On ven, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:
>
Hi Sendroiu,

> It would be helpful if we could see the certificate.

I did not report all certificate to allow you to replicate my code with
your how certificate/calist.

> My guess is that either your cert is self signed,

Yes, it's self signed.

> in which case you need to treat this case in your callback,

I have no idea how to do this. Have I to set any flag/field in the
context ?

> or the certificate you are trying to verify is not signed by the trust
> anchor that you provide. Also you must be careful which text editor
> you are using because some may replace spaces with their owns ( eg
> CRLF - CR or LF ) in the root_cert_data declaration, and that might
> spoil the signature.

I'll check also this :-)
>
> Cheers.

Thank you very much !

Flt
>
> ----- Original Message ----
> From: .:: Francesco la Torre ::.
>
> To: openssl-users@openssl.org
> Sent: Friday, August 1, 2008 8:02:44 PM
> Subject: Re: Verify x509 certificate
>
> Any help from someone ?
> :-)
> Flt
>
>
> Il giorno mer, 30/07/2008 alle 23.57 +0200, Francesco la Torre ha
> scritto:
> > Dear all,
> > I'm new in openssl api and I'm trying to write e simple application
> to
> > verify an x509 certificate but I'm facing with some strange problem.
> >
> > Here there is a snapshot of my code to use to replicate my
> scenario :
> >
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> > #include
> >
> > const char root_cert_data[] =
> > "-----BEGIN CERTIFICATE-----\n\
> > MIIDQjCCAqugAwIBAg ... Rinw==\n\
> > -----END CERTIFICATE-----\n";
> >
> > int main(int argc, char **argv){
> >
> > FILE *fp;
> > X509 *root_cert;
> >
> > X509_STORE *CAcerts;
> > X509 * cert;
> >
> > X509_STORE_CTX ca_ctx;
> > char *strerr;
> > BIO *bio;
> >
> > STACK_OF(X509) *trusted_chain;
> >
> > trusted_chain = sk_X509_new_null();
> >
> > if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
> > printf("BIO_new_mem_buf\n");
> > exit(1);
> > }
> > BIO_set_close(bio, BIO_NOCLOSE);
> > if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
> > printf("PEM_read_bio_X509 (root)\n");
> > ERR_print_errors_fp(stdout);
> > exit(1);
> > }
> >
> > sk_X509_push(trusted_chain, root_cert);
> > /* load CA cert store */
> > if (!(CAcerts = X509_STORE_new())) {
> > printf ("\nError1\n");
> > }
> >
> > if (X509_STORE_load_locations(CAcerts,
> > "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
> > printf ("\nError2\n");
> > }
> > if (X509_STORE_set_default_paths(CAcerts) != 1) {
> > printf ("\nError3\n");
> > }
> >
> > /* load X509 certificate */
> > if (!(fp = fopen ("cert.pem", "r"))){
> > printf ("\nError4\n");
> > }
> > if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
> > printf ("\nError5\n");
> > }
> >
> > /* verify */
> > if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) !=
> 1)
> > {
> > printf ("\nError6\n");
> > }
> >
> > X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
> >
> > if (X509_verify_cert(&ca_ctx) != 1) {
> > strerr = (char *)
> X509_verify_cert_error_string(ca_ctx.error);
> > printf("Verification error: %s", strerr);
> > }
> >
> > X509_STORE_free(CAcerts);
> > X509_free(cert);
> >
> > return 0;
> > }
> >
> > obviously root_cert_data[] and cert.pem have to be replaced with
> your
> > certs.
> > Compilated as
> >
> > gcc -Wall x509.c -o x509 -lssl -lcrypto
> >
> > after execution I receive this error :
> >
> > Verification error: certificate signature failure
> >
> > Even if I try to verify my certificate by mean command line tool
> >
> > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
> >
> > The output is :
> >
> > cert.pem: OK
> >
> > Does anybody know where is the problem ?
> >
> > Thanks in advance,
> > Francesco la Torre
> >
> __________________________________________________ ____________________
> > OpenSSL Project
> http://www.openssl.org
> > User Support Mailing List
> openssl-users@openssl.org
> > Automated List Manager
> majordomo@openssl.org
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
>

