Verify x509 certificate - Openssl

This is a discussion on Verify x509 certificate - Openssl ; Dear all, I'm new in openssl api and I'm trying to write e simple application to verify an x509 certificate but I'm facing with some strange problem. Here there is a snapshot of my code to use to replicate my ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Verify x509 certificate

  1. Verify x509 certificate

    Dear all,
    I'm new in openssl api and I'm trying to write e simple application to
    verify an x509 certificate but I'm facing with some strange problem.

    Here there is a snapshot of my code to use to replicate my scenario :

    #include
    #include
    #include
    #include
    #include
    #include
    #include

    const char root_cert_data[] =
    "-----BEGIN CERTIFICATE-----\n\
    MIIDQjCCAqugAwIBAg ... Rinw==\n\
    -----END CERTIFICATE-----\n";

    int main(int argc, char **argv){

    FILE *fp;
    X509 *root_cert;

    X509_STORE *CAcerts;
    X509 * cert;

    X509_STORE_CTX ca_ctx;
    char *strerr;
    BIO *bio;

    STACK_OF(X509) *trusted_chain;

    trusted_chain = sk_X509_new_null();

    if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
    printf("BIO_new_mem_buf\n");
    exit(1);
    }
    BIO_set_close(bio, BIO_NOCLOSE);
    if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
    printf("PEM_read_bio_X509 (root)\n");
    ERR_print_errors_fp(stdout);
    exit(1);
    }

    sk_X509_push(trusted_chain, root_cert);
    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
    printf ("\nError1\n");
    }

    if (X509_STORE_load_locations(CAcerts,
    "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
    printf ("\nError2\n");
    }
    if (X509_STORE_set_default_paths(CAcerts) != 1) {
    printf ("\nError3\n");
    }

    /* load X509 certificate */
    if (!(fp = fopen ("cert.pem", "r"))){
    printf ("\nError4\n");
    }
    if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
    printf ("\nError5\n");
    }

    /* verify */
    if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
    {
    printf ("\nError6\n");
    }

    X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);

    if (X509_verify_cert(&ca_ctx) != 1) {
    strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
    printf("Verification error: %s", strerr);
    }

    X509_STORE_free(CAcerts);
    X509_free(cert);

    return 0;
    }

    obviously root_cert_data[] and cert.pem have to be replaced with your
    certs.
    Compilated as

    gcc -Wall x509.c -o x509 -lssl -lcrypto

    after execution I receive this error :

    Verification error: certificate signature failure

    Even if I try to verify my certificate by mean command line tool

    openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

    The output is :

    cert.pem: OK

    Does anybody know where is the problem ?

    Thanks in advance,
    Francesco la Torre
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Verify x509 certificate

    Any help from someone ?
    :-)
    Flt


    Il giorno mer, 30/07/2008 alle 23.57 +0200, Francesco la Torre ha
    scritto:
    > Dear all,
    > I'm new in openssl api and I'm trying to write e simple application to
    > verify an x509 certificate but I'm facing with some strange problem.
    >
    > Here there is a snapshot of my code to use to replicate my scenario :
    >
    > #include
    > #include
    > #include
    > #include
    > #include
    > #include
    > #include
    >
    > const char root_cert_data[] =
    > "-----BEGIN CERTIFICATE-----\n\
    > MIIDQjCCAqugAwIBAg ... Rinw==\n\
    > -----END CERTIFICATE-----\n";
    >
    > int main(int argc, char **argv){
    >
    > FILE *fp;
    > X509 *root_cert;
    >
    > X509_STORE *CAcerts;
    > X509 * cert;
    >
    > X509_STORE_CTX ca_ctx;
    > char *strerr;
    > BIO *bio;
    >
    > STACK_OF(X509) *trusted_chain;
    >
    > trusted_chain = sk_X509_new_null();
    >
    > if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
    > printf("BIO_new_mem_buf\n");
    > exit(1);
    > }
    > BIO_set_close(bio, BIO_NOCLOSE);
    > if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
    > printf("PEM_read_bio_X509 (root)\n");
    > ERR_print_errors_fp(stdout);
    > exit(1);
    > }
    >
    > sk_X509_push(trusted_chain, root_cert);
    > /* load CA cert store */
    > if (!(CAcerts = X509_STORE_new())) {
    > printf ("\nError1\n");
    > }
    >
    > if (X509_STORE_load_locations(CAcerts,
    > "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
    > printf ("\nError2\n");
    > }
    > if (X509_STORE_set_default_paths(CAcerts) != 1) {
    > printf ("\nError3\n");
    > }
    >
    > /* load X509 certificate */
    > if (!(fp = fopen ("cert.pem", "r"))){
    > printf ("\nError4\n");
    > }
    > if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
    > printf ("\nError5\n");
    > }
    >
    > /* verify */
    > if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
    > {
    > printf ("\nError6\n");
    > }
    >
    > X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
    >
    > if (X509_verify_cert(&ca_ctx) != 1) {
    > strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
    > printf("Verification error: %s", strerr);
    > }
    >
    > X509_STORE_free(CAcerts);
    > X509_free(cert);
    >
    > return 0;
    > }
    >
    > obviously root_cert_data[] and cert.pem have to be replaced with your
    > certs.
    > Compilated as
    >
    > gcc -Wall x509.c -o x509 -lssl -lcrypto
    >
    > after execution I receive this error :
    >
    > Verification error: certificate signature failure
    >
    > Even if I try to verify my certificate by mean command line tool
    >
    > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
    >
    > The output is :
    >
    > cert.pem: OK
    >
    > Does anybody know where is the problem ?
    >
    > Thanks in advance,
    > Francesco la Torre
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


+ Reply to Thread