Re: [openssl-users] SSL_CTX_check_private_key:no certificate assigned

Sun, 01 Mar 2015 06:57:45 -0800 

On 03/01/15 19:43, Dr. Stephen Henson wrote:

On Sun, Mar 01, 2015, dE wrote:


Hi!

I'm trying to create a certificate using openssl library. Here is
the code --

void main () {
     SSL_library_init();
     SSL_load_error_strings();
     OpenSSL_add_all_algorithms();
     char err[1000];
     RSA* keypair = RSA_new();
     BIGNUM *e = BN_new();
     X509 *certificate = X509_new();
     EVP_PKEY *certkeypair = EVP_PKEY_new();

     BN_set_word(e, 65537);
     if (!RSA_generate_key_ex(keypair, 1024, e, NULL))
         printf ("key generation failed");
     BN_free(e);
     e = NULL;

     EVP_PKEY_assign_RSA(certkeypair,keypair);

     X509_set_version (certificate  , 3);
     ASN1_INTEGER_set(X509_get_serialNumber(certificate), 1);

     X509_NAME * certnames;
     certnames = X509_get_subject_name(certificate);
     X509_NAME_add_entry_by_txt(certnames, "C",  MBSTRING_ASC,
(unsigned char *)"global", -1, -1, 0);
     X509_NAME_add_entry_by_txt(certnames, "O",  MBSTRING_ASC,
(unsigned char *)"BIGcoin", -1, -1, 0);
     X509_NAME_add_entry_by_txt(certnames, "CN", MBSTRING_ASC,
(unsigned char *)"My IP", -1, -1, 0);

     X509_set_issuer_name(certificate,certnames);

     X509_gmtime_adj(X509_get_notBefore(certificate), -(24*60*60));
     X509_gmtime_adj(X509_get_notAfter(certificate), (366*24*60*60));

     X509_sign(certificate, certkeypair, EVP_sha512());

     const SSL_METHOD* meth;
     meth = TLSv1_method();
     SSL_CTX* ctx;
     ctx = SSL_CTX_new(meth);

     SSL_CTX_use_certificate (ctx, certificate);
     SSL_CTX_use_PrivateKey (ctx, certkeypair);

     if (!SSL_CTX_check_private_key (ctx))
         printf ("Signature could not be verified\n");

     ERR_error_string(ERR_peek_last_error(), err);
         printf ("Error is %s\n", err);
}

I cant get the created certificate to be verified. It always results in --

error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate
assigned

You're missing a call to X509_set_pubkey. Since the certificate doesn't
contain a public key it is not valid and the TLS code can't check a public key
which doesn't exist. In fact it wont even get there: if there is no key on a
certificate OpenSSL will refuse to add it as a certificate in the first place
(which is why you get the "no certificate" error).

If you checked some of your other functions for errors you'd see what was
happening: there are probably many more errors in the whole queue but you're
only seeing the last one.

Check out demos/x509/mkcert.c for an example of how to create a certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Thank you!
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to