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

self reply :-)

I've added a callback function like this

static int cb(int ok, X509_STORE_CTX *ctx){
char buf[256];

X509_NAME_oneline(
X509_get_subject_name(ctx->current_cert),buf,256);
printf("%s\n",buf);
printf("error %d at %d depth lookup:%s\n",ctx->error,
ctx->error_depth,
X509_verify_cert_error_string(ctx->error));

/* Continue even if self signed */
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;

ERR_clear_error();

return(ok);
}

and also add this line to the main

X509_STORE_set_verify_cb_func(&ca_ctx,cb);

but the result is always the same :

Verification error: certificate signature failure

where are my mistakes ?

Thanks
Flt

On ven, 2008-08-01 at 23:58 +0200, .:: Francesco la Torre ::. wrote:
> On ven, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:
> >
> Hi Sendroiu,
>
> > It would be helpful if we could see the certificate.
>
> I did not report all certificate to allow you to replicate my code with
> your how certificate/calist.
>
> > My guess is that either your cert is self signed,
>
> Yes, it's self signed.
>
> > in which case you need to treat this case in your callback,
>
> I have no idea how to do this. Have I to set any flag/field in the
> context ?
>
> > or the certificate you are trying to verify is not signed by the trust
> > anchor that you provide. Also you must be careful which text editor
> > you are using because some may replace spaces with their owns ( eg
> > CRLF - CR or LF ) in the root_cert_data declaration, and that might
> > spoil the signature.
>
> I'll check also this :-)
> >
> > Cheers.
>
> Thank you very much !
>
> Flt
> >
> > ----- Original Message ----
> > From: .:: Francesco la Torre ::.
> >
> > To: openssl-users@openssl.org
> > Sent: Friday, August 1, 2008 8:02:44 PM
> > Subject: Re: Verify x509 certificate
> >
> > Any help from someone ?
> > :-)
> > Flt
> >
> >
> > Il giorno mer, 30/07/2008 alle 23.57 +0200, Francesco la Torre ha
> > scritto:
> > > Dear all,
> > > I'm new in openssl api and I'm trying to write e simple application
> > to
> > > verify an x509 certificate but I'm facing with some strange problem.
> > >
> > > Here there is a snapshot of my code to use to replicate my
> > scenario :
> > >
> > > #include
> > > #include
> > > #include
> > > #include
> > > #include
> > > #include
> > > #include
> > >
> > > const char root_cert_data[] =
> > > "-----BEGIN CERTIFICATE-----\n\
> > > MIIDQjCCAqugAwIBAg ... Rinw==\n\
> > > -----END CERTIFICATE-----\n";
> > >
> > > int main(int argc, char **argv){
> > >
> > > FILE *fp;
> > > X509 *root_cert;
> > >
> > > X509_STORE *CAcerts;
> > > X509 * cert;
> > >
> > > X509_STORE_CTX ca_ctx;
> > > char *strerr;
> > > BIO *bio;
> > >
> > > STACK_OF(X509) *trusted_chain;
> > >
> > > trusted_chain = sk_X509_new_null();
> > >
> > > if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
> > > printf("BIO_new_mem_buf\n");
> > > exit(1);
> > > }
> > > BIO_set_close(bio, BIO_NOCLOSE);
> > > if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
> > > printf("PEM_read_bio_X509 (root)\n");
> > > ERR_print_errors_fp(stdout);
> > > exit(1);
> > > }
> > >
> > > sk_X509_push(trusted_chain, root_cert);
> > > /* load CA cert store */
> > > if (!(CAcerts = X509_STORE_new())) {
> > > printf ("\nError1\n");
> > > }
> > >
> > > if (X509_STORE_load_locations(CAcerts,
> > > "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
> > > printf ("\nError2\n");
> > > }
> > > if (X509_STORE_set_default_paths(CAcerts) != 1) {
> > > printf ("\nError3\n");
> > > }
> > >
> > > /* load X509 certificate */
> > > if (!(fp = fopen ("cert.pem", "r"))){
> > > printf ("\nError4\n");
> > > }
> > > if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
> > > printf ("\nError5\n");
> > > }
> > >
> > > /* verify */
> > > if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) !=
> > 1)
> > > {
> > > printf ("\nError6\n");
> > > }
> > >
> > > X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
> > >
> > > if (X509_verify_cert(&ca_ctx) != 1) {
> > > strerr = (char *)
> > X509_verify_cert_error_string(ca_ctx.error);
> > > printf("Verification error: %s", strerr);
> > > }
> > >
> > > X509_STORE_free(CAcerts);
> > > X509_free(cert);
> > >
> > > return 0;
> > > }
> > >
> > > obviously root_cert_data[] and cert.pem have to be replaced with
> > your
> > > certs.
> > > Compilated as
> > >
> > > gcc -Wall x509.c -o x509 -lssl -lcrypto
> > >
> > > after execution I receive this error :
> > >
> > > Verification error: certificate signature failure
> > >
> > > Even if I try to verify my certificate by mean command line tool
> > >
> > > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
> > >
> > > The output is :
> > >
> > > cert.pem: OK
> > >
> > > Does anybody know where is the problem ?
> > >
> > > Thanks in advance,
> > > Francesco la Torre
> > >
> > __________________________________________________ ____________________
> > > OpenSSL Project
> > http://www.openssl.org
> > > User Support Mailing List
> > openssl-users@openssl.org
> > > Automated List Manager
> > majordomo@openssl.org
> > __________________________________________________ ____________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majordomo@openssl.org
> >
> >
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

