I would not use the X509_print_fp(), since it does not give you the PEM or DER
file.
Use intead PEM_write_bio or write_bio() for PEM and DER respectively.
Also check for error for the status of these two bio write function.
hopefully it helps
From: Andrea Saracino
Sent: Wednesday, July 27, 2011 6:05 PM
To: openssl-users@openssl.org
Subject: Re: X509 verify
Hi Erwin, thanks for your fast answer.
I dumped both the certificates in 2 PEM files, then I used the X509_print_fp()
to obtain the readable version of both of them. The two resulting files are
identical. Perhaps there is something wrong in the invocation of the i2d/d2i
functions. I'm posting an extract of the code:
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
struct T_G_4{
unsigned char nonce[NONCE_SIZE];
int cert_size;
unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
}
/*...*/
T_G_4 * TG4=new T_G_4;
/*...*/
peer_certificate=/* initialization function */ //this is a private member of a
class and the two functions are members of the same class
EVP_PKEY * pubkey=EVP_PKEY_new();
EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
X509_verify(peer_certificate,pubkey); //this verification returns 1
unsigned char * serialized certificate=NULL; //following the example of the
openssl d2i_X509 page, NULL pointer avoids the management of the increasing
pointer
TG4->cert_size=i2d(peer_certificate,&serialized_certificate); //serialization
memcpy(TG4->certificate,serialized_certificate,TG4->cert_size);
//initialize the remaining fields and return TG4
//passing the structure to another function
//other function:
/*...*/
unsigned char * serialized_certificate=new unsigned char [TG4->cert_size];
memcpy(serialized_certificate,TG4->certificate,TG4->cert_size);
peer_certificate = d2i_X509(NULL,(const unsigned char
**)&serialized_certificate,TG4->cert_size); //deserialization
X509_verify(peer_certificate,pubkey); //now it returns 0... :(
/*...*/
Is there something wrong in this code?
Thanks in advance.
Best Regards
Andrea Saracino
2011/7/27 Erwin Himawan <ehima...@gmail.com>
The way I would verify this is by writting the original X509 object into PEM
file and dumping the X509 object resulted from d2i_x509() into another PEM file
and compares both files using the openssl ; either using asnparse or x509
command.
On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino <saracino.and...@gmail.com>
wrote:
Hello everyone,
I've found some issues using the function X509_verify() on a simple X509
certificate. After the creation, if I call:
X509_verify(certificate,ca_key);
the function returns 1, but if I call the i2d_X509() function on the
certificate and then the d2i_X509() on the obtained byte string, the
X509_verify() on the resultant certificate returns 0.
I printed the certificate, in a readable format, before and after the i2d()
and d2i() execution and the result is exactly the same. The various fields
(issuer, subject...) have the correct values. Any ideas?
Best Regards
Andrea Saracino
