Verify x509 certificate - Openssl
This is a discussion on Verify x509 certificate - Openssl ; Dear all,
I'm new in openssl api and I'm trying to write e simple application to
verify an x509 certificate but I'm facing with some strange problem.
Here there is a snapshot of my code to use to replicate my ...
-
Verify x509 certificate
Dear all,
I'm new in openssl api and I'm trying to write e simple application to
verify an x509 certificate but I'm facing with some strange problem.
Here there is a snapshot of my code to use to replicate my scenario :
#include
#include
#include
#include
#include
#include
#include
const char root_cert_data[] =
"-----BEGIN CERTIFICATE-----\n\
MIIDQjCCAqugAwIBAg ... Rinw==\n\
-----END CERTIFICATE-----\n";
int main(int argc, char **argv){
FILE *fp;
X509 *root_cert;
X509_STORE *CAcerts;
X509 * cert;
X509_STORE_CTX ca_ctx;
char *strerr;
BIO *bio;
STACK_OF(X509) *trusted_chain;
trusted_chain = sk_X509_new_null();
if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
printf("BIO_new_mem_buf\n");
exit(1);
}
BIO_set_close(bio, BIO_NOCLOSE);
if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
printf("PEM_read_bio_X509 (root)\n");
ERR_print_errors_fp(stdout);
exit(1);
}
sk_X509_push(trusted_chain, root_cert);
/* load CA cert store */
if (!(CAcerts = X509_STORE_new())) {
printf ("\nError1\n");
}
if (X509_STORE_load_locations(CAcerts,
"/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
printf ("\nError2\n");
}
if (X509_STORE_set_default_paths(CAcerts) != 1) {
printf ("\nError3\n");
}
/* load X509 certificate */
if (!(fp = fopen ("cert.pem", "r"))){
printf ("\nError4\n");
}
if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
printf ("\nError5\n");
}
/* verify */
if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
{
printf ("\nError6\n");
}
X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
if (X509_verify_cert(&ca_ctx) != 1) {
strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
printf("Verification error: %s", strerr);
}
X509_STORE_free(CAcerts);
X509_free(cert);
return 0;
}
obviously root_cert_data[] and cert.pem have to be replaced with your
certs.
Compilated as
gcc -Wall x509.c -o x509 -lssl -lcrypto
after execution I receive this error :
Verification error: certificate signature failure
Even if I try to verify my certificate by mean command line tool
openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
The output is :
cert.pem: OK
Does anybody know where is the problem ?
Thanks in advance,
Francesco la Torre
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
-
Re: Verify x509 certificate
Any help from someone ?
:-)
Flt
Il giorno mer, 30/07/2008 alle 23.57 +0200, Francesco la Torre ha
scritto:
> Dear all,
> I'm new in openssl api and I'm trying to write e simple application to
> verify an x509 certificate but I'm facing with some strange problem.
>
> Here there is a snapshot of my code to use to replicate my scenario :
>
> #include
> #include
> #include
> #include
> #include
> #include
> #include
>
> const char root_cert_data[] =
> "-----BEGIN CERTIFICATE-----\n\
> MIIDQjCCAqugAwIBAg ... Rinw==\n\
> -----END CERTIFICATE-----\n";
>
> int main(int argc, char **argv){
>
> FILE *fp;
> X509 *root_cert;
>
> X509_STORE *CAcerts;
> X509 * cert;
>
> X509_STORE_CTX ca_ctx;
> char *strerr;
> BIO *bio;
>
> STACK_OF(X509) *trusted_chain;
>
> trusted_chain = sk_X509_new_null();
>
> if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
> printf("BIO_new_mem_buf\n");
> exit(1);
> }
> BIO_set_close(bio, BIO_NOCLOSE);
> if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
> printf("PEM_read_bio_X509 (root)\n");
> ERR_print_errors_fp(stdout);
> exit(1);
> }
>
> sk_X509_push(trusted_chain, root_cert);
> /* load CA cert store */
> if (!(CAcerts = X509_STORE_new())) {
> printf ("\nError1\n");
> }
>
> if (X509_STORE_load_locations(CAcerts,
> "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
> printf ("\nError2\n");
> }
> if (X509_STORE_set_default_paths(CAcerts) != 1) {
> printf ("\nError3\n");
> }
>
> /* load X509 certificate */
> if (!(fp = fopen ("cert.pem", "r"))){
> printf ("\nError4\n");
> }
> if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
> printf ("\nError5\n");
> }
>
> /* verify */
> if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
> {
> printf ("\nError6\n");
> }
>
> X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
>
> if (X509_verify_cert(&ca_ctx) != 1) {
> strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
> printf("Verification error: %s", strerr);
> }
>
> X509_STORE_free(CAcerts);
> X509_free(cert);
>
> return 0;
> }
>
> obviously root_cert_data[] and cert.pem have to be replaced with your
> certs.
> Compilated as
>
> gcc -Wall x509.c -o x509 -lssl -lcrypto
>
> after execution I receive this error :
>
> Verification error: certificate signature failure
>
> Even if I try to verify my certificate by mean command line tool
>
> openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
>
> The output is :
>
> cert.pem: OK
>
> Does anybody know where is the problem ?
>
> Thanks in advance,
> Francesco la Torre
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
