On Wed, Feb 10, 2010 at 4:23 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Tue, Feb 09, 2010, skillz...@gmail.com wrote:
>
>> I'm trying to programmatically verify that a certificate from a sub-CA
>> is signed by a specific root CA. I get an error of 7
>> (X509_V_ERR_CERT_SIGNATURE_FAILURE) from X509_verify_cert. If I verify
>> with the openssl command line tool using 'openssl verify -CAfile
>> root.pem cert.pem', it returns OK. Here's what I'm doing to verify the
>> certificate in code:
>>
>> 1. Call certStore = X509_STORE_new().
>> 2. Convert DER-encoded root certificate to an X509 object using
>> d2i_X509. Returns a valid X509 pointer.
>> 3. Call X509_STORE_add_cert to add root X509 object to X509_STORE.
>> Returns 1 (success).
>> 4. Call storeContext = X509_STORE_CTX_new().
>> 5. Convert DER-encoded sub-CA cert to an X509 object using d2i_X509.
>> Returns a valid X509 pointer.
>> 6. Call X509_STORE_CTX_init( storeContext, certStore, cert, NULL ).
>> Returns 1 (success).
>> 7. Call X509_verify_cert( storeContext ). Returns 0 (failed).
>> X509_STORE_CTX_get_error() returns 7.
>>
>> Is there something I'm missing?
>
> OpenSSL_add_all_algorithms(), see the FAQ.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-us...@openssl.org
> Automated List Manager majord...@openssl.org

Thanks, that worked.