On sab, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
> self reply :-)
>
> I've added a callback function like this
>
> static int cb(int ok, X509_STORE_CTX *ctx){
> char buf[256];
>
> X509_NAME_oneline(
> X509_get_subject_name(ctx->current_cert),buf,256);
> printf("%s\n",buf);
> printf("error %d at %d depth lookup:%s\n",ctx->error,
> ctx->error_depth,
> X509_verify_cert_error_string(ctx->error));
>
> /* Continue even if self signed */
> if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
>
> ERR_clear_error();
>
> return(ok);
> }
>

One mistake is here even if there were not compilation error

> and also add this line to the main
> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
>

the correct code block is :

....
/* load CA cert store */
if (!(CAcerts = X509_STORE_new())) {
printf ("\nError1\n");
}
---> X509_STORE_set_verify_cb_func(CAcerts,cb);
....



> but the result is always the same :
>

Not always the boring "Verification error: certificate signature
failure"

But a new strange error :


/C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
error 7 at 1 depth lookup:certificate signature failure
Verification error: 0


I've tried to find any kind of reference for this kind of error but
google returns not a very good help.

In various forum/mailing list this is _classified_ as *quite strange*
error ... is it possible ?

Thanks in advance,
Flt


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

The verify(1ssl) man page has descriptions of these error codes. 7 is
"X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
which is described as: the signature of the certificate is invalid.

I would presume that this is because the signature cannot be verified
with the public key that it's said to be verifiable with -- i.e., the
data in one of the certificates has been modified since it was signed
(and thus, the signature has been invalidated).

-Kyle H

On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::.
wrote:
> On sab, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
>
> One mistake is here even if there were not compilation error
>
>> and also add this line to the main
>> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
>>
>
> the correct code block is :
>
> ...
> /* load CA cert store */
> if (!(CAcerts = X509_STORE_new())) {
> printf ("\nError1\n");
> }
> ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
> ...
>
>
>
>> but the result is always the same :
>>
>
> Not always the boring "Verification error: certificate signature
> failure"
>
> But a new strange error :
>
>
> /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
> error 7 at 1 depth lookup:certificate signature failure
> Verification error: 0
>
>
> I've tried to find any kind of reference for this kind of error but
> google returns not a very good help.
>
> In various forum/mailing list this is _classified_ as *quite strange*
> error ... is it possible ?
>
> Thanks in advance,
> Flt
>
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
>
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

