------=_Part_6455_8413763.1193214702268
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello all,

I am using the openssl 0.9.8d and the following procedure to verify
certificates.
The procedure gives an error, whereas if I try to verify the same
certificates with the command line it succeedes.

I will appreciate any hint to solve this problem.

The C API procedure:

/*!Procedure to verify whether the certificate 'cert' was issued by
'pnca_cert'.*/
int verify_certificate(X509 *pnca_cert, X509 *cert)
{
int ret = 1;
X509_STORE *store;
X509_STORE_CTX *ctx;

#ifdef TESTING
BIO *out = NULL;

// open BIO for output to 'stdout'
if (!(out = BIO_new_fp(stdout, BIO_NOCLOSE))) {
ERR_INFO;
ERR_print_errors_fp (stderr);
fprintf(stderr, "Error creating stdout BIO: %s (%d)\n",
strerror(errno), errno);
return E_SSL;
}
#endif

ctx = X509_STORE_CTX_new();
store = X509_STORE_new();
X509_STORE_set_default_paths(store);
X509_STORE_add_cert(store, pnca_cert);
X509_STORE_CTX_init(ctx, store, cert, NULL);

#ifdef TESTING
BIO_printf(out, "\n\n\n\tPNCA Certificate: \n");
X509_print(out, pnca_cert);
BIO_printf(out, "\n");

BIO_printf(out, "\tPeer Certificate: \n");
X509_print(out, cert);
BIO_printf(out, "\n\n\n\n");
#endif

if (!X509_verify_cert(ctx)) {
fprintf(stderr, "Error verifying signature on issued certificate:
\n");
ERR_print_errors_fp (stderr);
ret = E_SSL;
}

X509_STORE_CTX_free(ctx);
X509_STORE_free(store);

return ret;

}


The certificates are (as printed out by the same procedure):

***********************************
Self-Signed PNCA Certificate:
***********************************
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
c8:d5:d0:90:c3:dd:0a:1a
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6,
CN=PNCA
Validity
Not Before: Oct 23 14:32:40 2007 GMT
Not After : Nov 22 14:32:40 2007 GMT
Subject: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6,
CN=PNCA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:e5:c5:a5:6a:46:ce:24:bd:80:f5:e2:30:d0:9c:
4a:14:69:c5:9a:c7:d0:a4:b7:b8:d9:fc:07:c9:37:
de:3c:23:44:73:3e:15:76:f3:3e:2a:22:13:34:9b:
36:89:a3:35:2f:12:30:e5:d1:eb:a6:e1:b8:b5:ee:
95:0e:d0:0e:05
ASN1 OID: secp256k1
Signature Algorithm: ecdsa-with-SHA1
30:45:02:20:35:da:33:85:05:7a:3c:6f:be:47:2f:cc:59 :fb:
c1:a7:b4:af:6d:a6:39:04:eb:46:ad:42:a5:6e:2e:bf:ce :90:
02:21:00:e9:09:e4:20:3d:26:cf:4a:2c:ce:9f:72:77:25 :0e:
af:61:c8:7a:3d:a0:5e:cb:76:e6:15:8d:53:17:11:0d:ed

**************************
Client Peer Certificate:
**************************
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: ecdsa-with-SHA1
Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6,
CN=PNCA
Validity
Not Before: Oct 23 14:33:36 2007 GMT
Not After : Oct 22 14:33:36 2008 GMT
Subject: C=PN, ST=MAGNET, L=Mobile, O=Test Organization, OU=Testing,
CN=Magnet device#1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
EC Public Key:
pub:
04:d4:87:e4:d1:49:bb:b2:0e:56:57:d8:0d:69:8e:
fa:66:62:6f:eb:60:38:f2:59:7b:56:2e:f6:d8:eb:
f5:44:82:fd:46:ae:0c:1f:b0:67:5e:dd:2c:12:08:
ff:b4:db:ee:ae:7c:7f:f8:0e:24:b2:0b:21:5c:18:
73:72:b4:69:b5
ASN1 OID: secp256k1
X509v3 extensions:
X509v3 Subject Alternative Name:
URI:my PN name:5b8f3fe0-612e-11dc-9287-001921a6909f
Signature Algorithm: ecdsa-with-SHA1
30:44:02:20:12:71:ef:bf:aa:4c:b4:dd:fe:21:0c:f2:29 :01:
f6:c4:21:97:56:05:5e:6c:5a:4e:83:14:55:48:90:52:c8 :e1:
02:20:36:e1:70:78:55:b3:dd:e1:75:a8:a2:2a:28:e2:19 :6f:
d2:97:65:8c:4b:62:68:42:cb:54:68:e4:72:0d:1c:8c


** file cpfp_ssl.c: line 2752
Error verifying signature on issued certificate:
8134:error:0D0C50A1:lib(13):func(197):reason(161): a_verify.c:141:

After looking into "a_verify.c" line 141, this corresponds to the following
error:

ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

But then, if I try to verify the certificates with the command line, I get:

jjp ~ # openssl verify -CAfile u1/certs/pnca.pem u1/certs/pnclient.cert.pem
u1/certs/pnclient.cert.pem: OK


Any hints ?

Best regards,

Jordi

------=_Part_6455_8413763.1193214702268
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello all,

I am using the openssl 0.9.8d and the following procedure to verify certificates.
The procedure gives an error, whereas if I try to verify the same certificates with the command line it succeedes.


