificate is invalid.
> > >
> > > I would presume that this is because the signature cannot be verified
> > > with the public key that it's said to be verifiable with -- i.e., the
> > > data in one of the certificates has been modified since it was signed
> > > (and thus, the signature has been invalidated).
> > >
> >
> > You're true, but I used the "strange" adjective because if I try to
> > verify the certificate from command line
> >
> > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
> >
> > The output is :
> >
> > cert.pem: OK
> >
> > so both certificates are valid.
> >
> > Regards,
> > Flt
> >
> > > -Kyle H
> > >
> > > On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::.
> > > <[EMAIL PROTECTED]> wrote:
> > > > On Sat, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
> > > >
> > > > One mistake is here even if there were not compilation error
> > > >
> > > >> and also add this line to the main
> > > >> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
> > > >>
> > > >
> > > > the correct code block is :
> > > >
> > > > ...
> > > > /* load CA cert store */
> > > > if (!(CAcerts = X509_STORE_new())) {
> > > >     printf ("\nError1\n");
> > > > }
> > > > ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
> > > > ...
> > > >
> > > >> but the result is always the same :
> > > >>
> > > >
> > > > Not always the boring "Verification error: certificate signature
> > > > failure"
> > > >
> > > > But a new strange error :
> > > >
> > > > /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/[EMAIL PROTECTED]
> > > > error 7 at 1 depth lookup:certificate signature failure
> > > > Verification error: 0
> > > >
> > > > I've tried to find any kind of reference for this kind of error but
> > > > google returns not a very good help.
> > > >
> > > > In various forum/mailing list this is _classified_ as *quite strange*
> > > > error ... is it possible ?
> > > >
> > > > Thanks in advance,
> > > > Flt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
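The negative tests discussed in this thread (an untrusted chain and a modified certificate), sketched with the `openssl verify` command quoted above. This is an added example, not code from the thread; the throwaway PKI, file names and subject names are constructed for the test.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI to exercise `openssl verify`.
# All file names and subject names below are made up for the test.

make_pki() {   # $1 = work dir; creates ca1, ca2 (unrelated) and a leaf signed by ca1
    for ca in ca1 ca2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test $ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca1.pem" -CAkey "$1/ca1.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

verifies() {   # $1 = CA bundle, $2 = cert; true only if the "<file>: OK" line appears
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

tamper_signature() {   # $1 = PEM in, $2 = PEM out; alters the last signature byte
    der="$2.der"
    openssl x509 -in "$1" -outform DER -out "$der" || return 1
    size=$(wc -c < "$der")
    last=$(tail -c 1 "$der" | od -An -tu1 | tr -d ' \n')
    new=$(printf '%03o' $(( (last + 1) % 256 )))
    # The signature BIT STRING is the final field of the DER certificate.
    printf "\\$new" | dd of="$der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in "$der" -out "$2"
}

run_checks() {   # prints one word per case, in the order listed in the loop
    d=$(mktemp -d) || return 1
    make_pki "$d" && tamper_signature "$d/leaf.pem" "$d/bad.pem" || return 1
    out=""
    # trusted issuer / unrelated CA as trust anchor / tampered leaf
    for pair in "ca1 leaf" "ca2 leaf" "ca1 bad"; do
        set -- $pair
        if verifies "$d/$1.pem" "$d/$2.pem"; then out="$out pass"; else out="$out fail"; fi
    done
    rm -rf "$d"
    echo "${out# }"
}

run_checks
```

Only the first case should pass; a verification routine that also accepts the second or third case is not checking the issuer signature.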