On sab, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
> The verify(1ssl) man page has descriptions of these error codes. 7 is
> "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
> which is described as: the signature of the certificate is invalid.
>
> I would presume that this is because the signature cannot be verified
> with the public key that it's said to be verifiable with -- i.e., the
> data in one of the certificates has been modified since it was signed
> (and thus, the signature has been invalidated).
>

You're true, but I used the "stange" abjective because if I try to
verify the certificate from command line

openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

The output is :

cert.pem: OK

so both certificates are valid.

Regards,
Flt

> -Kyle H
>
> On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::.
> wrote:
> > On sab, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
> >
> > One mistake is here even if there were not compilation error
> >
> >> and also add this line to the main
> >> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
> >>
> >
> > the correct code block is :
> >
> > ...
> > /* load CA cert store */
> > if (!(CAcerts = X509_STORE_new())) {
> > printf ("\nError1\n");
> > }
> > ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
> > ...
> >
> >
> >
> >> but the result is always the same :
> >>
> >
> > Not always the boring "Verification error: certificate signature
> > failure"
> >
> > But a new strange error :
> >
> >
> > /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
> > error 7 at 1 depth lookup:certificate signature failure
> > Verification error: 0
> >
> >
> > I've tried to find any kind of reference for this kind of error but
> > google returns not a very good help.
> >
> > In various forum/mailing list this is _classified_ as *quite strange*
> > error ... is it possible ?
> >
> > Thanks in advance,
> > Flt
> >
> >
> > __________________________________________________ ____________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majordomo@openssl.org
> >
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

Solved !

I forgot to call SSLeay_add_all_algorithms();
.... a summer youthful folly :-)

Flt


Il giorno sab, 02/08/2008 alle 11.43 +0200, .:: Francesco la Torre ::.
ha scritto:
> On sab, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
> > The verify(1ssl) man page has descriptions of these error codes. 7 is
> > "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
> > which is described as: the signature of the certificate is invalid.
> >
> > I would presume that this is because the signature cannot be verified
> > with the public key that it's said to be verifiable with -- i.e., the
> > data in one of the certificates has been modified since it was signed
> > (and thus, the signature has been invalidated).
> >
>
> You're true, but I used the "stange" abjective because if I try to
> verify the certificate from command line
>
> openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
>
> The output is :
>
> cert.pem: OK
>
> so both certificates are valid.
>
> Regards,
> Flt
>
> > -Kyle H
> >
> > On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::.
> > wrote:
> > > On sab, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
> > >
> > > One mistake is here even if there were not compilation error
> > >
> > >> and also add this line to the main
> > >> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
> > >>
> > >
> > > the correct code block is :
> > >
> > > ...
> > > /* load CA cert store */
> > > if (!(CAcerts = X509_STORE_new())) {
> > > printf ("\nError1\n");
> > > }
> > > ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
> > > ...
> > >
> > >
> > >
> > >> but the result is always the same :
> > >>
> > >
> > > Not always the boring "Verification error: certificate signature
> > > failure"
> > >
> > > But a new strange error :
> > >
> > >
> > > /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
> > > error 7 at 1 depth lookup:certificate signature failure
> > > Verification error: 0
> > >
> > >
> > > I've tried to find any kind of reference for this kind of error but
> > > google returns not a very good help.
> > >
> > > In various forum/mailing list this is _classified_ as *quite strange*
> > > error ... is it possible ?
> > >
> > > Thanks in advance,
> > > Flt
> > >
> > >
> > > __________________________________________________ ____________________
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List openssl-users@openssl.org
> > > Automated List Manager majordomo@openssl.org
> > >
> > __________________________________________________ ____________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majordomo@openssl.org
>
> __________________________________________________ ____________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majordomo@openssl.org
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org