I will appreciate any hint to solve this problem.

The C API procedure:

/*!Procedure to verify whether the certificate 'cert' was issued by 'pnca_cert'.*/
int verify_certificate(X509 *pnca_cert, X509 *cert)

{
    int ret = 1;
    X509_STORE *store;
    X509_STORE_CTX *ctx;

#ifdef TESTING
    BIO *out = NULL;

    // open BIO for output to 'stdout'
    if (!(out = BIO_new_fp(stdout, BIO_NOCLOSE))) {

        ERR_INFO;
        ERR_print_errors_fp (stderr);
            fprintf(stderr, "Error creating stdout BIO: %s (%d)\n",  strerror(errno), errno);
        return E_SSL;
    }   
#endif


    ctx = X509_STORE_CTX_new();
    store = X509_STORE_new();
    X509_STORE_set_default_paths(store);
    X509_STORE_add_cert(store, pnca_cert);
    X509_STORE_CTX_init(ctx, store, cert, NULL);

#ifdef TESTING

    BIO_printf(out, "\n\n\n\tPNCA Certificate: \n");
    X509_print(out, pnca_cert);
    BIO_printf(out, "\n");   

    BIO_printf(out, "\tPeer Certificate: \n");
    X509_print(out, cert);

    BIO_printf(out, "\n\n\n\n");
#endif   

    if (!X509_verify_cert(ctx)) {
        fprintf(stderr, "Error verifying signature on issued certificate: \n");
        ERR_print_errors_fp (stderr);

        ret = E_SSL;
    }

    X509_STORE_CTX_free(ctx);
    X509_STORE_free(store);

    return ret;

}


The certificates are (as printed out by the same procedure):

***********************************

Self-Signed PNCA Certificate:
***********************************
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c8:d5:d0:90:c3:dd:0a:1a
        Signature Algorithm: ecdsa-with-SHA1

        Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA
        Validity
            Not Before: Oct 23 14:32:40 2007 GMT
            Not After : Nov 22 14:32:40 2007 GMT
        Subject: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:e5:c5:a5:6a:46:ce:24:bd:80:f5:e2:30:d0:9c:
                    4a:14:69:c5:9a:c7:d0:a4:b7:b8:d9:fc:07:c9:37:

                    de:3c:23:44:73:3e:15:76:f3:3e:2a:22:13:34:9b:
                    36:89:a3:35:2f:12:30:e5:d1:eb:a6:e1:b8:b5:ee:
                    95:0e:d0:0e:05
                ASN1 OID: secp256k1
    Signature Algorithm: ecdsa-with-SHA1

        30:45:02:20:35:da:33:85:05:7a:3c:6f:be:47:2f:cc:59 :fb:
        c1:a7:b4:af:6d:a6:39:04:eb:46:ad:42:a5:6e:2e:bf:ce :90:
        02:21:00:e9:09:e4:20:3d:26:cf:4a:2c:ce:9f:72:77:25 :0e:
        af:61:c8:7a:3d:a0:5e:cb:76:e6:15:8d:53:17:11:0d:ed


**************************
Client Peer Certificate:
**************************
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA1

        Issuer: C=No, ST=CA, L=testing, O=Test Organization, OU=MAGNET WP6, CN=PNCA
        Validity
            Not Before: Oct 23 14:33:36 2007 GMT
            Not After : Oct 22 14:33:36 2008 GMT
        Subject: C=PN, ST=MAGNET, L=Mobile, O=Test Organization, OU=Testing, CN=Magnet device#1

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:d4:87:e4:d1:49:bb:b2:0e:56:57:d8:0d:69:8e:
                    fa:66:62:6f:eb:60:38:f2:59:7b:56:2e:f6:d8:eb:

                    f5:44:82:fd:46:ae:0c:1f:b0:67:5e:dd:2c:12:08:
                    ff:b4:db:ee:ae:7c:7f:f8:0e:24:b2:0b:21:5c:18:
                    73:72:b4:69:b5
                ASN1 OID: secp256k1
        X509v3 extensions:

            X509v3 Subject Alternative Name:
                URI:my PN name:5b8f3fe0-612e-11dc-9287-001921a6909f
    Signature Algorithm: ecdsa-with-SHA1
        30:44:02:20:12:71:ef:bf:aa:4c:b4:dd:fe:21:0c:f2:29 :01:

        f6:c4:21:97:56:05:5e:6c:5a:4e:83:14:55:48:90:52:c8 :e1:
        02:20:36:e1:70:78:55:b3:dd:e1:75:a8:a2:2a:28:e2:19 :6f:
        d2:97:65:8c:4b:62:68:42:cb:54:68:e4:72:0d:1c:8c


** file cpfp_ssl.c: line 2752

Error verifying signature on issued certificate:
8134:error:0D0C50A1:lib(13):func(197):reason(161): a_verify.c:141:

After looking into "a_verify.c" line 141, this corresponds to the following error:


ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

But then, if I try to verify the certificates with the command line, I get:

jjp ~ # openssl verify -CAfile u1/certs/pnca.pem u1/certs/pnclient.cert.pem
u1/certs/pnclient.cert.pem: OK



Any hints ?

Best regards,

Jordi


------=_Part_6455_8413763.1193214702268--
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org